Attack of the Updates II

Yesterday, our updates fun continued. It started with one iBook and Sophos reporting that it had caught the OSX/Inqtana-B worm but had an error deleting the file. We altered the setting so that it could delete infected files, and started a manual scan. Before long, it had found and deleted 157 infected files, many of these Microsoft services files. We stopped the scan at that point, because the available information about OSX/Inqtana-B indicated that it should not have infected 157 files…

About that time, an hour later, we had about 40 OS X machines around campus reporting the OSX/Inqtana-B, and Sophos couldn’t delete the files, but it could stop Word and other Office programs from working because it had blocked access to the “infected” files. We sent out the request to shut down all OS X machines on campus, because it was possible the worm was broadcasting over the network. The B variant of this worm could be something entirely new.

We were in dialogue with Sophos, sent them some supposedly “infected” files, and discovered that disabling Sophos would restore the OS X machines to normal operating conditions. As you might guess, Sophos had released a bad definitions set that was going crazy with false positives, and if one allowed it to delete all the system files it wanted to, the computer was in bad shape indeed.

About 11 a.m. our time, Sophos let us know that they had repaired the definitions set and were broadcasting it via their update servers. We updated Sophos on our machines, and things were back to normal, except for the first iBook with all the deleted files. We were somewhat glad that wasn’t the default setting on all our OS X machines…

