Look, what's that over there? Sophos nips Windows DNS DLL false positive in the bud

Temporary file during update shuffled off to quarantine

A Windows operating system library was wrongly identified as malware by Sophos's antivirus scanner for some users on Tuesday.

Security software from Sophos quarantined dnsapi.dll, provoking a modest number of complaints on the antimalware maker's support forums. The main gripe seemed to be bogus alerts generated by the software, rather than crashed systems, a not infrequent side-effect of erroneously putting Windows library files into quarantine.

Influential UK infosec geezer Kevin Beaumont highlighted the cockup, and soon after El Reg began prodding Sophos about the issue, the false positives were cancelled and normality was restored.

How much pain, confusion and general inconvenience did the incident cause? Probably not much, it would seem, mostly because the issue was quickly resolved.


Brown pants moment for BlueJeans: Dozens of AV tools scream its vid chat code is malware


In a knowledge base article, Sophos said the false alarm centered around a temporary file created when Windows Update was upgrading dnsapi.dll, and not the final library file, a small but important distinction that drastically limited the impact of the issue.

This problem, such as it was, is known to affect Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1 only – the operating systems targeted by the Windows Update patch that triggered the false alarm. That patch is supposed to fix up "an issue where DNS requests disregard proxy configurations in Internet Explorer and Microsoft Edge."

False positives are a well-known Achilles Heel of security scanners. Even though signature-based detection is only one of the layers of protection offered by modern security software, it's still in there and it can still go wrong, occasionally.

Quality control has improved over the years but the sheer volume of malware out there means that frequent signature updates have become par for the course. Accidents will happen, so the trick becomes to respond quickly when problems crop up, a process Sophos seems to have done pretty well on this occasion. ®

Biting the hand that feeds IT © 1998–2021