OSX/Inqtana.A, OSX/Inqtana.B worm (#2): Sophos AntiVirus software generating false positives, wreaking system havoc

CNET staff

Originally posted February 21st

In yet another case of antivirus software causing serious problems while purporting to identify infected files, Sophos AntiVirus appears to be generating false positives for the "OSX/Inqtana.B" worm, flagging critical application and system files for deletion and, where the software is set to delete automatically, removing them outright.

The threat Sophos AntiVirus reports is labelled Inqtana.B, apparently a variant of Inqtana.A, which likewise spreads by copying itself to other computers over a Bluetooth connection.

As previously reported, OSX/Inqtana.A is a Java-based proof-of-concept Bluetooth worm that affects older versions of Mac OS X 10.4.x (Tiger). It does not affect Mac OS X 10.4.5, and it has not been found in the wild.

Despite that, Sophos' software is identifying "infected" files -- sometimes numbering in the thousands -- on Mac OS X 10.4.5 systems.

The results of the false positives are, in some cases, disastrous.

One MacFixIt reader writes:

"I have read about the proof of concept bluetooth virus by the name of OSX/Inqtana-A, but today my Sophos AntiVirus program alerted me of a virus by the name of OSX/Inqtana-B when I tried to unstuff a StuffIt .sitx file. I started a virus check of my hard drive and so far, after 70,000 files, Sophos reports 1077 infections. These mostly occur inside application bundles. Sophos reports this virus warning when I open pretty much every application, denying access to some programs or letting others continue to run.

"I am running Mac OS X 10.4.5 and update via Software Update as soon as they arrive, and I also have my Safari preferences/General/Open 'safe' files after downloading unchecked."

Roger Miller adds:

"Inqtana.A may not be out in the wild, but Inqtana.B is making a mess of our Macs running OS X. We are running Sophos antivirus. I first noticed the infection when the antivirus program detected 2 instances of the virus. I started a scan and it immediately found another 7 copies. It's now up to 60 copies of the virus. Sophos was set up to delete infected files. Many of our campus computers have lost access to their Microsoft and Adobe products. We're having trouble reinstalling them because they immediately get re-infected."

Glen Winkelman reports:

"My entire department is running Mac OS X. We are using Sophos Anti-Virus software. This morning, everyone who connected to our network got warning messages. (I have attached two screen shots for you to view.)

"I contacted tech support at Sophos. They told me what to do to fix it. But now they are telling me to 'hold off' until they are sure it's not a false positive."

Another reader writes:

"Well, we have this OSX/Inqtana-B virus that's managed to get into our entire company somehow... we're protected with Sophos Anti-Virus... however, it seems to be hiding in the Acrobat application (6 and 7) itself and it destroys Office 2004... even with a reinstall, Office doesn't work."

We currently recommend that users disable Sophos AntiVirus until further notice. At a minimum, configure it so that it does not automatically delete files it flags as "infected," so that a false positive produces a warning rather than the loss of the file.

More information to follow...

Feedback? Late-breakers@macfixit.com.

Previous coverage:

  • OSX/Inqtana.A worm affects...