Sophos Anti-Virus False Positive Prevents Users from Using PCs

Over the weekend, Sophos Anti-Virus products detected a Trojan on users’ computers, which prevented them from logging on to their Windows devices. The file flagged as malicious was winlogon.exe: a file used to log in to Windows. Because the file was blocked and prevented from running, affected users were unable to log in, rendering their computers useless.

The detection was a false positive. The issue has been corrected and most users are now able to use their computers again, although a number of users were annoyed that they were unable to use their computers over the weekend. A number took to Twitter to complain.

The problem occurred on Saturday, September 4, 2016 and only affected individuals running the 32-bit version of Windows 7 SP1. Sophos was alerted to the false positive when it started to receive complaints from users who were unable to access their computers. The issue was rapidly identified. According to Sophos, the issue was corrected “within hours”.

The Winlogon.exe file was falsely flagged as having been infected with the virus Troj/FarFli-CT. Sophos resolved the issue in an IDE released on Sunday. All affected computers should have been updated when they were next switched on, although some users were required to perform an additional fix and clear alerts from the console.

However, some users still reported being presented with a black screen after entering their login password. In such cases, the issue should have been resolved within 15 minutes, when the next anti-virus update was obtained. Any user who is still unable to use their computer can receive additional guidance from Sophos customer service.

Sophos reported that the issue only affected a small number of users, although the incident most likely caused some unwanted headaches for system administrators over the weekend. The incident is also embarrassing for Sophos, which should have whitelisted Winlogon.exe to ensure that users could still access their computers.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news