Sophos - Winlogon.exe detected as Troj/FarFli-CT

LabZero

Thread author
In the Sophos Enterprise Console, in Sophos Central or in Sophos Home you may see something similar to this:

Virus/spyware 'Troj/FarFli-CT' has been detected in "C:\Windows\System32\winlogon.exe". Cleanup unavailable.

SophosLabs has fixed this issue in the IDE "java-aqr.ide" which was released on Sunday, September 4, 2016 at 9am UTC. All endpoints should have received this update or will receive this update when they turn on. Once deployed to endpoints, the issue is resolved, and no further alerts will be generated.

We are still investigating the impact in different scenarios. However, we believe that in most cases the only action needed is to clear the alerts:

In Sophos Enterprise Console (SEC) right-clicking and selecting “Resolve Alerts and Errors”
In Sophos Central clicking “Mark as Acknowledged”
In some cases (depending on the policy in force and depending on whether a user attempted a login before the fix was in place) users may see a black screen on their machine when attempting to login. The issue is limited to certain versions of Windows 7 (SP1) systems only. No other versions of Windows (XP, Vista, 8, 10) or other operating systems (Mac, Linux, Android) are impacted by this issue.

Read more:

Winlogon.exe detected as Troj/FarFli-CT - Sophos Community
 

Terry Ganzi

A bad malware signature caused Sophos antivirus products to detect a critical Windows file as malicious on Sunday, preventing some users from accessing their computers.

The false positive detection flagged winlogon.exe, an important component of the Windows Login subsystem, as a Trojan program called Troj/FarFli-CT. Because the file was blocked, some users who attempted to log into their computers were greeted by a black screen.

Sophos issued an update to fix the problem within a few hours and said that the issue only affected a specific 32-bit version of Windows 7 SP1 and not Windows XP, Vista, 8 or 10.

"Based on current case volume and customer feedback, we believe the number of impacted systems to be minimal and confined to a small number of cases," the company said in a support article.

he highly doubts only a small number of customers were affected, while another one reported that he's been on hold trying to reach Sophos Support by phone for over two hours.

You can read the rest of this news here: (Sophos' false positive ruins the weekend for some Windows users)
 

DCPC

I have some PCs using Windows 7 SP1 that showed this in quarantine today 4/12/17. Running newest updates and definitions. Definitions updated 4/4/17. Path is C:\windows\System32\winlogon.exe. It is in quarantine but I can still logon. Should I just ignore it?
 

Winter Soldier

I have some PCs using Windows 7 SP1 that showed this in quarantine today 4/12/17. Running newest updates and definitions. Definitions updated 4/4/17. Path is C:\windows\System32\winlogon.exe. It is in quarantine but I can still logon. Should I just ignore it?
This problem seems to be fixed today; still, I would like to investigate, because some malware really copies itself to System32 and injects code into winlogon.exe or explorer.exe.
 
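A check a defender would want before clearing this alert, added here as an example that is not from any of the posts or from Sophos: confirm that the quarantined file is the genuine Microsoft winlogon.exe rather than a look-alike dropped by malware. It assumes a Windows 7 SP1 machine, an elevated prompt, and PowerShell 4.0 or later (for Get-FileHash).

```powershell
# Added example, not code from the thread or from Sophos: check whether the
# quarantined C:\Windows\System32\winlogon.exe is the genuine Microsoft file.
# Assumes Windows 7 SP1, an elevated prompt, and PowerShell 4.0+ (Get-FileHash).
$path = 'C:\Windows\System32\winlogon.exe'

$file = Get-Item -LiteralPath $path
$sig  = Get-AuthenticodeSignature -FilePath $path
$hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash

# Record what was actually examined, so the result can be compared later.
[pscustomobject]@{
    Path            = $file.FullName
    SizeBytes       = $file.Length
    FileVersion     = $file.VersionInfo.FileVersion
    CompanyName     = $file.VersionInfo.CompanyName
    SignatureStatus = $sig.Status
    Signer          = $sig.SignerCertificate.Subject
    SHA256          = $hash
} | Format-List

# The genuine file lives only under %SystemRoot%\System32 and is Microsoft-signed.
# Windows 7 signs most system binaries through security catalogs rather than an
# embedded signature, so older PowerShell may report 'NotSigned' for a genuine
# file; treat that as inconclusive and rely on the SFC catalog check below.
$inSystem32 = $file.DirectoryName -ieq (Join-Path $env:SystemRoot 'System32')
switch ($true) {
    (-not $inSystem32) {
        'winlogon.exe found outside System32: treat as suspicious, not as a false positive.'; break
    }
    ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like '*Microsoft*') {
        'Embedded signature is valid and from Microsoft: consistent with a false positive.'; break
    }
    ($sig.Status -eq 'NotSigned') {
        'No embedded signature (expected for catalog-signed files): check the SFC result below.'; break
    }
    default {
        "Signature status '$($sig.Status)': do not clear the alert without further analysis."
    }
}

# Windows Resource Protection verifies the file against the signed system catalog.
# "Windows Resource Protection did not find any integrity violations." means the
# on-disk file is the genuine protected copy.
sfc /verifyfile=$path
```

This verifies only the copy on disk; it says nothing about code injected into a running winlogon.exe process, which the post above raises and which needs memory inspection instead.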

Arequire

It might have blocked winlogon's execution but Sophos Home users should just be thankful its attempts at automatically deleting the file from their system failed.
 