Antivirus vendor Sophos has been left with egg on its face after its security software falsely marked a critical Microsoft Windows operating system file as malware, locking users out of their computers.
The security vendor said users would see a message in the Sophos Enterprise Console, Sophos Central or Sophos Home that said:
"Virus/spyware 'Troj/FarFli-CT' has been detected in "C:\Windows\System32\winlogon.exe". Cleanup unavailable."
As a result of the false positive, access to winlogon.exe was denied by Sophos AV, which in some cases effectively disabled Windows logins for users who could not access their computers.
Sophos scrambled to push out an update to rectify the problem that was causing consternation for IT support staff and confusion with users.
Fixing the issue could be complicated in some situations. Sophos said in a support document that depending on the policy in force, if a user tried to log in before the update had been applied, Windows would display just a black screen after credentials had been entered.
In that case, Sophos advised users to wait around five minutes after booting up their computer for the update to download and be applied, and a further ten minutes for a Microsoft retry loop that checks for winlogon.exe is present to complete.
There might however be cases where Microsoft System Protection has been disabled and winlogon.exe would have to be restored by booting into Windows Safe Mode.
Sophos insists that the false positive only affected "a specific version of 32-bit Windows 7" with Service Pack 1 applied, and not newer versions of the operating system.
The company believes only a small number of systems were affected by the problem.