Buggy update causes several system files to be quarantined

Mar 11, 2009 13:15 GMT

ESET, the developer of NOD32, is the subject of a new anti-virus false positive incident that affected operating system files. Due to a quality control error, an update to the heuristics module improperly flagged at least two legitimate Windows files as infected with Win32/Kryptik.JX.

According to the company, the flawed v1091 update was released to users on Sunday, March 8th, at 9:52PM PDT. The ESET products that had the misfortune to "benefit" from this upgrade quarantined vital Windows components such as dllhost.exe, the Microsoft DCOM DLL Host Process responsible for the proper operation of DLL-based applications, and msdtc.exe, the Distributed Transaction Coordinator used by Microsoft Personal Web Server and Microsoft SQL Server.

Fortunately, the glitch was noticed and addressed very quickly by ESET and did not affect many users. "The update downloads were stopped within ten minutes of the update release, and the update was reverted to its previous version. Due to this immediate response, less than 5% of our users were affected," the company said.

Furthermore, if no system reboot was performed in the following hours, the subsequent update, v3919, should have automatically restored the affected files. However, this only applies to ESET v3 and v4 products; for NOD32 v2.7, manual restoration is required. For that case, the company published a knowledge base article with detailed instructions.

"We take quality control very seriously, and we sincerely apologize for any problems caused by this issue," the ESET statement read. Yet, even though anti-virus misdiagnoses are rather common occurrences, in certain situations they can hurt legitimate users or businesses.

We previously reported on a UK company selling flower arrangements online, whose reputation was damaged when the products of MessageLabs, the Symantec-owned e-mail security company, flagged one of its newsletters as a false positive.

When such incidents involve system files, they are also potentially dangerous. In November 2008, AVG Anti-Virus deleted user32.dll and left computers unable to boot into the operating system, because it mistook the file for a banking trojan. A month earlier, McAfee incorrectly tagged the Windows Vista console IME as a password-stealing trojan. Trend Micro also had its share of buggy updates: in September last year, a similar mistake left its customers' computers unbootable or unstable after three Windows components had been wrongfully removed.