CA antivirus deletes Windows componentBy Derek Sooman
There was a bit of a mix-up for Windows 2003 users of Computer Associates' eTrust antivirus application last Friday when the software incorrectly flagged a Windows system file as malware.
Seemingly, the error was a result of an incorrect update of the application's antivirus signature file. The update marked the file "Lsass.exe" as being fit for removal or isolation. As it turns out, Lsass.exe file is actually a system component for the Windows Server 2003 operating system. eTrust Antivirus apparently mistook Lsass.exe for the Win32/Lassrv.B virus. In any case, the result was that some servers crashed or failed to boot up properly. Computer Associates' released an update for its antivirus signature file within hours to correct the problem.
The problem was that eTrust Antivirus was mistakenly flagging the Windows Lsass.exe process, said Bob Gordon, a CA spokesman. "CA quickly discovered and fixed an issue that temporarily caused some customers to detect a problem in their Lsass.exe files," he said in an email.
According to Gordon, it took CA less than seven hours to fix the mix-up.
Whilst it is not uncommon for signature files to mistakenly identify legitimate software as malware, it is somewhat worrying that CA's software made the mistake with a well-known Windows component. Why this problem did not surface itself in testing is a mystery. Although the problem did not disrupt a large number of users, it still reflects poorly on Computer Associates.