On 19th November at 8:17 am, we became aware of a false positive detection on Excel files, which were being quarantined on some customer devices.
We sincerely regret the inconvenience caused. We immediately began investigating the matter and initiated a root cause analysis.
We would like to share that this issue was resolved by 2:26 pm. An update package containing the fix was made available, and when applied it automatically restored the impacted files.
Based on our investigation, we would like to assure all our retail, enterprise, and government customers that their data safety is our utmost priority. Our cybersecurity solutions, with comprehensive protection and sophisticated controls, are fully capable of neutralizing any such threat.
What led to this false positive detection?
- The issue was caused by a signature written to detect XML files used by malware in the wild. Inadvertently, the signature also matched XML content within some legitimate Excel files, resulting in this false positive.
- Many signatures are written every day. They are pushed to end devices in the form of AV updates, multiple times a day. Each update cycle picks up all the signatures newly created since the last cycle and combines them into a package. This package is then released to customers and is downloaded and applied on end devices via the live update functionality.
- Before release, each update package goes through extensive testing to ensure its contents will not have side effects on end user devices. If the contents of the update package carry a false positive risk, an alert is generated, and the respective signature is removed from the package. In this case, however, owing to a human error in a non-automated step, the alarm was not generated, resulting in the release of the offending signature.
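As an added illustration of the pre-release gate described above (example code, not the vendor's own pipeline), the following Python sketch runs a package of candidate signatures against a constructed corpus of clean Excel XML parts: any signature that matches a clean file raises an alert and is dropped from the package, and the gate refuses to release at all when the clean-corpus check cannot run, so a skipped step cannot silently pass. Signature names, patterns and corpus files are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample signatures: name -> regex applied to decoded XML text.
# SIG_XML_REL_TARGET is deliberately over-broad, mimicking a rule that keys on
# generic XML structure that legitimate xlsx parts also contain.
SIGNATURES = {
    "SIG_XML_REL_TARGET": re.compile(r"<\?xml[^>]*\?>.*<[^>]*\bTarget=", re.S),
    "SIG_XML_SCRIPT": re.compile(r"<script[^>]*>.*?</script>", re.S | re.I),
}

# Constructed clean corpus: fragments typical of legitimate .xlsx package parts.
CLEAN_CORPUS = {
    "xl/_rels/workbook.xml.rels": (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet"'
        ' Target="worksheets/sheet1.xml"/></Relationships>'
    ),
    "xl/worksheets/sheet1.xml": (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<worksheet><sheetData><row r="1"><c r="A1"><v>42</v></c></row></sheetData></worksheet>'
    ),
}


@dataclass
class GateResult:
    released: dict = field(default_factory=dict)   # signatures cleared for release
    alerts: list = field(default_factory=list)     # one alert per removed signature


def fp_gate(signatures, clean_corpus):
    """Return the signatures safe to ship; alert on and drop any that hit clean files."""
    # Fail closed: a gate with nothing to test against must block the release,
    # never return an empty alert list that looks like a pass.
    if not clean_corpus:
        raise RuntimeError("FP gate refused to run: clean corpus is empty")
    result = GateResult()
    for name, pattern in signatures.items():
        hits = [path for path, text in clean_corpus.items() if pattern.search(text)]
        if hits:
            result.alerts.append(f"ALERT {name}: matches clean files {hits}; removed from package")
        else:
            result.released[name] = pattern
    return result


if __name__ == "__main__":
    outcome = fp_gate(SIGNATURES, CLEAN_CORPUS)
    print("\n".join(outcome.alerts) or "no alerts")
    print("released:", sorted(outcome.released))
```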
How do we intend to mitigate such occurrences in future?
- The majority of pre-release testing happens via automated systems. These automations are being enhanced to include the step where the error occurred.
- Additionally, the entire testing suite is being thoroughly reviewed. As part of this review, other steps involving human intervention will be considered for inclusion in the automation as well. This review will also help identify any other blind spots.
- Existing monitoring systems will be enhanced to cover the identified blind spots. The existing checklists used in steps requiring human intervention will also be enhanced to cover any current gaps.
Please write to us at firstname.lastname@example.org for any clarification.