Sophos false positives

[IanB]

I have had a number of virus alerts from Sophos v7 this morning of the form: Virus/spyware 'W32/Sohana-AR' has been detected in "file.exe", where the files in question are scripts I wrote myself and compiled using Auto-it. The suposed malware is a network worm not an .exe infector, so I am pretty sure this is a false positive.
Sophos Linky
Has anyone else had a similar experience with the latest Sophos update?

[Geoff]

Yes, Sophos detected the autoit v3 setup.exe as containing W32/Sohana-AR here. I assume it was tripping up over the example scripts in the archive.

Code:

Virus/spyware 'W32/Sohana-AR' has been detected in "C:\Documents and Settings\Administrator.CARRHILL\Desktop\autoit-v3-setup.exe\FILE:0385". Cleanup unavailable.

Infected file "C:\Documents and Settings\Administrator.CARRHILL\Desktop\autoit-v3-setup.exe" has been deleted.

[mattx]

Oh yes, I've had quite a few PCs Blue Screen on me after applying the latest updates. Sophos also maxed out the CPU on our MIS server Monday. The last false positve I got was on the peazip utility which I reported to them.
I have loads of AutoIT scripts doing bits and bobs on our network so I'll double check. Thanks for the heads up.

[IanB]

I've just had a reply from Sophos as follows:

There was indeed a false-positive report on W32/Sohana-AR which has now been corrected. Please ensure that you have all the latest IDE files applied and re-scan the files. They should no longer be detected.

I've done the update & rescan, and my utilities are no longer detected as malware. Hopefully that should also fix the problem for others.

[mattx]

That was quick !! Last time I sent them a false positive it took quite a few E-mails and attachments to convince them.....

[john]

Must admit Sophos is about to be screamed at, its gobbling up well over 100mb physical ram on my box every day again Kill the Savadmin server and it drops to 40 which is better than 100