The Sophos endpoint verification surprised its user a couple of days ago when it started false alarming users about a malware. The program identified a legit Windows process Winlogon.exe file as malware Troj/FarFli-CT. This issue cropped up on Sophos Console, Sophos Enterprise Console, Sophos Home, Sophos UTM or Central software.
Sophos was quick to fix the error within hours. However, a select few users running Windows 7 SP1 were required to follow a separate procedure to fix the problem.
Sophos wrongly flagged Winlogon.exe as malware
On September 4, 2016, Sophos experienced a fault in one of our endpoint protection verification systems and incorrectly identified a known good file as malware on a specific version of 32-bit Windows 7 SP1. Sophos issued a fix that corrected the problem within hours. A very small number of users running this specific 32-bit version of Windows 7 SP1 may have required an additional procedure to be able to log on to an affected computer.
If you are facing this error in Windows 7 SP1 you need to follow some specific procedures in order to resolve the problem that of winlogon.exe being falsely detected in the system.
The security software may display a message – “Virus/spyware ‘Troj/FarFli-CT’ has been detected in “C:\Windows\System32\winlogon.exe”. Cleanup available”.
For some computers running 32-bit Windows 7 SP1, users may even see a black screen on attempting to log in after furnishing their credentials. This problem is exclusive to users who attempted a log in before the program was patched. A Sophos definition update will take 15 minutes to trigger after the boot. So you may wait for this time or update your Sophos manually right away.
However, if your security software has automatically updated itself, you will be saved from any false alerts about this Windows file . Also upon updating, one must need to clear the alerts from consoles. In case you are using Sophos Enterprise Console select “Resolve Alerts and Errors” by right clicking in the consoles. Enter “ResolveAll” in Sophos UTM and click “Mark as Acknowledged” in Sophos Central and the last step will conclude by hitting “Ignore” in Sophos Home.
You also need to clean the residual alerts of ‘Troj/FarFli-CT’ from local Quarantine and outlined below is the process to do it.
In exceptional cases, you may need to take assistance from local Sophos support team to resolve the issue and log on successfully.