False alarm triggered by Kaspersky paralyses Windows computers
Russian anti-virus vendor Kaspersky distributed a virus signature update last night that identifies the explorer.exe file – which, among other things, provides users with the Windows desktop – as Worm.Win32.Huhk.c. This prompted several users of the software, and of anti-virus software based on it, for example Gdata, to permanently remove the file. Removing it, however, leaves the system inoperable after a reboot.
The situation is particularly likely to occur if Windows File Protection has been deactivated, so that Windows can't automatically restore explorer.exe. In addition, users may have deleted all copies of the file on their system, which would also leave Windows unable to restore it. In this case, however, Windows could be successfully recovered by retrieving the file from the Windows installation CD, either through the recovery console or the emergency installation.
Shortly after publishing the flawed signatures, Kaspersky released a second update which does not trigger a false alarm for explorer.exe. Where possible, affected users should, therefore, manually update the signatures.
False alarms triggered by virus scanners are not that uncommon but don't usually affect essential system files. Avira, for example, caused a similar problem early this year when a signature update mistakenly identified the winlogon.exe file as malware. Considering Kaspersky's fast response times and high update frequency, however, it is remarkable that false alarms don't occur more often – the vendor is unlikely to have much time for thoroughly checking signatures before their release.
- Virus Worm Win32 Huhk.c, discussion about the false alarm on Kaspersky's user forum