Sophos false positive made it impossible to log in to Windows 7

Posted 05 September 2016 19:25 CET by Jan Willem Aldershoff

A false positive from antivirus company Sophos meant that some Windows 7 SP1 users could no longer log in to their operating system last Sunday. The company writes on its website that it mistakenly flagged ‘winlogon.exe’ as a virus or spyware.

Users of Sophos Enterprise Console, Sophos Home and Sophos Central received the notification, “Virus/spyware ‘Troj/RarFli-CT’ has been detected in ‘C:\Windows\System32\winlogon.exe’. Cleanup unavailable.”

The culprit was a detection update released on Sunday. Later that day, when Sophos became aware of the issue, the antivirus company sent out a corrected update to Sophos clients, which resolved the problem.

Sophos has stated it is still investigating the impact and has posted a workaround in case there are still users who have not updated. To clear the alerts, users can right-click and select “Resolve Alerts and Errors” in Sophos Enterprise Console (SEC). In Sophos Central, clicking “Mark as Acknowledged” should be sufficient.

The antivirus vendor also notes that in some cases (depending on the policy in force and on whether a user attempted a login before the fix was in place) users may see a black screen when logging in. This issue is limited to a specific 32-bit build of Windows 7 SP1 only. Sophos stresses that no other versions of Windows (XP, Vista, 8, 10) or other operating systems (Mac, Linux, Android) are affected by this issue.

Users affected by this issue are advised to boot into Safe Mode and disable automatic startup of Sophos.
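The following PowerShell script is an added example, not part of the article and not code from Sophos. It shows the two things an administrator would want to do before acting on an alert like the one above: confirm that the flagged file is a genuinely Microsoft-signed Windows binary (so the alert can be treated as a false positive rather than a real infection), and list the Sophos services that start at boot so their automatic startup can be disabled from Safe Mode as the article's workaround describes. The service-name filter (display name containing “Sophos” or service name starting with “SAV”) is an assumption and should be checked against `Get-Service` on the machine in question; the script only uses cmdlets available in Windows PowerShell 2.0 so it runs on a stock Windows 7 SP1 install.

```powershell
# Added example (not from the article or from Sophos). Run from an elevated
# PowerShell prompt, in Safe Mode if the machine no longer logs in normally.
# Assumption: Sophos services have "Sophos" in their display name or a service
# name starting with "SAV"; verify with Get-Service on your own system.

$flagged = "$env:SystemRoot\System32\winlogon.exe"   # path quoted in the alert

# 1. Check the Authenticode signature of the flagged file. A valid Microsoft
#    signature on winlogon.exe is strong evidence the detection is a false
#    positive; an invalid or missing signature means treat the alert as real.
$sig = Get-AuthenticodeSignature -FilePath $flagged
$signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
"{0}`n  signature status: {1}`n  signer: {2}" -f $flagged, $sig.Status, $signer

# SHA-256 of the file, computed via .NET so it works on PowerShell 2.0
# (Get-FileHash only exists from PowerShell 4.0). Compare it with a known-good
# winlogon.exe from another machine on the same Windows 7 SP1 build.
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$bytes  = [System.IO.File]::ReadAllBytes($flagged)
$hash   = ([System.BitConverter]::ToString($sha256.ComputeHash($bytes))) -replace '-', ''
"  SHA256: $hash"

# 2. List the Sophos services and how they start (Win32_Service exposes
#    StartMode on PowerShell 2.0; ServiceController.StartType does not exist there).
$sophosServices = Get-WmiObject -Class Win32_Service | Where-Object {
    $_.DisplayName -like '*Sophos*' -or $_.Name -like 'SAV*'
}
$sophosServices | Select-Object Name, DisplayName, State, StartMode | Format-Table -AutoSize

# 3. The article's workaround: only when the signature is valid and login still
#    fails, stop the Sophos services from starting automatically. Set $applyWorkaround
#    to $true deliberately; re-enable with -StartupType Automatic once the corrected
#    detection update has been installed.
$applyWorkaround = $false
if ($applyWorkaround -and $sig.Status -eq 'Valid') {
    foreach ($svc in $sophosServices) {
        Set-Service -Name $svc.Name -StartupType Disabled
        "Disabled automatic start for $($svc.Name) ($($svc.DisplayName))"
    }
}
```

The signature check is the key step: the alert names a core Windows binary, and an attacker who could replace `winlogon.exe` would also break its Microsoft signature, so `Status -eq 'Valid'` with a Microsoft signer separates a bad detection update from a compromised logon process. Disabling the services is a temporary measure to recover the machine; the corrected update should be applied and the services restored as soon as the system boots normally.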
