
AV vendor goes to war with security shop over update server scare

(2026/01/29)


A spat has erupted between antivirus vendor eScan and threat intelligence outfit Morphisec over who spotted an update server incident that disrupted some eScan customers earlier this month.

Morphisec fired the opening salvo with [1]a blog post calling the incident a "critical supply-chain compromise," alleging hackers used eScan's own update system to push malicious files and interfere with cleanup. MicroWorld Technologies-owned eScan, however, says that Morphisec's account is wrong on multiple fronts.

In a statement to The Register, eScan said it detected suspicious activity through its internal monitoring before any external notification and initiated incident response the same day.


"eScan detected suspicious activity through our internal monitoring systems on January 20, 2026, and immediately initiated our incident response protocol," a spokesperson said. "We issued a preliminary security advisory to customers on January 21, 2026, along with a remediation patch."


The company alleges Morphisec published its blog and accompanying social posts later that day, claiming discovery and mischaracterizing the incident's technical details and scope.

The customer advisory eScan sent to affected users on January 22, as seen by The Register, offers a much narrower version of events. An unauthorized user gained access to configuration on a single regional update server, resulting in a rogue file briefly appearing in the update path for about two hours on January 20. The advisory states that the file distributed was not an official eScan binary or a legitimate update, and that no vulnerability existed in the eScan product itself.


According to eScan, machines that downloaded updates from the affected server during the short window could suddenly stop updating, display error pop-ups, or have their hosts files modified in a way that cut them off from eScan's update servers. eScan reports no sign that any data left the network, and says the antivirus continued to perform its day job throughout.
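The hosts-file modification described above is the one artifact in the advisory a defender can check for directly. The script below is an added example (not code from The Register, eScan, or Morphisec): it parses a hosts file and flags any entry that pins a watched update domain to an address, distinguishing a blackhole (loopback or unspecified address) from a redirect elsewhere. The domain names, the addresses, and the sample hosts content are constructed placeholders, not eScan's real infrastructure.

```python
"""Hosts-file tamper check after an update-server incident (added example).

ASSUMPTIONS: WATCHED_DOMAINS and SAMPLE_HOSTS are constructed placeholders.
Replace WATCHED_DOMAINS with your vendor's real update hostnames and feed
the script the contents of /etc/hosts or
C:\\Windows\\System32\\drivers\\etc\\hosts.
"""
import ipaddress
from typing import List, Tuple

# ASSUMPTION: placeholder update domains (.invalid TLD so they never resolve).
WATCHED_DOMAINS = {"update.example-av.invalid", "update2.example-av.invalid"}

# Constructed sample resembling a Windows hosts file after tampering.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# entries below are constructed to look like post-incident tampering
0.0.0.0         update.example-av.invalid
127.0.0.1       update2.example-av.invalid   # blackholed
192.0.2.10      update.example-av.invalid   # redirected to a TEST-NET address
10.0.0.5        intranet.corp.invalid
"""


def parse_hosts(text: str) -> List[Tuple[str, str, int]]:
    """Return (ip, hostname, line_no) triples, ignoring comments and blanks."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip = parts[0]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line; skip rather than crash
        for host in parts[1:]:
            entries.append((ip, host.lower(), line_no))
    return entries


def find_tampering(text: str, watched=WATCHED_DOMAINS) -> List[dict]:
    """Flag hosts entries that override a watched update domain.

    Any static mapping for a vendor update domain is suspicious, because those
    names should resolve through DNS. Loopback or unspecified addresses are
    reported as 'blackhole'; anything else as 'redirect'.
    """
    findings = []
    for ip, host, line_no in parse_hosts(text):
        if host not in watched:
            continue
        addr = ipaddress.ip_address(ip)
        kind = "blackhole" if (addr.is_loopback or addr.is_unspecified) else "redirect"
        findings.append({"line": line_no, "host": host, "ip": ip, "kind": kind})
    return findings


if __name__ == "__main__":
    for f in find_tampering(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['kind']})")
```

On a real fleet this check belongs in the post-remediation verification step: a machine whose hosts file still maps the update domains after the cleanup tool has run has not actually been restored, regardless of what the console reports.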

That doesn't square with Morphisec's depiction of a critical supply chain breach. eScan says Morphisec's write-up contains "numerous factual inaccuracies," disputing claims about how the malware behaved and how systems were affected, and asserting that the incident was limited to a small number of systems in a specific region rather than affecting customers worldwide. When asked, eScan did not say which region was affected.


There is, however, some overlap between the two accounts. While eScan rejects the idea that affected systems were irreparably blocked from recovery, its own advisory instructs many customers to manually download and run a remediation tool on individual machines, often with support assistance, to restore update functionality. In other words, the fix existed, but in many cases it still required hands-on work.

eScan says it contacted affected customers over the next few days via email, phone, WhatsApp, and its support portal, and completed the cleanup within two to three days of identifying the issue. It also pulled its update infrastructure offline for checks, rebuilt the affected systems, rotated credentials, and tightened monitoring before bringing everything back online.

The dispute has since escalated beyond dueling accounts. eScan says it asked Morphisec to remove what it calls false claims, prompting the deletion of Morphisec's social media posts but not the blog itself. It also notes that several publications retracted articles based on Morphisec's claims after eScan raised concerns about their accuracy. eScan says it is now working with legal counsel regarding what it describes as demonstrably false statements.


"We are concerned that Morphisec's publication contains multiple demonstrably false technical claims that we have documented in detail," the spokesperson told The Register. "We stand behind the accuracy of our incident response and the integrity of our products."

Morphisec did not respond to The Register's questions, but appears to be standing by a revised version of its advisory that keeps the core narrative intact – including the claims that this was a "critical eScan supply chain compromise." ®




[1] https://www.morphisec.com/blog/critical-escan-threat-bulletin/
