A faulty signature update from GRISoft published this week meant that its popular AVG anti-virus package falsely warned versions of Adobe Reader were infected with a Trojan. Reg reader Tulio received a false alarm that his system was infected by SHueur-JXW after he downloaded Adobe Acrobat Reader 7.09. GRISoft acknowledged …
No, I think picking up Adobe Reader 7 as a threat is correct - just misidentified.
Bioshock, recently released on PC, does something similar because of the copy protection conflicting with AVG.
Actually it's not just AVG.
At work we had problems with the installers for Adobe Reader 7.09 and 8.10, with false positives detected by F-Secure AV 5.40; the solution from F-Secure was to upgrade to 5.44, which does not generate the warnings.
Try running AVG on a Virtuozzo host
Recently, one copy of AVG I run has decided that all critical update packages downloaded into virtual servers hosted on this box are infected with trojans, along with the SWsoft management software and several standalone FTP servers installed in virtual servers. You can imagine my surprise when I got a couple of hundred alerts, panicked a little, scanned the system with something else and discovered it to be fine. Thanks, Grisoft, just the sort of worry I need in my production environment on a Friday afternoon!
After years without a single false positive, I've got 3 from AVG in the past month or so, .exes for Final Fantasy VII, Bioshock and F.E.A.R. all misidentified as virii.
Initially, I assumed AVG had moved into game reviews but I see they're being more general than that
Are you using the free version? ;) Not an excuse, but in my experience they've been fairly solid (and free!) over the last couple of years.
Not the first AVG cock-up
Last month they screwed me up, as well as a bunch of other shareware authors, with yet another faulty virus signature upgrade of theirs. I had to fend off an angry mob of users that had to take sides (me vs the lions -- sorry AVG):
to their credit, they were quick to fix their cockup.
AVG correctly identifies Adobe Reader as malware!
Well, given all the bloat and crapware Adobe Reader installs, together with its automatic updates and phone-home features, I'd consider it malware! I use Foxit Reader instead - it's much smaller, faster, more reliable and doesn't demand upgrading or bug me with endless reminders every week or so... Good on you, Grisoft! ;D
AVG screwing up recently
I've had two separate occurrences of false positives in the past month. More accurately, multiple occurrences, but two unique "threats". The first "threat" was Win32/PolyCrypt in the 3dpool.zip and doom19s.zip files (from somewhere around 1993 or so, known to be clean). The second was on my father's system, where AVG Free flagged multiple files from a four-year-old version of TurboTax (business version, not consumer) as a threat. Not a good month for Grisoft/AVG.
...a bit worrying, as I had a virus alert last night when I was surfing the net and AVG Freebie threw up an alert and refused to delete it!
Thankfully I've got NOD32 as well, which then prompted a "Kill, Burn and Pillage" attack on it!
Hmm must remember to remove AVG when I get home....
Every single time you load a PDF, BEFORE it displays the doc, Adobe Reader goes off to the net and tells you there is a CRITICAL update that simply must be installed right this f****** minute, and often wants a re-boot after that!!!
It's a document reader; as long as it can open a doc, there is NOTHING critical to update.
So, Adobe, thanks for the free doc reader, now p*** off
Until it starts identifying (that's for "viriiiiii" or however you savages pluralise virum, let alone pronounce it) bILLG aTES' monstrous and fetid carcass as a trojan, and how do you know it itself does not phone home your banking details, the barcode tattoo on your forehead? War veterans need not apply, unless otherwise handicapped; the rest of us will take it on the back of the hand.
First, it's not "SHueur-JXW" - it's "SHeur-JXW", as can clearly be seen on the picture. The "Heur" part stands for "heuristic", suggesting that AVG is not reporting a particular, known piece of malware but is simply indicating that it has found something fishy in the inspected executable - something normally used mainly by malware. And, as several people pointed out, Adobe Acrobat does plenty of fishy things.
Of course, with most lusers being the idiots that they are, the anti-virus producers have long since given up the hope that these lusers will ever become capable of understanding a report like "this file does suspicious things normally used by malware". Instead, the lusers expect a black-or-white answer, which is why most scanners nowadays have worded their heuristic reports to sound as if some known malicious program has been found. Norton AV, for instance, reports such things as "Bloodhound.whatever".
The point of the above explanation is that we're talking about a *heuristic* report here. And heuristics, by definition, are less precise than straightforward algorithms. Sure, they catch a lot of new (unknown) malware - but occasionally they make a mistake, too, reporting a legitimate program as malicious. Like this time.
Second, whitelisting is *not* the solution to this problem. Heuristics cause false positives only rarely. Whitelisting does it all the time - it only words the report differently. Instead of saying "FooBar.XYZ found", it says "File Blah.exe is not on the list of authorised programs" or something to that effect. And it does that *every* time you try to run an unknown executable - instead of only rarely, when the executable looks really fishy. In both cases the responsibility to decide whether the executable is legitimate or not is dumped onto the luser (who, by definition, is incapable of making such a decision correctly - or he wouldn't run malicious programs and get infected in the first place) - but with whitelisting it happens much more often.
Yeah, I have to disable it to play Bioshock, but seeing as it's free and it doesn't rape my system like Norton/McAfee, I can live with the occasional false positive.
Fox-It Reader FTW
As has been previously mentioned, why was this so called installing Adobe Reader in the first place? It's slow, buggy, resource-hungry bloatware at its worst.
It's even worse if you have full Adobe Acrobat installed; try opening a document then! First it tells you there's 15 critical updates, which you usually skip until you've been told enough times that you relent and press install.
It sits there forever initiating the connection, then downloading the files, then asks you for the CD. Which is stored in the server room somewhere, so you click "haven't got it", so it tells you to go stuff yourself instead, deletes the downloads and carries on annoying you. Now I'm lucky, as I have ready access to the CDs if I can be bothered to walk to the server room to get one; regular users have to go through me to get one, poor souls!
So anyway, long story short, get Foxit Reader, get it now. The feeling you get when you open your first 20MB+ PDF in under a second is like a breath of fresh air.
AVG is correct
Adobe Reader is a malicious software package - details already provided above.
Bioshock is a malicious package as well; the behavior of the DRM that is included is exactly what should be expected from a trojan.
TurboTax has in the past had a "phone home" component, so it's likely that AVG caught that - correctly.
I can't address FinalFantasy nor F.E.A.R. explicitly, but if they were "full free downloads," chances are very high that you've got *real* trojans.
The lesson here is that software publishers have a finite pool of anti-virus products they need to satisfy vis-a-vis the safety of their software, but AV publishers have an almost infinite (and constantly-growing) pool of potential malicious packages they must test. Ergo, it is incumbent upon Adobe et al. to test their products against the AV packages and fix any so-called "false" positives before release. It is *not* the responsibility of Grisoft, Symantec, Panda, and the few other AV vendors to test the myriad of crapware published by every software house in the Universe.
And if your AV package says you have malicious software - better safe than sorry. Get rid of the crap. There are alternatives to *every* software package (even Windows).
Could it have been worse?
Of course it could have been!
Windows as a malicious piece of software..heaven forbid ;)
> There are alternatives to *every* software package (even Windows).
Have you played BioShock?
Gamers will play the best games out there, which because they're the best have no equivalents, so we're forced to buy the platforms they run on. Which is why my otherwise MS-free home has an Xbox 360.
I agree that BioShock is a "malicious package", but only in the following sense: it's so engrossing that it's consuming most of my non-working hours!
Well, I have a similar issue.
AVG detected some of the libraries for Cygwin's Python package on my MCPC as "infected" with the Win32/PolyCrypt virii and "cleaned" them (why do I have Cygwin on a MCPC? Just in case). God knows what AVG did to the libraries - last I tried running the Python executable, it does work.
As for Bioshock... Mmmm... convoluted DRM, malware in the form of copy-protection, caused the PSU of a poor bloke's PC to blow up, taking the entire PC with it in the process... Yep, that's malware alright.
> As for Bioshock... Mmmm... convoluted DRM, malware in the form of copy-protection, caused the PSU of a poor bloke's PC to blow up, taking the entire PC with it in the process... Yep, that's malware alright.
Again, gamers don't have a choice. I doubt BioShock itself caused the poor dude's explosion, but as an Xbox owner I will admit that Xboxes quite happily blow up without any assistance from third-party applications. I'm lucky I got my refurb back in time for the release of BioShock, which by the way is The Best Video Game Ever OMFG!!!G!!!!
/blows up, taking coat with me
Dr. Bontchev is right.
And the plural of virus is virus. Not virii or virum or virae.
Slight problem with using FoxIt Reader exclusively, 'cos the Inland Revenue CDs demand that you have *their* version of adobe acrobat (which is buggy as hell - even more so than a normal version) installed. I use Foxit on all my machines, except the one I do the tax on, and the difference really is noticeable...
Actually, both are legal and totally safe. They just sat on my HD for years until one day they were flagged as viruses/virii. AVG acknowledged them as genuine false positives.
They were good enough to contact me after I'd e-mailed a password protected zip with the "malicious" file to them for examination. It IS free so I'm not massively fussed but since this software has worked with AVG for years, it's a bit much to put the burden on the publishers to predict when one particular anti-virus decides (albeit as a blip) to go silly.
I take your point that software ought to be tested and proven to be compatible with a pool of common AV software before release but as soon as an AV updates its definitions, it becomes a two-way street and GRIsoft et al. have to take some responsibility (which, happily, they do).
Not that this is anything but moot anyway; I doubt Adobe Reader is still getting flagged as I type this.
How to castrate Acrobat reader?
Open Reader, go into options, disable warnings, auto-updates, splash screen etc.
Go find the adobe reader program directory > Reader > plugins - move all files (leaving the folders, and any files named search* and ia32*) to a different directory.
Open a PDF in a second rather than 40 sec + update warnings et al.
Foxit is junk
We just transitioned to Foxit at work. I wish we'd actually gone through the change control process, because it's been absolutely nothing but a headache.
It refuses to print many PDFs (the print controls and such work perfectly... It just never makes it to the queue), improperly prints others (black sheets of paper, anybody?), and on occasion just plain doesn't open.
Oh Daniel, I was just going to follow your advice when I realised there isn't an options menu in Acrobat Reader.
You have to run the updater before you can switch it off...
Help > Check for updates.
Reader goes off to check for updates.
Once the Adobe Updater panel returns click 'Preferences' now uncheck 'Automatically check for Adobe updates'
This used to be in the Edit > Preferences menu, but they seem to have realised that most users won't find it there...
No, it's called "preferences" and is under the Edit menu. Problem is, when I got there I found that most of my settings were already as Daniel suggested, but Reader is still painfully slow for me. I'm off to download Foxit.