So this makes CA, McAfee, Symantec, AVG, and Kaspersky. Any others I've forgotten? Are these some bizarre-configuration WinXP installations or foreign-language versions? I have to ask because it seems illogical that these big-name, big-money AV firms would fail to test their definitions on common configurations. Of course, sometimes truth is stranger than fiction...

And just once, can the MS haters please refrain from the typical "Well, that proves [Window$ / Winderz / Winblows] is [malware / virus], ha ha ha" comments? They're really not amusing anymore.

Boot the system off a Linux live CD (or USB drive).

Copy all your important data files/documents to a USB drive or network share.

Remove the anti-virus software.

Rename back the affected system files.

Reboot.

Discover your hard-drive is encrypted and you cannot do steps 2, 3 and 4.

"Anti-virus scanners are an industry-wide problem."

Some people have computers with the OS preinstalled, and no way to recover from problems like this except by wiping their hard drive, unless they've set up the system to boot into a menu that includes Recovery Console beforehand, either because their recovery CD just has an image, or they don't even have such a thing. This sort of thing should be taken very seriously.

I do not think that word means what you think it means.

"And just once, can the MS haters please refrain from the typical "Well, that proves [Window$ / Winderz / Winblows] is [malware / virus], ha ha ha" comments?"

No. BWAHAHAHAHAHAHAHAAA!

Sorry, you asked for it. Hihihi. Haha. HahahahaHAAAAAhahaha. Cough. Hihihi.

[boot note: bad timing - it's Friday]

[windows boot note: ....]

First I've ever heard of them.

Forgive and ignorant penguinista, but don't these anti virus programs have a list of files not to wipe out, and digital signatures for them to spot when they have been modified?

Well, that proves selling videos of swatting causes less harm than looking for UFO's ha ha ha.

"and digital signatures for them to spot when they have been modified"

indeed, why don't they just assume any file digitally signed by MS that's valid is NOT infected?

Notice that this only impacts XP....

Vista and Win7 do exactly as you say and self-repair core system files. However as a portion of the OSS fanatics have been shouting about how poor Vista is (which I contest) there's an awful lot of machines that have Vista licences (and thus would be immune) but are running XP.

Same as the ActiveX vuln of late. Vsta and Win7 aren't exploitable due to securtiy improvements.

I recently got a Toshiba laptop, running Vista. I guess that I was spoiled by past experience; I never expected that anyone would ship a computer WITHOUT AN ACTUAL, LIVE, REAL, SYSTEM DISC. Toshiba did. I have since found out that Apple is, as usual, an exception to the rule in that they ship system discs with all their Macs and go so far as to state clearly, in the paper docs, in the read-me, in the first-run installer, and on their site, how to use that system disc in the event of a problem.

I screamed bloody murder to Toshiba. They shipped me _two_ system discs.

On some other systems (HP, I'm thinking of YOU) the vendor doesn't ship a system disc, but does have a recovery partition and has instructions on how to use that partition to restore the system to factory condition either directly or by burning your own system disc or both.

Anyone who runs a modern computer system and doesn't have access to the system discs, containing the OS (whichever OS he's using) and the drivers and the basic application set deserves what is going to happen to him.

CA = California = a broken, over-bloated operating system with an installed base of about 37,000,000 .. Spanish language version very popular ..

CA anti-virus though, = ca.com or "ca transforming IT management" .. they have "solutions" .. the tone of the site reminds me of Computer Associates, but surely that PoS-FUBAR company must have failed years ago

@Chris C .. please .. in 8-9 years using AVG free it's never destroyed or quarentined a critical sys file, and requires user action to quarentine ... only false positive I recall was free clickteam installer maybe 7 years ago .. not been infected since using it

point is well made, however, that all these products should include a whitelist of sorts that prevent critical OS files from being removed

Obviously CA didn't. They need shooting for that.

Is it really too difficult to type 'ca antivirus' into Google?

*sigh*

@ Ken Hagan -- re: Re: White list?

"Er, no. It would, of course, be pretty simple to auto-generate such a whitelist by checking for the signature that Microsoft's OS team use for their own code but I imagine they have religious objections to that."

Actually, assuming that all files signed by Microsoft are "safe" is an EXTREMELY BAD IDEA. It's one of those that sounds good on the surface, but breaks horribly when put into practice. Here's an example why:

http://www.theregister.co.uk/2001/03/23/microsoft_vexed_by_falsified_certs/

Excerpt: "Microsoft is scrambling to revoke two digital certificates that were issued last January by California-based VeriSign to a scam artist posing as a Microsoft employee. ... On 30 and 31 January [2001], someone posing as a Microsoft employee persuaded VeriSign, the largest US certificate authority, to issue two certificates under Microsoft's name."

Sure, it's from 2001, but don't for a minute assume it couldn't happen again.

------------------------------------------------------------

@ flybert re: @ AC ?CA?

"@Chris C .. please .. in 8-9 years using AVG free it's never destroyed or quarentined a critical sys file, and requires user action to quarentine ... only false positive I recall was free clickteam installer maybe 7 years ago .. not been infected since using it"

You obviously missed the news this past November:

http://www.theregister.co.uk/2008/11/11/avg_false_positive/

Excerpt: "Some users of AVG were left with unusable Windows systems after the popular AVG security scanner software slapped a Trojan warning on a core Windows component. AVG tagged user32.dll as a banking Trojan following a signature update issued on Sunday, advising users to delete the "harmful file". Users following this advice would be left with systems that either failed to boot or went into a continuous reboot cycle, according to dispatches from those hit by the glitch. Users of both AVG 7.5 and 8 (free and full fat editions) were hit by the snafu. AVG has admitted the problem and responded by posting advice on how to recover affected systems."

Also, I'm nearly positive AVG can be configured to automatically "heal" infected files. Don't get me wrong, AVG (prior to 8.0) was the best of the AV apps I've seen or used. But like the rest, they're not immune to false-positives.

"... and signatures on disk could be compromised by a clever virus."

Er, no they can't. That's the point. The security of all e-commerce, large amounts of military command and control, and just about every piece of IT infrastructure on the internet rests pretty much on the fact that one *cannot* modify a message (or executable file) and make a corresponding mod to the signature such that it still appears to be correctly signed by the original author. If there are viruses out there that can do this then I think we'd have heard, although I accept that perhaps it might have been drowned out by the crash of the sky falling in.

You are correct that an actual whitelist of filenames is a silly idea and a whitelist of file hashes would be out of date before it got into circulation, but "whitelisting" (in the colloquial rather than literal sense) based on signatures is simple and foolproof technique. AV vendors who do not implement this are negligent. They should be named and shamed, and every review of their software should make a big point about how rubbish they are and how no-one in their right mind should risk using the product. It's that simple.

Then again, *customers* who install AV software without this protection are even more negligent. The AV vendor can hide behind their "buyer beware" EULA. What's the sys-admin's excuse? ("Hey Boss, sorry the entire company's down this morning but I installed some software with root privileges that is remotely updated by a third party and it just bricked everyone's machine. Er, no, it doesn't have any safeguards against this kind of thing. We just hoped it wouldn't happen. Er no, we can't sue them because I signed off on their EULA. Er no, our competitors are probably still running because they'll have paid their dues to the AV company and are therefore running the same version of the engine that the AV company tests against. Er no, I haven't got another job to go to, or a lawyer.")

Wouldn't have been so bad if it didn't just quarantine the files but said I think this is infected, do you want to deal with it. First I knew was when the 2 office computers came up with a Windows service pack 3 message within a few mins of each other (guess they'd just updated).

To make matters worse, it zaps the files into quarantine then when you recover them, it zaps them again within seconds! Not done anything bad for all the years we've used it, but there are a few things they and other AV products need to think about.

Probably not - I've certainly heard your line often enough before. Try to come up with something new, gimps - you're not witty after the first two hundred times, nor in fact long before that.

Computer Associates? I still use some of their tape backup software. They are the most difficult company I ever had to deal with. Product is poor, tech support almost non-existent. Trying to get a live person on the phone is a nightmare. I would never, ever use anything of theirs again...