back to article Dodgy BitDefender update bricks systems

A dodgy update from BitDefender on Saturday bricked Win 64-Bit systems after it was applied. Rogue signature updates meant that multiple Windows and BullGuard files were falsely flagged as infected with a Trojan (now identified as Trojan-FakeAlert-5) and quarantined. Affected systems were subsequently left with applications that …

COMMENTS

This topic is closed for new posts.
FAIL

Your screwed!

The advice for home users requires booting from the appropriate Windows installation disc and using the repair option.

How many home users have a copy of the windows installation disc?

That right your screwed!

1
0
Grenade

number of malware threats

Given the total number of malware threats, isn't it the case that these false positives are going to increase. A virus signature is a hash of a variable length string. As such the function maps from a larger set to a smaller set.

Isn't it patently obvious by now that Anti-Virus software doesn't work. A better solution is a core OS that only allow a whitelist of approved apps to run. The approved-app detector running in read-only memory. Of course for such to work, the Memory Management unit would have to be immune to buffer-overflow attacks. Something the innovators don't seem to be able to do.

1
0
Flame

Re: number of malware threats

"A virus signature is a hash of a variable length string."

No, it is not. It is clear, that you have no clue how virus scanners work. Your knowledge on this subject is outdated by some 15 years.

"Isn't it patently obvious by now that Anti-Virus software doesn't work."

No, it is not. You falsely equate "Anti-Virus Software" with "virus scanners", you assume that a false positive every few months means "doesn't work" and you seem to think that using virus scanners against the current threat landscape is considered a proper line of defense. I suggest that you leave the anti-virus stuff to the anti-virus people and concentrate on something you actually know something about.

"A better solution is a core OS that only allow a whitelist of approved apps to run."

Aw, really. And who is going to approve them? The user? S/he will approve malware in a snap. The security administrator? Guess who's the secadmin for the home machine? Some kind of central entity (like a whitelist-producing company)? There are a few and they admit that the number of known good progras is SEVERAL ORDERS OF MAGNITUDE larger than the number of known malicious ones.

If there was an "easy" solution to the malware problem - don't you think that somebody would have come up with it by now??

0
0

It's a bit more difficult than that

Read only memory makes things difficult (how do you dynamically create or modify objects? If you allow write to .data sections you open up buffer overflows again. You can't write protect the ret addr on the stack because you have no way of knowing exactly where it will be, and you'd affect the whole page, likely borking someones temp buffer in the process) and whitelists aren't going to be a great help with current malware.

Whitelists have to be stored somewhere. Bearing in mind plenty of malware is capable of entering ring-0 via various routes to hide its presence, the whitelists are more than capable of being modified and their modification hidden. It will stop the "hey, install me and get free pr0n" types of installations, but the various exploits that do the rounds won't be affected at all.

The only real solution is unfortunately in hardware, but that makes chips more expensive, and requires OS producers to substantially modify their products.

It costs an awful lot of money to design and fab a wafer - you need to make sure you get your money back, and if there's little to no software to run on it how do you intend to make a profit? People will need to buy new software (or possibly run a VM but there's no guarantee the hardware would be sufficiently powerful to do that) so they won't upgrade until they have to (c/f Win 2k/XP, IE6 etc). x86 has been around an awful long time and will be difficult to displace in the home and office sectors.

In other words, we're screwed for a long time yet :( Apples movement to x86 doesn't help matters. The real solution (please don't laugh at this) is improved coding practices. I said don't laugh!

0
0
Jobs Halo

Re: number of malware threats

> Aw, really. And who is going to approve them?

What kind of stupid question is this - of course it's going to be Apple.

0
0
Coat

Almost concerned!

Until I realised this just affects Windows systems

Nothing to do with me, I'm moving along, mines the coat with the penguin guard dog (asleep)

0
0
Anonymous Coward

Oh damn!

I'm on a Windows machine! I must be fucked! Jeez, all those years of my systems never being compromised, down the drain!

Oh, wait. You must be Weebl.

0
0

BitDefender message

On behalf of BitDefender, we are very sorry for the problems that our update may have caused to your computers. We understand your disappointment, we have already solved the problem for many of our users and we are definitely trying to do the same for all other affected users.

We have released a solution for this situation and you can access it here:

http://www.bitdefender.com/site/KnowledgeBase/consumer/#638

If there are any unexpected situations, we kindly ask you to contact our support team directly via email, chat, phone or forum at http://www.bitdefender.com/site/Main/contactEmail/

Thank you for your understanding.

0
0
Silver badge
FAIL

Why don't they test these things properly first??

A recent AVG 9.0 update didn't brick systems, but it's still incapable of working nicely with Zone Alarm and caused browsing problems for a lot of people.

The only way I found to get it working properly was to re-install it but remove the Link Scanner.

Once again I think updates should be released to the staff of the companies first, so they can properly Beta test it!

2
0
Silver badge
Linux

The bad old days

Oh dear. Zone Alarm, are they still around?

So glad I no longer have to live or work in a world where it is still necessary to use products such as Zone Alarm, Spybot and anything from Symantec. Or Mcafee. Or BitDefender it appears.

Thank god for the Penguin!

0
1

wait

until linux appears on the malware authors radar.

a long wait i'll wager, a damned long wait, but it could happen.

0
0
Thumb Down

Maybe petty, but...

It actually bricked the system? Turned it into a paperweight? I think not.

0
0
FAIL

@BitDefender message

How about "stop apologizing and work on a fix"?

While Doc. Bontchev is right about the good files being several orders of magnitude more than the bad ones, core Windows files should be whitelisted against ANYTHING.

I mean, how hard can it be to keep track of Redmond's files and do a whitelist of them?

From last few years, every time a AV soft bricks boxes, it comes down to identifying Windows files as threats, so, what sort of catastrophic failure is it gonna take to get them on a whitelist?

And please dont use "resource usage" as an excuse, since the white list check only comes after a detection. Using a few more cycles per detection to avoid this sort of snafu is a drop of water on the ocean of resource waste that AV's already are.

0
0
WTF?

Because viruses never infect system files?

Because viruses never infect system files?

0
0

BitDefender message

@Nuno trancoso

The solution we developed immediately for the situation is already here:

http://www.bitdefender.com/site/KnowledgeBase/consumer/#638

0
0

BullGuard Oficial Statement

To all concerned BullGuard costumers,

Please accept my sincerest apologies for the problems you experienced this weekend. The problem was caused by a faulty update which mistook ordinary operating system files for infected files.

BullGuard takes full responsibility for the inconvenience you have experienced and we are doing everything in our power to help all the affected users restore your computer, and to ensure that this will not happen again.

What happened?

• On Saturday, March 20 at 16:40 GMT BullGuard released a signature update, which erroneously detected many operating system files as infected with "Trojan.FakeAlert.5".

• At 17:18 GMT we removed the faulty signature update from our server and rolled back to the previous one.

• At Sunday 21st at 11:40 GMT the signature update was repaired and released again.

The BullGuard Support Team is ready to assist you 24/7, as always. Live Support will still provide you with instant support, and can be accessed by following this link:

http://bullguard.com/support/live-support.aspx

You can also contact us by e-mail. Please be advised that due to increased e-mail traffic caused by this incident, we have had to temporarily switch to a response time of 24 hours for all e-mails received.

Additionally, we believe that the following links will be helpful to you:

• Initial troubleshooting steps:

http://bullguard.com/support/system-status.aspx

• Further troubleshooting information for all operating systems affected:

http://bullguard.com/support/tech-guides.aspx

Again, I sincerely apologize for the problems and inconvenience this has caused.

0
0
Silver badge
Joke

Windows system files marked as malicious?

There's an obvious joke here, I'll leave you to tease it out of your own consciousness.

Sometimes I'm really rather glad my only remaining Windows instance is a VM. :-)

Steven R

0
0
FAIL

grrrrr

Yeah so I did what they said on bull****'s forum for my mum's p.c (restore files from quaratine etc) and guess what? It didnt work, p.c was unbootable. So much so that even startup repair (HA! wtf?) claimed the OS was incompatible so had to do a factory reset.

Naturally once this was done, the FIRST thing I got her to do was UNINSTALL Bull****.

In their defense, when I made them aware that their instructions were as ueful as a chocolate teapot, they did act on it and change them fairly promptly.

0
0
Linux

Re: number of malware threats

>> "A virus signature is a hash of a variable length string."

> No, it is not. It is clear, that you have no clue how virus scanners work. Your knowledge on this subject is outdated by some 15 years.

What's your definition of a 'virus signature' and don't invoke, heuristic analysis would you .. :)

>> "Isn't it patently obvious by now that Anti-Virus software doesn't work."

> No, it is not. You falsely equate "Anti-Virus Software" with "virus scanners", you assume that a false positive every few months means "doesn't work" and you seem to think that using virus scanners against the current threat landscape is considered a proper line of defense. I suggest that you leave the anti-virus stuff to the anti-virus people and concentrate on something you actually know something about.

I notice how you do not respond to my point and instead choose to engage in a little semiotic pedentry. And I don't think 'virus scanners' are a proper line of defence. I repeat, if "Anti-Virus Software" actually worked then explain that to companies like TJX. It only takes one false negative for your whole business to be compromised.

http://www.itbusinessedge.com/cm/blogs/bentley/tjx-heartland-hacker-was-on-secret-service-payroll-as-informant/?cs=40249

>> "A better solution is a core OS that only allow a whitelist of approved apps to run."

> Aw, really. And who is going to approve them? The user? S/he will approve malware in a snap. The security administrator? Guess who's the secadmin for the home machine? Some kind of central entity (like a whitelist-producing company)? There are a few and they admit that the number of known good progras is SEVERAL ORDERS OF MAGNITUDE larger than the number of known malicious ones.

You're talking total noncense, if you don't mind me saying so. AV software/scanners rely on recognising an ever increasing list of known signatures. As such it only take one unknown signature for total system compromise. You don't have to take my word for this. Have a read of this. Take special notice of the bit on "enumerating badness", and why it is a bad idea.

http://www.ranum.com/security/computer_security/editorials/dumb/

> If there was an "easy" solution to the malware problem - don't you think that somebody would have come up with it by now??

Obviously not you. In this case I do eat my own dog food. I run Ubuntu off a read-only USB device.

0
0
Linux

It's a bit more difficult than that

> Read only memory makes things difficult (how do you dynamically create or modify objects? If you allow write to .data sections you open up buffer overflows again ..

Yea, buffer overflows overwriting the stack or heap corruption, an innovation unique(?) to how the x86 MMU handles memory. I do know there are various solutions to mitigate these type of vulnerabilities, such as ASLR and marking the stack noexec. Such solutions being open to exploition. Solution: a MMU that irrovacible allocates data or executable pages, that can't be altered/exploited by any subsequent malicous code.

> whitelists aren't going to be a great help with current malware. Whitelists have to be stored somewhere. Bearing in mind plenty of malware is capable of entering ring-0 via various routes to hide its presence ..

Well, yea, the root cause of the malware infestation is the defective WinTEL Memory Management Unit. As in, it can't prevent malicous processes walking all over memory space. How about a second embedded system that performs security functions. That runs before the main system kicks in. Current embedded hardware is powerfull enough to perform the task.

> The only real solution is unfortunately in hardware, but that makes chips more expensive, and requires OS producers to substantially modify their products.

Yes ..

> It costs an awful lot of money to design and fab a wafer - you need to make sure you get your money back ..

See second embedded system ..

0
0
This topic is closed for new posts.

Forums