
Article: 'Catastrophic' Avira antivirus update bricks Windows PCs

Security software biz Avira has apologised after its antivirus suites went haywire and disabled customers' Windows machines. A service pack issued on Monday caused its ProActiv monitoring software to think vital operating system processes were riddled with malware and blocked them from running. Users of the affected products - …

COMMENTS

This topic is closed for new posts.


Anonymous Coward

muppets

Seriously, who would use this software in a business?

4
6
Linux

Re: muppets

Yes - I agree

Why would you ever use an operating system that is susceptible to viruses?

I remember the dark ages when I used to actually bother with those anti-virus shites....

15
20
Facepalm

Re: muppets

Is that a troll or what?

Are you working in I.T. or just a fan?

If working, do any of your machines use Windows?

2
7
Anonymous Coward

Re: muppets

McAfee DELETED svchost.exe after a bad sig update about 2 years ago.

Not fun :(

5
0
Silver badge
Go

Footgun

@yossarianuk Exactly. If you need antivirus you're doing it wrong.

4
8
Silver badge
Linux

Re: muppets

What would you recommend, AC? I have been using Avira Antivir Professional for four years and have never had a false-positive problem with their product. I seriously had to double take when I saw the article title.

2
0

Re: muppets

Avast! free edition, never had a virus or any problems.

2
1
Anonymous Coward

@yossarianuk

You sound an awful lot like an OS X user from a few years ago...

Never learn anything from History, that's my motto!

3
1
Bronze badge
Happy

@yassarianuk: "Thou shouldst not cast pearls before them"

"Casting pearls before the" sw... MS Windows protagonists is not a very good idea. Alas, I often find myself doing the exact same thing, <lat>quod etiam peccatum meum est</lat> (which is also my sin).

2
0
Silver badge
FAIL

Re: muppets

Avast! free edition, never stops a virus until months after it's in the wild.

There, fixed it for you.

1
0

Re: muppets

We do.

We went through a thorough testing procedure before settling on an AV solution, and Avira had the lowest performance hit of any solution. We were getting a performance boost in some situations of 20-40% on slower PCs over McAfee and Sophos.

It's been great from an Enterprise perspective. Their central management suite works a hell of a lot better than McAfee's EPO, and the agents are much more seamless to deploy than with Sophos (where the agent installs seemed to always find a different random deployment problem each time).

We were really happy until it bricked all our PCs on Tuesday. That can happen to anyone (it happened to McAfee not long ago). Thankfully, it was pretty easy to recover from in our situation, and we were back up and running within 20 minutes.

2
1
Paris Hilton

Re: muppets

HAHAHAHA WHO SAYS APPLE NEVER GET VIRUSES NOW HAHAHAHA

0
1
Bronze badge

Re: muppets

"HAHAHAHA WHO SAYS APPLE NEVER GET VIRUSES NOW HAHAHAHA"

Now waiting for the bad guys to switch their attention to Linux.

Perhaps I ought to dust off my old MVS skills :-)

0
0

Re: muppets

Is there such a thing as an OS that *isn't* 'susceptible' to viruses? Give the coder enough time and I bet they'd be among your machines tout de suite.....

0
0
JDX
Gold badge
Mushroom

Mandatory "doing the world a service" comment

That is all.

1
2
Silver badge
Trollface

Re: Mandatory "doing the world a service" comment

Certainly so in the case of Google Updater. It's in constant connection with the C&C server uploading private data and waiting for orders.

1
2
Silver badge

How did they hit that many?

Mistaken anti-virus hits usually only knock out one program that happened to trigger a new signature. How did they manage to hit that many? Or was it one core windows component that all of them used?

1
1
Anonymous Coward

Re: How did they hit that many?

Anti-virus software uses heuristics which are defined on Wikipedia as "Examples of this method include using a rule of thumb, an educated guess, an intuitive judgment, or common sense."

Such an approach can be too sensitive; one mistake and it will pick up lots of things.

1
0
Silver badge

Nice testing procedure

So they obviously:

1) Don't test their updates against a single Windows PC before sending them out.

2) Don't have a whitelist of known-good checksums of critically important, unchanging and pretty prevalent Windows system files.

3) Don't have a way to safely undo mistakes.

4) Don't put out an update that only touches the minimum of what it needs and lets USERS flag stuff as bad or not because it knows better.

and Windows, apparently, doesn't have a way of stopping programs from bricking the operating system by deleting critical files. Nice to know. (And, no, I don't care if you ARE an administrator user or not - you shouldn't be able to do this programmatically without at least warning the user first!)

7
3

Re: Nice testing procedure

windows does try and protect it's files

Unfortunately, it protects them in the same way as malware protects itself, so anti-virus software uses methods that bypass the protection systems.

2
3
Linux

Re: Nice testing procedure

"and Windows, apparently, doesn't have a way of stopping programs from bricking the operating system by deleting critical files."

If it's done by a process with significant privileges, very few operating systems do out of the box. To be functional an antivirus program is going to need those significant privileges.

So to be fair, that bit isn't really a Windows issue.

Being able to delete critical files as a standard user ... that's a different matter.

8
0
Anonymous Coward

windows does try and protect it's files

it is files?

17
0
Gold badge

Re: Nice testing procedure

They obviously also:

5) Don't understand digital signatures.

Let's assume your crapware has just flagged a Microsoft-signed file as a virus. What now?

If you believe that the black hats have got their paws on the private keys used to sign Windows itself, you should just give up. You cannot protect a system if the bad guys wrote it.

If, on the other hand, you believe the signature is valid, that means the file is supposed to exist and its contents are exactly as Microsoft intended them to be. What do you think is going to happen when you delete it? Is it going to be a nice end-user experience? Is it going to be tomorrow's headline in the IT press?

Questions, questions...

4
0
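The two checks asked for in the comments above (an allow-list of known-good hashes for critical system files, and respecting a valid Microsoft digital signature before blocking anything) can be expressed as a gate in front of the behaviour heuristic. The following PowerShell is an added example written for this page; it is not Avira's code, not from the article, and not a description of how ProActiv actually works. The file list is taken from the names that appear in the thread (svchost.exe, cmd.exe, notepad.exe, regedit, iexplore.exe) and is an assumption for illustration; the function names are invented here. It uses only the built-in cmdlets `Get-FileHash` and `Get-AuthenticodeSignature`.

```powershell
#Requires -Version 3.0
# Added example, not part of the original thread or of any AV product.
# Gate applied when a behaviour heuristic has flagged a file: consult a
# hash allow-list and the Authenticode signature before allowing a block.

# Paths named in the thread; the selection is an assumption for illustration.
$CriticalFiles = @(
    "$env:SystemRoot\System32\svchost.exe",
    "$env:SystemRoot\System32\cmd.exe",
    "$env:SystemRoot\System32\notepad.exe",
    "$env:SystemRoot\regedit.exe",
    "${env:ProgramFiles}\Internet Explorer\iexplore.exe"
)

function New-SystemFileBaseline {
    # Build the allow-list on a machine known to be clean (a fresh reference
    # image) and ship it with the signature update. Building it on the
    # machine being scanned, after the fact, would defeat the point.
    param([string[]]$Paths = $CriticalFiles)
    $baseline = @{}
    foreach ($p in $Paths) {
        if (Test-Path -LiteralPath $p) {
            $baseline[$p.ToLowerInvariant()] = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        }
    }
    return $baseline
}

function Test-MicrosoftSigned {
    # True only if WinVerifyTrust accepts the signature and the signer is
    # Microsoft. Caveat: most System32 binaries are catalog-signed rather than
    # embedded-signed; Get-AuthenticodeSignature consults the catalogs on
    # Windows 8 and later, but on older systems such files report NotSigned.
    # The subject-string match is illustrative; a production check would pin
    # the expected root certificate thumbprint instead.
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') { return $false }
    return $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation'
}

function Get-BlockDecision {
    # Returns the action the engine may take on a heuristic hit:
    # 'Allow' (known-good), 'Review' (log, never auto-block) or 'Block'.
    param(
        [string]$Path,
        [hashtable]$Baseline
    )
    $key = $Path.ToLowerInvariant()
    if ($Baseline.ContainsKey($key) -and (Test-Path -LiteralPath $Path)) {
        $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        if ($hash -eq $Baseline[$key]) {
            return [pscustomobject]@{ Path = $Path; Action = 'Allow'; Reason = 'matches known-good hash' }
        }
        # Hash changed (e.g. after Windows Update): fall through to the
        # signature check rather than blocking on the hash mismatch alone.
    }
    if (Test-MicrosoftSigned -Path $Path) {
        return [pscustomobject]@{ Path = $Path; Action = 'Review'; Reason = 'valid Microsoft signature; heuristic hit logged for human review' }
    }
    return [pscustomobject]@{ Path = $Path; Action = 'Block'; Reason = 'not allow-listed and not Microsoft-signed; heuristic verdict stands' }
}

# Usage (demonstration only: here the baseline is built on the same machine
# it is checked against, which a real deployment must not do).
$baseline = New-SystemFileBaseline
$CriticalFiles | ForEach-Object { Get-BlockDecision -Path $_ -Baseline $baseline } | Format-Table -AutoSize
```

The design point is the one the commenter makes: a valid Microsoft signature means the file is exactly what Microsoft shipped, so the only sane automatic action on a heuristic hit is to record it for a human, never to block or delete. The case the check cannot cover, a stolen Microsoft signing key, is also the case in which no endpoint product can help.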
Silver badge

Re: Nice testing procedure

I agree that most operating systems don't. But that's no excuse if you're supposed to be making a "world-beating" operating system that's focused on security - because there's no barrier to making it work properly at all.

And MS is supposed to have their "system protection", etc.. How hard is it, precisely, to prevent certain files being deleted without being in a "system maintenance mode", or requiring an actual human's permission to do so (that was the whole POINT of the annoying UAC wasn't it?).

I'm really waiting for the day where your computer can be in either "usage" or a minimal "maintenance" mode and only in maintenance mode can you do updates, change bootloaders, play with critical files, etc. and only in usage mode can you log in as other users, browse the web, move files around, execute programs etc. And having NO PROGRAMMATIC WAY to switch between the two modes at all, and not have any processes survive the transition.

We have a sort of fake pseudo mentality that almost does this ("no running as root normally", "safe mode", etc.) but they never quite cover that the two modes of operation are distinctly different beasts.

2
0
Anonymous Coward

Re: windows does try and protect it's files

It's a counter-intuitive rule, that one, but one we learn all the same. Perhaps people registering with El Reg could also be directed to a 'there, their, they're' lesson, and prove that they can disable their caps-lock key, too. It would get rid of one regular troll, at least....

2
0
Anonymous Coward

Re: windows does try and protect it's files

Also, right alongside their/there/they're is your/you're

Perhaps commentards could also prove their (there? they're?) ability to 'lose' the habit of using 'loose' when they mean misplace or abandon.

2
0
Boffin

Re: Nice testing procedure

"I'm really waiting for the day where your computer can be in either "usage" or a minimal "maintenance" mode and only in maintenance mode can you do updates, change bootloaders, play with critical files, etc"

If you want something like that, try using a Linux/BSD variant set up to mount /sbin, /etc, /usr/sbin, and others as read-only when in "usage" mode and read/write when in "maintenance" mode.

Or for added security you could use a device with a physical read-only switch for the drive/partition that holds those core parts. For standard user "usage" you only need write access to /home, /var, and a couple of others. It's been a while, but I'm sure a quick google will confirm what can be mounted read-only.

Used to run a firewall off of an old P1 with Debian running off of a CD but with /var mounted on a drive.

2
0
Silver badge
FAIL

Re: Nice testing procedure

>You cannot protect a system if the bad guys wrote it.

Did anybody see that Ballmer was top of the Forbes list of the worst CEOs? What a douche nozzle he is. Obviously he didn't write it but he made sure the same business practices would continue.

1
0

This post has been deleted by its author

Gold badge
Facepalm

Re: Nice testing procedure

> And MS is supposed to have their "system protection", etc..

Yes, but you granted your A/V suite system level privilege when you installed it, precisely so it could clean up infected system files. That's what the UAC warning you got on installation was for.

ISTR that MS did want to restrict that level of access purely to the O/S itself, but the A/V vendors threatened legal action......

0
0

Re: Nice testing procedure

RE:"And MS is supposed to have their "system protection", etc.. How hard is it, precisely, to prevent certain files being deleted without being in a "system maintenance mode", or requiring an actual human's permission to do so (that was the whole POINT of the annoying UAC wasn't it?)."

1) I don't think a Windows service triggers a UAC prompt. If it did, it would break all sorts of Windows functions (including Windows update). It would be a similar situation if Unix required daemons to run under the restrictions imposed by sudo, or so I believe.

2) Requiring a user to switch an OS to a "maintenance mode" to update would be a good way of ensuring that a lot of users never update their OS. The likes of Microsoft, Apple and the various Linux vendors are having trouble ensuring people keep their OSes up to date with the mostly automatic systems in place now; how are they going to do that when people need to switch the OS to a different mode? In the meantime, bad guys would merely find a way around the protection without switching to a separate mode..

0
0
Bronze badge

Re: Nice testing procedure

It would be nice if you read the article before posting.

3) It was possible to safely undo the mistake. By turning off the blocking. And for people who find that too difficult, it happened automatically when they brought out the update.

And, it didn't delete any files. It was just a part of a system which (brokenly) blocked suspicious behaviour.

And, you think users should be allowed to delete critical system files just by answering 'yes' to a warning? Sheesh. Glad I don't support your OS.

0
0
Gold badge
Trollface

Re: windows does try and protect it's files

Actually, I rather like the big dumb guy. Obviously I found him annoying the first day he arrived, but as soon as it became obvious that he was just trolling on every post it was rather fun to see how many people he could get each time.

A lot like amanfrommars, in fact. Maybe they are the same guy?

0
0
Trollface

Seems apt.

Google updater? iexplore.exe? Potentially harmful?

Say it ain't so!

5
1

Behaviour classification

Disabling the web browser and the registry editor? That sounds suspiciously like malware behaviour.

1
0
Anonymous Coward

Service pack zero?

If I went to buy a car and they told me they'd send me the steering wheel later, I'd be suspicious.

1
0

@Gerard Krupa

It isn't suspiciously like malware behaviour, it is malware behavior absolutely outright. Avira should face a very large fine in line with actual malware suppliers as this has damaged far, far more computers utilising exactly the same methods.

0
7
Anonymous Coward

That's a silly argument.

It is "malware behaviour" only in the same sense that everything that any software ever does is malware behaviour: creating and deleting files and changing their contents. The fact that it deleted the wrong files is a mistake, not "malice", which requires intent.

4
0
Anonymous Coward

Re: @Gerard Krupa

So McAfee is going to send everyone compensation for the time they bricked WinXP SP3 by flagging svchost.exe as a virus?

I'll go check the post - thanks!

0
0

No iexplore, no cmd? No, that's a PC that's been secured.

For complete security remove power and network cable

1
5

<sarcasm on>

Why not just turn it off?

<sarcasm off>

Got to love so called IT people who think that security is removing / disabling any piece of software that actually aids a user rather than sensible solutions.

1
0

And that the user. 100% secure.

0
0
Anonymous Coward

I always knew notepad.exe was secretly very dodgy.

5
0
Anonymous Coward

What's new?

Not exactly the first time something like this has happened. I'm fairly sure I've heard instances in the past where all the big name AV brands have done something similar - maybe many years ago for some of them but they're all just as bad as each other.

1
0
Silver badge

Re: What's new?

Aye, I remember a supposedly uninstalled copy of Norton that blocked access to Hotmail... Bloody thing came with the PC. Thanks, HP!

0
0
Flame

Brick?

No, it's bloody not bricked. Windows is not firmware. If it somehow overwrote the code on the motherboard's EEPROM, then it would be bricked. Until such time, it's a corrupt OS, i.e. soft and sod-all to do with hard or firm.

8
2
Silver badge
Mushroom

Re: Brick?

semantics.

If my ONLY machine is a Windows machine, and I cannot use it to repair itself, then it is, to all intents and purposes, bricked. Now this scenario is unlikely in any commercial setting - ideally *someone* would have an unaffected machine, from which a BootCD could be burned, to help fix the other machines. However, to a lowly home user, especially a non-tech savvy one, then having their machine borked could be a big deal.

Quite a few one-man-band IT specialists have created their own Linux distro, which they leave with clients, who can boot from it in the event of a disaster. They establish an OpenVPN link back to the mothership, where remote jiggery-pokery can save the day.

4
4

Re: Brick?

I agree. The word "brick" has come to have a very specific meaning--crippling a device (by overwriting firmware) to the extent that it is permanently unusable or so that only the factory can repair it. We would have the same complaint if a headline said "Bin Laden dead" when he'd only gotten a flesh wound.

1
0

What number of patch?

"Service Pack 0"

Zero?

Well that would have made me suspicious straightaway.

I mean, it's like V1.0 of a Microsoft product; you just don't, do you?

1
2
