'Catastrophic' Avira antivirus update bricks Windows PCs

Security software biz Avira has apologised after its antivirus suites went haywire and disabled customers' Windows machines. A service pack issued on Monday caused its ProActiv monitoring software to think vital operating system processes were riddled with malware and blocked them from running. Users of the affected products …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    muppets

    seriously who would use this software in a business?

    1. yossarianuk
      Linux

      Re: muppets

      Yes - I agree

      Why would you ever use an operating system that is susceptible to viruses?

      I remember the dark ages when I used to actually bother with those anti-virus shites....

      1. mark 63 Silver badge
        Facepalm

        Re: muppets

        is that a troll or what?

        Are you working in I.T or just a fan?

        If working do any of your machines use windows?

        1. Anonymous Coward
          Anonymous Coward

          Re: muppets

          McAfee DELETED svchost.exe after a bad sig update about 2 years ago.

          Not fun :(

      2. Mikel
        Go

        Footgun

        @yossarianuk Exactly. If you need antivirus you're doing it wrong.

      3. Anonymous Coward
        Anonymous Coward

        @yossarianuk

        You sound an awful lot like an OS X user from a few years ago...

        Never learn anything from History, that's my motto!

      4. eulampios
        Happy

        @yassarianuk: "Thou shouldst not cast pearls before them"

        "Casting pearls before the" sw... MS Windows protagonists is not a very good idea. Alas, I often find myself doing the exact same thing, quod etiam peccatum meum est (which is also my sin).

      5. Rhino

        Re: muppets

        Is there such a thing as an OS that *isn't* 'susceptible' to viruses? Give the coder enough time and I bet they'd be among your machines tout de suite.....

    2. Miek
      Linux

      Re: muppets

      What would you recommend AC? I have been using Avira Antivir Professional for Four Years and have never had a false-positive problem with their product. I seriously had to double take when I saw the article title.

      1. King Jack

        Re: muppets

        Avast! free edition, never had a virus or any problems.

        1. asdf
          FAIL

          Re: muppets

          Avast! free edition, never stops a virus until months after it's in the wild.

          There fixed it for you.

    3. Anonymous Coward
      Anonymous Coward

      Re: muppets

      We do.

      We went through a thorough testing procedure before settling on an AV solution, and Avira had the lowest performance hit of any solution. We were getting a performance boost in some situations of 20-40% on slower PCs over McAfee and Sophos.

      It's been great from an Enterprise perspective. Their central management suite works a hell of a lot better than McAfee's EPO, and the agents are much more seamless to deploy than with Sophos (where the agent installs seemed to always find a different random deployment problem each time).

      We were really happy until it bricked all our PCs on Tuesday. That can happen to anyone (it happened to McAfee not long ago). Thankfully, it was pretty easy to recover from in our situation, and we were back up and running within 20 minutes.

    4. Anonymous Coward
      Paris Hilton

      Re: muppets

      HAHAHAHA WHO SAYS APPLE NEVER GET VIRUSES NOW HAHAHAHA

      1. Wensleydale Cheese

        Re: muppets

        "HAHAHAHA WHO SAYS APPLE NEVER GET VIRUSES NOW HAHAHAHA"

        Now waiting for the bad guys to switch their attention to Linux.

        Perhaps I ought to dust off my old MVS skills :-)

  2. JDX Gold badge
    Mushroom

    Mandatory "doing the world a service" comment

    That is all.

    1. Dan 55 Silver badge
      Trollface

      Re: Mandatory "doing the world a service" comment

      Certainly so in the case of Google Updater. It's in constant connection with the C&C server uploading private data and waiting for orders.

  3. Christoph

    How did they hit that many?

    Mistaken anti-virus hits usually only knock out one program that happened to trigger a new signature. How did they manage to hit that many? Or was it one core windows component that all of them used?

    1. Anonymous Coward
      Anonymous Coward

      Re: How did they hit that many?

      Anti-virus software uses heuristics which are defined on Wikipedia as "Examples of this method include using a rule of thumb, an educated guess, an intuitive judgment, or common sense."

      Such an approach can be too sensitive and one mistake and it will pick up lots of things.

  4. Lee Dowling Silver badge

    Nice testing procedure

    So they obviously:

    1) Don't test their updates against a single Windows PC before sending them out.

    2) Don't have a whitelist of known-good checksums of critically important, unchanging and pretty prevalent Windows system files.

    3) Don't have a way to safely undo mistakes.

    4) Don't put out an update that only touches the minimum of what it needs and lets USERS flag stuff as bad or not because it knows better.

    and Windows, apparently, doesn't have a way of stopping programs from bricking the operating system by deleting critical files. Nice to know. (And, no, I don't care if you ARE an administrator user or not - you shouldn't be able to do this programmatically without at least warning the user first!)

    1. Jess--

      Re: Nice testing procedure

      windows does try and protect it's files

      unfortunately it protects them in the same way as malware protects itself so anti-virus software uses methods that bypass the protection systems

      1. Anonymous Coward
        Anonymous Coward

        windows does try and protect it's files

        it is files?

        1. Anonymous Coward
        2. Anonymous Coward
          Anonymous Coward

          Re: windows does try and protect it's files

          It's a counter-intuitive rule, that one, but one we learn all the same. Perhaps people registering with El Reg could also be directed to a 'there, their, they're' lesson, and prove that they can disable their caps-lock key, too. It would get rid of one regular troll, at least....

          1. Anonymous Coward
            Anonymous Coward

            Re: windows does try and protect it's files

            Also, right alongside their/there/they're is your/you're

            Perhaps commentards could also prove their (there? they're?) ability to 'lose' the habit of using 'loose' when they mean misplace or abandon.

          2. Ken Hagan Gold badge
            Trollface

            Re: windows does try and protect it's files

            Actually, I rather like the big dumb guy. Obviously I found him annoying the first day he arrived, but as soon as it became obvious that he was just trolling on every post it was rather fun to see how many people he could get each time.

            A lot like amanfrommars, in fact. Maybe they are the same guy?

    2. Bakunin
      Linux

      Re: Nice testing procedure

      "and Windows, apparently, doesn't have a way of stopping programs from bricking the operating system by deleting critical files."

      If it's done by a process with significant privileges, very few operating systems do out of the box. To be functional an antivirus program is going to need those significant privileges.

      So to be fair, that bit isn't really a Windows issue.

      Being able to delete critical files as a standard user ... that's a different matter.

    3. Ken Hagan Gold badge

      Re: Nice testing procedure

      They obviously also:

      5) Don't understand digital signatures.

      Let's assume your crapware has just flagged a Microsoft-signed file as a virus. What now?

      If you believe that the black hats have got their paws on the private keys used to sign Windows itself, you should just give up. You cannot protect a system if the bad guys wrote it.

      If, on the other hand, you believe the signature is valid, that means the file is supposed to exist and its contents are exactly as Microsoft intended them to be. What do you think is going to happen when you delete it? Is it going to be a nice end-user experience? Is it going to be tomorrow's headline in the IT press?

      Questions, questions...
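Ken Hagan's point about validly signed system files, together with Lee Dowling's items 2 (a whitelist of known-good checksums) and 3 (a way to safely undo mistakes), describe a fail-safe gate that a behaviour blocker could apply before it acts on a detection. The block below is an added example written for this page; it is not code from the thread, from Avira's ProActiv or from any other product. It stands in a SHA-256 allowlist for signature verification, builds a constructed directory tree in place of a real System32, and uses hypothetical names (`BlockGate`, `decide`, `undo_all`, `demo`).

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class BlockGate:
    """Hypothetical gate a behaviour blocker consults before acting on a process image.

    Order of precedence: a known-good hash always wins over the heuristic score;
    an unknown file under a protected system directory is only ever alerted on,
    never blocked automatically; everything else is blocked only above threshold.
    Every block is journalled so a bad update can be reversed in one call.
    """

    def __init__(self, known_good: set[str], protected_dirs: list[Path], threshold: float = 0.8):
        self.known_good = known_good
        self.protected_dirs = [d.resolve() for d in protected_dirs]
        self.threshold = threshold
        self.blocked: list[Path] = []  # journal of automatic blocks, for undo

    def _is_protected(self, path: Path) -> bool:
        path = path.resolve()
        return any(path.is_relative_to(d) for d in self.protected_dirs)

    def decide(self, path: Path, heuristic_score: float) -> str:
        """Return 'allow', 'alert' or 'block' for one process image."""
        if sha256_file(path) in self.known_good:
            return "allow"  # allowlisted system file: the heuristic is not consulted
        if heuristic_score < self.threshold:
            return "allow"
        if self._is_protected(path):
            return "alert"  # suspicious but under a system path: escalate to a human
        self.blocked.append(path)
        return "block"

    def undo_all(self) -> list[Path]:
        """Release every automatic block (the 'undo' a bad signature update needs)."""
        released, self.blocked = self.blocked, []
        return released


def demo() -> dict:
    """Run the gate over a constructed tree that mimics a Windows layout."""
    root = Path(tempfile.mkdtemp())
    system = root / "Windows" / "System32"
    userdir = root / "Users" / "alice"
    system.mkdir(parents=True)
    userdir.mkdir(parents=True)
    # Constructed stand-ins; the contents are arbitrary bytes, not real binaries.
    (system / "svchost.exe").write_bytes(b"constructed stand-in for a signed system binary")
    (system / "unknown.dll").write_bytes(b"constructed: system-path file missing from the allowlist")
    (userdir / "dropper.exe").write_bytes(b"constructed: unknown binary in a user directory")

    known_good = {sha256_file(system / "svchost.exe")}  # the 'known-good checksum' list
    gate = BlockGate(known_good, protected_dirs=[system])

    # Give every file the same high heuristic score, as a bad update would.
    verdicts = {
        "svchost.exe": gate.decide(system / "svchost.exe", heuristic_score=0.99),
        "unknown.dll": gate.decide(system / "unknown.dll", heuristic_score=0.95),
        "dropper.exe": gate.decide(userdir / "dropper.exe", heuristic_score=0.95),
    }
    verdicts["undone"] = [p.name for p in gate.undo_all()]
    verdicts["blocked_after_undo"] = len(gate.blocked)
    return verdicts


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Running `demo()` shows the three outcomes side by side: the allowlisted svchost.exe is allowed regardless of score, the unknown file under the protected directory is raised as an alert for a human rather than blocked, and only the unknown binary in a user directory is blocked, after which `undo_all()` empties the journal.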

      1. Lee Dowling Silver badge

        Re: Nice testing procedure

        I agree that most operating systems don't. But that's no excuse if you're supposed to be making a "world-beating" operating system that's focused on security - because there's no barrier to making it work properly at all.

        And MS is supposed to have their "system protection", etc.. How hard is it, precisely, to prevent certain files being deleted without being in a "system maintenance mode", or requiring an actual human's permission to do so (that was the whole POINT of the annoying UAC wasn't it?).

        I'm really waiting for the day where your computer can be in either "usage" or a minimal "maintenance" mode and only in maintenance mode can you do updates, change bootloaders, play with critical files, etc. and only in usage mode can you log in as other users, browse the web, move files around, execute programs etc. And having NO PROGRAMMATIC WAY to switch between the two modes at all, and not have any processes survive the transition.

        We have a sort of fake pseudo mentality that almost does this ("no running as root normally", "safe mode", etc.) but they never quite cover that the two modes of operation are distinctly different beasts.

        1. Bakunin
          Boffin

          Re: Nice testing procedure

          "I'm really waiting for the day where your computer can be in either "usage" or a minimal "maintenance" mode and only in maintenance mode can you do updates, change bootloaders, play with critical files, etc"

          If you want something like that try using a Linux/BSD variant setup to mount /sbin, /etc, /usr/sbin, and others as read only when in "usage" mode and read/write when in "maintenance" mode.

          Or for added security you could use a device with a physical read only switch for the drive/partition that holds those core parts. For standard user "usage" you only need write access to /home, /var, and a couple of others. It's been a while, but I'm sure a quick google will confirm what can be mounted read only.

          Used to run a firewall off of an old P1 with Debian running off of a CD but with /var mounted on a drive.

        2. This post has been deleted by its author

        3. TeeCee Gold badge
          Facepalm

          Re: Nice testing procedure

          > And MS is supposed to have their "system protection", etc..

          Yes, but you granted your A/V suite system level privilege when you installed it, precisely so it could clean up infected system files. That's what the UAC warning you got on installation was for.

          ISTR that MS did want to restrict that level of access purely to the O/S itself, but the A/V vendors threatened legal action......

        4. Stuart Castle Silver badge

          Re: Nice testing procedure

          RE:"And MS is supposed to have their "system protection", etc.. How hard is it, precisely, to prevent certain files being deleted without being in a "system maintenance mode", or requiring an actual human's permission to do so (that was the whole POINT of the annoying UAC wasn't it?)."

          1) I don't think a Windows service triggers a UAC prompt. If it did, it would break all sorts of Windows functions (including Windows update). It would be a similar situation if Unix required daemons to run under the restrictions imposed by sudo, or so I believe.

          2) Requiring a user to switch an OS to a "maintenance mode" to update would be a good way of ensuring that a lot of users never update their OS. The likes of Microsoft, Apple and the various Linux vendors are having trouble ensuring people keep their OSes up to date with the mostly automatic systems in place now, how are they going to do that when people need to switch the OS to a different mode? In the meantime, bad guys would merely find a way around the protection without switching to a separate mode.

      2. asdf
        FAIL

        Re: Nice testing procedure

        >You cannot protect a system if the bad guys wrote it.

        Did anybody see that Ballmer was top of the Forbes list of the worst CEOs? What a douche nozzle he is. Obviously he didn't write it but he made sure the same business practices would continue.

    4. david 12 Silver badge

      Re: Nice testing procedure

      Nice if you read the article before posting.

      3) It was possible to safely undo the mistake. By turning off the blocking. And for people who find that too difficult, it happened automatically when they brought out the update.

      And, it didn't delete any files. It was just a part of a system which (brokenly) blocked suspicious behavior.

      And, you think users should be allowed to delete critical system files just by answering 'yes' to a warning? Sheesh. Glad I don't support your OS.

  5. Bakunin
    Trollface

    Seems apt.

    Google updater? iexplore.exe? Potentially harmful?

    Say it ain't so!

  6. Gerard Krupa

    Behaviour classification

    Disabling the web browser and the registry editor? That sounds suspiciously like malware behaviour.

  7. Anonymous Coward
    Anonymous Coward

    Service pack zero?

    If I went to buy a car and they told me they'd send me the steering wheel later, I'd be suspicious.

  8. Jeebus

    @Gerard Krupa

    It isn't suspiciously like malware behaviour, it is malware behavior absolutely outright. Avira should face a very large fine in line with actual malware suppliers as this has damaged far, far more computers utilising exactly the same methods.

    1. Anonymous Coward
      Anonymous Coward

      That's a silly argument.

      It is "malware behaviour" only in the same sense that everything that any software ever does is malware behaviour: creating and deleting files and changing their contents. The fact that it deleted the wrong files is a mistake, not "malice", which requires intent.

    2. Anonymous Coward
      Anonymous Coward

      Re: @Gerard Krupa

      So McAfee is going to send everyone compensation for the time they bricked WinXP SP3 by flagging svchost.exe as a virus?

      I'll go check the post - thanks!

  9. mark 63 Silver badge

    no iexplore, no cmd, no, that's a PC that's been secured.

    For complete security remove power and network cable

    1. Anonymous Coward
      Anonymous Coward

      <sarcasm on>

      Why not just turn it off?

      <sarcasm off>

      Got to love so called IT people who think that security is removing / disabling any piece of software that actually aids a user rather than sensible solutions.

    2. bigfoot780

      And that the user. 100% secure.

  10. Anonymous Coward
    Anonymous Coward

    I always knew notepad.exe was secretly very dodgy.

  11. Anonymous Coward
    Anonymous Coward

    What's new?

    Not exactly the first time something like this has happened. I'm fairly sure I've heard instances in the past where all the big name AV brands have done something similar - maybe many years ago for some of them but they're all just as bad as each other.

    1. Dave 126 Silver badge

      Re: What's new?

      Aye, I remember a supposedly uninstalled copy of Norton that blocked access to Hotmail... Bloody thing came with the PC. Thanks, HP!

  12. Chronos
    Flame

    Brick?

    No, it's bloody not bricked. Windows is not firmware. If it somehow overwrote the code on the motherboard's EEPROM, then it would be bricked. Until such time, it's a corrupt OS, i.e. soft and sod-all to do with hard or firm.

    1. JimmyPage Silver badge
      Mushroom

      Re: Brick?

      semantics.

      If my ONLY machine is a Windows machine, and I cannot use it to repair itself, then it is, to all intents and purposes, bricked. Now this scenario is unlikely in any commercial setting - ideally *someone* would have an unaffected machine, from which a BootCD could be burned, to help fix the other machines. However, to a lowly home user, especially a non-tech savvy one, then having their machine borked could be a big deal.

      Quite a few one-man-band IT specialists have created their own Linux distro, which they leave with clients, who can boot from it in the event of a disaster. They establish an OpenVPN link back to the mothership, where remote jiggery-pokery can save the day.

    2. John Stith

      Re: Brick?

      I agree. The word "brick" has come to have a very specific meaning--crippling a device (by overwriting firmware) to the extent that it is permanently unusable or so that only the factory can repair it. We would have the same complaint if a headline said "Bin Laden dead" when he'd only gotten a flesh wound.

  13. Andrew Duffin

    What number of patch?

    "Service Pack 0"

    Zero?

    Well that would have made me suspicious straightaway.

    I mean, it's like V1.0 of a Microsoft product; you just don't, do you?

  14. Mostly_Harmless Silver badge
    WTF?

    so....

    Don't use antivirus software and run the risk that every so often your machine will get cabbaged, causing you to spend time/effort to recover it to a working state....or....

    ...do use antivirus software and run the risk that every so often your machine will get cabbaged, causing you to spend time/effort to recover it to a working state

    1. Dave 126 Silver badge

      Re: so....

      Have a system image created daily*. Boot from recovery media, go make a cup of coffee and look out of the window for a quarter hour...

      *have a virus scan run before the image creation, otherwise Windows Backup will refuse to create it, but only after most of the way through the process.

    2. Anonymous Coward
      Anonymous Coward

      @Don't use antivirus.....do use antivirus

      Some years ago we got hit by a nasty virus infestation opened by an innocent secretary. Until then I worked on the principle uttered by another in this forum that if you administered properly you didn't need anti-virus. The dam' thing had compromised our recent backups before it was detected, and generally caused mayhem. Since then, I have a prevention is better than cure approach and if we have to sacrifice a little functionality for a lot of safety so be it. I would say that since the ISPs can see mailouts to all their users they could do more to help.

      1. Anonymous Coward
        Anonymous Coward

        Re: @Don't use antivirus.....do use antivirus

        Sure, blame the ISP instead of the dumb ass using the PC.

  15. Anonymous Coward 15
    Facepalm

    Testing

    How does it work?

    (Can we have a Kermit icon to signify a muppet?)

  16. Anonymous Coward
    Anonymous Coward

    Easy...

    Microsoft Security Essentials. No muss, no fuss, no bother.

    Google: Symantec Sucks

    1. Anonymous Coward
      Anonymous Coward

      Re: Easy...

      MSE, doesn't sound like much protection according to this herbert. The only one he rates seems to be Kaspersky.

      http://www.reddit.com/r/IAmA/comments/sq7cy/iama_a_malware_coder_and_botnet_operator_ama/

      Run as a Windows user, remove unused applications, patch third party apps as well as Windows. Use Firefox with at least NoScript and Adblock Plus. That'll stop the drivebys.

      Then you just have to make sure the Missus doesn't do something silly in Facebook like fall for the LilyJade, crossrider developed cross browser plugin ruse.

      1. Qdos
        FAIL

        Re: Easy...

        Kaspersky is linked to numerous BSOD instances on Windoze Seven. NOD32 on the other hand isn't - once you master how to turn off all the pesky pop-up notifications that serve no purpose... as for MSE... it's a crock of $hite...

    2. adam payne

      Re: Easy...

      Use a Microsoft product to secure my system, no thanks.

      1. JDX Gold badge

        @adam

        Way to base your decisions on pure ignorance.

  17. Framitz
    Happy

    Instincts

    I knew there was a good reason to avoid this AV like the plague.

    1. Steven Roper
      Thumb Up

      Re: Instincts

      I used to to have Avira AntiVir on my system a few years ago, back when I was playing World of Warcraft.

      Then the fucking thing minimised WoW, while I was tanking in an instance thus causing a group wipe, merely to show me a fucking ADVERT to try to get me to "upgrade" to the paid version.

      Needless to say, it was immediately uninstalled, and subsequently no Avira product has gone anywhere near any computer under my control since. Behaviour like that is as bad as the malware it purports to protect against.

  18. Anonymous Coward
    Trollface

    "...caused its ProActiv monitoring software to think vital operating system processes were riddled with malware and blocked them from running..."

    Given it was scanning Microsoft's garbage OS, I'd say that was an understandable mistake.

  19. phear46

    not totally relevant.....

    I once went for a job interview and had a 'debate' with the interviewer on what made a decent antivirus solution. I said something that worked, and didn't much interrupt my day to day usage with ridiculous resource hogging (so basically anything but Norton/McAfee). He then argued 'if it's slowing your computer down at least you know it's doing SOMETHING'.

    Who was right? I didn't get the job in the end.... Probably for the best.

  20. Anonymous Coward
    Anonymous Coward

    Well...

    ...that's Windoze for you!

  21. Anonymous Coward
    Anonymous Coward

    I don't know why people keep slagging off Windows....

    I find it a great way to virtualize ubuntu.

    Anyway, it's the antivirus that caused the issue with Windows, whereas if you host ubuntu in a virtual machine, and use that for your web-browsing, antivirus on windows becomes a lot less important....

  22. TeeCee Gold badge
    Facepalm

    Avira

    So it's previously managed to delete itself.

    Now it's managed to delete the O/S.

    Next week: "AVIRA DELETES TEH INTERNETS!!!111!!!!"

  23. DanceMan
    WTF?

    Perspective

    I've used Avira for years on several machines. Never had an OS go down, never had issues with it being a drag on resources, had it find a few nasties. Didn't cause either active machine any problems today either (home user). And if it had, given that reports have said recovery was relatively easy, I'd have said that was pretty reasonable, given how much it's given me for years, for free. I don't expect perfection, especially for free. If this issue applies to the paid version and to enterprise use, again, given performance over time and quality of response to the problem, honesty in quickly admitting the error and providing a solution would seem reasonable.

    I make mistakes at work. It's the response to the mistakes that's important.

    1. Anonymous Coward
      Anonymous Coward

      Re: Perspective

      The main issue was with deployments out "in the field". Computers got the update, rebooted, then couldn't start up afterwards. Trying to talk users through booting into safe mode, then disabling the ProActiv module wasn't much fun at all.

      I won't be dumping Avira, it's the least intrusive AV solution we've used, and we've tried quite a few. However, it was a pretty terrible couple of days talking marketing guys on the road through the process of fixing their PCs.

  24. adam payne

    This is a silly mistake made by Avira that can only hurt their reputation.

  25. Anonymous Coward
    Anonymous Coward

    Bricked? Really?

    Isn't "bricked" supposed to mean "turned a piece of hardware into something no more useful than a brick"?

    If you can fix it by sticking a DVD in or whatever, the machine is not "bricked." I think we should reserve the term for things like irreversible bad firmware flashes and the like. I did manage to completely brick a router once, that was good fun.

  26. G7mzh
    FAIL

    A narrow escape

    I dumped Avira last week, having got fed up with its constant advertising, and _re-writing_ of my Windows permissions.

    Looks like I was just in time!

  27. Inselaf
    Facepalm

    I dumped Antivir 8 years ago. I invested around €55 for Bit Defender Total Security & have not had a problem since!

    Anyone who still chooses to use the freebie, or any other freebie for that matter, is asking for trouble in the long run.

    I have never regretted the €55 investment.
