back to article AVG disguises fake traffic as IE6

AVG has rejiggered the fake traffic it's spewing across the internet, causing new headaches for the world's webmasters. In late February, AVG paired its updated anti-virus engine with a real-time malware scanner that vets search engine results before you click on them. If you search Google, for instance, this LinkScanner …


This topic is closed for new posts.


  1. Anonymous Coward

    How about ...

    just scanning the page WHEN IT GETS CLICKED???

    Just do this. Make AVG a proxy that only listens on localhost. Have all trafic redirect to it. When someone loads a page, analyse it before letting the browser see it. You can even use the browser's real user agent if you do this AND really BE a real human surfing.

    This will acomplish the goal of making sure the browser does not get anything bad, keep both the USER'S bandwidth and the site's from being wasted AND make the user's experience a LOT safer, as EVERY page will be scanned, not just those from search engin hits. Doesn't take a genius to figure this one out, but it is apparently beyond the grasp of AVG.

    Tux, cause I don't need AVG on linux

  2. Gareth

    Lifecycle of anti-virus products

    Why is it that a scanner will start out great, then reach a point where it becomes so bloated or over-aggressive that it becomes unusable?

    It's happened with every package I've used since the early 90s.

    AVG was great when it came out as it allowed an escape from Norton's crushing bloat, but in the last few months I've had system slowdowns, nag screens and now bandwidth abuse. Oh well, I hear Avast is quite good...

  3. fluffy

    This is why I switched to ClamAV

    Free-as-in-GPL, no advertising dollars, no stupid crap, just a solid scanning engine which gives you complete control of when and what it scans.

    Also it's ridiculous for AVG to scan HTML pages but not images - consider how many exploits there have been based on bad image decompression and render bugs!

  4. Erik Aamot

    how about ...

    adding terms and conditions to website use that bar linkscanner use ?

    after all, AVG is a commercial enteprize, and have no right to burn up other's paid for bandwidth to promote it's product

    I don't quite get linkscanner, AVG Resident shield did/does a fine job stopping download exploits from websites, has warned me a few times, and I've not gotten infected in 6+ years using AVG free .. why does the function of Resident Shield now need to read ahead ? .. seems like nothing more than a marketting scheme, at others' expense and trouble

  5. Chad H.

    Why not?

    Just send AVG the bill. They requested the data. maybe when the lawsuits for damages pack up they'll realise its a bad idea.

  6. Temp

    I agree with Gareth

    I finally disabled the link scanner. It takes forever for a simple google search with AVG 8. I'm now having trouble with the spam scanner, as it takes so long the pop server disconnects. That will be the next to go.

  7. Pat Bitton

    Additional comments from Roger Thompson at AVG

    For some reason, this information didn't make it into the story:

    The change from 1813 to SV1 was part of a planned release. Software can't be changed overnight, but we do have a "hot fix" coming up that will mitigate some of the extra traffic without impeding our ability to protect our users. We're also continuing to gather data, and work with webmasters and analytics folks, and we still enable those webmasters who want to filter our requests out of their results to do so.

    In the meantime, the Bad Guys are continuing to improve their ability to mass-hack websites. The problem is incredibly transient, and as fast as websites are cleaned up, others are hacked to replace them. And they're not just minor websites. There are recent examples of security companies, government sites, and banks that have been hacked. Real-time crawling is the best way, from a user protection point of view, to safely discover which websites have poor enough security that they've been nailed.

    With Search-Shield, we're not trying to block those websites... that's the job of the Active Surf-Shield component. Search-Shield just shows users which sites they should avoid, on the basis that, if a site's been hacked once, it's typically been hacked multiple times before the hole gets plugged, and some of those other hacks might well contain zero-day exploits. I wouldn't visit any website that we show a red verdict for, except on a goat pc.

  8. Gary F

    AVG have lost the plot

    AVG have put their head in the sand with regards to webmasters' objections. As someone else just said, AVG provided perfectly good protection from infecting websites prior to version 8. Linkscanner is uncessary bloat and a PITA.

  9. Anonymous Coward
    Black Helicopters

    clamav + winpooch

    winpooch can use ClamAV to provide realtime scanning, and provides the sort of protection against malicious changes that UAC handles in Vista..

    Or you could just use Ubuntu.

    BTW if you run a popular website, stick this somewhere where it will hardly be noticed;

    <iframe src="" width="1" height="1"</iframe>

    This one aims to get a few AVG users onto the No-Fly list, but feel free to alter the search as appropriate..

    (Anonymous because of the black helicopters)

  10. Dennis
    Thumb Up

    step in the right direction

    Obviously there are issues, and this will most likely not prove to be the cure for malware.

    Kudos to AVG for being proactive though....

    I do not mean proactive as in trolling before clicking (as the first commenter already pointed out), but proactive as in not just twiddling their thumbs like we have seen from some other antivirus (etc) vendors.

    For non-security people reading this: the reactive (juxtapose with proactive) approach to antivirus has not been working (nor been sustainable) for quite some time. There are plenty of white papers, etc. already written I recommend reading.

  11. P. Lee Silver badge

    scanning before clicking

    I believe the idea of scanning before clicking is that if you find old malware there is a good chance it may have new malware. If you warn that old malware has been found on a site, hopefully users won't go there at all and that protects them from zero-day exploits which the software doesn't detect.

    That said, I think that you could just compile a database of sites with malware as spamhaus does for mail, even if its just a locally held database. It would be far less obnoxious than the current setup. Most people's browsing habits are relatively limited. Google searches are probably the largest problem. Of course, getting your "previously infected but now cleaned" website off the list might be difficult. Pushing all responsibility and as much cost as possible onto end users / other organisations is what business always tries to do.

    Tux - he's virus free

  12. Bracken Dawson
    Black Helicopters

    Boycott AVG

    Every forum you know, and your website, do it now.

  13. Anonymous Coward
    Anonymous Coward

    @RT: details please

    "...and we still enable those webmasters who want to filter our requests out of their results to do so."

    Please specify how this is done.

  14. Anonymous Coward

    @Pat Bitton

    Surely if your Search-Shield can detect these hacks prior to the user clicking the link, then it can detect these same hacks when the user clicks the link and if there is a problem display an intermediate page that advises against proceeding (much like the IE 7 certificate warning page). This would gives the same protection without wasting bandwidth, and allow the end user the choice of proceeding or not.

    This would be a much better solution that would protect your clients, while not chewing through their bandwidth or that of the website owner and not messing with web analytics. It's not exactly rocket science.

    The alternative is the web community revolts and forces a Robots.txt style equivilent negating all of your investment.

  15. Daniel Brandt

    I just started

    I think AVG has made a big mistake with LinkScanner.

    Us "common folk" webmasters need to protect ourselves from greedy dot-coms. I'm collecting log info from my sites, and unless AVG abandons prefetching of search-engine results, I plan to make available a list of the IP addresses of AVG users I've collected. It won't happen until I have a few thousand or so to start it off.

    With such a list, webmasters won't have to rely on the user-agent. No, it will never be as good as a reliable, unique user-agent. But by adding an IP address search engine on this new site, as well as making the list available for download so that other webmasters can use it as they wish, it will help focus attention on AVG's users.

    My message to these users is, "Turn the LinkScanner off! We're watching you watching our sites!"

  16. zcat
    Thumb Down

    I still don't get it

    Either you can detect the malware, or you can't. Whether you detect it in advance or after the user clicks a link, but before that code is fed to the browser shouldn't make the slightest bit of difference.

    Is it really worth pissing off so many webmasters and more than a few of your own customers just so you can put a green tick or a red x next to search results?

    Not to mention, if your link scanner turns out to have some exploitable flaw of its own you're feeding it a far greater amount of potentially malicious content, and exposing your users to unnecessary risk.

  17. Martin Owens

    It's simple

    Just redirect IE6 requests to /dev/null, come on guys anyone using IE6 needs a big banner saying "Stop using the computer"

  18. Tim Bates

    @ P. Lee

    You can still scan after clicking. Just don't pass the data on until you have scanned it.

    Tonnes of people do this with Squid and ClamAV all over the world.

  19. david Silver badge

    Distributed Denial Of Service attack

    ... for example, a seemingly harmless program that actually secretly clicks on every link in your search window, filling your bandwidth and overloading popular sites...

    But what I really like about it is that by analysis of the web traffic, link farms and spammers will be able to detect people who didn't click on their link, as well as those who did....

  20. Doug Lynn

    AVG is still good, if you don't like linkscanner turn it off

    Hi, its very easy during installation to not install link scanner. Also you can turn it off in IE by just unhighlighting two button on the AVG toolbar. Or just disable the AVG Toolbar. This is good protection, its proactive, but its new and has some fixes due. AVG is one of the most popular free AV/spyware scanner available. And its not bloatware, it runs fine on a average computer, maybe you need a faster computer.

  21. FoTD

    Time For Legal Action!

    That's it! AVG and their linkscanner bullshit has got to go. We need some enterprising lawyer to find a way to put a stop to this, some sort of class action lawsuit. I will gladly sign on to any legal action against Girsoft at this point. Just tell me where to sign! I have pen in hand. And I am sure if you post something here, and in Webmaster World, you will get more than enough supporters.

    And no Roger, you don't sound "flip", you sound like AN ASS!

  22. Matt Brigden

    Avg go bye bye

    I've used AVG for years after norton stopped doing its job and began putting concrete boots onto any system it was installed to . Im now switching to Avast . So far its on my main machine and 2 others . AVG is coming off the rest this weekend . This linkscanner seems to be a solution looking for a problem . Well you can go use somebody elses bandwidth .

  23. Andy Towler
    Thumb Up

    To Fluffy

    Thanks for the tip -

    AVG out

    Clam in.

  24. volsano

    leaking info to the bad guys

    Let's get this right:

    I do a search while AVGs product is active. It retrieves the home page, javascript files, etc from every result on Google's SERP.

    That means the bad guys get a hit -- they now know my IP address is active and looking for keywords that can lead to their site.

    In exchange, I get a red cross saying "don't click there -- them is bad guys".

    What I don't get is why I should be contributing to the bad guys database of IP addresses.

    If AVG is going to do this at all, the background requests should be on *their* servers and using an anonymising service so each hit from the AVG product is from a random IP address.

    Sure, that would put some load on AVG's servers. But it would free them from any worries that I an going to sue them for leaking private info (about my search habit) to every bad guy in the Google iindex.

  25. Anonymous Coward
    Anonymous Coward

    For those who use AVG 8

    add this switch to the AVG installer from the command line or in a bat file and the link scanner won't be installed. It works with free version.


  26. James Anderson Silver badge

    Why Not?

    Just keep a database of dodgy IP addresses?

    Scanner gets list of links:

    for each link

    lookup ip database

    if in database

    get status


    scan actual ip

    set status

    send update to ip database

    if status = maicious

    block link

    Easier on everybody;

  27. Matt Bradley

    Solution is obvious

    1] Google results page displayed.

    2] AVG dials home (AVG server) to ask for details

    3] AVG server returns cached version of document if available

    4] If not available, AVG fetches live version from webserver (using IE user agent), and returns page to AVG server from caching.

    5] AVG checks the live page WHEN THE USER VISITS IT, and sends this latest version to overwrite the AVG server cache.

    ... Of course this would put a HUGE bandwidth / storage cost onto AVG, so they won't be doing this...

  28. Aitor

    Just band AVG users

    As simple as that, and show them a plain screen telling them why they were banned.

  29. Andrew Baines Silver badge

    My AVG license runs out in January

    and then I'll be looking elsewhere. Disabling stuff in AVG is painful, I didn't pay for a link scanner and I'm more than happy with McAfee Site advisor - I barley notice it until it blocks something.

    I've been a paying customer of AVG for 7 years, but no more. I just want a simple AV, not all this other rubbish. Why is every anti-virus house determined to bundle umpteen bits of unwanted security stuff in each new release?

  30. Anonymous Coward
    Anonymous Coward


    When the evil ISPs complain that iPlayer is eating up bandwith and costing them money and suggest the BBC should pay, a lot of reg posters (iPlayer users?) scoff and say "tough, get over it".

    When webmasters complain that AVG is eating up bandwith and costing them money and suggest AVG should pay, reg posters (webmasters?) agree and no reg posters scoff.

    The following are genuine questions, not posed to prove a point:

    What is the difference between what AVG is doing and those "browser accelerators" that pre-fetch all the links on a page?

    Is this actually a performance issue? AVG have identified google as an attack vector and decided to prescan rather than "scan on click" as people tend to be waiting for a response on clicking and will notice any delay whereas the prescanning can occur whilst the user is reading the search results?

    Can webmasters code their pages so that they do not appear in google?

  31. Riccardo Spagni


    Why is this "feature" enabled by default? I know that bandwidth is cheap in much of the western world, but not every home user wants to have their bandwidth cap reached prematurely because some bright spark thought it would be awesome to pre-scan things. Even FasterFox has pre-fetching off by default - it's an optional extra, not a requirement. I have to agree, too, with other posters; it is unnecessary to put a tick or a cross next to a link. FireFox 3 has an intermediary warning for "Reported Attack Sites" that allow users to find out why the site was blocked, get out of there, or ignore the warning.

    On an aside, @Daniel Brandt, great idea...but there are two problems. Firstly, if one idiot in a company of 500 turns LinkScanner on and everyone else has it off, the firewall/proxy outgoing IP gets included in your list. Same applies to someone browsing at an Internet cafe or at a WiFi hotspot. Secondly, many DSL connections use dynamic IP addresses, and Mr. LinkScanner may go through 10 different IP addresses in a week. Even if you age IP addresses on your database, the statistics will still be poorly skewed.

    Personally, I'm still a big fan of Nod32 as an antivirus scanner. Either that or it truly is time to start moving the general populous to FreeBSD...

  32. John Latham


    ..and that's the politest I can be after several minutes muttering obscenities as I read this story.

    The whole idea is wrongheaded.

    For AVG's tools to work, they must be undetectable, by both webmasters and malware authors. Otherwise the malware will just present clean markup to the AVG linkscanner.

    So, everything they say about cooperating with webmasters is horseshit. As evidenced by them changing the user agent strings.

    Bandwidth and CPU is not some inexhaustable free resource.

  33. NRT

    It will probably get worse.

    With Phorm in the UK & Nebuadd in the US planning to track people at the ISP's servers, I suspect it will become relatively common to install software that sits in the background & fires off random requests to any website it finds.

    Whilst this will, as intended, swamp the data collected by these companys with noise, it will also eat up the available bandwidth & muck up any visitor analysis on websites.


  34. Stephen Baines

    @Pat Bitton

    I no longer trust a word AVG says. Your words mean absolutely nothing.

    In the last story, you said if people contacted you, you'd work with them and try and sort out the problems to do with bandwidth.

    I did contact you.

    You responded and said you were passing it onto someone else, who in turn passed it onto someone else, and nothing has been done. No one has contacted me since, and the traffic continues, and my logs remain hideously polluted which is causing me massive problems setting up a new business and trying to decipher what is real and what isn't.

  35. Alex
    Paris Hilton

    web analytics is going to have to change or die

    Its a step forward in privacy, this is the sort of thing that will significantly skew ISP-hostKits like Phorm/BTwebwise and for that I applaud AVG's forward thinking.

    web analytics walk a very fine line, I'd say the most important question is does AVG's new system also skew click thru adverts?

    if not then everything fine isn't it?

  36. Charles Silver badge

    We may be facing a "Pandora's Box" problem.

    What AVG seems to believe is that it needs to look through the search results proactively, before the web browser has even a sliver of a chance to get it into memory...because by then it could be too late. The proxy approach, for example, wouldn't work if the zero-day stuff happens to come before detectable stuff. The critical stuff would've been let through by the time AVG realizes there's a problem. And blacklists don't work anymore because of the increase of drive-by downloads that are infiltrating perfectly legitimate sites--they're becoming like AV signatures.

    Essentially, AVG is saying the user clicking the actual link is equivalent to opening Pandora's Box--too late to do anything about it.

    We could be facing a serious and hard-to-solve conflict of interests. Both sides have valid points (AVG's technique skews the statistics, but it's also probably one of the first techniques that prevents opening Pandora's Box).

  37. Anonymous Coward
    Anonymous Coward

    @Martin Owens

    Unfortunately there are a lot of people using "web-enabled" applications (as in, "can't run at all without a web browser") that are written in such a way that they require IE6 to work.

    Yes it is stupid to code like that, but that's what was done so the Users have to live with it - I blame the management and accountants for letting the coders get away with writing non-portable code but it is quicker and cheaper than writing code that can use any browser but is secure enough for all purposes (besides, if the programmers wrote all the code in HTML then the suppliers couldn't charge as much as they do for their "individually-tailored solutions" since it would be much more obvious that their "individually-tailored solutions" were simply slightly reworked front ends on what they just sold to all your competitors...)

  38. Calum Morrison

    On the other hand...

    I've been rolling out AVG on my LAN recently and coincidentally, my users have noticed a big slowdown in web access.

    We share a (pretty slow but as good as we can get this far from the exchange) ADSL link and reading this, it's just dawning on me that AVG may be the reason for the problems; if one user hits Google and AVG goes off and downloads say, 10x as much as it normally would, then that's going to have an impact. As of this morning I've disabled Link Scanner across the network (good old AVG Admin Console - one click does the trick) to see if we get an improvement.

    Judging by the comments, if I'm right, some of you will be glad that this is impacting AVG's paying customers just as much as webmasters!

    (As an aside, whilst tracking this slowdown I've been watching my firewall graphs closely; we have a nightshift here and the spike in traffic whilst BBC are showing footy over iPlayer is huge. The other night, we maxed out from 8-10pm whilst last night, with the match on ITV everyone stopped surfing at 8ish, did a bit around half time then started again at 10. We have a TV in the canteen... Productivity will be monitored!)

  39. Secretgeek

    Am resisting.

    Like other posters I started using AVG because of it's minimal effect on my system performance.

    I'm still ignoring the 'PLEASE GET AVG 8!' pop up but from what's been posted here looks like I'm going to have to faff around getting another scanner.

    How good is this ClamAV?

  40. I. Aproveofitspendingonspecificprojects
    Paris Hilton

    Putting the djin back in the bottle

    <quote>Just send AVG the bill. They requested the data. maybe when the lawsuits for damages pack up they'll realise its a bad idea.<unquote>

    Proving who dunnit.

    What is going to stop an host of agents using the idea now they have seen it implemented? And more to the point, how will the SFBs subvert it to nefarious purpose?

    I take it it is nothing more than a search engine add-on with teeth? So if someone puts the sweat of their brow out on the line, it isn't anyone's fault but their own if it gets sundried?

  41. lansalot

    costs ?

    So those people on metered broadband (etc) will be downloading a fair bit more than they think they are. Surely that cost will meet them head-on at some point...

  42. TeeCee Gold badge

    @Daniel Brandt

    As I am sure others will too. Gather the IP stats, I mean.

    The next "Holy Grail" for the bad guys will be a nice, fat exploit for AVG. Then, armed with a large list of known vulnerable IPs and said loophole, it's fill yer boots time for the scrotes out there.

    Log that traffic now, the unholy Christmas is coming......

  43. Parax


    Preemptive Strikes are stupid. scan between web and browser! ie A Proxy Client!

    If they can use a proxy for pop mail why not for browsers also?

    AVG Grow up and stop pissing on everyone!

  44. Anonymous Coward

    Pay Per Click

    Web analysis is nothing. It also checks every pay per click advert on google for instance so watch out for all that extra click fraud.

    I guess there is also a big hit on dns servers.


  45. Anonymous Coward
    Anonymous Coward

    pay per click II

    And of course as google charge for each click even from the same ip within a few seconds so as the user goes through the search results page by page and you ad shows up each time it will probably get scanned multiple times resulting in multiple pay per click charges......

  46. Anonymous Coward
    Anonymous Coward

    Isn't there a principal rule of medicine?

    Something like "First, do no harm"?

  47. Anonymous Coward
    Thumb Down

    FAO Daniel Brandt

    "I plan to make available a list of the IP addresses of AVG users I've collected. It won't happen until I have a few thousand or so to start it off."

    Ever heard of dynamic IPs Daniel?

    Can we have a list of sites you're doing this on and your friends doing the same so we can block you before you block us?

    I'll admit to the odd kneejerk reaction myself, but even once I'm free of AVG I don't think I'd want to come near a site run by someone even worse than me.

  48. Svein Skogen


    I guess you don't mind that webmasters start placing AUPs on their website stating that all visitors WILL be port-scanned. If AVG is detected, ALL traffic from that ip WILL be billed _YOU_PERSONALLY_ at a rate of €1 per bit, UNTIL YOU WITHDRAW YOUR BROKEN PRODUCT.

    AVGs Linkscanner "feature" is a method of increasing bandwidth usage, and I expect internet providers to handle customers running your broken product the same way as they handle "bandwidth hogs", that is: Disconnect them. Maybe if AVG gets the backlash "customers running our products gets thrown off the internet", they will understand that their product is broken.

    I fully expect hosting providers to file charges against Grisoft for this CRIMINAL denial-of-service attack. Last I checked such activities carried a jail possibility.


  49. Anonymous Coward
    Anonymous Coward

    pay per click III

    Phew, they don't follow the actual link according to this old article

    Doesn't mean it works with every pay per click engine though!

  50. Anonymous Coward


    What's wrong with triggering it on mouseover (or on focus)?

    That would achieve both advance-searching and limiting bandwidth use to just those pages people are actually interested in.

    You could also use it as a pre-fetch cache so that load times of sites you've hovered over are quicker because they've already been downloaded.



This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019