Rogue CA update bricks Win XP systems

A rogue security definition update to anti-virus software from CA hobbled Windows systems earlier this week, sparking howls of protests from users. The update, issued on Wednesday, falsely labeled important Windows system files as potentially malign, dispatching them into quarantine. The action prevents Windows XP systems from …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Megaphone

    HAHA

    I'm really surprised this has affected anyone, with McAfee's record on this sort of thing it's amazing they have any customers left.

  2. Chris C

    WHY?!?

    So this makes CA, McAfee, Symantec, AVG, and Kaspersky. Any others I've forgotten? Are these some bizarre-configuration WinXP installations or foreign-language versions? I have to ask because it seems illogical that these big-name, big-money AV firms would fail to test their definitions on common configurations. Of course, sometimes truth is stranger than fiction...

    And just once, can the MS haters please refrain from the typical "Well, that proves [Window$ / Winderz / Winblows] is [malware / virus], ha ha ha" comments? They're really not amusing anymore.

  3. Anonymous Coward
    Flame

    haha...

    God I love being a Mac user.....let the flames begin....hahahahaha

  4. Steve Brammer
    FAIL

    One small problem...

    ...how do you roll-back when your PC won't boot?

  5. Robert Forsyth

    Re: One small problem

    Boot the system off a Linux live CD (or USB drive).

    Copy all your important data files/documents to a USB drive or network share.

    Remove the anti-virus software.

    Rename back the affected system files.

    Reboot.

    Discover your hard-drive is encrypted and you cannot do steps 2, 3 and 4.

  6. Paul H
    Pint

    @Steve Brammer

    You could presumably boot from a Windows XP install CD and use the recovery console to rename the affected files. That is assuming you aren't running hard disc encryption that prevents access.

    Pub time!

  7. Anonymous Coward
    FAIL

    Fail of Epic Proportions

    @Chris C. Those comments ARE amusing and always WILL be.

    Now, where did Linux put my coat.....

  8. Geoff Mackenzie

    There, I fixed it:

    "Anti-virus scanners are an industry-wide problem."

  9. John Herz
    Pint

    Yep, I'm encrypted

    At my company all laptops MUST be encrypted. "Luckily" we use a different AV product here.

    I'll be back eventually, when I get bricked.

  10. John Savard

    Terrible

    Some people have computers with the OS preinstalled, and no way to recover from problems like this except by wiping their hard drive, unless they've set up the system to boot into a menu that includes Recovery Console beforehand, either because their recovery CD just has an image, or they don't even have such a thing. This sort of thing should be taken very seriously.

  11. Anonymous Coward
    Anonymous Coward

    "errantly"?

    I do not think that word means what you think it means.

  12. Anonymous Coward
    Happy

    Re: One small problem

    Boot the system off a Linux live CD (or USB drive).

    Copy all your important data files/documents to a USB drive or network share.

    a. format disk, install linux

    or

    b. sell computer, buy a MAC

  13. Anonymous Coward
    Thumb Up

    @ Steve Brammer

    ERD Commander mate...

  14. Fred Flintstone Gold badge

    @ Why ?!?

    "And just once, can the MS haters please refrain from the typical "Well, that proves [Window$ / Winderz / Winblows] is [malware / virus], ha ha ha" comments?"

    No. BWAHAHAHAHAHAHAHAAA!

    Sorry, you asked for it. Hihihi. Haha. HahahahaHAAAAAhahaha. Cough. Hihihi.

    [boot note: bad timing - it's Friday]

    [windows boot note: ....]

  15. Anonymous Coward
    Anonymous Coward

    Who or what is CA?

    First I've ever heard of them.

  16. Flocke Kroes Silver badge

    White list?

    Forgive an ignorant penguinista, but don't these anti virus programs have a list of files not to wipe out, and digital signatures for them to spot when they have been modified?

    Well, that proves selling videos of swatting causes less harm than looking for UFO's ha ha ha.

  17. Saucerhead Tharpe
    Thumb Up

    See proof that Linux isn't ready for the desktop

    It doesn't have this vital functionality.

  18. Anonymous Coward
    Gates Horns

    Bugger this for a lark

    Seems the lowest common denominator is Windows.

    Why can't Windows protect its own critical files from this sort of buggery? I mean, come on, how hard is it to harden critical system files so that pesky virus/trojan/worm buggers can't bugger those files up?

    Last week was McAfee's turn. I think Symantec might be in for a spell of angry users sometime soon...

    bleugh + two sugars

  19. TeeCee Gold badge
    Pirate

    Interesting.

    Apparently Cygwin is a commercial application.

    I guess that my free version must be a pirate copy then.

    Aaarhaaar, 'tis time to splice the mainbrace methinks, 'tis Friday ye knows.

  20. Jacqui Smith's DVD Collection!
    FAIL

    @ Anonymous Coward 10:06

    I'm also a Mac user, a Linux user and a Windows user, however more than that I'm an application user, I don't really see the difference in which OS my apps sit upon.

    I'll tell you what though, when OSX gets as popular as you would like it to be, my anti-virus will protect me, you on the other hand will be well fucked. :D

  21. Anonymous Coward
    Happy

    Chicken Little

    Hey, Chicken Little wasn't a false alarm!

  22. SynnerCal
    Black Helicopters

    It's a conspiracy ...

    Yet another Windows and AV failure? Hmm, either MS is behind this (to force folks to move to Vista/Win7) or - more amusingly - someone from the Linux community (I was tempted to say Mac there - but I'm sure they're far too busy preening about how marvellous their boxes look). Hence the icon.

    @Who or what is CA? - Computer Associates, a company responsible for more overtime for me than any other. Although, I've got to admit (grudgingly) that the AV software is less crap than the other digital horrors they've unleashed on the world.

    @HAHA "I'm really surprised this has affected anyone, with McAfee's record on this sort of thing it's amazing they have any customers left.". Erm, that's because this was Computer Associates this time, not McAfee - you might want to try actually _reading_ the article before going foaming off at the mouth (or whatever orifice is used).

    By the way, is "Cygwin" a commercial application? Seriously, I've only ever used the free (OSS) version and wasn't aware that it'd gone payware, especially as I just checked the website and there's no mention of payment except for the optional PayPal donate.

    Maybe I should back off my XP installs before my Zonealarm AV installs catches this file deleting behaviour...

  23. David Roberts 1
    FAIL

    Digital Signatures

    Microsoft digitally signs all their code - surely the AV could double check the digital signature once it thinks it has a positive.

  24. frymaster

    re:signatures

    "and digital signatures for them to spot when they have been modified"

    indeed, why don't they just assume any file digitally signed by MS that's valid is NOT infected?

  25. Chris Seiter
    Alert

    RE:RE:One

    It wasn't an antivirus update that bricked one of my test laptops with encryption, it was a bad .Net update. 3 days later I was able to get the update corrected but it takes a while to unencrypt a nice-sized hard drive. But at least I know how to do it and the company has also made a non-.Net version.

  26. Anonymous Coward
    Thumb Up

    RE: Bugger this for a lark

    QUOTE: Why can't Windows protect its own critical files from this sort of buggery? I mean, come on, how hard is it to harden critical system files so that pesky virus/trojan/worm buggers can't bugger those files up?

    ---

    I have to agree, if they are critical how can an antivirus just pluck them out and rename them. If I can't delete a simple text file because it's locked by the system, how hard can it be with these?

  27. Mike Holden
    Linux

    Errantly?

    So what's wrong with "errantly" then? Errantly means to deviate from the proper course, the proper course in this case is to NOT quarantine proper system files.

    Seems like a reasonable use of the adjective to me.

  28. Anonymous Coward
    Thumb Up

    @Chris C

    Preach it, brotha. I'm incredibly sick of people trotting out the 'M$, Windblows' etc etc as if they're being oh-so-clever. Whenever I see that crap, I pretty much think of this:

    http://www.penny-arcade.com/comic/2003/06/30/

  29. The Original Steve

    @ Bugger this for a lark

    Notice that this only impacts XP....

    Vista and Win7 do exactly as you say and self-repair core system files. However as a portion of the OSS fanatics have been shouting about how poor Vista is (which I contest) there's an awful lot of machines that have Vista licences (and thus would be immune) but are running XP.

    Same as the ActiveX vuln of late. Vista and Win7 aren't exploitable due to security improvements.

  30. bluest.one
    Alert

    Trend?

    Just last week my AV (Comodo) disabled an internet game I sometimes play, requiring the AV to be disabled to regain functionality - as well as taking a few hours to research and pin down the exact cause, including wiping, re-downloading (several gigs) and re-installing the software in question.

    It also flagged several files I knew to be safe.

    When your Antivirus causes more problems than a virus ever has, something is seriously fucked with the system.

  31. Ken Hagan Gold badge
    FAIL

    Re: White list?

    "Forgive an ignorant penguinista, but don't these anti virus programs have a list of files not to wipe out, and digital signatures for them to spot when they have been modified?"

    Er, no. It would, of course, be pretty simple to auto-generate such a whitelist by checking for the signature that Microsoft's OS team use for their own code but I imagine they have religious objections to that.

    (That's "ha ha only serious", by the way. When MS threatened to close off the Windows kernel to anything that didn't bear the WHQL sig of approval (a different sig, but the principle is there) all the AV vendors saw their business model fly out the window and cried "foul".)

    I'm not saying MS is virus-free on campus, or that they never ship buggy code, but the only case I know of where MS actually *issued* a virus within their own code was when an early version of Microsoft WORD came with the very first macro virus on one of the samples. That was about two decades ago. In any case, there are no viruses that can infect an executable file and preserve its digital signature. We can be quite certain of that, because such a beast would be a quite stonking breakthrough in cryptanalysis, we'd all have heard about it, and the AV product would be the first target in any case so frankly it is game over for the AV industry.

    Therefore, if your AV product flags up a positive on a properly signed core system file, it *is* a false positive. No buts. If you quarantine it, you risk bricking the system of every customer you have. Only a complete moron would quarantine such a file, or an AV vendor. But (apparently) I repeat myself.

  32. James O'Shea Silver badge
    Terminator

    And CA strikes again

    Earlier this year I scrapped CA ISS off of my mother's system because it would randomly restart(!) the system when downloading updates or scanning. She got tired of it after it restarted her machine three times in under six hours. CA tech non-support was of zero help; they were convinced that the problem had to be a conflict with something else, and nothing would convince them otherwise.

    That machine now has AVG installed.

    If this had happened before I replaced CA with AVG I would have been Very Annoyed(tm). On the other hand, if this had happened before I replaced CA with AVG, my mother would now have a Mac and that would be one less WinBox I have to worry about.

    You're terminated, CA.

  33. James O'Shea Silver badge

    precautions

    I recently got a Toshiba laptop, running Vista. I guess that I was spoiled by past experience; I never expected that anyone would ship a computer WITHOUT AN ACTUAL, LIVE, REAL, SYSTEM DISC. Toshiba did. I have since found out that Apple is, as usual, an exception to the rule in that they ship system discs with all their Macs and go so far as to state clearly, in the paper docs, in the read-me, in the first-run installer, and on their site, how to use that system disc in the event of a problem.

    I screamed bloody murder to Toshiba. They shipped me _two_ system discs.

    On some other systems (HP, I'm thinking of YOU) the vendor doesn't ship a system disc, but does have a recovery partition and has instructions on how to use that partition to restore the system to factory condition either directly or by burning your own system disc or both.

    Anyone who runs a modern computer system and doesn't have access to the system discs, containing the OS (whichever OS he's using) and the drivers and the basic application set deserves what is going to happen to him.

  34. Flybert

    @ AC ?CA?

    CA = California = a broken, over-bloated operating system with an installed base of about 37,000,000 .. Spanish language version very popular ..

    CA anti-virus though, = ca.com or "ca transforming IT management" .. they have "solutions" .. the tone of the site reminds me of Computer Associates, but surely that PoS-FUBAR company must have failed years ago

    @Chris C .. please .. in 8-9 years using AVG free it's never destroyed or quarantined a critical sys file, and requires user action to quarantine ... only false positive I recall was free clickteam installer maybe 7 years ago .. not been infected since using it

    point is well made, however, that all these products should include a whitelist of sorts that prevent critical OS files from being removed

  35. Anonymous Coward
    WTF?

    Cygwin not really a "commercial application"

    It's a free software project, and although RedHat do license a supported paid-for commercial version, it was definitely the free one that got hit.

    Not that you'd expect a CA marketroid to get this kind of subtle difference, I guess.

  36. Jessica Werkz

    Did anyone test this release.....

    Obviously CA didn't. They need shooting for that.

  37. Giddy Kipper

    @"Who or what is CA?"

    Is it really too difficult to type 'ca antivirus' into Google?

    *sigh*

  38. Anonymous Coward
    Coat

    Is this the first...

    ... AV to correctly identify the windows OS for the virus it truly is?!!

  39. James O'Brien
    FAIL

    Fuck me

    Where I work we sell CA exclusively. I had to fix a customer's machine last night and the system had to be reinstalled because CA bricked its audio playback and even after 'restoring' the files system was still unstable as hell.

    What I don't understand is this, in the last 2.5 years my desktop has had Vista on it, I have had it sitting in the DMZ on my router and I have never had AV, firewall or any software for that on my system and I have yet to get a virus. Why? COMMON SENSE.

    Well time to call into work because I REALLY do not want to deal with this BS all day.

    /AV software is a straight up FAIL nowadays.

  40. Anonymous Coward
    IT Angle

    @ flybert

    Yes, THAT CA. The name was changed to protect the guilty.

    "Where's the IT" because there evidently ain't much quality IT going on around here.

  41. Alan Barnard
    Coat

    This shows the danger...

    ...of running your anti-virus with root privileges.

    Mine's the one with Tux on the back.

  42. Kanhef
    Boffin

    re: whitelist

    Whitelists can be dangerous, and I don't think they're suitable here. A simple list of filenames is an obvious failure; once a virus infects one of those files, it will never be detected or removed. Using file hashes or signatures is better, but if they're included with the virus definitions it will break on Patch Tuesday, and signatures on disk could be compromised by a clever virus.

    What would be useful is a 'greylist' of the critical files necessary to at least boot into safe mode. They will still be scanned, but much more care used when cleaning/removing them. For example, display a warning that it may damage the OS, and suggest having a system disc at hand before making changes to those files. Maybe even recommend turning off disk encryption temporarily, just in case. This wouldn't prevent false positives, but it would avoid bricking computers automatically and might make recovery a bit easier.

  43. Chris C

    Whitelisting MS cert, AVG false-positive

    @ Ken Hagan -- re: Re: White list?

    "Er, no. It would, of course, be pretty simple to auto-generate such a whitelist by checking for the signature that Microsoft's OS team use for their own code but I imagine they have religious objections to that."

    Actually, assuming that all files signed by Microsoft are "safe" is an EXTREMELY BAD IDEA. It's one of those that sounds good on the surface, but breaks horribly when put into practice. Here's an example why:

    http://www.theregister.co.uk/2001/03/23/microsoft_vexed_by_falsified_certs/

    Excerpt: "Microsoft is scrambling to revoke two digital certificates that were issued last January by California-based VeriSign to a scam artist posing as a Microsoft employee. ... On 30 and 31 January [2001], someone posing as a Microsoft employee persuaded VeriSign, the largest US certificate authority, to issue two certificates under Microsoft's name."

    Sure, it's from 2001, but don't for a minute assume it couldn't happen again.

    ------------------------------------------------------------

    @ flybert re: @ AC ?CA?

    "@Chris C .. please .. in 8-9 years using AVG free it's never destroyed or quarantined a critical sys file, and requires user action to quarantine ... only false positive I recall was free clickteam installer maybe 7 years ago .. not been infected since using it"

    You obviously missed the news this past November:

    http://www.theregister.co.uk/2008/11/11/avg_false_positive/

    Excerpt: "Some users of AVG were left with unusable Windows systems after the popular AVG security scanner software slapped a Trojan warning on a core Windows component. AVG tagged user32.dll as a banking Trojan following a signature update issued on Sunday, advising users to delete the "harmful file". Users following this advice would be left with systems that either failed to boot or went into a continuous reboot cycle, according to dispatches from those hit by the glitch. Users of both AVG 7.5 and 8 (free and full fat editions) were hit by the snafu. AVG has admitted the problem and responded by posting advice on how to recover affected systems."

    Also, I'm nearly positive AVG can be configured to automatically "heal" infected files. Don't get me wrong, AVG (prior to 8.0) was the best of the AV apps I've seen or used. But like the rest, they're not immune to false-positives.

  44. James Ashton
    Thumb Down

    "Brick" doesn't mean this

    To "brick" means to render the hardware permanently as useful as a brick. This anti-virus screw up will, at worst, mean re-installing the OS with a very good chance of some data loss. It's bad ... but not _that_ bad.

  45. Big-nosed Pengie
    FAIL

    LOL

    Windows. It's its own punishment.

  46. Ken Hagan Gold badge

    @Kanhef

    "... and signatures on disk could be compromised by a clever virus."

    Er, no they can't. That's the point. The security of all e-commerce, large amounts of military command and control, and just about every piece of IT infrastructure on the internet rests pretty much on the fact that one *cannot* modify a message (or executable file) and make a corresponding mod to the signature such that it still appears to be correctly signed by the original author. If there are viruses out there that can do this then I think we'd have heard, although I accept that perhaps it might have been drowned out by the crash of the sky falling in.

    You are correct that an actual whitelist of filenames is a silly idea and a whitelist of file hashes would be out of date before it got into circulation, but "whitelisting" (in the colloquial rather than literal sense) based on signatures is a simple and foolproof technique. AV vendors who do not implement this are negligent. They should be named and shamed, and every review of their software should make a big point about how rubbish they are and how no-one in their right mind should risk using the product. It's that simple.

    Then again, *customers* who install AV software without this protection are even more negligent. The AV vendor can hide behind their "buyer beware" EULA. What's the sys-admin's excuse? ("Hey Boss, sorry the entire company's down this morning but I installed some software with root privileges that is remotely updated by a third party and it just bricked everyone's machine. Er, no, it doesn't have any safeguards against this kind of thing. We just hoped it wouldn't happen. Er no, we can't sue them because I signed off on their EULA. Er no, our competitors are probably still running because they'll have paid their dues to the AV company and are therefore running the same version of the engine that the AV company tests against. Er no, I haven't got another job to go to, or a lawyer.")
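
An added example, not part of any comment above or of any vendor's product: the allow-list options debated in comments 42 and 46, run over three constructed versions of a flagged system file. The key, file contents and policy names are assumptions, and an HMAC stands in for the platform's code-signature check.

```python
import hashlib
import hmac
from typing import Callable, Dict, NamedTuple

# Constructed stand-in for the OS vendor's signing key. A real scanner holds
# no signing key; it asks the platform to verify the file's code signature.
VENDOR_KEY = b"constructed-demo-key"


class FlaggedFile(NamedTuple):
    name: str
    data: bytes
    sig: bytes  # signature shipped with the file


def vendor_sign(data: bytes) -> bytes:
    """Stand-in for the vendor signing a file at build time."""
    return hmac.new(VENDOR_KEY, data, hashlib.sha256).digest()


def signature_valid(f: FlaggedFile) -> bool:
    """Stand-in for the platform's signature check over the file content."""
    return hmac.compare_digest(vendor_sign(f.data), f.sig)


# Constructed sample data: every file below was flagged by a definition update.
ORIGINAL = b"MZ system library as shipped"
PATCHED = b"MZ system library after a vendor update"
INFECTED = ORIGINAL + b" plus appended foreign code"

SAMPLES = {
    "clean": FlaggedFile("user32.dll", ORIGINAL, vendor_sign(ORIGINAL)),
    "patched": FlaggedFile("user32.dll", PATCHED, vendor_sign(PATCHED)),
    # Modified on disk, still carrying the signature of the original content.
    "infected": FlaggedFile("user32.dll", INFECTED, vendor_sign(ORIGINAL)),
}

NAME_ALLOWLIST = {"user32.dll"}
# Hash list as shipped with the definitions, built before the vendor update.
HASH_ALLOWLIST = {hashlib.sha256(ORIGINAL).hexdigest()}
BOOT_CRITICAL = {"user32.dll"}

Policy = Callable[[FlaggedFile], str]


def by_name(f: FlaggedFile) -> str:
    return "ignore" if f.name in NAME_ALLOWLIST else "quarantine"


def by_hash(f: FlaggedFile) -> str:
    digest = hashlib.sha256(f.data).hexdigest()
    return "ignore" if digest in HASH_ALLOWLIST else "quarantine"


def by_signature(f: FlaggedFile) -> str:
    return "ignore" if signature_valid(f) else "quarantine"


def with_greylist(policy: Policy) -> Policy:
    """Never auto-quarantine a boot-critical file; hand the decision to the user."""
    def wrapped(f: FlaggedFile) -> str:
        verdict = policy(f)
        if verdict == "quarantine" and f.name in BOOT_CRITICAL:
            return "ask_user"
        return verdict
    return wrapped


def run(policy: Policy) -> Dict[str, str]:
    return {label: policy(f) for label, f in SAMPLES.items()}


if __name__ == "__main__":
    for title, policy in [("filename list", by_name), ("hash list", by_hash),
                          ("signature", by_signature),
                          ("signature + greylist", with_greylist(by_signature))]:
        print(f"{title:22} {run(policy)}")
```

The filename list ignores the modified file, the hash list quarantines the legitimately updated one, and the signature check separates the two; the greylist wrapper turns the remaining quarantine of a boot-critical file into a prompt.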

  47. Trev 2

    Would be nice if it asked

    Wouldn't have been so bad if it didn't just quarantine the files but said I think this is infected, do you want to deal with it. First I knew was when the 2 office computers came up with a Windows service pack 3 message within a few mins of each other (guess they'd just updated).

    To make matters worse, it zaps the files into quarantine then when you recover them, it zaps them again within seconds! Not done anything bad for all the years we've used it, but there are a few things they and other AV products need to think about.

  48. Anonymous Coward
    Anonymous Coward

    Re: Is this the first...

    Probably not - I've certainly heard your line often enough before. Try to come up with something new, gimps - you're not witty after the first two hundred times, nor in fact long before that.

  49. Bruce Ordway

    Who or what is CA?

    Computer Associates? I still use some of their tape backup software. They are the most difficult company I ever had to deal with. Product is poor, tech support almost non-existent. Trying to get a live person on the phone is a nightmare. I would never, ever use anything of theirs again...

  50. Rob Moss 1
    Flame

    Another quality CA product

    It just goes to show, that you should never under any circumstances use any CA software in a production environment :-)

  51. ZenCoder

    Solution for these situations ..

    Repartition your hard drive to separate your installed software and your documents.

    Move the Desktop, My Documents folder .... to the documents partition.

    Get an External Hard Drive.

    Use a partition level backup utility to backup your software partition.

    Use sync software to backup your documents.

    The other day .. Windows XP went nuts on me in the middle of a project. I could try to fix it but instead I popped in a boot cd, started a restoration from the backup I did a few days prior and made some lunch.

    On my Mac I use Time Machine.

    Seriously if your computer is the least bit important ... learn to do some basic backup procedures or slip a geeky friend some money to set it up for you.

    All the necessary software is free.

  52. Ken Hagan Gold badge

    @Chris C

    Your example *could* happen again, but unless the rogue certificate was then used by the Microsoft OS team to sign executables, it wouldn't matter. It would (and presumably did) allow someone to release an EXE that said "I'm from MS". It would not allow one to fake the particular certificate used by the OS team to sign kernel code.
