HAHA
I'm really surprised this has affected anyone, with McAfee's record on this sort of thing it's amazing they have any customers left.
A rogue security definition update to anti-virus software from CA hobbled Windows systems earlier this week, sparking howls of protests from users. The update, issued on Wednesday, falsely labeled important Windows system files as potentially malign, dispatching them into quarantine. The action prevents Windows XP systems from …
So this makes CA, McAfee, Symantec, AVG, and Kaspersky. Any others I've forgotten? Are these some bizarre-configuration WinXP installations or foreign-language versions? I have to ask because it seems illogical that these big-name, big-money AV firms would fail to test their definitions on common configurations. Of course, sometimes truth is stranger than fiction...
And just once, can the MS haters please refrain from the typical "Well, that proves [Window$ / Winderz / Winblows] is [malware / virus], ha ha ha" comments? They're really not amusing anymore.
Boot the system off a Linux live CD (or USB drive).
Copy all your important data files/documents to a USB drive or network share.
Remove the anti-virus software.
Rename back the affected system files.
Reboot.
Discover your hard-drive is encrypted and you cannot do steps 2, 3 and 4.
Some people have computers with the OS preinstalled, and no way to recover from problems like this except by wiping their hard drive, unless they've set up the system to boot into a menu that includes Recovery Console beforehand, either because their recovery CD just has an image, or they don't even have such a thing. This sort of thing should be taken very seriously.
"And just once, can the MS haters please refrain from the typical "Well, that proves [Window$ / Winderz / Winblows] is [malware / virus], ha ha ha" comments?"
No. BWAHAHAHAHAHAHAHAAA!
Sorry, you asked for it. Hihihi. Haha. HahahahaHAAAAAhahaha. Cough. Hihihi.
[boot note: bad timing - it's Friday]
[windows boot note: ....]
Seems the lowest common denominator is Windows.
Why can't Windows protect its own critical files from this sort of buggery? I mean, come on, how hard is it to harden critical system files so that pesky virus/trojan/worm buggers can't bugger those files up?
Last week was McAfee's turn. I think Symantec might be in for a spell of angry users sometimes soon...
bleugh + two sugars
I'm also a Mac user, a Linux user and a Windows user, however more than that I'm an application user, I don't really see the difference in which OS my apps sit upon.
I'll tell you what though, when OSX gets as popular as you would like it to be, my anti-virus will protect me, you on the other hand will be well fucked. :D
Yet another Windows and AV failure? Hmm, either MS is behind this (to force folks to move to Vista/Win7) or - more amusingly - someone from the Linux community (I was tempted to say Mac there - but I'm sure they're far too busy preening about how marvellous their boxes look). Hence the icon.
@Who or what is CA? - Computer Associates, a company responsible for more overtime for me than any other. Although, I've got to admit (grudgingly) that the AV software is less crap than the other digital horrors they've unleashed on the world.
@HAHA "I'm really surprised this has affected anyone, with McAfee's record on this sort of thing it's amazing they have any customers left.". Erm, that's because this was Computer Associates this time, not McAfee - you might want to try actually _reading_ the article before going foaming off at the mouth (or whatever orifice is used).
By the way, is "Cygwin" a commercial application? Seriously, I've only ever used the free (OSS) version and wasn't aware that it'd gone payware, especially as I just checked the website and there's no mention of payment except for the optional PayPal donate.
Maybe I should back up my XP installs before my ZoneAlarm AV install catches this file-deleting behaviour...
It wasn't an antivirus update that bricked one of my test laptops with encryption, it was a bad .Net update. 3 days later I was able to get the update corrected but it takes a while to decrypt a nice-sized hard drive. But at least I know how to do it and the company has also made a non-.Net version.
QUOTE: Why can't Windows protect its own critical files from this sort of buggery? I mean, come on, how hard is it to harden critical system files so that pesky virus/trojan/worm buggers can't bugger those files up?
---
I have to agree, if they are critical how can an antivirus just pluck them out and rename them? If I can't delete a simple text file because it's locked by the system, how hard can it be with these?
Notice that this only impacts XP....
Vista and Win7 do exactly as you say and self-repair core system files. However as a portion of the OSS fanatics have been shouting about how poor Vista is (which I contest) there's an awful lot of machines that have Vista licences (and thus would be immune) but are running XP.
Same as the ActiveX vuln of late. Vista and Win7 aren't exploitable due to security improvements.
Just last week my AV (Comodo) disabled an internet game I sometimes play, requiring the AV to be disabled to regain functionality - as well as taking a few hours to research and pin down the exact cause, including wiping, re-downloading (several gigs) and re-installing the software in question.
It also flagged several files I knew to be safe.
When your Antivirus causes more problems than a virus ever has, something is seriously fucked with the system.
"Forgive an ignorant penguinista, but don't these anti virus programs have a list of files not to wipe out, and digital signatures for them to spot when they have been modified?"
Er, no. It would, of course, be pretty simple to auto-generate such a whitelist by checking for the signature that Microsoft's OS team use for their own code but I imagine they have religious objections to that.
(That's "ha ha only serious", by the way. When MS threatened to close off the Windows kernel to anything that didn't bear the WHQL sig of approval (a different sig, but the principle is there) all the AV vendors saw their business model fly out the window and cried "foul".)
I'm not saying MS is virus-free on campus, or that they never ship buggy code, but the only case I know of where MS actually *issued* a virus within their own code was when an early version of Microsoft WORD came with the very first macro virus on one of the samples. That was about two decades ago. In any case, there are no viruses that can infect an executable file and preserve its digital signature. We can be quite certain of that, because such a beast would be a quite stonking breakthrough in cryptanalysis, we'd all have heard about it, and the AV product would be the first target in any case so frankly it is game over for the AV industry.
Therefore, if your AV product flags up a positive on a properly signed core system file, it *is* a false positive. No buts. If you quarantine it, you risk bricking the system of every customer you have. Only a complete moron would quarantine such a file, or an AV vendor. But (apparently) I repeat myself.
Earlier this year I scrapped CA ISS off of my mother's system because it would randomly restart(!) the system when downloading updates or scanning. She got tired of it after it restarted her machine three times in under six hours. CA tech non-support was of zero help; they were convinced that the problem had to be a conflict with something else, and nothing would convince them otherwise.
That machine now has AVG installed.
If this had happened before I replaced CA with AVG I would have been Very Annoyed(tm). On the other hand, if this had happened before I replaced CA with AVG, my mother would now have a Mac and that would be one less WinBox I have to worry about.
You're terminated, CA.
I recently got a Toshiba laptop, running Vista. I guess that I was spoiled by past experience; I never expected that anyone would ship a computer WITHOUT AN ACTUAL, LIVE, REAL, SYSTEM DISC. Toshiba did. I have since found out that Apple is, as usual, an exception to the rule in that they ship system discs with all their Macs and go so far as to state clearly, in the paper docs, in the read-me, in the first-run installer, and on their site, how to use that system disc in the event of a problem.
I screamed bloody murder to Toshiba. They shipped me _two_ system discs.
On some other systems (HP, I'm thinking of YOU) the vendor doesn't ship a system disc, but does have a recovery partition and has instructions on how to use that partition to restore the system to factory condition either directly or by burning your own system disc or both.
Anyone who runs a modern computer system and doesn't have access to the system discs, containing the OS (whichever OS he's using) and the drivers and the basic application set deserves what is going to happen to him.
CA = California = a broken, over-bloated operating system with an installed base of about 37,000,000 .. Spanish language version very popular ..
CA anti-virus though, = ca.com or "ca transforming IT management" .. they have "solutions" .. the tone of the site reminds me of Computer Associates, but surely that PoS-FUBAR company must have failed years ago
@Chris C .. please .. in 8-9 years using AVG free it's never destroyed or quarantined a critical sys file, and requires user action to quarantine ... only false positive I recall was free clickteam installer maybe 7 years ago .. not been infected since using it
point is well made, however, that all these products should include a whitelist of sorts that prevent critical OS files from being removed
Where I work we sell CA exclusively. I had to fix a customer's machine last night and the system had to be reinstalled because CA bricked its audio playback and even after 'restoring' the files the system was still unstable as hell.
What I don't understand is this: in the last 2.5 years my desktop has had Vista on it, I have had it sitting in the DMZ on my router and I have never had AV, firewall or any software for that on my system and I have yet to get a virus. Why? COMMON SENSE.
Well, time to call into work because I REALLY do not want to deal with this BS all day.
AV software is a straight up FAIL nowadays.
Whitelists can be dangerous, and I don't think they're suitable here. A simple list of filenames is an obvious failure; once a virus infects one of those files, it will never be detected or removed. Using file hashes or signatures is better, but if they're included with the virus definitions it will break on Patch Tuesday, and signatures on disk could be compromised by a clever virus.
What would be useful is a 'greylist' of the critical files necessary to at least boot into safe mode. They will still be scanned, but much more care used when cleaning/removing them. For example, display a warning that it may damage the OS, and suggest having a system disc at hand before making changes to those files. Maybe even recommend turning off disk encryption temporarily, just in case. This wouldn't prevent false positives, but it would avoid bricking computers automatically and might make recovery a bit easier.
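The 'greylist' idea in the post above, written out as an added PowerShell example (this is not code from CA, AVG or any other product discussed in the thread). The list of boot-critical files is a constructed subset for Windows XP, and `Test-BootCritical` and `Get-QuarantineDecision` are names made up for this example, not a real engine's API; a scanner would call something like the second function before acting on a hit.

```powershell
# Added example: a 'greylist' check an AV engine could run before quarantining
# a detected file. Boot-critical files are still scanned, but a hit on one of
# them is downgraded from automatic quarantine to a prompt with a warning.
# File list and function names are constructed for this example.

# Files a Windows XP system needs to reach at least Safe Mode (constructed
# subset; a real product would maintain this per OS version).
$BootCriticalFiles = @(
    'ntoskrnl.exe', 'hal.dll', 'ntdll.dll', 'kernel32.dll', 'user32.dll',
    'smss.exe', 'csrss.exe', 'winlogon.exe', 'services.exe', 'lsass.exe'
)

function Test-BootCritical {
    param([Parameter(Mandatory=$true)][string]$Path)
    $name = [System.IO.Path]::GetFileName($Path).ToLowerInvariant()
    # Only the copy under %SystemRoot% is boot-critical; a same-named file
    # dropped into a temp folder is exactly what should be quarantined.
    $inSystemDir = $Path.ToLowerInvariant().StartsWith($env:SystemRoot.ToLowerInvariant())
    return ($inSystemDir -and ($BootCriticalFiles -contains $name))
}

function Get-QuarantineDecision {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string]$Detection,
        [switch]$DiskEncrypted   # caller sets this if full-disk encryption is active
    )
    if (-not (Test-BootCritical -Path $Path)) {
        return New-Object PSObject -Property @{ Path = $Path; Action = 'Quarantine'; Warning = $null }
    }
    $warning = "'$Detection' was reported on $Path, which Windows needs in order to boot. " +
               'Quarantining it may leave the system unbootable; have a system disc at hand before proceeding.'
    if ($DiskEncrypted) {
        $warning += ' This disk is encrypted, so offline recovery tools (a live CD, Recovery Console) ' +
                    'will not be able to put the file back; consider suspending encryption first.'
    }
    return New-Object PSObject -Property @{ Path = $Path; Action = 'PromptUser'; Warning = $warning }
}

# Constructed detections standing in for a scanner's output: one hit on a
# core system file (the user32.dll false positive from the AVG incident) and
# one on a file in a temp folder.
$hits = @(
    @{ Path = "$env:SystemRoot\system32\user32.dll"; Detection = 'Trojan.Banker' },
    @{ Path = "$env:TEMP\setup.exe";                  Detection = 'Generic.Downloader' }
)
foreach ($h in $hits) {
    $d = Get-QuarantineDecision -Path $h.Path -Detection $h.Detection -DiskEncrypted
    '{0,-12} {1}' -f $d.Action, $d.Path
    if ($d.Warning) { "    $($d.Warning)" }
}
```

Run as-is it prints `PromptUser` with the warning for the user32.dll hit and `Quarantine` for the temp-folder file. The point of the ordering is that a greylist hit never results in a silent action: the scan still happens and the detection is still reported, but the destructive step waits for a human who has been told what is at stake.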
@ Ken Hagan -- re: Re: White list?
"Er, no. It would, of course, be pretty simple to auto-generate such a whitelist by checking for the signature that Microsoft's OS team use for their own code but I imagine they have religious objections to that."
Actually, assuming that all files signed by Microsoft are "safe" is an EXTREMELY BAD IDEA. It's one of those that sounds good on the surface, but breaks horribly when put into practice. Here's an example why:
http://www.theregister.co.uk/2001/03/23/microsoft_vexed_by_falsified_certs/
Excerpt: "Microsoft is scrambling to revoke two digital certificates that were issued last January by California-based VeriSign to a scam artist posing as a Microsoft employee. ... On 30 and 31 January [2001], someone posing as a Microsoft employee persuaded VeriSign, the largest US certificate authority, to issue two certificates under Microsoft's name."
Sure, it's from 2001, but don't for a minute assume it couldn't happen again.
------------------------------------------------------------
@ flybert re: @ AC ?CA?
"@Chris C .. please .. in 8-9 years using AVG free it's never destroyed or quarentined a critical sys file, and requires user action to quarentine ... only false positive I recall was free clickteam installer maybe 7 years ago .. not been infected since using it"
You obviously missed the news this past November:
http://www.theregister.co.uk/2008/11/11/avg_false_positive/
Excerpt: "Some users of AVG were left with unusable Windows systems after the popular AVG security scanner software slapped a Trojan warning on a core Windows component. AVG tagged user32.dll as a banking Trojan following a signature update issued on Sunday, advising users to delete the "harmful file". Users following this advice would be left with systems that either failed to boot or went into a continuous reboot cycle, according to dispatches from those hit by the glitch. Users of both AVG 7.5 and 8 (free and full fat editions) were hit by the snafu. AVG has admitted the problem and responded by posting advice on how to recover affected systems."
Also, I'm nearly positive AVG can be configured to automatically "heal" infected files. Don't get me wrong, AVG (prior to 8.0) was the best of the AV apps I've seen or used. But like the rest, they're not immune to false-positives.
"... and signatures on disk could be compromised by a clever virus."
Er, no they can't. That's the point. The security of all e-commerce, large amounts of military command and control, and just about every piece of IT infrastructure on the internet rests pretty much on the fact that one *cannot* modify a message (or executable file) and make a corresponding mod to the signature such that it still appears to be correctly signed by the original author. If there are viruses out there that can do this then I think we'd have heard, although I accept that perhaps it might have been drowned out by the crash of the sky falling in.
You are correct that an actual whitelist of filenames is a silly idea and a whitelist of file hashes would be out of date before it got into circulation, but "whitelisting" (in the colloquial rather than literal sense) based on signatures is a simple and foolproof technique. AV vendors who do not implement this are negligent. They should be named and shamed, and every review of their software should make a big point about how rubbish they are and how no-one in their right mind should risk using the product. It's that simple.
Then again, *customers* who install AV software without this protection are even more negligent. The AV vendor can hide behind their "buyer beware" EULA. What's the sys-admin's excuse? ("Hey Boss, sorry the entire company's down this morning but I installed some software with root privileges that is remotely updated by a third party and it just bricked everyone's machine. Er, no, it doesn't have any safeguards against this kind of thing. We just hoped it wouldn't happen. Er no, we can't sue them because I signed off on their EULA. Er no, our competitors are probably still running because they'll have paid their dues to the AV company and are therefore running the same version of the engine that the AV company tests against. Er no, I haven't got another job to go to, or a lawyer.")
Wouldn't have been so bad if it didn't just quarantine the files but said "I think this is infected, do you want to deal with it?". First I knew was when the 2 office computers came up with a Windows Service Pack 3 message within a few mins of each other (guess they'd just updated).
To make matters worse, it zaps the files into quarantine then when you recover them, it zaps them again within seconds! Not done anything bad for all the years we've used it, but there are a few things they and other AV products need to think about.
Computer Associates? I still use some of their tape backup software. They are the most difficult company I ever had to deal with. Product is poor, tech support almost non-existent. Trying to get a live person on the phone is a nightmare. I would never, ever use anything of theirs again...
Repartition your hard drive to separate your installed software and your documents.
Move the Desktop, My Documents folder .... to the documents partition.
Get an External Hard Drive.
Use a partition level backup utility to backup your software partition.
Use sync software to backup your documents.
The other day .. Windows XP went nuts on me in the middle of a project. I could try to fix it but instead I popped in a boot cd, started a restoration from the backup I did a few days prior and made some lunch.
On my Mac I use Time Machine.
Seriously if your computer is the least bit important ... learn to do some basic backup procedures or slip a geeky friend some money to set it up for you.
All the necessary software is free.
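The document-backup step of the procedure above, as an added PowerShell example using robocopy (shipped with Vista and later, and available for XP from the Resource Kit); this is not code from the poster. The destination drive letter, the log path and the two function names are assumptions for the example.

```powershell
# Added example: mirror a documents folder to an external drive with robocopy,
# then do a list-only second pass to confirm nothing was left behind (for
# instance a file that was locked while the first pass ran).
# Drive letter, log path and function names are assumptions for this example.

$Source      = "$env:USERPROFILE\Documents"   # on XP: "$env:USERPROFILE\My Documents"
$Destination = 'E:\Backup\Documents'          # assumed external drive
$LogFile     = 'E:\Backup\documents-backup.log'

function Backup-Documents {
    param([string]$From, [string]$To, [string]$Log)
    # /MIR mirrors the tree (copies new/changed files and deletes files removed
    # at the source); /XJ skips junction points so the copy does not loop;
    # /R and /W stop a locked file from stalling the run; /NP drops progress.
    & robocopy $From $To /MIR /XJ /R:1 /W:1 /NP /LOG+:$Log | Out-Null
    $code = $LASTEXITCODE
    # robocopy exit codes below 8 are success variants (0 nothing to do,
    # 1 files copied, 2/4 extras or mismatches noted); 8 and above mean at
    # least one file failed to copy.
    return ($code -lt 8)
}

function Test-BackupComplete {
    param([string]$From, [string]$To)
    # /L lists what a mirror would do without doing it; any 'New File',
    # 'Newer' or '*EXTRA File' line means the destination still differs.
    $pending = & robocopy $From $To /MIR /XJ /L /NJH /NJS /NDL /NP |
        Where-Object { $_ -match '^\s+(New File|Newer|\*EXTRA File)' }
    return (@($pending).Count -eq 0)
}

if (Backup-Documents -From $Source -To $Destination -Log $LogFile) {
    if (Test-BackupComplete -From $Source -To $Destination) {
        "Backup of $Source to $Destination is complete."
    } else {
        "Backup ran but some files are still pending; see $LogFile."
    }
} else {
    "Backup failed (robocopy exit code $LASTEXITCODE); see $LogFile."
}
```

Because `/MIR` deletes files at the destination that no longer exist at the source, point it only at a folder dedicated to this backup. The second pass is what turns "I ran a backup" into "the backup matches", which is the state you want before an AV update or a bad patch forces a restore.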
Your example *could* happen again, but unless the rogue certificate was then used by the Microsoft OS team to sign executables, it wouldn't matter. It would (and presumably did) allow someone to release an EXE that said "I'm from MS". It would not allow one to fake the particular certificate used by the OS team to sign kernel code.
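The distinction drawn in the last two posts (a certificate that merely says "Microsoft" versus the particular chain the OS team signs with) can be checked directly. Below is an added PowerShell example, not code from any AV vendor, that verifies a flagged file's Authenticode signature and pins the root of the signer's chain instead of trusting the subject name. The thumbprint in `$PinnedRootThumbprints` is a placeholder and `Test-PinnedSignature` is a name invented for this example.

```powershell
# Added example (not from any AV product): decide whether a flagged file is a
# genuinely signed OS binary by checking its Authenticode signature and
# pinning the ROOT of the signer's chain. A certificate whose subject merely
# says "Microsoft" (as in the 2001 VeriSign mis-issuance) chains to a
# different root and is therefore not trusted here.

# Placeholder, not a real thumbprint: replace with the thumbprint(s) of the
# root CA(s) whose code-signing chain you trust for OS files.
$PinnedRootThumbprints = @('PLACEHOLDER_ROOT_CA_THUMBPRINT')

function Test-PinnedSignature {
    param([Parameter(Mandatory=$true)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = New-Object PSObject -Property @{
        Path    = $Path
        Status  = [string]$sig.Status
        Subject = $null
        Root    = $null
        Trusted = $false
        Reason  = ''
    }

    # Anything other than Valid (NotSigned, HashMismatch, UnknownError ...)
    # means the detection cannot be dismissed as a false positive.
    if ($sig.Status -ne 'Valid') {
        $result.Reason = "signature status $($sig.Status): do not treat the detection as a false positive"
        return $result
    }
    $result.Subject = $sig.SignerCertificate.Subject

    # Build the chain and look at the root, not at the leaf's subject string.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($sig.SignerCertificate)) {
        $result.Reason = 'certificate chain does not build to a trusted root'
        return $result
    }
    $rootIndex = $chain.ChainElements.Count - 1
    $result.Root = $chain.ChainElements[$rootIndex].Certificate.Thumbprint

    if ($PinnedRootThumbprints -contains $result.Root) {
        $result.Trusted = $true
        $result.Reason  = 'valid signature chaining to a pinned root: a scanner hit on this file is a false positive'
    } else {
        $result.Reason  = "valid signature, but root $($result.Root) is not pinned; subject '$($result.Subject)' alone proves nothing"
    }
    return $result
}

# Usage: run it against the file a scanner has flagged.
Test-PinnedSignature -Path "$env:SystemRoot\system32\user32.dll" |
    Format-List Path, Status, Subject, Root, Trusted, Reason
```

One caveat a practitioner should know before relying on this: many files under system32 are signed through a security catalog rather than carrying an embedded signature. Newer Windows versions consult the catalog when `Get-AuthenticodeSignature` runs, but older ones, XP included, report such files as `NotSigned`; on those systems confirm with the catalog or with sigverif.exe before concluding a file is unsigned. Until the trusted root is pinned with a real thumbprint the function will never return `Trusted = $true`, which is the safe default.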