
muppets
Seriously, who would use this software in a business?
Security software biz Avira has apologised after its antivirus suites went haywire and disabled customers' Windows machines. A service pack issued on Monday caused its ProActiv monitoring software to think vital operating system processes were riddled with malware and blocked them from running. Users of the affected products …
We do.
We went through a thorough testing procedure before settling on an AV solution, and Avira had the lowest performance hit of any solution. We were getting a performance boost in some situations of 20-40% on slower PCs over McAfee and Sophos.
It's been great from an Enterprise perspective. Their central management suite works a hell of a lot better than McAfee's EPO, and the agents are much more seamless to deploy than with Sophos (where the agent installs seemed to always find a different random deployment problem each time).
We were really happy until it bricked all our PCs on Tuesday. That can happen to anyone (it happened to McAfee not long ago). Thankfully, it was pretty easy to recover from in our situation, and we were back up and running within 20 minutes.
Anti-virus software uses heuristics which are defined on Wikipedia as "Examples of this method include using a rule of thumb, an educated guess, an intuitive judgment, or common sense."
Such an approach can be too sensitive: one mistake and it will pick up lots of things.
So they obviously:
1) Don't test their updates against a single Windows PC before sending them out.
2) Don't have a whitelist of known-good checksums of critically important, unchanging and pretty prevalent Windows system files.
3) Don't have a way to safely undo mistakes.
4) Don't put out an update that only touches the minimum of what it needs and lets USERS flag stuff as bad or not because it knows better.
and Windows, apparently, doesn't have a way of stopping programs from bricking the operating system by deleting critical files. Nice to know. (And, no, I don't care if you ARE an administrator user or not - you shouldn't be able to do this programmatically without at least warning the user first!)
It's a counter-intuitive rule, that one, but one we learn all the same. Perhaps people registering with El Reg could also be directed to a 'there, their, they're' lesson, and prove that they can disable their caps-lock key, too. It would get rid of one regular troll, at least....
Actually, I rather like the big dumb guy. Obviously I found him annoying the first day he arrived, but as soon as it became obvious that he was just trolling on every post it was rather fun to see how many people he could get each time.
A lot like amanfrommars, in fact. Maybe they are the same guy?
"and Windows, apparently, doesn't have a way of stopping programs from bricking the operating system by deleting critical files."
If it's done by a process with significant privileges, very few operating systems do out of the box. To be functional an antivirus program is going to need those significant privileges.
So to be fair, that bit isn't really a Windows issue.
Being able to delete critical files as a standard user ... that's a different matter.
They obviously also:
5) Don't understand digital signatures.
Let's assume your crapware has just flagged a Microsoft-signed file as a virus. What now?
If you believe that the black hats have got their paws on the private keys used to sign Windows itself, you should just give up. You cannot protect a system if the bad guys wrote it.
If, on the other hand, you believe the signature is valid, that means the file is supposed to exist and its contents are exactly as Microsoft intended them to be. What do you think is going to happen when you delete it? Is it going to be a nice end-user experience? Is it going to be tomorrow's headline in the IT press?
Questions, questions...
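As an added example, an editor's illustration rather than code from Avira, Microsoft or anyone in this thread, here are the two checks that point 2 of the list above and point 5 in this reply call for, written in PowerShell: a known-good SHA-256 baseline consulted before a heuristic detection is acted on, and an Authenticode check that only vouches for signed OS binaries. The baseline file location is an assumption.

```powershell
# Added example for this thread (editor's illustration; not code from Avira,
# Microsoft, or any poster). Two checks a behavioural blocker can run before it
# acts on a detection against a process image:
#   1. is the file's SHA-256 in a known-good baseline taken from a clean build?
#   2. does it carry a valid Authenticode signature as an OS binary?
# The baseline path below is an assumption; adjust for your environment.

$BaselinePath = 'C:\ProgramData\AVBaseline\system32-sha256.csv'   # assumed location

function New-KnownGoodBaseline {
    # Run once on a clean reference machine at the current patch level.
    # Windows Update changes these binaries, so re-baseline after patching.
    param(
        [string]$Directory = "$env:SystemRoot\System32",
        [string]$OutFile   = $BaselinePath
    )
    New-Item -ItemType Directory -Force -Path (Split-Path -Parent $OutFile) | Out-Null
    Get-ChildItem -LiteralPath $Directory -File |
        Where-Object { $_.Extension -in '.exe', '.dll', '.sys' } |
        Get-FileHash -Algorithm SHA256 |
        Select-Object Path, Hash |
        Export-Csv -LiteralPath $OutFile -NoTypeInformation
}

function Import-KnownGoodBaseline {
    # Load the CSV into a hashtable keyed by hash so lookups are O(1) at detection time.
    param([string]$Path = $BaselinePath)
    $set = @{}
    Import-Csv -LiteralPath $Path | ForEach-Object { $set[$_.Hash] = $_.Path }
    return $set
}

function Test-ShouldBlock {
    # Returns $true only when neither the baseline nor the OS signature vouches
    # for the file. Callers should log the detection either way.
    param(
        [Parameter(Mandatory)][string]$Path,
        [hashtable]$KnownGood = (Import-KnownGoodBaseline)
    )
    $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $Path).Hash
    if ($KnownGood.ContainsKey($hash)) {
        Write-Verbose "$Path matches the known-good baseline; not blocking"
        return $false
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    # Most Windows system files are catalog-signed rather than carrying an embedded
    # signature. Windows 8 / PowerShell 4 and later resolve catalog signatures and set
    # IsOSBinary; older systems report NotSigned for them, so NotSigned means
    # "unknown", not "hostile". Requiring IsOSBinary (not just Status -eq Valid)
    # avoids treating any validly signed third-party binary as trusted.
    if ($sig.Status -eq 'Valid' -and $sig.IsOSBinary) {
        Write-Verbose "$Path is a validly signed OS binary; not blocking"
        return $false
    }

    return $true
}

# Usage: build the baseline on a clean reference image, then consult it whenever
# a heuristic fires on a process image.
# New-KnownGoodBaseline
# $baseline = Import-KnownGoodBaseline
# Test-ShouldBlock -Path "$env:SystemRoot\System32\svchost.exe" -KnownGood $baseline -Verbose
```

Two caveats a practitioner would add: the baseline is only as clean as the machine it was taken from and it drifts with every cumulative update, so it has to be rebuilt per Windows build rather than treated as a fixed list of "unchanging" files; and a valid Authenticode signature on its own proves who signed the file, not that the file is benign, which is why the check insists on IsOSBinary instead of accepting any signer.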
I agree that most operating systems don't. But that's no excuse if you're supposed to be making a "world-beating" operating system that's focused on security - because there's no barrier to making it work properly at all.
And MS is supposed to have their "system protection", etc. How hard is it, precisely, to prevent certain files being deleted without being in a "system maintenance mode", or requiring an actual human's permission to do so (that was the whole POINT of the annoying UAC, wasn't it?).
I'm really waiting for the day where your computer can be in either "usage" or a minimal "maintenance" mode and only in maintenance mode can you do updates, change bootloaders, play with critical files, etc. and only in usage mode can you log in as other users, browse the web, move files around, execute programs etc. And having NO PROGRAMMATIC WAY to switch between the two modes at all, and not have any processes survive the transition.
We have a sort of fake pseudo mentality that almost does this ("no running as root normally", "safe mode", etc.) but they never quite cover that the two modes of operation are distinctly different beasts.
"I'm really waiting for the day where your computer can be in either "usage" or a minimal "maintenance" mode and only in maintenance mode can you do updates, change bootloaders, play with critical files, etc"
If you want something like that try using a Linux/BSD variant setup to mount /sbin, /etc, /usr/sbin, and others as read only when in "usage" mode and read/write when in "maintenance" mode.
Or for added security you could use a device with a physical read-only switch for the drive/partition that holds those core parts. For standard user "usage" you only need write access to /home, /var, and a couple of others. It's been a while, but I'm sure a quick google will confirm what can be mounted read only.
Used to run a firewall off of an old P1 with Debian running off of a CD but with /var mounted on a drive.
> And MS is supposed to have their "system protection", etc..
Yes, but you granted your A/V suite system level privilege when you installed it, precisely so it could clean up infected system files. That's what the UAC warning you got on installation was for.
ISTR that MS did want to restrict that level of access purely to the O/S itself, but the A/V vendors threatened legal action......
RE:"And MS is supposed to have their "system protection", etc.. How hard is it, precisely, to prevent certain files being deleted without being in a "system maintenance mode", or requiring an actual human's permission to do so (that was the whole POINT of the annoying UAC wasn't it?)."
1) I don't think a Windows service triggers a UAC prompt. If it did, it would break all sorts of Windows functions (including Windows update). It would be a similar situation if Unix required daemons to run under the restrictions imposed by sudo, or so I believe.
2) Requiring a user to switch an OS to a "maintenance mode" to update would be a good way of ensuring that a lot of users never update their OS. The likes of Microsoft, Apple and the various Linux vendors are having trouble ensuring people keep their OSes up to date with the mostly automatic systems in place now; how are they going to do that when people need to switch the OS to a different mode? In the meantime, bad guys would merely find a way around the protection without switching to a separate mode.
Nice if you read the article before posting.
3) It was possible to safely undo the mistake. By turning off the blocking. And for people who find that too difficult, it happened automatically when they brought out the update.
And, it didn't delete any files. It was just a part of a system which (brokenly) blocked suspicious behavior.
And, you think users should be allowed to delete critical system files just by answering 'yes' to a warning? Sheesh. Glad I don't support your OS.
semantics.
If my ONLY machine is a Windows machine, and I cannot use it to repair itself, then it is, to all intents and purposes, bricked. Now this scenario is unlikely in any commercial setting - ideally *someone* would have an unaffected machine, from which a BootCD could be burned, to help fix the other machines. However, to a lowly home user, especially a non-tech savvy one, then having their machine borked could be a big deal.
Quite a few one-man-band IT specialists have created their own Linux distro, which they leave with clients, who can boot from it in the event of a disaster. They establish an OpenVPN link back to the mothership, where remote jiggery-pokery can save the day.
I agree. The word "brick" has come to have a very specific meaning--crippling a device (by overwriting firmware) to the extent that it is permanently unusable or so that only the factory can repair it. We would have the same complaint if a headline said "Bin Laden dead" when he'd only gotten a flesh wound.
Don't use antivirus software and run the risk that every so often your machine will get cabbaged, causing you to spend time/effort to recover it to a working state....or....
...do use antivirus software and run the risk that every so often your machine will get cabbaged, causing you to spend time/effort to recover it to a working state
Have a system image created daily*. Boot from recovery media, go make a cup of coffee and look out of the window for a quarter hour...
*Have a virus scan run before the image creation, otherwise Windows Backup will refuse to create it, but only after getting most of the way through the process.
Some years ago we got hit by a nasty virus infestation opened by an innocent secretary. Until then I worked on the principle uttered by another in this forum that if you administered properly you didn't need anti-virus. The dam' thing had compromised our recent backups before it was detected, and generally caused mayhem. Since then, I have a prevention-is-better-than-cure approach, and if we have to sacrifice a little functionality for a lot of safety, so be it. I would say that since the ISPs can see mailouts to all their users they could do more to help.
MSE, doesn't sound like much protection according to this herbert. The only one he rates seems to be Kaspersky.
http://www.reddit.com/r/IAmA/comments/sq7cy/iama_a_malware_coder_and_botnet_operator_ama/
Run as a Windows user, remove unused applications, patch third party apps as well as Windows. Use Firefox with at least NoScript and Adblock Plus. That'll stop the drivebys.
Then you just have to make sure the Missus doesn't do something silly in Facebook like fall for the LilyJade, crossrider developed cross browser plugin ruse.
I used to have Avira AntiVir on my system a few years ago, back when I was playing World of Warcraft.
Then the fucking thing minimised WoW, while I was tanking in an instance thus causing a group wipe, merely to show me a fucking ADVERT to try to get me to "upgrade" to the paid version.
Needless to say, it was immediately uninstalled, and subsequently no Avira product has gone anywhere near any computer under my control since. Behaviour like that is as bad as the malware it purports to protect against.
I once went for a job interview and had a 'debate' with the interviewer on what made a decent antivirus solution. I said something that worked, and didn't much interrupt my day-to-day usage with ridiculous resource hogging (so basically anything but Norton/McAfee). He then argued 'if it's slowing your computer down, at least you know it's doing SOMETHING'.
Who was right? I didn't get the job in the end.... Probably for the best.
I find it a great way to virtualize ubuntu.
Anyway, it's the antivirus that caused the issue with Windows, whereas if you host Ubuntu in a virtual machine and use that for your web browsing, antivirus on Windows becomes a lot less important....
So it's previously managed to delete itself.
Now it's managed to delete the O/S.
Next week: "AVIRA DELETES TEH INTERNETS!!!111!!!!"
I've used Avira for years on several machines. Never had an OS go down, never had issues with it being a drag on resources, had it find a few nasties. Didn't cause either active machine any problems today either (home user). And if it had, given that reports have said recovery was relatively easy, I'd have said that was pretty reasonable, given how much it's given me for years, for free. I don't expect perfection, especially for free. If this issue applies to the paid version and to enterprise use, again, given performance over time and quality of response to the problem, honesty in quickly admitting the error and providing a solution would seem reasonable.
I make mistakes at work. It's the response to the mistakes that's important.
The main issue was with deployments out "in the field". Computers got the update, rebooted, then couldn't start up afterwards. Trying to talk users through booting into safe mode, then disabling the Proactiv module wasn't much fun at all.
I won't be dumping Avira, it's the least intrusive AV solution we've used, and we've tried quite a few. However, it was a pretty terrible couple of days talking marketing guys on the road through the process of fixing their PCs.
Isn't "bricked" supposed to mean "turned a piece of hardware into something no more useful than a brick"?
If you can fix it by sticking a DVD in or whatever, the machine is not "bricked." I think we should reserve the term for things like irreversible bad firmware flashes and the like. I did manage to completely brick a router once, that was good fun.