Malwarebytes declares Windows 'malicious', nukes 1,000s of PCs

A dodgy software update for virus-killer Malwarebytes disabled thousands of PCs before a fix was issued this week. Malwarebytes' database version v2013.04.15.12 erroneously flagged core Windows system files as malicious, resulting in unstable - and in some cases unbootable - machines. Windows system files were wrongly …

COMMENTS

This topic is closed for new posts.
  1. Graham Marsden
    Facepalm

    This is not rocket science...!

    How can any anti-virus company release an update without comprehensive testing on a range of machines with various generally expected software configurations to ensure that this sort of thing doesn't happen?

    1. Irongut

      Re: This is not rocket science...!

      Wow, in future they're going to do basic testing. WTF were they doing before?

    2. Anonymous Coward
      Meh

      Re: This is not rocket science...!

      "How can any anti-virus company release an update without comprehensive testing on a range of machines with various generally expected software configurations to ensure that this sort of thing doesn't happen?"

      If it's free, are you getting what you paid for? Quite seriously, if they aren't charging, is it reasonable to expect much in the way of testing (or development, or anything, really)? I'm a happy freetard, using a range of free software, but I accept that there's no redress.

      1. Shasta McNasty
        Facepalm

        Re: This is not rocket science...!

        It's free for personal use, but commercial users have to pay for it, so yes, I'd expect them to at least have tested that it doesn't go berserk once installed.

      2. Graham Marsden
        WTF?

        @Ledswinger - Re: This is not rocket science...!

        "Quite seriously, if they aren't charging, is it reasonable to expect much in the way of testing (or development, or anything, really)?"

        I would ask "Are you serious?" but you appear to be...!

        If someone is offering a product which is designed to protect your computer from software which may damage it, but which has been inadequately tested and so *causes* damage to your system, then they cannot simply disclaim liability for that failure by saying "well, it was free, so people shouldn't expect it to work properly"!

        More importantly, the idea of the "free product" is to get people to sign up for the paid product, so making such a monumental cock-up as this is liable to damage confidence in your business and mean they go to another, more reliable, supplier.

        1. Rick Giles
          Linux

          Re: @Ledswinger - This is not rocket science...!

          "designed to protect your computer from software which may damage it"

          Windows IS a virus.

          1. Fatman
            Linux

            Re: Windows IS a virus.

            And the only cure is a Linux live CD!!!

          2. davidp231
            Thumb Up

            Re: @Ledswinger - This is not rocket science...!

            Windows IS a virus.

            Wrong - viruses are small and efficient in what they do...

            Source: Linux fortune cookie.

      3. Rob
        FAIL

        Re: This is not rocket science...!

        Whether it's the paid version or free version both products will still be using the same definition database.

    3. This post has been deleted by a moderator

      1. Steve Knox
        Boffin

        Re: This is not rocket science...!

        Ah, Eadon, you never fail to disappoint.

        How can a Software company release an OS that is VULNERABLE TO VIRUSES in the first place?

        Because it's impossible to release an OS that is invulnerable to viruses?

        1. Anonymous Coward
          Anonymous Coward

          @Steve Knox - Re: This is not rocket science...!

          No, it's not impossible. Take z/OS for instance or Linux for IBM pSeries....

          You seem to be young but you must know there actually was computing before Facebook.

          1. Steve Knox
            Holmes

            Re: @Steve Knox - This is not rocket science...!

            @AC -- Neither z/OS nor Linux are invulnerable. There may be no known viruses targeting them now, but that is by no means the same thing.

            As for my age, I've written assembler code for the Z80 processor. That should give you some idea.

            1. eulampios

              @Steve Knox

              This is just an algebra of predicates. You hear the statement "Ted is an A Math and Physics student, while John can barely get a D". You're rushing with "Ted is not Einstein!" Yes it most probably is a true statement, however this won't change and doesn't contradict the fact that Ted is still a good student and John is a really poor one.

              1. Steve Knox
                Facepalm

                Re: @Steve Knox

                No, eulampios, I heard the question "How can a Software company release an OS that is VULNERABLE TO VIRUSES in the first place?" The implication is clearly that any vulnerability is unacceptable.

                So I stated that invulnerability is impossible.

                AC then provided examples of some very secure operating systems, specifically to refute the statement that invulnerability was impossible.

                So a better parallel to the preceding conversation would be:

                Eadon: "How can a sports program produce an athlete WHO CANNOT FLY in the first place?"

                Me: "Because it's physically impossible for humans to fly?"

                AC: "No, it's not impossible. Look at how high Javier Sotomayor and Stefka Kostadinova can jump!"

                Me: "Sure they can jump very high, but that's not flying."

                I don't believe that invulnerability should be the standard, because it's an absurd standard. That was my point.

                1. eulampios

                  Re: @Steve Knox

                  Okay, Steve, let me give you my own view on this (and not only mine, as I believe).

                  MS Windows originally, unlike the POSIX standards and Unix-like OSes, did get a failing grade for security in both code and system design. So, to cover this void, a whole AV industry had been created. MS have lately been partially improving their original amateur standpoint on this, not to the point where this industry would be totally redundant. AMOF, their code is getting more and more bloated and the Windows OS directory structure is still messy.

                  The point is not that a particular system or design is made impregnable, but that it is well-designed to minimize the risks, versus when it still relies on some extraneous database-based and empirical scanning tools.

            2. Anonymous Coward
              Anonymous Coward

              Re: @Steve Knox - This is not rocket science...!

              Can't speak with absolute certainty for Linux, but I can for z/OS. z/OS is immune to all known virus technologies, not just known viruses.

              Inside z/OS it's impossible for a virus to execute replication code, and because the OS won't execute EoP, DoS, spoofing or pivoting exploits (buffer overrun and similar are equally non-applicable) which in other systems may allow execution even when the Execute bit is set to Off, the operating system can effectively be considered to be immune.

              Enough major systems run on z/OS to make it an absolutely golden target for malicious software writers, so it's by no means security by obscurity.

              1. Steve Knox
                Boffin

                Re: @Steve Knox - This is not rocket science...!

                ...z/OS is immune to all known virus technologies...

                Agreed, but note the highlight.

                All we can ever do is ensure that the baddies have to be cleverer than we are.

          2. Tchou
            Pint

            Re: @Steve Knox - This is not rocket science...!

            @AC 19th April 20:09

            The only way for a modern OS to be invulnerable to viruses is to not run programs at all.

            Or... to have the OS loaded in ROM, like a computer from the 80's (in this case the OS is safe, but the virus still can damage YOUR files).

      2. Jamie Jones Silver badge
        Gimp

        @Eadon: Re: This is not rocket science...!

        "Here's another rhetorical question. How can a Software company release an OS that is VULNERABLE TO VIRUSES in the first place?"

        You forgot to end with:

        MS-RELEASE-VIRUS-VULNERABLE-OS FAIL

    4. This post has been deleted by its author

    5. Wzrd1

      Re: This is not rocket science...!

      I remember a handful of years ago, Symantec put out new definitions and any Windows system running in Chinese got whacked.

      It happens, it shouldn't happen, but it does. Insufficient testing or in this case, apparently, zero testing.

  2. Gordon Pryra

    Their response

    "Antivirus updates from Malwarebytes will now get tested on a virtual server before they are pushed out "

    Sweet Jesus........

    1. thesykes

      Re: Their response

      I had to read that a couple of times as I just could not believe it.

  3. Babbit55

    That explained why after running a Malwarebytes scan my pc got crippled and I had to do a system restore!

  4. Jon Green
    Facepalm

    So malwarebytes ends up as malware.

    Kinda ironic.

  5. Anonymous Coward
    Anonymous Coward

    I remember Norton doing that... a lot

    At uni had norton installed on my PC, suddenly "Virus detected, deleting infected file" okay fair enough "explorer.exe deleted" wait what?

    Computer dies and I cannot do anything anymore, had to copy explorer.exe over manually and replace it, only for norton to try pulling the same shit again.

  6. Anonymous Coward
    Anonymous Coward

    Cure worse than disease

    What's wrong with MS Security Essentials etc?

    Google: Symantec Sucks - start at bottom.

    1. Anonymous Coward
      Anonymous Coward

      Re: Cure worse than disease

      MSE is nice, but it's not effective enough. I tested it myself in a virtual environment several times on live malware links and it really could not detect a lot of ransomware from hijacking my virtual PC. The best combo that I found, after loads of extensive testing, was using PrivateFirewall together with Prevx/Webroot. Stopped EVERYTHING in its tracks, one way or another; nothing else did as effective a job, and no false positives that I can recall.

    2. toadwarrior

      Re: Cure worse than disease

      It rates as one of the worst at catching problems. What did you expect from a freebie that generates no revenue?

      1. Richard 12 Silver badge
        FAIL

        Re: Cure worse than disease

        Erm, MSE is the 'free for personal use' version of MS System Center 2012 Endpoint Protection.

        It's no different to the other 'free version of paid corporate' AV systems.

        As to whether it's any good - well, none of them are substitutes for good surfing practice.

    3. Anonymous Coward
      Anonymous Coward

      Re: Cure worse than disease

      "What's wrong with MS Security Essentials etc?"

      A user's PC came in recently with XP running slow. The installed MSE had not detected any problems - but an offline Norton scan found a "high risk" Trojan. After it had deleted it the XP ran smoothly again. The user is now going to use Norton.

      A few years ago a PC had the free AVG belatedly installed - which found over twenty infections. However, it still had obvious problems. A Norton scan found another twenty and fixed the problems.

      Norton obviously isn't perfect - but it does seem to work for my idiots user base.

      1. DragonLord

        Re: Cure worse than disease

        Unless something's changed in the last few years, the usual advice is that users should be running 2 or 3 different AV programs as none of them catch everything.

  7. Graham 24
    WTF?

    Not even signed

    Four of the files included in the download are not even digitally signed.

    An anti-malware firm wants me to download and run unsigned executables? That's what I call setting a good example!

    (Yes, I realise that just 'cos it's signed, doesn't mean it isn't malicious, but it's a good start).

    1. This post has been deleted by its author

    2. Anonymous Coward
      Anonymous Coward

      Re: Not even signed

      Well spotted, I also noticed the same issue last year. I kicked up a big fuss about it with them, but they were arrogant and in my opinion dumb. They may be smart script kiddies, but they are ignoring the fundamentals.

      I eventually replaced their software as both an on-demand or realtime extra layer and got Hitman Pro on-demand, run nightly, takes only 2-3 mins, and which uses about half a dozen other AV vendor databases. It's a great concept, although it did quarantine one false positive on one occasion; thankfully it did not delete this digitally signed MS file which one of their vendor databases flagged as malware.

      No vendor is perfect, you just need to always ensure you have regular image backups....which reminds me, ahem!

    3. Ken Hagan Gold badge
      Facepalm

      Re: Not even signed

      Why does this not surprise me? Ah yes, if they knew about digital signatures, they would understand the wisdom of white-listing anything signed by the Windows kernel team.

      These idiots are now the umpteenth AV firm to destroy installations by allowing their "advanced heuristics" to trump the mathematical near-certainties of a digital signature. It's getting beyond a joke. This is not an unfortunate mistake. This is a fundamental design flaw. This is *negligence*.
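    The check Graham 24 and Ken Hagan are arguing for (is this file signed, and is the signer Microsoft?) is a one-liner on Windows. The script below is an added example, not code from either commenter or from Malwarebytes: it walks a directory, reports each executable's Authenticode status and signer, and separates valid Microsoft-signed files from unsigned or broken ones. The directory path and the list of trusted subject prefixes are assumptions to be replaced with your own.

    ```powershell
    # Added example, not from the original thread.
    # Report the Authenticode signature status of every executable under $Path and
    # flag which ones carry a valid Microsoft signature. The default path and the
    # trusted-subject prefixes are placeholders (assumptions), not real values.
    param(
        [string]$Path = "$env:TEMP\download-to-check",
        [string[]]$TrustedSubjects = @('CN=Microsoft Windows', 'CN=Microsoft Corporation')
    )

    function Get-SignatureReport {
        param([string]$Root, [string[]]$Trusted)

        Get-ChildItem -Path $Root -Recurse -File -Include *.exe, *.dll, *.sys |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

                # Only a Valid status (chain builds to a trusted root, hash matches)
                # plus a subject we recognise counts as "Microsoft-signed".
                $isMicrosoft = $false
                if ($sig.Status -eq 'Valid') {
                    foreach ($prefix in $Trusted) {
                        if ($subject -like "$prefix*") { $isMicrosoft = $true; break }
                    }
                }

                [pscustomobject]@{
                    File            = $_.FullName
                    Status          = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, ...
                    Subject         = $subject
                    MicrosoftSigned = $isMicrosoft
                }
            }
    }

    $report = Get-SignatureReport -Root $Path -Trusted $TrustedSubjects

    "`nValid Microsoft-signed files (a scanner should not quarantine these on heuristics alone):"
    $report | Where-Object { $_.MicrosoftSigned } | Format-Table File, Subject -AutoSize

    "`nUnsigned or broken signatures (look before you run):"
    $report | Where-Object { $_.Status -ne 'Valid' } | Format-Table File, Status -AutoSize
    ```

    Two caveats. Matching the subject string is a quick triage, not an allow-list: for anything that drives an automatic decision, pin the signing certificate's thumbprint or the issuer chain instead. And many files under System32 are signed only through a security catalog rather than an embedded signature; on older Windows versions Get-AuthenticodeSignature reports those as NotSigned, which is a limitation of the check, not evidence of tampering.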

  8. TeeCee Gold badge
    Facepalm

    Don't worry.

    Eadon will be along in a minute to tell us that Malwarebytes has actually got it right.

    1. edge_e
      Pint

      Re: Don't worry.

      Maybe he wrote the update?

  9. Number6
    Joke

    Why apologise?

    Unless it was for not nuking Windows much earlier?

  10. Winkypop Silver badge
    FAIL

    Testing eh?

    Always, it's the testing!

  11. Lamont Cranston

    Testing updates prior to release

    really does seem to have fallen out of fashion, in the software industry. Anyone know why, or is there just a general view that it's better to be seen to be busy, rather than actually being busy behind the scenes?

    1. AndrueC Silver badge
      Meh

      Re: Testing updates prior to release

      More people adopting scrum perhaps? At least the traditional waterfall method had a clearly defined sequence of 'develop then test'. I do like scrum but with increased freedom comes increased responsibility and a careless developer could forget to create a separate testing task for their PBI.

      Also pressure of management who just want a product out of the door on a certain date. Scrum aids that by allowing efficiency gains, but in a weak environment the gains could come through corner cutting.

      1. Crisp

        Re: Scrum Development Process

        If you're using a Scrum development framework, shouldn't you be designing unit tests as you go?

        1. AndrueC Silver badge
          Meh

          Re: Scrum Development Process

          shouldn't you be designing unit tests as you go?

          Absolutely but with some management styles standing up at the review meeting and saying you spent half your time writing code that would never be shipped to the customer could be unpleasant. There's nothing wrong with scrum if it's done properly but it seems to me that there is greater opportunity for steps to be missed or poorly executed. A team is after all a largely self-contained and self-policed entity. That's one of the advantages of the system - but also a weakness.

        2. DragonLord

          Re: Scrum Development Process

          "If you're using a Scrum development framework, shouldn't you be designing unit tests as you go?"

          Unit testing wouldn't have caught this issue...

          In fact the only thing that Unit testing does is save the real testers a little time at the cost of developer time. After all, integration, runtime, and clicky clicky user issues don't show up on unit tests.

    2. Crisp

      Re: Testing updates prior to release

      Because testing doesn't add value from a management perspective. Testing either reveals problems with the software, which then have to be fixed, which costs more time. Or Testing shows that everything is ok, in which case you might as well have skipped it anyway because it was obviously a waste of time.

      Testing gets labelled as non-productive time and sidelined.

      Until something goes wrong. Then some poor developer gets a kicking for making a mistake and not correcting it. Which is difficult when there's no decent testing process.

      1. Fatman

        Re: Testing updates prior to release

        From a management perspective, testing is a cost that needs to be cut, as it does not increase shareholder value.

        EOS!

    3. Ken Hagan Gold badge

      Re: Testing updates prior to release

      There's a perfectly good economic reason. Testing costs time. If your competitors reach the market first because you are stuck in testing, then even if you eventually deliver a better product, all your potential customers are now locked-into your rival. Your customers are then faced with the cost of switching to you versus the benefits of doing so. Therefore, unless your testing has produced a *markedly* better product (perhaps because your rival is truly dreadful), it doesn't make sense for the customer to switch and so you go bust.

      Doing no testing is idiotic, but so is trying to expunge all bugs. The sweet spot is somewhere in between and that means the sweet spot is "slightly buggy". For a complex product, the sweet spot will be "really quite buggy, actually".

  12. Arachnoid
    Flame

    Oh come on, it's not like Norton, AVG, Microsoft and other free or paid services haven't done the same thing with their updates. At least they were quick enough to pull them off the shelf.

    1. Anonymous Coward
      Anonymous Coward

      Sophos also

      Sophos did the same thing recently - getting peacefully through "5 levels" of checks. Sophos deleted its own updater (as well as lots of other software).

      It's the reason I didn't renew with Sophos this year, I thought they handled it badly, no compensation at all - even free renewals. When our Enterprise licence was up for renewal I went with someone else instead, there's no way I would reward a company with a renewal, you have to give large companies consequences for screwing up or else they will not improve.

      If Sophos remain without incident for the next three years, I might go back - I'll see.

      1. Anonymous Coward
        Anonymous Coward

        Re: Sophos also

        We are in the process of pulling all of our clients from Sophos. Rumour has it they have serious internal issues and this seems to be borne out through their performance lately, starting with the updater issue. That being said, we did get compensation from them - discounted renewals etc.

  13. Michael H.F. Wilkinson
    Joke

    I patiently await

    A virus scanner that identifies itself as malware

    At least it will remove itself, or at least file harakiri.dll

    1. Combustable Lemon
      Facepalm

      Re: I patiently await

      This pretty much happened didn't it?

      http://www.theregister.co.uk/2011/10/26/avira_auto_immune_false_positive/

      Close enough. Sadly, I don't think it fell on its own sword; instead it just had a bit of a fit.

  14. Nigel 11
    Unhappy

    Need for speed

    In partial and general defense of Anti-malware and Anti-virus software, it absolutely has to be released rapidly. This is at odds with the need to do comprehensive testing before release.

    No excuse if it breaks ALL Windows installs, but I can imagine cases where it passes all the vendor's tests and then screws up a small fraction of configurations that weren't covered by the quick-release tests.

    1. chris lively
      FAIL

      Re: Need for speed

      This is patently untrue.

      What's worse: taking an extra day to do it right or constantly run the chance of crippling your userbase with a bad update? Hint: self inflicted wounds are worse.

      It generally takes a bit for viruses to go across the globe. If you follow any type of standard practices like firewalls and regular OS patches you are already filtering the vast majority of the crap out.

      In the past 5 years I've seen more machines go tits up over a bad virus scanner update than from a virus themselves. Quite frankly I've only seen 2 positive infections in that time. One due to someone thinking kazaa was a good place to get music. Another due to a known security bug in an older version of Firefox. However in that same window I've seen 10s of thousands of machines have to be individually touched to recover from bad virus scanners.

      Lack of testing is unacceptable.

  15. tony2heads
    Trollface

    Look at the positive side

    At least it stops you getting into infinite boot loops!

    www.theregister.co.uk/forum/1/2013/04/19/bad_patch_bootable_repair_disk/

  16. Martin Maloney
    Boffin

    The fix

    One of the great features of Microsoft Security Essentials is that, when it encounters a file that it considers dodgy, it doesn't take a default action. Rather, it lets the user decide what to do with it.

    Malwarebytes, however, by default, quarantines files that it doesn't like.

    Open Malwarebytes and click on the Protection tab. You will see:

    Automatically quarantine filesystem threats detected by the protection module

    Uncheck the box to the left of that.

    (BTW, the icon choice is a joke.)

  17. Caesarius
    Joke

    Target

    "it branched out last September to target enterprises"

    In my line of business, a "target" is going to come off worse. Oh, now I get it...

  18. Rick Giles
    Linux

    I don't see the problem

    Sounds like it was doing exactly what it needed to do.

    BTW, you don't need all the crap on Linux.

  19. This post has been deleted by a moderator

    1. stephajn

      Re: MS Security FAIL Windows + Antivirus Considered Harmful (AGAIN)

      Wow dude! What took you so long?? Was starting to think one had slipped past ya!

  20. J 3
    Mushroom

    Malwarebytes declares Windows 'malicious', nukes 1,000s of PCs

    They took the jokes way too seriously, methinks...

  21. Lallabalalla
    Coat

    Sophos free works very well....

    ...on my iMac.

  22. bangers
    IT Angle

    seriously

    Roll on the -1's for honesty :p

    anyone recommending MSE has absolutely no clue what they are talking about.

    Malwarebytes has continuously been one of the best malware scanners out there, been using it for about 6 or 7 years

    (it does not register itself as an antivirus - nor does PrevX - if you have either installed, Windows Security Centre will tell you that there is no AV installed on your PC.)

    Avira, a truly excellent AV product ...did a similar thing last year - buggy updates crippling PCs; AVG have done it twice in as many years. -guess QC testing didn't work then either?

    Norton, McAfee etc., no one is/has been immune to bad definition updates.

    Normally the comments section on reg can be the most informative part of an article, this is not the case here imo

    I've worked in computer repair last 14 years, I've removed more malware than 99% of people reading this site.

    Malwarebytes is an excellent product, has been for years

    MSE is not, never has been..

    btw, the idea that some(any) €30 product can properly shield you from attack vectors is utter rubbish.

    All antiviruses are reactive, not proactive (with the exception of heuristics, which account for very few detections).

    NASA spend millions on security, and Gary McKinnon got in on blank administrator passwords.

    rant over ;)

  23. Anonymous Coward
    Anonymous Coward

    Windows Declared Malicious

    At last. What took them so long?

  24. DJ
    FAIL

    All together now...

    Ready,

    shoot,

    aim!

    Duh.

  25. Camilla Smythe
    Boffin

    I'm dumb

    Given Windows is a Target for Miscreants and as a result Third Parties deliver stuff to prevent Borking then rather than Mistakenly Borking the Computah and Locking it into Multiple Reboot Syndrome themselves can't the Third Parties be given or create some 'Whoops Space' during Reboot that says "Perhaps We Have Borked Your 'Putah'. Click Yes to Go Back to the Time Before We Fucked it For You'.

    1. Caesarius

      Re: I'm dumb

      Given Windows is a Target for Miscreants and as a result Third Parties deliver stuff to prevent Borking then rather than Mistakenly Borking the Computah and Locking it into Multiple Reboot Syndrome themselves can't the Third Parties be given or create some 'Whoops Space' during Reboot that says "Perhaps We Have Borked Your 'Putah'. Click Yes to Go Back to the Time Before We Fucked it For You'.

      That over-arching program would need testing too, which would be even more tricky than testing the virus update program.

      (Sorry if I've made a serious comment about a joke, in which case perhaps both can stand.)

  26. ThePhantom

    Malwarebytes' flagged core Windows system files as malicious

    Yes, yes it is... malicious, that is. One more reason to switch operating systems to something that's not malicious.

  27. pixl97
    Devil

    New way to troll anti-virus companies.

    I've got a new idea.

    Write tens of thousands of viruses that contain chunks of Windows system files from every version of Windows you can find. Cause more damage than the virus ever would have.

  28. hypernovasoftware
    FAIL

    Fitting ...

    Yes, malware does indeed bite the big one.

    Their name choice was prescient.

  29. Wythat
    Happy

    This is not the first time. This has happened before many times from different vendors. Leave Windows security to Microsoft proprietary security apps, as they know their file systems better, while putting external protection as defence in depth from highly reputable security products.

Biting the hand that feeds IT © 1998–2022