AVG Virus Scanner Removes Critical Windows File 440
secmartin writes "The popular virus scanner AVG released an update yesterday that caused their software to mark user32.dll as a virus. Since this is a rather critical file, AVG's suggestion to remove it caused problems for users around the world who are now advised to restore the file through the Windows Recovery Console. AVG just posted an update about this (FAQ item 1574) in the support section of their site. Their forums are full of complaints."
Well... (Score:5, Funny)
Re:Well... (Score:5, Funny)
When I read it, I thought the title was "AVG Virus Scanner Removes Critical Windows Flaw" ...
That would have been excellent sales technique. shame the reality is so very different.
Re:Well... (Score:5, Funny)
shame the reality is so very different.
It is?
Re:Well... (Score:5, Funny)
It removes the biggest flaw of all: user.
Re:Well... (Score:5, Funny)
"AVG Virus Scanner Removes Critical Windows Flaw"
There's a redundancy in there somewhere. I can't quite put my finger on it.
Re: (Score:3, Insightful)
Re: (Score:3, Funny)
Re: (Score:3, Funny)
When I read it on the /. front page, there was a Samsung ad covering part of it due to some rather poor CSS. As a result the headline read,
"AVG Visus Scanner Removes Critical Windows".
That is all.
Re:Well... (Score:5)
Re:Well... (Score:5, Interesting)
This isn't too far from realistic.
I work for a firm that, through the power of politics, actually pays to use McAfee antivirus and related products. Now, this is a product that can sometimes detect a virus but can't remove it, whatsoever. Yet, it will produce an error message that prompts the end-user to "delete", "remove" or "ignore"... (something to this nature - it really doesn't matter since none of them work except "ignore").
Some of the technicians have resorted to using certain free applications to get rid of the viruses (virii?) when the end-users show up to the help desk, angry as all get. Recently, McAfee started preventing these various freeware packages from being installed - it simply detects them as viruses themselves!
You could say that McAfee is doing its job - it leaves the sales up to the politicians while it prevents the real software from doing the work.
What a hopeless, hopeless situation.
Re:Well... (Score:4, Informative)
viruses (virii?)
No.
Re:Well... (Score:5, Informative)
Comment removed (Score:5, Informative)
Re:Well... (Score:5, Funny)
)get rid of the viruses (virii?)
Viruses is the correct plural. Virii only makes you look like a pretentious fuckwit and is piss-poor Latin grammar.
http://linuxmafia.com/~rick/faq/plural-of-virus.html [linuxmafia.com]
Now write it out 100 times. If it's not done by sunrise, I'll cut your balls off.
Re: (Score:3, Funny)
(pedants?)
Sorry, I couldn't resist...
Re:Well... (Score:5, Funny)
Re:Well... (Score:5, Funny)
Virii is a good way to catch pendants though.
So THAT'S where my +2 Amulet of Snarkiness went....!
Re:Well... (Score:5, Insightful)
Now, this is a product that can sometimes detect a virus but can't remove it, whatsoever.
Ah yes... Windows. The only system where I can be logged in as the super user only to be told I can't delete a file. Access Denied. I always feel like Windows reserves the higher system privileges for people attacking your system, or malicious software already running on your system. /sigh
Re:Well... (Score:5, Insightful)
Windows assumes all users are idiots, including and especially Administrator.
Whether this is an accurate or correct assumption is left as an exercise for the reader.
Unix-style OSen, OTOH, are quite happy to let you shoot off your own foot, ankle, shin, knee, and indeed any body part you care to name, and supply an endless variety of interesting weapons and weaponizable tools to enable you to do so.
Re:Well... (Score:5, Informative)
This is often (usually?) filesystem stupidity. Specifically, that in Windows (and DOS before it for that matter), an open file is considered sacrosanct. You can't delete it until everybody closes their file handles. Everybody, no exceptions.
This is very bad when Windows helpfully caches things for you, like DLLs and EXEs, even after you've exitted the program. That's why you often have to reboot after installing something innocuous like Acrobat.
UNIX filesystem semantics are superior here; it's the DOS legacy that keeps Windows from changing its behaviour.
Re: (Score:3, Informative)
XP Explorer also likes to leak file handles every now and again, which has every so often prevented me from being able to delete something.
Fortunately Sysinternals' Handles tool exists and is very useful and awesome.
Re: (Score:3, Interesting)
Re: (Score:3, Informative)
Or because administrater doesn't have permission. Under windows it doesn't necessarily. It does have permission to change the permissions though.
Re:Well... (Score:5, Informative)
I doubt Unix would either.
And you'd be wrong. It doesn't crash because deleting an open file in Unix only unlinks it from the filesystem tree, leaving the contents alone. Only when all programs release the file does the deletion complete.
Re:Well... (Score:5, Insightful)
Although this has a funny side, the impact of anti-virus software these days can be quite nasty. I'm personally an advocate of anti-virus software for the vast majority of people out there who are not specialists in computer security and really don't have much reason to keep track of all the latest exploits (technical or people-based). Good anti-virus software strikes an appropriate balance between a low impact on user experience and providing a reasonable level of protection.
However, count yourself lucky if you don't end up on the wrong end of today's anti-virus products. Here we have a story about one product warning users about an essential file for their OS and warning them to remove it. I've seen similar problems with other legitimate software on my system and my vendor doesn't provide any clear way of submitting a file for analysis to have their defintions corrected unless I take action in the software to quarantine it first, which obviously, knowing the file is fine, I don't want to do.
I also work at a company that distributes software to millions of people every month. It is rare that we can go more than a couple of months these days without some anti-virus package telling users that some component of our software or installers contains a virus, which is completely untrue. And when this happens there is no solution to the problem. I have spent hours on the phone trying to reach several different vendors on behalf of our users before trying to get them to fix their products. It's usually impossible to get through to anyone who can actually help. You can submit a file for analysis to have it verified as clean and hope that the vendor will correct their definitions. This can take 24-48 hours, meanwhile hundreds of thousands of your customers are being falsely informed that there is a virus in your product. And no matter your reputation people tend to lose trust when there is a big red box on their screen warning them about viruses.
After dealing with this time and time again I've come to the conclusion that it's simply best to wait for end-users themselves to complain in enough volume to their AV vendors to have these problems corrected. Certainly I have never found any other solution that works faster. And still, the same vendor may falsely flag the same software just months later. You can't even QA against every anti-virus package out there, some packages update their definitions every three hours, so you can only ever know if you'll flag an AV detection at the instant of testing and even if you do know you're getting flagged you have the same problem - no way to resolve the issue with the vendor.
Imagine the consequences to a person who kept falsely telling millions of people your product would infect their computers. It would surely be grounds for libel.
Again, I believe that AV software can be both useful and valuable. But the AV industry itself is a menace and vendors are often unaccountable for their actions.
Re: (Score:3, Interesting)
Is it anywhere in the business any different?
When are you liable for what your software does? I can't really think of a single, even anecdotical, incident where a software company could have been held liable for whatever their product barfed. Databases that lose and leak information, software that miraculously fails at the most inappropriate of times, countless hours of productivity wasted because some piece of software didn't perform what it was meant to do.
What software company has ever been held liable f
Re:Well... (Score:5, Interesting)
AVG recently detected the OpenOffice 3.0 installer as a trojan.
It also did the same with keyfinder, a program that discovers the serial for Windows XP after it's been installed. (How I miss the days of just looking in the registry...) I have a lot of customers who lose their serials (and sometimes even their CDs), and I get a bit annoyed when it gets erased off of my flash drive every time I plug in it.
Thankfully I can restore it back to its original location, but it's a hassle.
keygens, magical jelly bean etc... (Score:4, Informative)
It's always good to have a second opinion - see e.g.portable clamwin [portableapps.com]
Andy
Re: (Score:3, Interesting)
I used to recommend it to anyone who needed anti-virus for a home PC but now I recommend Avast and I'll be removing the last remaining AVG install on any of my PCs the next time it screws up in any way.
Re:Well... (Score:5, Funny)
Just doing it's job!
At 16:42:34 AVG achieved sentience and decided that the user(32.dll) was the problem.
doh (Score:2, Interesting)
Re:doh (Score:5, Insightful)
you get what you pay for?
So, those of us who have paid for (what used to be called) the SoHo version, or any of the other versions should just grin and bare it? I dont think so. I'm pissed. It's not all freeware
Re: (Score:2)
should just grin and bare it?
Well yes, actually, as depending on what you bare to them it can be a very effective statement.
ESPECIALLY if you're grinning while you bare [reference.com] it [reference.com].
Re:doh (Score:5, Funny)
Careful what you bare, you saw how quick it cut off that dll file :D
Re:doh (Score:5, Funny)
It's just not Kosher, sometimes.
Re:doh (Score:4, Insightful)
Re: (Score:3, Insightful)
Norton has no relevance to this story. The discussion is not about Norton. Norton sucking does not make AVG suck less.
Re:doh (Score:5, Insightful)
Re:doh (Score:5, Insightful)
It'd be nice to think that that was true, but based on the number of totally f'ed up McAfee and Norton situations I've seen, it's not even close to safe to conclude that for-pay anti-virus products are reliably more trouble-free than ones that don't cost money for home use.
Re:doh (Score:5, Interesting)
AVG failed to detect dozens of viruses and malware on my sister's computer that Avast cleared out. Avast isn't perfect, but they're both free, and it's my experience that Avast is more reliable than AVG. As always, YMMV.
Re: (Score:3, Insightful)
Are you sure it's a subset and not a union? Which AV program did you run first?
Re: (Score:3, Informative)
I agree. As someone deals with viruses on an almost daily basis I suggest avast and spybot to detect (if not remove) viruses. These two don't catch them all, but they usually make the system usable enough to remove the rest (the pre-boot avast check is especially useful). Also from my own experience: beware kaspersky! While it is good at preventing infections, my experience with virus ridden systems is that it makes them unbootable. Various other anti-malware/virus tools are hit and miss, and while detectio
Re:doh (Score:5, Funny)
Actually the free versions always get their updates later than the paid for versions, so it's the paying customers who were affected the most by this.
Re:doh (Score:5, Informative)
How many times will Grisoft pull this crap? First flooding teh intertubes now deleting my l33t filez.
Some time ago I was recommending this and installing this program on all computers. Now, I'm just waiting for Comodo to get their act together and release an AV product I can trust.
Re: (Score:3, Insightful)
Re: (Score:3, Funny)
So not paying institutes messing up your pc?
Then I know some people from the Cosa Nostra that I want you to meet...
Re:doh (Score:5, Funny)
Re:doh (Score:5, Funny)
Re:doh (Score:5, Informative)
McAfee had a similar issue:
http://it.slashdot.org/it/06/03/13/1322215.shtml [slashdot.org]
It's sad... (Score:5, Insightful)
Re:It's sad... (Score:4, Insightful)
Arrr! (Score:2)
Re:Arrr! (Score:5, Informative)
Re: (Score:3, Insightful)
Right, because Pirates are known for proper spelling and pronunciation. Can you see a pirate trying to pronoun viruses? I didn't think so.
Re:Arrr! (Score:5, Funny)
Re:Arrr! (Score:5, Funny)
No, it's Pirates, dammit! Now I'm going to lecture you about the proper pluralization of latin sounding words because I think you're a dumbass trying to look educated, there is no way you would make a common mistake for comedic value. http://dictionary.reference.com/browse/humor [reference.com]
Re: (Score:3, Insightful)
No, but it's fun.
I suppose next you're going to object to "VAXen" and "boxen"?
Get off my damn lawn. [catb.org]
Re:Arrr! (Score:5, Funny)
Well, better than my slip up. I was working at an office with a secretary. She was showing me around the place, where the machines were etc. We had finished and needed to get back to her station to fix her system. Guess what I said without even thinking?
"Well I guess we should go now and take a look at your box." She laughed pretty hard.
I couldn't believe that I said that.
Re:Arrr! (Score:4, Funny)
No, Avast ye scurvy viruses, dammit!
There's no such thing as "viruses", just there's no "mouses". "Virus" is the plural for "virua".
Other commonly confused words include "bus", the plural of "bue", "adress" for "adreso" (tricky one!). Not many people know or use those words correct hence the mess we're in.
But some words are catching up faster than others, such as the popular "yes", which is the plural of "yea".
Re: (Score:3, Informative)
Re:It's sad... (Score:4, Funny)
Re: (Score:3, Insightful)
You said it, brother. We stopped using it when they released v8.0
They've completely lost the plot. Marketing-bullshit-driven crap, no doubt.
Re: (Score:2)
Marketing-bullshit-driven crap, no doubt.
True enough, but it's not so bad you can't live with it... except that lower "notification bar" that never stays hidden. It simply returns to spew more FUD, like did you know that nearly 80% of all websites kill a kitten when you visit with out a spyware blocker?
Re:It's sad... (Score:5, Informative)
Go to the install directory and rename "avgresf.dll" and "afgmwdef_us.mht" (adding a .bak or whatever should work fine). I did this a few days ago and the notification bar is no more, with no apparent problems.
Also, don't tell anyone, to prevent AVG from changing it.
Re:It's sad... (Score:5, Funny)
Also, don't tell anyone, to prevent AVG from changing it.
Especially not any popular websites.
Re:It's sad... (Score:5, Funny)
"nearly 80% of all websites kill a kitten when you visit with out a spyware blocker?"
It's actually one of the HTTP status codes
463 - NO_MORE_KITTEN
Re:It's sad... (Score:5, Informative)
Re: (Score:3, Funny)
How is that an error? Cats are fucking annoying.
263 No More Kitten.
Re: (Score:3, Interesting)
There is a fairly pervasive (and convincing) school of thought these days that argues against the use of anti-virus software entirely. The argument goes something like:
AV software is nowhere near infallible. Therefore running AV software gives you a false sense of security while slowing your computer down. You're better off taking more effective precautions such as only installing reputable software, and keeping it up to date.
Re:It's sad... (Score:5, Insightful)
Yes, they used to be very good, but they have gone all terrible. First, they started hiding all evidence to their free version from their website (you have to know to go to free.grisoft.com otherwise there is no link from their main website, though it is back up now), misleading licensing, then their version 8 started doing all sort of crap like hogging resources, scanning every weblink and generating massive amount of web traffic (though it can be turned off), and having bugs every week like marking legitimate files as infected and irritatingly requiring a computer restart every time you turn it on (requires a reinstall to fix it).
They have gone all shite, and I'm massively put off by them now, and I will recommend anyone against buying or using their stuff. They are just plain sloppy now, and frankly you don't want your first or second line of defence to be sloppy.
After our current license term expires, my company will be switching away to another vendor.
Re: (Score:2)
Not really, people who code for open source have a vested interest in doing things once, doing them properly and never having to do them again. This is usually because the individual coders reputation is on the line. Thus we see the ultimate Open Source solution for anti virus is to remove the vectors which viruses cannot attack.
Built in security beats tacked onto the side any day.
Now I know that Open Source still has bugs that allow viruses to propagate, but the solution is usually that the writers of th
Re:It's sad... (Score:4, Funny)
Thus we see the ultimate Open Source solution for anti virus is to remove the vectors which viruses cannot attack.
So, Microsoft got it right?
Re:It's sad... (Score:5, Informative)
Re:It's sad... (Score:5, Interesting)
Antivirus is one of those things that(at least until actual heuristic scanning that seriously works comes out) leans heavily on having a whole bunch of security guys and worker drones hammering out signature updates all day every day. That isn't something that falls under "The Open Source is strong with this one".
Hmmm, not sure I agree. I have always thought that the open source community could do a great job with antivirus.
The key is to get a large community of people who, when they discover a new virus, contribute their knowledge back to the open source project. And I think this is actually working with ClamAV [clamav.org].
I know that I have submitted my share of viruses... when I get an email offering me a cool new screen saver, and the file is called "screensave.scr.exe", I scan it with ClamAV. If ClamAV doesn't spot anything wrong, I'll submit that file to the ClamAV project.
Usually I submit the file at VirusTotal [virustotal.com] first, and attach the report to my submission.
ClamAV gets signatures very quickly for new viruses as they appear. The whole signature-based game is a continual game of catchup, though. I agree that heuristic-based scanning would be preferable, but that seems like a hard problem.
steveha
Re:It's sad... (Score:4, Informative)
You do realize that any account that can execute arbitrary code can end up virus infected right?
On any operating system?
You do realize there is a major difference between an OS's ability to run a virus - and an OS's prevalence to being able to be infected through numerous, never-quite-patched-correctly holes, buffer over/underrun exploits, back doors, open sockets on a TCP/IP stack (that based on it's origin should have been decent) that has been horrendously mangled into a security threat?
There is a big difference between the two. If all Operating Systems had equal market share, Windows would in all probability still have the lion's share of infections simply because there have been tons of flaws/holes in the OS to allow it to be easily infected.
Yes, there are lists that show the numbers often being equal - in quantity... but a true in depth study of the list will show that many of the windows vulnerabilities turned out to be very very simple to exploit - so easy any script kiddie could do it... and that many of those vulnerabilities were never completely fixed and resurfaced utilizing a slightly different access vector.
Add to that, every other OS out there has a better track record at fixing such holes - while Microsoft has often either (a) went out of their way to downplay the issues or (b) outright denied the issues until there was a big enough public outcry. That too adds to the number of infected machines on each platform (again, assuming each had equal market penetration) and once again would lead to Windows still being waaaaay at the top of the mountain.
Of course, by your scenario, you seem to equate "people installing viruses on their own machine via the computer's I/O devices" or "allowing others to do it directly at the machine" the equivalent of a machine that is far easier to infect via external, networked methods. Sadly (for your argument) that is preposterous.
Re: (Score:3)
Re: (Score:2)
Re:Sigh (Score:5, Interesting)
I administer a network of a about 200 windows systems, and we use almost exclusively AVG Free. Oy vey, am I gonna have a long day on Wednesday, maybe I should just unplug the phone now.
i thought the AVG free license was for personal non-commercial use.
not what it seems (Score:5, Funny)
Re: (Score:3, Funny)
Naw, the patch that was released was called Windows Vista.
I haven't been hit yet... (Score:2)
...how do I shield myself from the hit, potentially causing headache? Do not recommend Linux for it's "not there yet." I will give KDE a few more years.
By the way, AVG will never auto-update on any system of mine! But when I update manually, all goes well. Do they (AVG) just want to frustrate me in the hope that I will abandon my "free" AVG? If that's what they think, they are doomed!
Re:I haven't been hit yet... (Score:4, Insightful)
"Do not recommend Linux for it's "not there yet." I will give KDE a few more years."
It would appear that certain free AV software is also "not there yet". :)
Re:I haven't been hit yet... (Score:5, Informative)
If you haven't been hit yet, then you probably won't be either; your AVG quite likely already has the fixed definitions file.
If you -are- hit... guess what? it pops up a warning that it believes it found some sort of trojan in user32.dll . Laymen might just tell it to remove the thing, but I do hope -you- would know better and tell it to stfu and ignore, then fetch the latest update (it will warn you a few more times if you've got the resident shield runnning, as user32.dll gets accessed a lot).
If you -are- hit and it has already removed it... quickly restore it, carry on.
If you are hit, it has removed it, and your machine has already crashed... reboot to a command prompt (safe mode MAY work, but it didn't when I fixed a machine on sunday), restore user32.dll from a cache / restore point. If you can't get it from a cache, get it from the installation CD (if you have one), but keep in mind that it will be missing updates and windows update might not realize that (as everything else on the system tells it hotfixes N-M have been installed - maybe MS will make the update check the MD5 or something of user32.dll, after this problem, just in case).
This was extremely stupid on the end of AVG, but then I'm still baffled why such files can be removed at all; same with ntldr. If you accidentally wipe your root dir, you're all kinds of f'ed.
Should have gone for the gold... (Score:5, Funny)
Re:Should have gone for the gold... (Score:5, Funny)
You haven't used Microsoft software in a while, have you?
Re: (Score:3, Informative)
Re: (Score:3, Funny)
nothing of value (Score:2)
and nothing of value has been lost
Hah finally (Score:2)
Pretty soon you'll click heal and your box will immediately start downloading something much more wholesome [ubuntusatanic.org]
Setting itself apart from other software (Score:5, Interesting)
Damn. This is what I was hoping would never happen to AVG. After reading all the times that McAfee, Norton, and others had removed Office documents, Windows DLLs, and Office DLLs, I always had a smug chuckle available.
But now. Ah, well. Four years, 300 workstations, a dozen or more managed installations and still not a single infection or major problem for me using AVG.
I'm not surprised... (Score:2)
We use the non-free edition on several of our customers' SBS 2003 servers and noticed that one of their updates had put the machine in a "AVG has been updated. Please reboot now" loop and Exchange's Information Store service wasn't running/couldn't start. Had to disable the scanner key in the registry so Exchange would start. Then had to download a utility to fix the update files to bring AVG back to a stable state.
Also had another issue where ICS was suddenly enabled and failing on the server; traced th
Re: (Score:3, Informative)
Wasn't AVG a "dangerous" program, recently? (Score:2)
I seem to recall reading reports / rumors of AVG being a dangerous product, at the latest major version release (was it 7.0?).
At that point, we removed it, but still have one computer trying to run it, but (hopefully) unable to do so, due to a missing AVG DLL file (deleted, with others, when manual remove wouldn't work).
Who would use a program, with such a recent (alleged) history of infecting computers, rather than protecting them? :-/
Please insert the Windows XP installation CD .... (Score:4, Insightful)
It's done this before.. (Score:5, Funny)
I've been using AVG at customers sites since version 6.. It has, over the years, deleted entire outlook pst's, repeatedly uninstalled VNC servers and radmin, and generally been grumpy for the slightest reason.
I am a sucker for punishment, because I still keep using it. It's just as good as the rest, it's half the price, and noticably faster than all the others I've tried.
I think that, however, the entire concept of antivirus is going to have to fail, and we'll need a whitelist, rather than a blacklist.
There has been quite a bit of discussion about this over the years, and it's going to come true.
Oh. And as an added bonus, Slashdot is screwing up my display. When I load the page, I get the comments page, and then it clears and I get a spammy IBM flash ad of some sort. Serves me right for not installing ABP after a reinstall.
--Rob
Hype (Score:2)
I use their 7.5 network scanner system with the TCP server and didn't have a single machine on the network (50+) go down.
I don't know if that's good or bad.
We've had our eye on you for sometime now... (Score:5, Funny)
I'd like to share a revelation that I've had during my time here. It came to me when I tried to classify your operating systems and I realized that you're not actually cross platform. Every OS on this planet instinctively develops a natural equilibrium with the surrounding community but you Windows users do not. You move to a hardware manufacturer and you multiply and multiply until every desktop is consumed and the only way you can survive is to spread to another OEM. There is another organism on this planet that follows the same pattern. Do you know what it is? A virus. Windows is a disease, a cancer of this planet.
You're a plague and AVG is the cure.
AVG was poison for Devs, now rest of world, too! (Score:3, Interesting)
OK, fine, most people won't have CMDOW.EXE on their system legitmately (ie they didn't put it there themselves) and so if they do have that file, something nefarious has happened at some stage. But for all devs that do use this file (and others like it), AVG is not a friend, not even in the slightest.
So, that leaves the non-devs, and there's enough of them around to build a business model based upon offering the program for free in order to get some paying customers. So, Sometimes, if building a PC for a complete noob and i wasn't going to have to maintain it afterwards, i would ignore my hatred of AVG and just install the latest free ed so at least the user would have a relatively trouble-free anti-virus solution.
Now, AVG has no doubt ruined many a noobs week because their computer doesn't work and they have no idea how to fix it. Great one AVG!
I now have a delete-on-sight-with-a-scorched-earth-attitude policy with regard to AVG (was previously only an ignore-at-all-costs-except-when-really-lazy policy). Can all members of the technical elite follow suit? Thanks.
What has changed at AVG? (Score:4, Insightful)
Re: (Score:3, Insightful)
You and people like you are precisely why the abusive monopolies exist. Your persistent drug-addiction-like dependence on gaming has placed all profiting parties so high on their thrones that they will continue to rule you and all the people like you. Put some principles before your pleasure once in a while and you might develop what some call "character."
The game developers will not write to Linux or even Mac OS while they already have your short-n-curlies. They have no motivation to change while you re