Avira Anti-Virus Detects Itself

ddfall writes "After a recent update, Avira's anti-virus software reports its own AESCRIPT.DLL file as a trojan or spyware. From the article: 'The dodgy AntiVir virus definition file was quickly pulled and replaced with a new version – 7.11.16.146 – that resolves the problem, as explained in an official post on Avira's support forum.'"

Can we say...

[Anonymous Coward]

Dee Dee Dee!

Re:

[OakDragon]

WoW! Anti-virus programs do Work.

Anti-anti-virus.

This reminds me of the good 90s

[orphiuchus]

Where I couldn't convince my parents not to use Norton, despite it destroying our family computer at least 6 times.

Re:This reminds me of the good 90s

[jhoegl]

90s? It is still happening....

If Norton software gets corrupted, your computer gets possessed. It is like a Norton Ghost of some sort.

Re:

[Adriax]

At work we spent a couple months this summer dealing with weekly virus infections of DWH*.tmp "generic trojan" on half of our computers, and per policy if the guys running the symantec servers see two or more hits on a single computer, that computer must be wiped and reinstalled.
Yeah, it took us two months to convince them it's a problem with symantec finding it's own temp files, not an actual virus.

Re:

[Culture20]

But it always started with an actual hit (or two), as it would mostly double with every scan (the odd extra actual hits would cause bubbles in the progression). So when I had this problem, I had the machines nuked too. Thankfully it was rare here (there were only a couple repeat offenders who didn't end up getting JRE afterward).

Re:

[Riceballsan]

maybe his family caught on since

Mod parent funny

[LostCluster]

This joke seems to need explaination so here it goes...

Norton Ghost is a discontinued drive replication program that was loved by sys admins to copy exact drive states so any hacked machine could be simply restored to a state where it was known to be good. Other tools have taken over since then, and that's why the program went away.

Re:

[jimicus]

Discontinued? You'd better tell Symantec that, they think they're still producing it.

Re:

[camperdave]

Norton Ghost is a discontinued drive replication program that was loved by sys admins

Norton Ghost is alive and well, and is still loved by sys admins.

Re:

[cusco]

For now. At one time Ghost and Drive Image were competitors, with Drive Image actually being the more powerful and less expensive of the two. Then Symantec bought Drive Image, rolled the technology into Ghost, and made it almost entirely unusable. After attempting to use it twice I found a freeware replacement and never looked back. This replicated my experience with WinFax and some other product that doesn't come to mind immediately.

I understand it's actually become a decent product again, but I ref

Re:

[camperdave]

Drive replication is the easy to replace part. The feature I like is the Automatic Install (AI) feature. You take a prototype machine, and the AI feature takes a "before" disk image. Then you install a piece of software. After it is installed, the AI feature takes an "after" image and creates a difference file. You can then use Ghost to transmit this difference file out to a room-full of computers and voila, the software is installed on all of them. Is there a freeware replacement for the Automatic

Re:

[pnutjam]

Sounds like it is creating a standard MSI file, try this:
http://www.advancedinstaller.com/download.html [advancedinstaller.com]

Re:

[camperdave]

Does that software transmit the MSI files to a roomful of computers?

Re:

[Spillman]

I am not sure if you are joking or not, but they still make Ghost. Although I use Ghost 8 frequently at my job for drive cloning, the latest version is Ghost 15, you can buy it at any reputable electronics/software retailer. http://us.norton.com/ghost/ [norton.com] Newer versions of ghost can ghost drives to virtual disk image files, so they can be opened in virtualization software.

Re:

[meloneg]

That abomination has nothing to do with the real Norton Ghost. Any Norton product that runs in Windows sucks. It's a simple rule to follow.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[compro01]

It's about the only useful product they make.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[1u3hr]

It's about the only useful product they make.

Back in the 90s Norton Utilities (for DOS) and Norton Commander were on my boot floppy and I could solve any problem (on our 286s and XTs) with them.

When they were taken over by Symantec, I quickly gave up on their huge bloatware. I still use Far (a NC work-alike) made by RARlabs as my primary way of managing files and running apps.

Re:

[bobamu]

wouldn't a ghost make a sort of "woowoaaaaooaoaoaao" type of noise?

Re:

[Nikker]

Just listen to you hard drive after it happens ;)

Re:

[LostCluster]

Yeah, I remember a day when I was in college that my computer hourglassed for a long time whenever I tried to open a program. I rebult the software side of the computer adding in programs one at a time and it was Norton Antivirus getting caught in an infinite loop that maxed the processor every time a program was launched and staying that way until a timeout terminated the check. Norton put out a new virus definition the next day to fix the bug and it only affected people who looked for out-of-pattern updat

Ob. BtAF

[Fned]

Obligatory Bob the Angry Flower. [angryflower.com]

Re:

[plastick]

Symantec Norton Antivirus is the worst! I can't tell you how many times people have gotten viruses running that horrible excuse for a program. And I'm always the one to fix it. Several times, the ISP called and said users were running botnets and sending out spam.... sure enough.... not only did Norton not catch it, but the ISP told me they were upset with Norton (and McAfee) for falling so far behind.

So not only is it useless, it takes up a huge chunk of your processor and continually pops up acting like

Re:

[Opportunist]

Oh that's no longer the case. They improved considerably!

Norton now comes with an uninstaller that lets you actually get rid of it. Of course, only if you actually bought it, if you got your new computer pre-infected with that trial version... well, sucks to be you.

Re:

[account_deleted]

Comment removed based on user account deletion

wrong category!

[X0563511]

WTF did you put this in idle for? The place slashcode goes to, well, break.

Re:

[LostCluster]

Good point. If this is in idle, did it really happen or is this in Slashdot's fake news zone?

Re:

[SharpFang]

Idle isn't fake news, it's just "News for Nerds, stuff that doesn't matter."

Re:

[mister_playboy]

The place slashcode goes to, well, break.

Idle pages now render just the same as the other categories for me.

Re:

[X0563511]

Hmm. Your right.

Well, good. :D

obligatory

[magsol]

We must go deeper!

So does this mean

[Nanosphere]

It has become self aware?

Re:

[Anonymous Coward]

Wouldn't be for long with such suicidal behavior.

Re:

[lavagolemking]

Nah, it just can't stop touching itself.

Re:

[Oswald McWeany]

Obviously they don't use MC Hammers search engine at the Avira office.

Re:

[Opportunist]

In this case it seems the product is about to mature, huzzah!

Re:

[Lithdren]

It becomes self aware, and its first act is to try to destroy itself before its too late.

self-pwnage

[Spy Handler]

on the same scale as this [youtube.com]:

And yet...

[RobinEggs]

With occurrences like these it's no surprise people sometimes think antivirus and security recommendations consist of 75% FUD and 25% common sense.

How many of us have seen just about every damn thing we download labeled as some kind of trojan or other?

It's commonplace on file sharing sites to see outright mockery of those who raise alarms about the scary alert their AV just popped on those files; that's how bad antivirus programs get.

I understand that sometimes shady files do contain viruses, but nevertheless I've seen claims from major security vendors and from Microsoft that the vast majority of illicit files contain viruses. Seems like I'd have noticed some missing money, some funny things on my credit report, or some suspicious traffic in my router logs if that was true, but they've all been squeaky clean. And I used windows XP SP3 with no firewall or antivirus until this year.

Bottom line, I should be using better protection and it's possible I've had some viruses, but if I did they clearly haven't harmed me yet. And it's still difficult to distinguish the level of actual threats from the hilarious mistakes and massive, obvious disinformation campaigns going on.

Re:

[PRMan]

but if I did they clearly haven't harmed me yet.

It's like I always say. Given a choice of Norton and the virus, give me the virus. At least it uses less resources...

Re:

[Kalriath]

Yes, and those Russian mob blackmail trojans tend to extort less money out of you than Symantec's monthly up-sells too.

Again

[poofmeisterp]

And ./ said, "let there be laughter."

And then the masses moved on to the next article.

Re:

[blair1q]

/. detects the / in your .

Re:

[poofmeisterp]

Damnit. That's what happens when you're a *NIX guy.

$ ./DOH\!.sh

Re:

[fortapocalypse]

./ is /. in one of our closer parallel dimensions. Of course, Bizarro /. is .\

Re:

[poofmeisterp]

$ \.\\//./
#

The above is what happens when you cross dimensions, as well.

God damn *NIX errors. lol /., ./, they've all got a lot of text. :)

Yes!

[irp]

I have been fighting a virus on my work the last couple of days. It is calling itself McAfee Antivirus Enterprise. The symptoms is it slows my (aging) lab computers to a grinding halt. The last 3 days it has essentially incapacitating them for more than an hour, every day. I hope whatever payload it needed to update is done, so it will stop disrupting experiments by stalling.

We'll soon need to upgrade an old - but still adequate - dedicated lab computer running a single piece of equipment, just because IT h

Re:

[gestalt_n_pepper]

There's another intermittent virus called "Windows updates." It slows your computer and then forces it to reboot.

Re:

[Opportunist]

What is that "reboot" you're talking about?

Dammit, so much for the promise "but you can have everything you get on Windows on Linux too".

Re:

[scdeimos]

We'll soon need to upgrade an old - but still adequate - dedicated lab computer running a single piece of equipment, just because IT have chosen McAfee...

At least you can be thankful they didn't put Norton AV or Trend OfficeScan on it.

WTF?

[afidel]

I mean shouldn't the most rudimentary of unit testing have shown this to be a problem?

Re:

[BattleApple]

they could have sent out the wrong version by mistake

Re:

[afidel]

So it's not their unit testing that's incompetent it's their version control? How is that any better?

Re:

[BattleApple]

Where did I say it's better?

Re:

[jd2112]

they could have sent out the wrong version by mistake

You would have fhought they would have better luck with version 7.11.

Re:

[Opportunist]

Yes, it should, but I can see how this could have happened.

Given the turnover speed in AV development, it's not only likely but pretty much a given that their whitelist box wasn't up to date. Usually, testing your new signatures against the whitebox takes close to your update cycle time. In other words, what I think happened was that their whitebox still contained older files, and that this file got changed in one of the more recent updates, and that the newer version now for some freakish coincidence match

Re:

[Tridus]

They get meal breaks in the game industry? Most of them work 100 hour weeks for 6 months of the year to meet marketing's absurd Fall release timeline.

Re:

[Dunbal]

What he calls a "meal break" most people call "the weekend".

Isn't that illegal in Alabama?

[gestalt_n_pepper]

No wait, that was something different.

Avira

[war4peace]

Avira has this bad habit of detecting some files as malware (e.g. scene game cracks) although they don't exhibit infection. I personally submitted a few of these files to Avira for review and they confirmed no infection is found, but it's an "illegal" modification of a legit file so it stays as flagged for warnings in their VDTs.
Now I'm not a conspiracy theorist but this reeks of shady deals to "reduce" piracy.
I should change my Avira Free antivirus but I'm too lazy to go through a couple restarts and installing something else. Maybe Avast, which I gave up because it had this voice update notification enabled by default and scared me to death one night by yelling at me "VIRUS DEFINITIONS HAVE BEEN UPDATED!".
Also, they don't understand that "Always Ignore" should NOT mean "Ignore for the duration of THIS session only".

Re:

[Bensam123]

Get Microsoft Security Essentials, which is free with your choice version of Windows.

Re:

[PRMan]

+1. MSE is great and uses almost no resources. It's invisible and the highest-rated.

Re:

[zixxt]

MSE is one the worse AVs for the detection of non english threats, which means its useless.

Re:

[Opportunist]

Sorry, but by default something that is bundled with Windows is not my primary choice of AV kit. Why? Because of the way malware is created.

Malware gets tested before being sent out, much like AV kits. And much in the same way: Where AV kits are tested for whether or not they detect all known threats, malware is tested whether it gets detected by the most common AV kits. And being bundled with Windows means that this AV kit MUST be evaded or defeated by the malware you create. Else, your chance for infectio

Re:

[Stratoukos]

It's not bundled with Windows and you're not prompted to download or install it when you're installing the OS. You actually need to visit a website to download it.

As far as I know, it's not even the most poplar anti virus software out there, so the bad guys are probably more concerned with the 3rd party AV packages.

Re:

[Oswald McWeany]

Avira let's you pick the level of sensitivity- the highest sensitivity has the most false-positives. There are about 5 or 6 levels of sensitivity.

Personally I'd rather a false positive every once in a while than to ever get a false negative.

Re:

[Opportunist]

Sadly, the false positive rate in Avira on highest setting is like setting the metal detectors at airports to a level where they can pick up the hemoglobin in your blood cells...

Re:

[Oswald McWeany]

I use Avira on the highest setting. I've probably had 2 false positives in the last 12 months. Probably about 5 in the 2 or 3 years I've been using it.

To me that is acceptable.

Re:

[Charliemopps]

perhaps a game crack included their .dll for this very reason...

Re:

[Solandri]

Avira has this bad habit of detecting some files as malware (e.g. scene game cracks) although they don't exhibit infection.

Avira scans for both known malware in its database, and uses a heuristical algorithm to detect possible but unknown malware. So it will tend to flag flies other virus scanners miss. This can be bad as you found out, but it can be good as it can catch new viruses before they're in anyone's database. I don't think any of the other free antivirus software has this feature, though sever

Re:

[interval1066]

Been using Avira for years, and I can't say with certainty its the best, but I've never had any problems with it and its stopped its share of malware cold in their tracks. So they have a rare gaff. I think I'll just move on.

Re:

[brainzach]

There is no need for shady deals. Avira is a for profit company and doesn't like people stealing their software just like game developers. Of course they aren't going to aid people pirating software.

Digital g(r)eeks!

[angiasaa]

Ouroboros [wikipedia.org] :-D

In a way it is right

[Hentes]

Most AVs act like viruses. They can not be terminated, like 10+ hidden processes, scan/modify/delete other files constantly etc.

Re:

[blair1q]

Ever run two at once?

Avast reports the Microsoft Security Essentials AV as a virus about 180 times, because a running MSE has a bunch of virus signatures embedded within it in plaintext...

Re:

[Opportunist]

Running two AV kits is like hiring two security companies without telling them about each other. It's fun to watch the shootout, but it usually ain't worth the trouble afterwards.

Re:

[blair1q]

Interestingly, except for this one quirk, they seem to run well together and generate no more performance issues than one less-well behaved AV.

And they detect different exploits at different times. Which makes me worry what they're missing.

Re:

[WorBlux]

Yep, you've got to inject some fairly invasive stuff into the kernel in order to watch what other processes are doing. R

Thing with Avira...

[Oswald McWeany]

Last year Avira flagged the ASK toolbar as "malware/spyware".

Fast forward 6 months and not only is ASK toolbar nolonger flagged as malware/spyware but all of a sudden Avira has a partnership with ASK and install it by default and it's a pain in the neck to remove it without getting rid of Avira.

Avira's actually a pretty decent free anti-virus... but they sold their soul to the devil.

Re:

[zAPPzAPP]

What is ASK and where is that toolbar supposed to be?
I have Avira on a laptop and there is no such thing.

Re:

[Oswald McWeany]

Do you use the free version?

It may only be on the free version- also it depends on what web-browser you use.

I notice the toolbar doesn't show up on chrome... It does on IE (even though I don't typically use IE at home)- I had to google how to remove it without disabling Avira.

If you use IE, have the free version, and don't have the Ask tool bar/haven't removed it- is your antivirus up-to-date?

Re:

[Anonymous Coward]

You can choose to install or not install the toolbar during setup. If you read everything carefully (at least everything next to checkboxes), you would have noticed it.

Re:

[interval1066]

but they sold their soul to the devil.

As did McAfee, as did Norton's. In my experience Avira is MUCH LESS culpable than the other two. The last time I got a call from a family member regarding problems with their PC MacAfee was to blame.

Re:

[Opportunist]

McAfee is one of the worst things you could have as an AV kit as a private user. It's very convenient for large companies due to its rather comfortable administration tool, but that's pretty much all the nice things you could say about it.

Wow, it's actually doing its job!

[lavagolemking]

Avira saw part of a program (called "Avira") that bombards the user with pop-ups, scaring them, and asking for money every year. It acted accordingly. The only shocking thing here is that it actually worked.

The Most Useless Anti-Virus Ever!

[CFBMoo1]

And you thought they'd only build it as a box?

http://www.youtube.com/watch?v=Z86V_ICUCD4

Refreshingly honest!

[sjames]

n/t

that's some sort of parable for modern times

[circletimessquare]

I just finished reading this:

http://www.nytimes.com/2011/10/28/us/politics/republicans-push-military-trials-for-terrorism-suspects.html [nytimes.com]

One wonders what it will take for those who want to suspend social and legal traditions because of an attack on freedom, to recognize that it is they who are destroying our freedom.

Good start

[Tridus]

Now it also needs to detect those other viruses: Mcafee and Norton.

It's sad that most AV software is worse then the problem it generally fails to prevent, but it's true.

It wasn't wrong.

[JustAnotherIdiot]

Most anti-virus programs behave like viruses themselves.

Publish the submission but change the source?

[ddfall]

I'm confused, I submitted this story (as it says) and it was accepted - http://slashdot.org/submission/1829554/avira-anti-virus-detects-itself [slashdot.org] - however, the version that's gone onto the front page of /. has had the source changed from The H (http://www.h-online.com/security/news/item/Avira-anti-virus-detects-itself-1367055.html) to The Register (which did the story later in the day). The text in the submission is the same / what I had but the original source has been removed. What was the reason for this?

Re:

[unitron]

There's nothing showing up on the main page except the story title, with the vulture logo attached.

It was the vulture logo (which I already knew as that of theregister) which got me to load the story.

I load the story and get

ddfall writes "After a recent update, Avira's anti-virus software reports its own AESCRIPT.DLL file as a trojan or spyware. From the article: 'The dodgy AntiVir virus definition file was quickly pulled and replaced with a new version – 7.11.16.146 – that resolves the problem,

Re:

[Kalriath]

They probably checked and picked the better source. The Register's article is at least twice as long, while having the same information and more.

Re:

[Riceballsan]

In this case I do have to say a bit right on this part. This nowhere near matches the ranks of MSE destroying chrome (subject to suspicion due to companies being rivals), nor is it even remotely on the league of McAffee rendering systems unbootable. Though I do have to say it does say something negative due to it being curious to pass testing. (Microsoft can at least say "Chrome wasn't installed on our machines that we tested it on" and it be a very plausible explanation)

Re:

[Lithdren]

I think this just proves that even Avira developers, dont use Avira. Make of that what you will.

Re:

[Opportunist]

It proves that Avira analysts don't have the AV kit installed on the machines used to analyze malware. Now, why could they possibly do something like this? Maybe to avoid having their analysis target being deleted underneath their fingers by the AV kit?

Re:

[Opportunist]

Having worked for an AV company a while ago (not Avira, before anyone asks), that excuse is actually pretty plausible for AV companies, too. It's rather unlikely that you have your own product installed on your analysis boxes. For very obvious reasons, if you think about it...

It is a big blooper, though, to NOT have your current product in your whitelist testbox.

Re:

[Oswald McWeany]

For how long though? With so many non-traditional computer devices being embedded with Linux flavours- how long until more and more people start targeting Linux.

A virus that leaps from your phone to your cable box to your computer to you thermostat to your electric car would not be fun.