F*cking DLL! Avast false positive trashes Windows code libraries


Reefa

A misfiring signature update from anti-virus developer Avast triggered all sorts of problems on Wednesday.

Avast acted promptly by withdrawing the definition update but not before numerous users had fallen foul of the problem. The withdrawn update incorrectly labelled various libraries (dlls) on Windows PCs as potentially malign, crippling software installations in the process.

More specifically, legitimate programs were classified as something called the "Kryptik-PFA" trojan, shuffled off to quarantine and blocked.

"We were affected with the removal of DLLs from TeamViewer rendering it useless, Corel, and MS XNA framework," one victim (Dan) told El Reg.

The security software maker confirmed the problem in response to our queries on the snafu, saying in a brief statement that the issue was limited to users running older versions of its security scanning software.

The false positives affected Avast users with older versions of Avast (5,6,7,8). The Avast virus lab quickly released an update which resolved the problem. Avast users affected by the faulty virus signature update should do an Engine & virus definition/Program update.

A thread on the issue on an official Avast support forum can be found here and here. Reg reader Phil added:

"We got out of this relatively unscathed as we hit the forums early and told people not to reboot, seems others not so lucky".

False positives are a well known problem with anti-virus scanners that have affected all vendors from time to time down the years.

Even though testing procedures have been improved, mistakes still occur: mostly because the volume of signature definition updates has shot through the roof over the last decade in parallel with the boom in Windows malware.

Anti-virus false alarms cause the greatest problems where system files are falsely flagged as malicious and quarantined. That leaves you with systems that don't boot. The latest anti-virus update snafu from Avast is not as bad as some, but still hugely inconvenient to anyone caught up in the crossfire.

theregister.co.uk



They never learn. Happens again and again... :o Thank God, Real Time AV was my past and already closed in my book. Those affected, prepare your new installation..

cheers :wub:



VileTouch

luckily i moved all of my clients away from avast a while ago.

the ones that are not on paid kaspersky, use free avira... wish there was a better option though. but at least i no longer have to deal with avast's shenanigans



LeeSmithG

This happens nearly every year.

A.V.G. once had this and people were vex.

I am sure Avast have done this before also.



stylemessiah

Funny, all the PC's i look after run Avast, and on wednesday i was on site with the largest group of them, i forced an update on all of them and well.....nothing happened

Run it on my own PC's and well....nothing happened.



unknownasphyxiated

Funny, all the PC's i look after run Avast, and on wednesday i was on site with the largest group of them, i forced an update on all of them and well.....nothing happened

Run it on my own PC's and well....nothing happened.

The false positives affected Avast users with older versions of Avast

maybe this is why it doesn't affect you



Critical system files are digitally signed by Microsoft. AV products can help avoid false positives by double-checking whether or not the signature is valid.

(This is NOT to say, however, that we should trust third-party software just because it is digitally signed. There have been cases where private certificates leaked and were used to sign malicious software).

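The signature check described in the post above, sketched as an added example (not part of the thread and not any AV vendor's code): the hypothetical function Test-QuarantineCandidate uses the built-in Get-AuthenticodeSignature cmdlet and holds a detection for review only when the file is validly signed and is an operating-system binary, so a valid third-party signature alone does not override the detection. It assumes Windows PowerShell 5.1 or later; the Action values are illustrative names.

```powershell
# Added example: gate a quarantine decision on the file's Authenticode status.
# Test-QuarantineCandidate and the Action strings are hypothetical names.
function Test-QuarantineCandidate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Path
    )
    process {
        $sig = Get-AuthenticodeSignature -LiteralPath $Path

        $action = switch ($sig.Status) {
            'Valid' {
                if ($sig.IsOSBinary) {
                    # Valid signature on an OS binary: a detection here is most
                    # likely a false positive, so hold it for analyst review.
                    'HoldForReview'
                } else {
                    # Valid third-party signature is not proof of safety
                    # (signing keys leak), so the detection stands.
                    'Quarantine'
                }
            }
            'HashMismatch' { 'Quarantine' }  # file content changed after signing
            default        { 'Quarantine' }  # NotSigned, NotTrusted, UnknownError, ...
        }

        [pscustomobject]@{
            Path       = $Path
            Status     = $sig.Status
            Type       = $sig.SignatureType   # Authenticode (embedded) or Catalog
            Signer     = $sig.SignerCertificate.Subject
            IsOSBinary = $sig.IsOSBinary
            Action     = $action
        }
    }
}

# Constructed sample input: two libraries that ship with Windows.
"$env:SystemRoot\System32\kernel32.dll", "$env:SystemRoot\System32\ntdll.dll" |
    Test-QuarantineCandidate | Format-Table -AutoSize
```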


Critical system files are digitally signed by Microsoft. AV products can help avoid false positives by double-checking whether or not the signature is valid.

(This is NOT to say, however, that we should trust third-party software just because it is digitally signed. There have been cases where private certificates leaked and were used to sign malicious software).

True. It's becoming the new plague in malware, slowly but surely.

That being said, if you are going to delete f*cking Kernel32.dll you better be sure that it is 100% a virus and destroying the OS is better than the ruin this virus will bring.



anakin206

A.V.G. once had this and people were vex.

hahaha! I remember when AVG screwed it too! It was a beautiful Saturday with many clients complaining because their computers stopped working after restart. It was in Windows XP times.



Funny, all the PC's i look after run Avast, and on wednesday i was on site with the largest group of them, i forced an update on all of them and well.....nothing happened

Run it on my own PC's and well....nothing happened.

Yeah i just thought i would post a fake news article for the fun of it.. :troll:



I remember they were giving it away for free at college. I avoided it as if they said "Free AIDS, just sit on this cucumber".

Then McAfee got in the news for destroying PCs, especially XP PCs. I'm surprised I never heard of any issues on campus from it.



Lemonadez

This is why you don't use any Anti-Virus. All of them are fake and slow ass down your Computer.

All you need is Firefox + uBlock

Sandboxie

Why download a warez game/crack if you know they will have 50/50% FUD that bypasses AV scanning? You should Sandboxie that program in the first place.


