Trend Micro Bug Hits Several Important Computers

dmarx writes "The Japan Times reports that a bug in Trend Micro's antivirus software has caused the CPUs of several important computers, including those at East Japan Railway, to grind to a halt. A bug free version was released on noon Saturday." From the article: "Kyodo News experienced LAN access failure from around 8:20 a.m. to shortly before noon. The Asahi Shimbun and Yomiuri Shimbun also had trouble with their LANs at their Tokyo and Osaka bureaus, but the problems did not affect editing or printing of their evening editions."

Before the flury of obvios train crash jokes start

That was East Japan Railway. The crash was on Japan Rail West.

Sounds familiar.

[bigtallmofo]

The buggy file slowed down computer performance substantially by making CPUs run at almost full capacity, the software company said.

Sounds like every interactively-scanning antivirus program I've ever installed. I wonder, when Microsoft releases server benchmarks, if they run them with antivirus software running in the background? I think this would give a 10%-15% edge to operating systems that don't require such measures of protection.

Re:Sounds familiar.

[fr0dicus]

Like what for example?

Re:Sounds familiar.

[bmalek]

This sounds like a study I recently read about the poor performance of Apache vs. IIS. If you read between the lines you find out that the reason why the Apache server performed so poorly is because it was using PHP as a module instead of being compiled into the server. Well duh, of course the Apache server is going to perform worse that way... As the saying goes: 'Lies, damn lies, and statistics' - Benjamin Disraeli

Re:Sounds familiar.

[biglig2]

No viruses on BeOS. Actually, no virus checkers either...

Re:Sounds familiar.

[Will2k_is_here]

Like what for example?

The obvious reference here is everything else. While viruses do exist for them, a good firewall and a smart user is enough to ensure security for them. And in the rare occasion of an infection, it's better to restore from a backup then to run an AV program all the time.

Re:Sounds familiar.

[Will2k_is_here]

No viruses on BeOS. Actually, no virus checkers either...

No users either...

Re:Sounds familiar.

[djbckr]

Hmmm, just this weekend my computer started consuming all CPU, and I use Trend-Micro (which by the way, I love).

I couldn't figure it out - had to boot to safe mode just to backup my files before I re-installed the OS.

Re:Sounds familiar.

[barzok]

Neither ASP nor ASP.NET are "compiled into" the web server itself - requests for ASP files are passed to ASP.DLL and ASPX is handled by the ASP.NET worker process. Both can be removed from the IIS configuration if desired, I'm pretty sure, using the same mechanism by which one installs the PHP processor (DLL) into IIS.

Re:Sounds familiar.

[cortana]

Overall, sounds like the ideal server platform to admin. :)

Re:Sounds familiar.

[mwood]

If it was like most of those studies, more likely the difference was due to a finely-tuned IIS running on a 4-way Xeon vs. Apache right out of the box running on a pocket calculator with half its memory disabled.

Re:Sounds familiar.

[kyojin+the+clown]

you re-install your OS before you look at the processes tab? blimey.

Re:Sounds familiar.

The different he's talking about with PHP is using mod_php as opposed to php.exe. If Apache uses mod_php, it goes out and hits php4.dll just like your asp.dll. If it's not using mod_php, it's going out and executing "php.exe %1" every time you hit a PHP page, waiting for the result, then sending it to the browser. This is much slower than the DLL approach.

You just need mod_php compiled in to Apache (the equivilent of ISAPI), *not* all of PHP, for this to work.

Re:Sounds familiar.

[Vo0k]

So...
I write a database that sorts the search using BubbleSort. Only. Nothing else.
There's a competing database where I can use arbitrary plugin for sorting, be this quicksort, bubblesort or bogosort. There are many. Most people use the fastest ones, but sometimes they use some odd sorting methods and replace the default quicksort plugin with their own.
So I start the benchmark, my database vs the other one. - set up to run on bubble sort.
Whoa, my database sorts data faster than the other one! I won! My database is faster!

Re:Sounds familiar.

[makomk]

Mod parent AC up. Of course, that's Windows-specific - on Linux it's mod_php4.so or something, but the principle's the same.

Re:Sounds familiar.

[jeffmeden]

no virus checkers huh... how can you be remotely certain then, that there are no viruses?

Re:Sounds familiar.

[djbckr]

Actually I did... The SYSTEM process was the thing using up my CPU. I don't know if the cause was Trend-Micro or not though...

Re:Sounds familiar.

[Ubergrendle]

No users either...

Isn't that because they're all dead? Oh wait, thats the OS...

(I kid! I kid!)

Re:Sounds familiar.

[SamThePondScum]

The SYSTEM process was the thing using up my CPU. I don't know if the cause was Trend-Micro or not though... It was. It "hit" U.S. computers late Friday (about 5:30p central) and was fixed a few hours later. Of course, we didn't know what the cause was to begin with, so that didn't keep those of us working a bit late Friday from working much later....

Re:Sounds familiar.

[Harassed]

Except for the small matter of there being no applications :)

Re:Sounds familiar.

[MrP-(at+work)]

SYSTEM isn't a process.. its the username thats running the process.. if you checked right next to it (usually on the left) you would have seen it was a trend micro sys file

Re:Sounds familiar.

[It'sYerMam]

While I don't use BeOS, I challenge you to infect a BeOS computer.
Or many of the other secure operating systems.

Re:Sounds familiar.

[Fjornir]

Are you certain of that, sir? With out computers the image name displayed as system and so did the user name.

Re:Sounds familiar.

[h8macs]

AVG is hardly noticed running in the background. Fantastic protection as well...

Re:Sounds familiar.

[bluGill]

Lack of apps just makes it even easier to admin. None of the non-existant users will be asking for any of the non-existant applications to be upgraded. Nor will they be getting any of the non-existant viruses.

The big problem with being a BeOS admin is there is no money in it. Otherwise it is perfect.

Re:Sounds familiar.

[jacksonj04]

I'd say the fact apache will run out of the box on a pocket calculator with half the memory disabled is far more impressive than just coming top in a benchmark.

Re:Sounds familiar.

[biglig2]

Because if anyone had written a BeOS virus it would be announced on BeBits - they need to get the application numbers up somehow.

Re:Sounds familiar.

[mwood]

I was being somewhat facetious -- I can't name a pocket calculator that's known to run Apache, although doubtless someone's tried it on a sufficiently husky palmtop. But you've seen that kind of "study" -- like the one that proved that it costs more to run Linux than Windows if you buy a PeeCee to run Windows and an AS/400 to run Linux.

Re:Sounds familiar.

[jacksonj04]

I've certainly seen the studies. They're the same ones which state (quite correctly) that ISS totally outperforms everything else, providing everything else is running on sub-par hardware and ISS is optimised to hell.

Now I'm gonna go try shove Apache onto my graphical calculator.

Re:Sounds familiar.

[chrish]

I'm sure BeOS' POSIX stuff would compile clamav without any problems.

Re:Sounds familiar.

[biglig2]

You start on that, I'll start on W32/Bagle.

I hope people don't think I'm being mean about BeOS, I love it. Just can't resist an obvious joke.

Re:Sounds familiar.

[wokie78]

i work in a company that has about 1000 clients, out of which about 3/4 are working with officescan AV. on friday we 1st tought part of our network was down then we saw a system process driving the processor 95%~99%. so we tought it was virus outbreak. but it came to our attention that the computers not using officescan where o.k., and also the part of the company that doesn't allow people to install messenger on computers. we got a box working when we tried installing norton, to do that we tought it was a good idea to stop all officescan services before (we had to do it on safe mode, which was the only way we could do anything) when the box was booted up again, it just ran smoothly. then we noticed a new update version was up. by then we had also noticed that the boxes that didn't have messenger where also windows 2000 boxes. in all the faulty update was pattern file 2.594.00 replaced about 2~3 hrs later with 2.596.00. The "infected" boxes had to had officescan's services disabled, except for the listener service so it could download the new file, and then had the whole box restarted. in all, all IT personnel had to stay until around 9:00 p.m. on friday to fix the boxes on the assembly line. lots of money was lost. and by the way, officescan's EULA states that their product is NOT without errors. here's a copy of an e-mail we received the next monday: Urgent Notification - Trend Micro Pattern File 2.594.00 Causes High CPU Utilization On April 22, 2005 at approximately 3:30 pm Pacific (11:30pm GMT) Trend Micro posted a pattern file (2.594.00) which had the potential to interact with certain computing configurations and cause computer performance issues for some users of PC-cillin, OfficeScan (including the OfficeScan component of Client/Server Suite for SMB, and Client/Server/Messaging Suite for SMB), and ServerProtect for NT. This specific pattern file was only available during an approximately 90-minute time window. Trend Micro removed the pattern file from our Web sites and Active Update servers at 5:02 pm (1:02am GMT), and immediately took steps to post a new pattern file. Subsequent pattern files do not cause these issues. For any customers experiencing instability, Trend Micro has provided a set of solutions which can be found under the Support section of Trend Micro's Web site. Additionally, Trend Micro has extended support hours especially to help those customers who were affected by this issue. Further information, instructions, and details can also be found on the Trend Micro Web site at: http://www.trendmicro.com/pattern594 We sincerely apologize for this incident and will continue to improve our processes so that problems such as this do not happen in the future. Eva Chen, CEO Trend Micro, Inc.

I expect 100 posts like this.

[muyuubyou]

... but in case you're wondering if this may have caused the derailment at Amagasaki, apparently it didn't. Amagasaki is located in western Japan (covered by JR-West).

Still, the coincidence in time makes me wonder. I sure hope they don't use Windows in the train system I use... just read the EULA. My life is pretty "mission-critical" to me.

Re:I expect 100 posts like this.

[Chryzo]

some of the trains here in Norway runs a *nix flavour. Yay!

Re:I expect 100 posts like this.

[shanen]

I think it may be too early to rule out any connection to the fatal derailment. There is some preliminary evidence that the engineer may have been pushing in an attempt to get back on schedule--and the delays may have been indirectly related to the train delays mentioned in this article.

However, I admit that it was more likely due to his youth and inexperience. He was 23 and had less than a year handling the trains--but they also need to reconsider any external factors that may have helped pressure him to make the fatal mistake.

On the main topic, I'm not sure why Virus Buster is not being mentioned here. One of my Japanese co-workers said that was the affected product. I think they may have been acquired by Trend Micro, but it's still marketed under that name (written in katakana), and I think it is still the top anti-virus product in the Japanese market. I worked in Akihabara some years ago, and it was definitely quite dominant at that time.

Who's to blame

[janek78]

I suppose the manufacturer of the faulty software is not liable in any way. Would we buy say TV sets if their Terms of use said that they are in no way guaranteed to work for the purpose they were bought for, nor are they safe to use (like exploding randomly - It's time for the penguin on the top of the TV to explode).

I understand software is a tad more complex than your average TV, but cars are not exactly simple either and they seem to work quite well (most of the time). Will we ever get software that just works or will we always have to buy something in the good faith that it will work, but if it does not, it is our tough luck?

BTW, I hope slashdotting another japanese server won't cause much additional damage...

Re:Who's to blame

[Vo0k]

Let me wake you up.
Car manufacturers fight really hard to stop this from getting more of media attention, but modern cars are known to have SERIOUS software bugs. Just google car software bug or similar for stories and references - running 100MPH down a motorway and have the engine switched off, everything shut down (and even the steering wheel blocked), or having the central lock imprison you in the car, so you can't get out, or having random pieces of equipment (wipers, windows, chair adjustment) to start at random... These are real stories. Cars aren't what they used to be...

Re:Who's to blame

[dkone]

google in this case is a verb, please post again when finished with 9th grade English.

Re:Who's to blame

[Analogy+Man]

Cars aren't what they used to be...

And that is a good thing...despite these software glitches cars are SIGNIFACTLY safer today due to computers:

• ABS Braking
• Structural Analysis software
• Vehicle dynamics / handling simulation
• CFD analysis for tires (they are quite efficient pumps really)

If cars are going to go fly by wire they need to be tested and maintained like airplanes instead of like disposable consumer electronics...but in balance computers have made cars safer.

Re:Who's to blame

[Patrik_AKA_RedX]

Software design is still a pretty young field of construction. Building construction has had more than 2 millenia to develop, while software design had about century (give or take a decade). In the early days (read: centuries) buildings were designed by rules of thumb. Only the last few centuries the real science of contruction was developed. (The metalurgical properties of steel wasn't researched until after WW2 when they figured out that welded ships couldn't handle the extreme cold of northern seas very well) In software design we're at the point where we're trying to come up with the science, but are still mostly using rules of thumb.

Given time software will reach a point where it's about as reliable as concrete buildings, but in the mean time we'll be stuck with the many kinds of blue screens.

Re:Who's to blame

[kfg]

RyanFenton, posting in the computerized cars for traffic control thread:

I'd MUCH rather trust a reasonably engineered computerized system than the thousands of other drivers around me on my way about town.

I didn't post there, but my very first reaction on reading was:

"And just where the hell do propose to find one of those?"

This story illustrates my reaction. Imagine thousands of cars around you on your way about town that have suddenly lost all control.

Without the introduction of computers cars are actually not that complicated. They consist of a relatively few number of parts mechanically linked in such a way that any child can intuitively grasp their operation. You can teach yourself a fair amount of auto mechanics through entirely empirical methods, just sitting down with the device, taking it apart, putting it back togehter, and grasping how the whole thing works by such observation.

Nobody's going to write a virus checker that way, or a car control system. The computer is too complicated, consisting of billions of invisible "parts" whose operation is entirely abstracted from their function.

To the extent that cars are complicated these days, to the further extent that even formally trained mechanics cannot figure out what's wrong with them without plugging them into a computer, it is because they now contain. . .computers.

So refering to cars as an example of something that's complicated but reliable is not factual ( and I myself have found myself sitting by the side of the road with a mechanically sound car that refused to run because a control chip died), but also begs the question.

KFG

Re:Who's to blame

[terraformer]

Yup, my 2004 saab 93 has more than a few of them. Sometimes the volume control on the steering wheel works, sometimes not (it seems to depend on whether or not I let the car POST before kicking over the engine). I get out of the car and low and behold, my reverse lights are on, nothing else though and I was not in reverse when I shut down the engine. Sometimes when I hit the remote to lock the drivers side door (the only one open) the other three doors open while the drivers side closes. Hit the lock button (as opposed to the unlock button which is seperate) again and the situation reverses and there is still an unlocked door. It takes starting the car back up and waiting to clear it. These are all minor but I would love to know what others are lurking...

Re:Who's to blame

[Beatbyte]

I agree. And because it's happened to me.

1998 GMC SONOMA SLS
Driving 70mph in heavy rain and my whipers quit. I quickly hit the brakes and drove off the road. I'm glad I had a little Rain-X left on the windshield. Otherwise I would have been about 20 feet down in a ditch.

The other time that truck tried to kill me was when the butterfly in the throttlebody stuck wide open. That was a hell of a ride!

Re:Who's to blame

[makomk]

if you are so feeble that you can not physically override a solenoid locking system by moving the lever by hand then you deserve to die in your car.

At least some Honda Civics are designed with a deadlock mode you can activate (from the outside only!) in which you can't open the car from the inside. Stops someone smashing a window and unlocking the door that way, I assume.

Besides, that doesn't help the failure mode where you're on your own on a quiet road at night miles from anywhere, you go outside to clean some stubborn mud off the headlights (for example), and the car locks you out. Oh, and your mobile's on the seat inside. I don't know of this happening to anyone, but...

Re:Who's to blame

[korbin_dallas]

Agreed.

Many Chrysler products have whats called a BCU (a Body Control Unit) that controls:
wipers, electric door locks, electric windows, instruments, interior lights, exterior lights, radio, heat/ac, etc.

The BAD design choices Chrysler engineers made:
1. including the odometer eeprom. this makes swapping the dam^ thing a PITA.
2. no diagnostic info, and
3. no Built in Test(BIT).

A firmware based component such as this should be a 60 second replacement. I bet you can change the fire control computer in a F-14 in 60 seconds, the paperwork takes longer.

This kind of stuff needs to be OPEN, so that 3rd parties can built cheap replacement parts.

WANTED: chrysler BCU source code. The next time someone hacks Chrysler computers please get that code.

Thanks.

Re:Who's to blame

[cybergibbons]

Jump starting cars improperly can sometimes trigger the central locking - when you are outside the car, with the keys in the ignition.

For this reason, when you are connecting up jump leads to a modern car, it's quite useful to have the keys of both cars in your hands to avoid this embarassing problem.

I think it may be that a flat battery in the second car produces a prolonged rapid surge which the ECU just wasn't designed to deal with.

Re:Who's to blame

[UWC]

Haha, would that I had mod points. It was all I could do not to laugh out loud. I'm just glad that cubicle walls mean that my face contorted in amusement went unseen.

Re:Who's to blame

[LoyalOpposition]

google in this case is a verb, please post again when finished with 9th grade English.

I took the parent post as a remark about verbification. By the way, you should have capitalized "Google" and your comma should have been a semicolon.

-Loyal

Re:Who's to blame

[greed]

The surge results in a voltage drop on the +12 rail of the "good battery" car. It's trying to bring the dead battery up to the exact same voltage, within the current limiting effect of the jumper cables. Lead-acid batteries have a very low internal resistance, so they won't slow things down much. (And that's how you get 800 "cold cranking amps" out of 'em.) A dead battery will be between 11.8 and 12.2 volts, and the good system should be up around 13.2 to 14 or so, depending on the regulator.

Many computers need to have /RESET held low for a few would-be clock cycles after power-up, to allow the power rails to stabilize and the master oscillator to start. Usually this is done by a capacitor which slowly (comparatively) charges up to supply volatage; when it crosses a certain voltage, it releases /RESET (they're usually active-low), and the CPU can start.

All well and good...

If you've got a situation where the power rail drops suddenly, the capacitor on /RESET starts to discharge to the power rail. Enough, and it activates the /RESET line on the CPU. Even though the power drop wasn't enough to wipe out the CPU, it was able to trigger the power-on-RESET circuit. (The fix is to put a diode in the computer's power supply connection, so that the computer's power supply capacitors never try to bring the +12 rail back into spec.)

Another fun thing that can happen, though probably not in automotive circuits, is GND and Vcc inversion.

This used to happen a lot on Amigas with defective monitors; you'd get a high-voltage discharge in the monitor to the GND line, which would momentarily bring GND over Vcc, triggering a /RESET. The fix there is to separate shield ground from signal ground; or you could just go bankrupt.

Given the number of modern cars which, apparently, tell you not to jump-start, there is an awful lot lacking in modern automotive design. It's not hard to cope with a jump-start, you just have to not cut all those corners.

(My 1998 Subaru has no such warning; I've only heard about that warning from GM owners--I've never seen it myself.)

Re:Who's to blame

[Richy_T]

I accidently found out with the Passat I used to have that if you left the headlights on and disconnected the + battery lead and tapped it against the battery terminal post a few times, the central locking would *unlock* the doors. Never found a use for it but I wrote to VW about it and they just blew me off.

RIch

Re:Who's to blame

[UWC]

I'd not heard about the jump-starting problem. And I really hate to sound like a luddite, but odd automated things like that are one of the reasons I've been reluctant to look around to replace my 1995 vehicle.

My family rented a 2003 Suburban for a vacation (family-sized vehicle was in the shop after a large tree-branch fell on it, distorting the roof and breaking windows) a couple of years back, and one scary "convenient" automation was that the doors unlocked when the vehicle was shifted into Park. That, to me, was a severe safety flaw. Here you are driving around in $40,000, and your doors unlock when you shift gears. Just so the driver doesn't have to press a button afterwards.

Re:Who's to blame

[jamesl]

Cars aren't what they used to be...

You never drove a 1967 Jaguar. Electrics by Lucas -- the Prince of Darkness.

Re:Who's to blame

[UWC]

I've been lucky enough to never experience a stuck throttle, but what did you end up doing? I've always assumed I could shift to Neutral if that happened, but if it's something you've not thought about before, I can definitely see that not immediately springing to mind while it's happening.

And the wipers: was it the motor or a problem with the controller that made them stop? My family has been using GM trucks for a while, and we've had to replace a few failed/failing wiper motors, though I think a 1992 was the most recent one to need that done.

I really can't complain about the major parts of my 1995 Sierra. The seat motor burned out and was messing with some parts of the electrical system until I disconnected it, and I think there might be a loose connection somewhere in there, as the battery meter on the dashboard occasionally jumps around, but the truck seems definitely mechanically sound, and I've never had problems with serious parts of it, except that the battery that was in it when I bought it was surprisingly underpowered and ended up failing. Had sulfur build-up all around the posts and such.

Re:Who's to blame

[Beatbyte]

I ended up slamming on the brakes and turning the truck off (locked steering and went flying into median). Once I got it apart and noticed the TPS was fine and the throttlebody was screwed up (still was stuck wide open), I screamed and cussed and bought another one.

The wiper problem was definitely the controller. They worked after I pulled the battery negative for 5 minutes, then reattached, started the truck and went driving.

Re:Who's to blame

[kfg]

Begs what question?

The complication of cars compared to computers.

KFG

Re:Who's to blame

[alc6379]

Verbing weirds language

Isn't it funny how the word that describes turning a noun into a verb is actually a noun turned into a verb? Verb that, will ya? Why I oughta...

Re:Who's to blame

[RomulusNR]

Generally, people don't add nearly as much operationally detrimental crap to their cars as they do their computers. If they did, cars would probably have as many problems as the average or power user's PC.

And cars certainly don't get something additional forcefully installed into them via a backdoor every time they visit some company's parking lot.

That would be novel, wouldn't it -- free parking, as long as we can secretly install a tracker that lets us know which drive-thrus and coffee shops you go to the most.

(Shut up, don't give them any ideas!)

Re:Tragic. That's the word to describe this

[commodoresloat]

This has nothing to do with antivirus software. The driver was driving too fast. They don't have computers that run new software like this controlling the trains!

Re:Tragic. That's the word to describe this

[Will2k_is_here]

Shame on the testers who didn't catch this.

No shit! I wasted several hours trying to get my computer running again. How come they didn't?!

though I had nothing better to do anyway :(

A lesson here.

This is why sysadmins should never roll out updates without testing them first. And what's even worse than non-testing is letting individual stations update directly from a vendor's site on the internet. Just asking for trouble.

Re:A lesson here.

[ats-tech]

Yes, updates should be tested, but, if this is like the McAfee 7.1 problem, cpu spikes to not happen on EVERY machine.

Re:A lesson here.

[Fjornir]

EVERY XP machine in my office was affected.

New sales slogan

[Alien+Being]

With Trend Micro, viruses are the least of your worries.

Re:New sales slogan

[MaTriXxx1]

I think that this is rather impressive, when M$ finds a bug, it could take weeks to fix, if they even bother fixing it in the first place. I still have a search function in my XP laptop that hasnt worked in months, despite re-installs. If T-Micro has a few bugs here and there, it shouldn't tarnish YEARS of quality software, especially if they have a track record of fixing issues within hours. But on the reverse angle, if my server was locked at 99% cpu usage due to software that I payed a small fortune for... id be rather pissed.

Re:New sales slogan

[KillShill]

very funny, i haven't had a good laugh like that in a while.

LPT$VPN.594?

Was this the issue with LPT$VPN.594?

The large bookseller I work for (think "Stables and Lords") got hit with that on Friday. All the XP machines (basically, the Manager's computers in the stores) and even a few of the XP computers in the Helpdesk (where I work) would lock up and freeze during boot.

Deleting the offending file fixed the issue.

Re:LPT$VPN.594?

Yeah, that was it:

Pattern File 2.594.00 may cause high CPU utilization

Overview of Issue

On April 22, 2005, selected OfficeScan, PC-cillin, ServerProtect for NT, Client/Server Suite for SMB and Client/Server/Messaging Suite for SMB customers began experiencing difficulties using their computers due to slow down or 100% CPU utilization. This was shortly after Trend Micro posted Official Pattern Release (OPR) 2.594.00 at 3:30 p.m. US Pacific Time (or 11:30 p.m. GMT), which was later found to potentially cause performance issues when certain computer configurations are met.

OPR or Pattern File 2.594.00 was therefore removed by Trend Micro from its websites and Active Update servers by 5:02 p.m. US Pacific Time of the same day (or 1:02 a.m. of April 23, 2005 GMT), and was only available for approximately 1 hour and 30 minutes.

Subsequently released pattern files (e.g., OPR 2.596.00 or higher) do not cause this issue.

Why did this happen?

To protect its customers against the growing threat of the WORM_RBOT family, Trend Micro enhanced the decompression ability of its Pattern File by supporting 3 new heuristic patterns, including UltraProtect decompression, in OPR 2.594.00.

Due to an isolated anomaly in the engineering, development and pattern release process, the UltraProtect decompression may, in certain circumstances, cause some systems to experience high CPU power consumption. This can lead to system instability when this specific file type is scanned using Pattern File 2.594.00.

Bug free?

[taobill]

A bug free version was released on noon Saturday.

They can prove that there are no bugs can they? That would be a neat trick.

And what's "on noon"?

How about: A fixed version was released at noon on Saturday.

Re:Bug free?

[Ulrich+Hobelmann]

No, they used the new, hot Software Engineering technique: Bug-free Software Engineering!

But I agree, it's sad that any company makes that claim.

Re:Bug free?

[Vo0k]

Actually there ARE techniques of "proving there are no bugs". A program can be mathematically proven to be correct and error-free.

As usually, there's a hook. Proving correctness of anything more complicated than 2-3 nested loops and a handful of conditional statements would require more computational power that exists in the whole world.

Not quite useless - 20-line routine about mixing fuel in a jet engine is something worth proving, and these things are subjected to this technique. But 3 megabytes of an antivirus - sorry...

Re:Bug free?

[sholden]

Actually there ARE techniques of "proving there are no bugs". A program can be mathematically proven to be correct and error-free.

As usually, there's a hook. Proving correctness of anything more complicated than 2-3 nested loops and a handful of conditional statements would require more computational power that exists in the whole world.

It'll need significantly more computational power than that. After all a program unintentionally entering an infinite loop is a bug. And since the Halting Problem is uncomputable - no computer (well, not without a *major* breakthrough) can determine whether an arbitrary program will have such a bug.

Not quite useless - 20-line routine about mixing fuel in a jet engine is something worth proving, and these things are subjected to this technique. But 3 megabytes of an antivirus - sorry...

Yes, if you remove the 'arbitrary' part you can prove lots of things about programs that are written in a restricted language (or a restricted subset of some language). If the program is running on Windows (or Linux or almost any OS) then the game is up before you start since you can't prove what they will do so does it matter if you prove your tiny bit of code works...

Re:Bug free?

[Vo0k]

It'll need significantly more computational power than that. After all a program unintentionally entering an infinite loop is a bug. And since the Halting Problem is uncomputable - no computer (well, not without a *major* breakthrough) can determine whether an arbitrary program will have such a bug.

Why? Not at all.
The process checks ALL branchings and ALL possible combinations of states of the program (that's why it's so computationally intensive), and once entering endless loop, the program will keep changing its state in a closed cycle - Pretty simple autocorelation analysis of the time-state function of given branch will reveal it's an endless loop and terminate analysis of the branch.
Actually, float/double variables, conditionals inside long loops etc are worse. And of course, multitasking, underlying OS etc will apply to (and kill) the solution if you take timing into consideration. If all you want is the result value in some finite time (not "realtime"), then you may neglect the the timing issues, just guarantee enough resources. Say, calculating stresses of a construction node in some CAD/FEM, as opposed to fuel mixing doesn't have to finish in 0.02ms, but just in such a time that the designer doesn't fall asleep - but it must be just as correct.

Re:Bug free?

[sholden]

Why? Not at all.
The process checks ALL branchings and ALL possible combinations of states of the program (that's why it's so computationally intensive), and once entering endless loop, the program will keep changing its state in a closed cycle - Pretty simple autocorelation analysis of the time-state function of given branch will reveal it's an endless loop and terminate analysis of the branch.

Well, for a computer with finite space you could analyse all possible states - but then again to do so you would need a comuter with a larger space, so how do you know that one is correct?

Tha halting problem is fundamental computer science. It is impossible for a Turing Machine to determine if another Turing Machine will halt on a given input. Now Turing Machines have infinite tapes, but a modern computer has tens and possibly hundreds of gigabytes of disk in which to store state - so though it's not infinite it's getting large.

Consider:

mpz_t n;
mpz_init(n);
mpz_set_ui(n,3);
while (true) {
if (xn_plus_yn_equals_zn_satisfiable(n))
return false;
}
mpz_add_ui(n, n, 1);
}

Re:Bug free?

[Vo0k]

Well, for a computer with finite space you could analyse all possible states - but then again to do so you would need a comuter with a larger space, so how do you know that one is correct?

Three outcomes are possible:
- Proven incorrect
- Proven correct
- Unprovable using available system.
You just treat "unprovable" as "proven incorrect" for mission-critical pieces. Sanity checks for running out of -its own- space on the proving system are quite simple. Yes, you need a large system, MUCH larger to that.
With the example given, you either inline all the functions and prove the program standard way, for all possible n, or if you can't, you take it is possible that "unknown" xn_plus_yn_equals_zn_satisfiable() and mpz_add_ui();
are incorrect (i.e. never return, or always return false) and thus prove the program incorrect. (program correct for certain values, and incorrect for other, IS incorrect as a whole.)

Re:Bug free?

[sholden]

The mpz_* functions are from a bignum library, so the rather 32 bit ints the integers can take up all of available memory...

xn_plus_yn_equals_zn_satisfiable simply returns whether x^n + y^n = z^n is satisfiable for n with some value of (bignum) integers x, y and z.

In other words the program halts if Fermat's Last Theorem is true and infinite loops if it is not.

Of course if you take "the prover couldn't find a problem after running for 3 days" as meaning the "code is invalid" then you can "prove" the correctness.

However, the "need a much larger" system part presents a problem. You have to prove the prover doesn't contain bugs, since what happens if it has a bug that makes it say some code is correct when it isn't?

It is mathematically impossible to prove an arbitrary Turing Machine halts on given input. And modern day computers are equivalent to Turing Machines (except for the fact that they have finite memory - but they have enough that brute forcing isn't practical).

So if you want to prove a piece of code is bug free you need to write it in a language that is restricted enough to make such a proof possible (you take away the arbitrary part).

Re:Tragic. That's the word to describe this

[dangitman]

Never trust any company with the word "Micro" in their name. Seriously, "micros" have a lower standard on everything compared to mainframes. You get what you pay for.

You want me to trust one of those finicky and new-fangled mainframes, when my slide-rule works perfectly reliably????? WTF?

Can anyone explain?

[0olong]

Why a bug in Trend Micro's antivirus software would appear in Eastern Japanese LANs specifically?

Does it like sushi?

Re:Can anyone explain?

[0olong]

Nevermind. I decided to read the article. Considering time zones, Japanese businesses probably were the ones with the earliest working hours.

Re:Can anyone explain?

[Fjornir]

Nice joke, but this took out my company Friday afternoon PDT.

Re:Can anyone explain?

[Spy+der+Mann]

Does it like sushi?

Hmmm why not call it the "Otaku" bug? :P <--- oops i meant to say ^^; (it's Japan we're talking about!)

The problem with AV

[Fished]

Antivirus checking is, by nature, an invasive procedure. Is it really surprising that these products have such a lousy reputation for impacting system stability?

Oddly, my Solaris and/or Linux and/or OSX servers are able to get by without any sort of AV protection (other than promptly installing patches). And, oddly enough, they are more stable.

Go figure. :)

Re:The problem with AV

[mikeumass]

Less market share. Windows is a much more apetizing market. Especially since most users wouldn't know if they had a trojan in the first place. How many people actually renew thier subscriptions with Norton or NA?

Re:The problem with AV

[Deffexor]

I actually ran into this problem at a customer's site this weekend. They had Trend Micro AV and the computer was utterly crippled. It was like it had some utterly malicious virus on it gobbling up all the cpu time.

Using SysInternal's Process Explorer, I was ultimately able to see that a module (running as a part of the "system" process) called "TmXPflt.sys" was running 4 simultaneous threads each using about 25% of the CPU. Since the "system" process is given higher priority than all other processes, the system naturally slowed to a crawl.

I rebooted into safe mode and renamed this file and restarted. The system behaved like normal again. The file said it was a Trend Micro "XP Post Filter" (mail filter?) - After all that, I thought that it was particularly weird that I hadn't read about some problem from Trend Micro on a major news outlet (like Slashdot) :-)

Re:The problem with AV

Then tell me, why is it that Microsoft's webserver is more vulnerable to exploits, viruses and trojans, http://www.google.com/search?q=+iis+apache+vulnera ble, than it's competitor Apache which has a market share of 70% http://news.netcraft.com/archives/2004/08/01/augus t_2004_web_server_survey.html

Re:The problem with AV

[antifoidulus]

Patches can do the same thing to your system though if they aren't up to snuff. I would be careful about being the first kid on your block to get a patch unless you think it is absolutely critical.

Re:The problem with AV

[Quikah]

Uh, did you fix their problem or was that it? You do realize that you disabled their AV scanning by renaming that file right? TmXPflt.sys is not a mail filter, it is the file that determines whether a file should be scanned or not.

Re:The problem with AV

[FrankNputer]

This is the common argument, but it misses the point that Windows is an EASIER target because of the way it's built.

Antivirus software on mission critical computers?

[mferrier]

Yet another example of why critical computer systems should be stripped down to the barebones tried-and-true software and isolated from any potential source of interference. This goes doubly for a system like this on which the local infrastructure depends!

Auto Update of Antivirus IS a secuirty risk

[csk_1975]

There was a discussion about auto update of both definitions and scan engines being a security risk some time ago on Full Disclosure (I think it started as a Windows Update thread). This event just goes to show that software which auto updates should be used with caution and controls are required if its going to be used on critical systems, ie any updates need to be tested prior to roll out. Whether or not this can be viewed as a security incident is debatable, but software which downloads updates that cause a DOS are usually viewed as malicious. I wonder about the cruft like Plaxo (and all that other supposedly safe stuff) which download updates all the time, I can't stop it (not for technical reasons ;) but I'm just waiting for the day an auto downloaded update craps out some VP's laptop.

Re:Auto Update of Antivirus IS a secuirty risk

[SatanicPuppy]

I keep thinking of that DNS cache poisoning exploit thats going around. What if you could poison a cache, then have a box upstream of the home user pretending to be Norton Auto-Update, or whatever...I'd be surprised if they didn't hasve a secure connection on their end, but it could still be possible.

Then you could have people automatically downloading malicious code with a program that is meant to protect against that very possibility.

Why AntiVirus?

[MindStalker]

What I want to know is why do the computers controlling the train system in Japan need antivirus. Are they attached to the internet? Do they have disk drives? This system should have neither, I can understand the reason for a seperated system to be connected to the net for reporting train schedules and problems. But connecting a control system like that? Running it on windows? Silly. Thats worse than having antivirus on an ATM.

Re:Why AntiVirus?

[MindStalker]

By disk drives I meant floppy drives/cdroms etc not hard drives.

Re:Why AntiVirus?

[guy-in-corner]

Even if a computer system isn't connected to the Internet, you can guarantee that -- if it's connected to any kind of network infrastructure -- some idiot is going to jack their laptop into it, or plug a USB key into one of the PCs.

This is how viruses can get onto supposedly 'private' networks.

It takes a significant amount of effort from the IT guys to harden a system against this -- managed switches, Windows group policy. They're guaranteed to forget something.

The right thing to do is to disable the AV updates over the Internet, and use internal update servers (assuming that your AV solution supports it).

This means that you can validate the AV software on a test rig before it ends up on mission-critical production kit.

Re:Why AntiVirus?

[MindStalker]

Guess I should have RTFA, states only some ticket office computers were affected, not the critical controlling ones. :(

Re:Why AntiVirus?

[statichead]

It takes a significant amount of effort from the IT guys to harden a system against this

Actually they have had these systems for years... They are called Main Frames;-)

Re:Why AntiVirus?

[advocate_one]

the "traditional" vector for virus infection has always been the technician's floppy disk with test programs on it... now replaced by the USB key stuffed full of usefull diagnostics instead... just waiting to pick up a virus from one customer's system and walk it into another customer's system...

A disassemble of this virus

[WetCat]

0x100000 hlt

Re:Tragic. That's the word to describe this

[shanen]

Actually, there is (or maybe was) a line that was running with a computerized system. I remember because they had a pretty serious problem with it a couple of years ago. Unfortunately, I can't recall the details now, though I think it was also near Osaka, but that no one was injured.

The train systems are becoming increasingly automated however. For example, the older lines have open platforms, but several of the newer lines have a wall at the edge of the platform, with elevator-style doors that align with the train doors. No way to fall off the platform in that situation. I'm pretty sure they use a computerized braking system to stop the trains precisely so that that the doors line up, and probably a computerized interlock system to synchronize the pairs of doors.

This crash brought to you by the letter 'P'

[DarkFencer]

Um... I really have to wonder at the QA testing that goes on at Trend Micro. It seems that there have been some pretty big screwups there that made it into their enterprise software.

In case anyone forgot this one:
Trend Micro Quarantines Letter P

Re:Servers do not need real time virus protection.

[grasshoppa]

Ok, pop quiz:

Your SQL server is infected with a trojan. Nevermind how, it's not important. Your manager wants to know why it wasn't protected.

You are building yourself into a glass house. Mistakes happen. They are made by your or others on your staff. You should plan for those mistakes, life has a way of teaching these kind of lessons on it's own. Typically painfully.

It should be part of the TCO

[RoLi]

Exactly. This is just part of the cost of running Windows. Any serious TCO-analysis should include the cost to purchase, install and update anti-virus software on Windows.

We had the same problem

[Xerxes1729]

The same thing happened at my school this weekend. At the beginning of the year, ITS required that anyone with a Windows machine install this Trend Micro program and give them the password to an administrator account*. By "securing" all the Windows machines, network outages would be prevented. Ironic, eh? Those of us who use other OSs, of course, were unaffected. And best of all, when they sent out a notice about fixing the problem, they didn't explain what had happened - we had to wait for one of the students who works there to tell us.

*They wanted me to give them my root password before they would turn on my network connection. I told the nice woman that if ITS expected me to trust them with my password, surely they would trust me with the password to one of the servers. She rolled her eyes and activated my connection.

Re:We had the same problem

[Ruprecht+the+Monkeyb]

The problem is with your IT department, then, not with Trend Micro. The TM client software can be deployed in a number of ways that don't require client interaction, much less giving them the admin password.

I use TM's enterprise stuff at a number of clients, and I've found it to be far more reliable than anything else. Most of my clients were using other products before I moved them over to TM, and nearly all of them were having problems with client interaction, updates not working, etc. And despite updating regularly, I've never been hit by any of the bugs reported.

Re:We had the same problem

[NoHandleBars]

Friday afternoon the issue began creeping throughout our network. The irony is that the mis-cued anti-virus patch effectively acted so much like a virus that we kept looking to Trend Micro for the solution, when it turned out to be the source. [sigh] Does anyone else feel like the space-time continuum just hiccuped and provided a brief repeat of the state of enterprise computing circa 1981?

Re:We had the same problem

Sorry I think you don't understand the situation the pattern file caused. Officescan (the corporate version of the software that was effected) has a remote admin/update/rollback feature built in. Normally this would be the way that issues are handled. The issue though was that the trend product runs at a very low level on the system and every-time it hit DLL and a few other file types it brought the kernel/system utilization up to 100%. The problem is that the real time scanner is almost always hitting DLL and those other types of files. When this was happening you could not even telnet to port 135 on the problem host. The only solution that seemed to work was either their emergency update tool (mind you they released this like 36+ hours after the networks were down) which bashed the host with commands to fix the issue until it responded (but needed the admin password), rebooting the machine in safe mode, or writing your own script/program to do the same thing (what I ended up doing).

The frustrating thing about this situation was that Trend would not even tell me if it was a bug or if their update server was hacked and this was a malicious code injection Friday (I spent 9 hours on the phone with them). They just gave me the runaround that the support managers and project managers were all on a conference call trying to work through the PR announcement. Very poor form. When the announcement was finally made it plays down the fact that most of their large install base clients use a product called control center that checks and pushes out pat updated in minute intervals. So the "only released for 1.5 hours" junk in the PR was meaningless -- all of their XP install base at large corporations were down because of this. One more frustrating part of the night was the 30 minutes or so it took me to discover that Trend was responsible for the issue -- I then called support and the person on the initial call made believe that he had not heard of an issue until I stated that I knew it was the 594 pattern file -- then he went into the rehearsed line "I can't comment on this issue as we are still investigating it and coming up with a press release." argh.

Re:We had the same problem

[elijahb80]

Same thing at my school. I wonder if we go to the same school.

Re:We had the same problem

[Xerxes1729]

Would your school happen to be in Iowa?

Re:We had the same problem

[elijahb80]

yup. grinnell?

Re:We had the same problem

[Xerxes1729]

Yup.

Helpful, NOT...

[timbo1234]

This hosed all our work computers until the update appeared. 99% CPU usage on all of them. No helpfull info on the Trend site either. Cheers guys...

Re:Helpful, NOT...

http://www.trendmicro.com/en/support/pattern594/ov erview.htm

The statement by trend micro.....

Re:Helpful, NOT...

[finse]

To bad this wasnt posted until 3 hours after we discovered the issue @ my shop...

So dual CPU makes sense...

[stm2]

Some weeks ago there was a news here about using 1 CPU just to run housekeeping software (AV, anti-spyware, firewall, and so on) and let the other for user's taks.
It seems it is not so bad idea after all (at least, for Windows users).

Re:So dual CPU makes sense...

[Drantin]

I believe the article was actually about dual-core CPUs rather than dual CPU setups...

Re:Servers do not need real time virus protection.

[grasshoppa]

Don't be a retard, the point of preventing intrusion is that if you do get hacked, no damage can be done because the server is so locked down it can't do anything other then act as an SQL server.

You and I have differing definitions of "locked down", and in any case, I wasn't specifically referring to trojans, I was simply using them for the example.

Shit happens. As network admin, it's your job to limit the damage using every available mean. By not using AV on all machines ( yes, virginia, linux boxes too ), you are being negligent in your duties.

Re:Before the flury of obvios train crash jokes st

[mwood]

It sounds like they are two different companies, which makes it somewhat likely that they run different AV products. But all of this is guesswork; let's wait for the facts.

Re:Antivirus software on mission critical computer

[Hasai]

Ah; you mean like rip-out the Microsoft OS and replace it with a minimalized Linux kernel? I'm all for that.... ;)

Re:Servers do not need real time virus protection.

[mwood]

"What kind of server do you have that requires [realtime AV]?"

File servers. You know, machines whose sole purpose is for end-users to stow files on them.

If your end users are keeping all of their critical files on their workstations you need to fire your admins and get some new ones who have a clue about disaster recovery.

that's the problem

[zogger]

They are starting to make the cars so complex that it drives the cost up significantly for initial purchase, and the repair costs get astronomical because it requires a specialist in most cases to *really* fix them, but they still only last a few years before they start to break down and become uneconomical for most people. Catch 22 now. Airplanes on the other hand have high initial cost, high repairs and maintenance costs, but are designed for decades of service, not just a few years. Where are the high tech safer cards with 20 year warranties? the cost has gone up tremendously compared to when I was a kid, yet they still seem to break as much and are much harder to work on for joe average.

No easy choices for joe consumer and land transportation. It's not like you can go buy a brand new cheap car that isn't infested with all sorts of electronic stuff that isn't really necessary. It may be useful, but it's not exactly necessary. You can get older cars of course, but even then it's a high cost to restore them and in a lot of cases they have to be modified to pass emissions, which lowers their actual practicality value by introducing complexity. More stuff bolted on = more stuff to break, simple as that. I mean, new cars now cost what houses used to cost not that long ago, and they still drop in value the same as they always did, drive off the lot, whoops, several thousand gone, then it goes downhill from there. It's a cost/benefits/practicality issue that's quite complex, I don't think it can be really stated that cars are that much more of a deal now just because of all the electronic controls, which are consistently the number #1 consumer complaint with cars and repairs, the electronic control systems nowadays. Blackbox voodoo stuff that even the dealer factory trained guys have a hard time dealing with once they develop bugs.

Re:that's the problem

[BrooksD_1]

Airplanes on the other hand have high initial cost, high repairs and maintenance costs, but are designed for decades of service, not just a few years. Well, it's not just design, but that high maintenance that allows this. Even the best maintained passenger car is no where near the standards of a poorly maintained private plane. Pretty much every component on an aircraft has a rated lifespan and is replaced long before it might fail. As a result the airframe itself is probably the only original part when an aircraft is in service long enough. I'm not sure if it's 20 years or 40 years before you get to that point, as I'm not an A&P ("Airframe and Powerplant" the main cert for Aircraft mechanics). The bottom line is that if you wanted to put this level of maintenance into a car - serious inspections of components at set intervals, replacing major components as they "time-out" rather than waiting for a failure or sign of failure, etc - You'd probably get this kind of life out of a car. Basically it boils down to economics, airplanes are expensive and the consequence of a minor failure can be pretty dire, so it's worthwhile to drop a LOT of money maintaining them. Cars are cheap, and you don't fall out of the air if the alternator dies, so it isn't worth spending more than the cost of the car to keep them going. To look at it another way: Big rigs get something in between (preemptive component replacement, etc) and they generally last somewhere in the millions of miles...

Re:that's the problem

[zogger]

That was one of my points. Cars used to be cheap, I remember it was very common to only get a 12 month loan on a new car, even for just a regular low on the economic totem pole blue collar guy (that would be me). Now they are 60 months, and they still break down about as much, and it's immensely harder to fix them once they break. All we have gained is more complexity,at a greater cost,initially and maintenance wise, but the reliability isn't 5 times greater, not even close. If it was, I'd say it was a fair trade and wouldn't complain, but it's not. Cars are a worse deal now than they used to be, but they do have more gadgetry to them. That's the tradeoff, I just don't think it's worth it. If I could, and if it was available, I'd much rather buy something like a new vw beetle (old style) or something like a basic two bench seats 6 passenger dodge dart (had both, both got slightly better than 25 MPG too), without all the complexity that new cars have, but you can not get them, all new cars have been electronically rube goldberged way out to eXtreme ludicrous land. Granted, maybe the fly by wire cars now handle better, but quite frankly, I seemed to have missed the necessity of 180 mph commuting lately, despite all the 4 wheel drifts shown in the car commercials. I like the olden days of two for 10$ shock absorbers and a simple tuneup costing 3$ in parts and taking 5 minutes to accomplish.

I see some good things with new cars,don't get me wrong, but as transpo, point A to B, there's nothing really new out there, they still got 4 wheels and an engine, you just pay through the nose now for it, whereas it used to be *cheap*. If they were designed and maintained like you suggest with airplanes, then maybe, but that would requitre government forcing that option, which I honestly wouldn't have a problem with. Too much throw away junk nowadays and it's beggaring people. I've watched it change over the years, people nowadays are living in la la land credit fantasy world, and it's been induced by this throw away culture and by stuff that isn't worth it to fix. A 20 buck do dad no biggee, but 20 to 40 grand cars start to get economically annoying to consider them throw aways.

Well, for some of us anyway, to other people that's still throw away toy price.

Re:Servers do not need real time virus protection.

As an admin my job is to keep the servers running acceptable and cost effectively.

Real time virus protection hurts SQL server performance. Real time virus protection hurts web server performance. Real time virus protection costs money on print servers. If no damage can be done, then why spend the money or take the performance hit?

Info on Full-Disclosure list

[tsvk]

There was discussion on this on the Full-Disclosure mailing list when posters suspected that the 100% CPU usage on their computers was because of some new unknown virus.

A repesentative of Trend Micro Germany made a post to the thread where he explained the situation, apologized for it and offered pointers to their support database so that people could get the malfunctioning virus signatures uninstalled.

Re:Servers do not need real time virus protection.

[BrainstormOC]

Guess everyone has a ton of money to throw around securing everything so perfectly. I WISH I could get that kind of funding for securing things. I've tried and tried to show the execs the importance of it all, and in the end it still gets shot down because the allocate the money to build an addition to our complex so more people will buyin and we'll have more money to play with, which of course will go towards improving that building or.....anything but improving the infrastructure already in place or funding security. Who do YOU work for? Not everyone gets that kind of money to play with Mr. Attitude.... *rolls eyes* sheesh.....

Re:Servers do not need real time virus protection.

Yes I do know this.

Physical access is restricted with a key code that is changed every week as well as a physical dead bolt.

Remote access is restricted to 3 IP's that are within the building.

User access is restricted by me and my two coworkers. If you request access, we need to how, why, when, where, and on whose authority you have permission to access said data. When you can answer all of those to our satisfaction you will be granted access to that one dataset at your own box, validated with your own login information, and set to expire exactly at the time you no longer need it.

This is our job, it is what we do. I don't know what you other people are talking about with "finding time" We get 40 hours a week to thin about this shit and implement it.

I am absolutely 100% sure that no damage can be done. I stake my job on it. We have not had an intrusion yet, (despite 500+ daily attempts, mostly from Korea).

Yes, god herself told me. Every morning I pray and ask god to help me through another day. SO far she has delivered. I think she is speaking to me when I wake up suddenly in the middle of the night and say "Shit, If I change this to this and that to that then I can make the network that much more secure" (I know it is sad, but it is true).

Re:Servers do not need real time virus protection.

[BrainstormOC]

hmmmm. maybe you're right....on both counts

Re:What wrong

[stevie-boy]

wit Mc Afee? it works well enough for me

That would be the McAfee that caused *every* NT4 box here to hang on bootup after it downloaded a corrupted dat file from our local mirror?

Re:Servers do not need real time virus protection.

[grasshoppa]

I am absolutely 100% sure that no damage can be done.

This would frighten me, were I your manager. People who are this sure of anything have been, in my experience, zealots for that OS or so egotistical that I don't want them making decisions.

Crap breaks, people make mistakes. I believe this to the core of my being, and I plan on it. Sure, I lose some performance, but given I can throw more hardware at that particular problem, I don't worry about it.

Re:Before the flury of obvios train crash jokes st

Crash appears, 14 hours after the event and therefore subject to modification AND to my interpretation, due to:

1) Train driver overshot the station, so backed up.

2) This put the train a couple of minutes behind schedule.

3) The driver ran faster than allowed through a descending 70 kph right-hand curve to catch up.

4) The train derailed and slammed into an apartment block.

5) The driver survived. Many others didn't. 12 hours after the crash at least 4 people were still trapped.

6) Trend's antivirus products had fuck all to do with this.

7) Supposedly "clueful" people can't help but mention Trend Antivirus and a random train accident in the same breath. Piss on such people who giggle over the deaths of dozens as long as they can make their silly little comments.

OS should provide protection

[booch]

The operating system should really prevent this type of problem. The whole purpose of the OS is to mediate access to resources such as CPU. So if one process is able to monopolize the CPU and prevent other processes from getting CPU time, then the OS has failed to do its job. (I'm not sure Linux would do a better job or not -- I've seen cases where it had similar problems.)

Re:OS should provide protection

[EddWo]

Except this was the antivirus software, a file system filter driver running in kernel mode. Its not a matter of one process taking up more resources, it was happening with kernel threads running at a high priority.

Re:Before the flury of obvios train crash jokes st

[SniperX]

Actually Japan Railway East and Japan Railway West were originally owned by the government until 1987, so the chances of them using the same system architecture and products is quite high. I wouldnt rule out a connection to the train wreck so quickly.

SniperX

Woopiee

[SnarfQuest]

Isn't it sad that a program specifically written to stop problems of this kind, is the cause of this problem?

I personally don't like the idea of having an extra add-on software package, designed to plug holes in the operating system, instead of fixing the operating system itself. And now MicroSoft is planning on including one of these in their OS, instead of actualy fixing the problems!

I think the virus writers and the spammers are trying to drive personal computers into the same oblivion as the CB radio. Take something useful, and fill it so full of crap that nobody can actually make use of it.

Re:Tragic. That's the word to describe this

[glassjaw+rocks]

I hope you aren't a linux man, saying "You get what you pay for". The irony.

Trend Micro

[Fjornir]

So -- this is the same Trend Micro that decided to quarantine Cygwin a month or so back, took out our entire development team. A couple of years back Trend Micro decided to quarantine all emails containing the letter 'p'.

Since my office was so seriously affected by this problem, it would be great if people could post other embarassing Trend Micro stories too!

Re:Trend Micro

[Kevria]

I have found that if you attempt to copy the same file twice off of a cd then I can get Trend Micro antivirus to chew up 100% of my CPU. I had this problem FRIDAY night and ended up uninstalling their crappy software. It is the SECOND time this has happened with it. I also had made the mistake of installing their personal firewall and it kept bouncing my internet connection every 45 seconds or so (my computer is sitting behind a hardware router).

Re:Trend Micro

[jonfelder]

Two questions.

1. Why is your office still using Trend Micro if it has given you problems in the past?

2. Why aren't the updates tested on a test machine before being passed to end users? Surely avoiding the problems you listed would easily pay for a centralized update system and a test rig.

Re:Trend Micro

[Fjornir]

1. Because our IT department is incompetent. Choice of virus scanner is tip-of-the-iceberg as far as proving that goes.

2. See 1.

Re:Trend Micro

[jonfelder]

That's unfortunate. In this case it appears that their incompetance is seriously affecting your ability to do your work.

Maybe a chat with management is in order. If that doesn't work...and they wouldn't let me manage my own machine, I'd be sending out resumes.

PC-Cillin

[ajs318]

Trend Micro make a product called PC-Cillin. What I have always wondered is, why on earth would anyone use an anti-virus tool named after a drug which is famous for not working against viruses?

Re:PC-Cillin

[ajs318]

That's exactly what I meant.

By the way, the singular of "virii" would be "virius". "Virus" doesn't have an "I" before the "U", so if you were going to {doubly incorrectly in this case: for one, when a foreign word imported into English acquires a new meaning, when it is used in the new sense it is pluralised according to English rules; and for another, "virus" is a stuff-word, not a thing-word, and so doesn't even have a plural form} follow Latin-style pluralisation rules, its plural would be "viri" with one I.

Happened to me here in the US

[Flint+Dragon]

Friday night I experienced the same thing. All of a sudden, my CPU usage pegged at 99% and could barely do anything. Any programs/windows I launched either took a very long time to execute, if at all. It took me a while to figure out what went wrong. After messing around with the services (services.msc), I figured out it was pc-cillin. I just disabled all of the services associated with the program and rebooted. Everything came up fine afterwards and I just did a uninstall/reinstall and now my machine is happily chugging along!

NOT A JOKE, but a Train did Crash today in Japan

[Displaced+Cajun]

Could this be related?

Train Rams Into Building in Japan; 50 Die

Windows O/S on mission critical computer...

... is proof that you must be smoking crack. Either that or the machine must not be as "mission critical" as you'd like to think it is.

Windows O/S is only valid for machines that need to be up and running *some* of the time.

urban legend?

[bobalu]

Crashed Computer Traps Thai Politician
Updated 14 May 2003
http://aardvark.co.nz/daily/2003/n051301.shtml

Thailand's Finance Minister Suchart Jaovisidha had to be rescued today from inside his expensive BMW limousine after the onboard computer crashed, leaving the vehicle immobilized.

Once the computer failed, neither the door locks, power windows nor air conditioning systems would function, leaving the Minister and his driver trapped inside the rapidly heating vehicle.

Despite the pair's best efforts, it took a full ten minutes before they were able to summon the attention of a nearby guard who freed the two men by smashing one of the vehicle's windows with a sledgehammer.

A report (http://www.bangkokpost.com/Business/13May2003_biz 12.html)
published in the Bangkok Post indicates that the vehicle was Mr Jaovisidha's own BMW 520 which was being used while his state-supplied Mercedes, was being repaired.

We too use Trend Micro...

... OfficeScan and ServerProtect on over 700 machines and did not experience any problems over the weekend. We used to be a McAfee shop and ditched them after two years of problems and then the company failing to honor our support contract with them. We tested Symantec's enterprise virus product and could not get the evals to do the "push" install and run correctly even after a couple hours on the phone with Symantec's support. Turned out that we'd have to manually touch each and every of the 700 desktop machine with a crew of support techs to clear out the old McAfee installation and reboot each one at least 3, possibly 4 times to get the Symantec product installed. Furthermore, the Symantec/Norton AV product felt like it just subtracted 200 MHz off the CPU speed of each machine once it was installed. We were not pleased with it at all. The Trend Micro eval install just simply worked right the frict time. The push installer removed the old McAfee and installed OfficeScan automatically with only a single reboot at the end of the installation. Of the 700 desktops on out network, we had to manually touch maybe 50 of them due to odd problems. Trend has been running fine for us for over 2 years now.

Re:Servers do not need real time virus protection.

[Fjornir]

If you're all that and a bag of peanuts start a security consulting firm.

Not the first time

[Clovert+Agent]

Trend's had some cross-product bugs in virus software before

But then so has McAfee and CA, (though the last was a licensing component at fault).

There definitely does seem to be an increasing trend in vulnerable AV software at the moment.

Re:Train crash in Japan

[Fjornir]

Virus/anti-virus aside the car-computer bugs mentioned elsewhere in the thread have had a terrible impact. Also google for the dive computer (SCUBA) which had a bug in its handling of NitrOx divers, worked out really nasty for several people diving aggressive dive plans.

Not just in Japan... US too

[RobertKozak]

We got hit with this on Friday at 3:30 PST. I work for a company in Los Angeles and I was one of the first hit in the company.

We thought it was a virus and it took us about an hour and half to figure out it was OfficeScan it self that was bad.

ANd these guys got a certification recently

[Madas]

link Checkmark labs recently gave out an award to the company for its spyware product. Spyware, as you know, slows down computers and makes them difficult to use. Oh the irony!!!

Down with antivirus software

[sshore]

Antivirus programs cause more problems than they fix. They cause significantly degraded performance. They cause unusual and unexpected problems with legitimate software. They give a false sense of security. In the end, though, they can only really protect against known malware, days or weeks after it's a problem. A combination of user training and regular software updates is more effective, in my opinion.

Re:Down with antivirus software

[sshore]

Trend had a signature the same day it was noticed The same day Trend noticed it. Probably hours to days after it was released. It's not necessary for a corporation. It is, in fact, dangerous for a corporation, because it replaces user training. Users believe that anything that makes it past the antivirus program is safe.

This was bound to happen, and it will happen again

[js9kv]

Two of my customers were hit with this at the same time on Friday around 4:50pm - the only good thing about it was that it hit at a time when many of the folks most affected by the bad update had gone for the weekend. They called, described the problem, and it hit almost completely in sync, all the machines that were running the latest XP with all the patches. We spent 3 hours that night troubleshooting and eventually figured out it was the AV software messing it up - and then about 20 minutes later on Trend Micro's site they had a "you gotta update from v594 to v596" to fix it. First off, lets face some reality here - it was only a matter of time before something this scale happened - AV software, if developed by a small group and not effectively tested, could be perhaps the least QA tested software on business PC's in the world today. Remember that response time is the major factor in AV protection - and getting your signatures out faster than the other guys, and faster than the virus spreads, is about the only success that these vendors know. For a long time now I've seen shoddy work from various AV vendors - Norton steals resources, Trend leaves stuff behind after an un-install and McAfee spams their own users after install. Thus far the only two that havn't bothered me that much are Zone Alarm and Grisoft's free AVG. For the last 2 years I've asked Trend Micro, Symantec and McAfee to add a single feature into their server-based email virus protection - and that is the smarts to know when to (and not to) respond to a message with a "this message contains a virus". Right now virus responses are a binary value - you either send them or you don't. Shouldn't the AV software be able to know from it's signature whether or not the senders email address is spoofed? Anyway, I digress. What it all boils down to is that AV vendors have a huge market penetration, and if some vendors aren't QA'ing their work (or if Microsoft is restricting updates by country) then it's inevitable that something nasty is going to be spread by the AV software. Also remember that it's not just the AV software - Microsoft's last round of updates seem to have broken more than just this.

Re:NOT A JOKE, but a Train did Crash today in Japa

[TerminaMorte]

You don't even have to read the article to know the answer to this... it's in the first post! (scroll up)

That was East Japan Railway. The crash was on Japan Rail West.

Re:Tragic. That's the word to describe this

[TerminaMorte]

Almost as ironic as something you paying for screwing you over, and something you got for free being reliable. One might even say 'You get what you don't pay for'. :)

Re:Servers do not need real time virus protection.

[grasshoppa]

It is a simple matter of risk vs reward

Yes, it is.

Are you 100% sure you will not be targeted for assassination by a rouge government agency

I think we will both agree that a computer on a network with other computers is at higher risk of catching something than your statement.

The reward, in terms of dollars and performance, is worth the miniscule risk we take by not running the real time protection.

Do yourself a favor, and ask this question to any manager type:

"Would you prefer to have a high performance server, or a server with slightly less performance running an AV?"

Don't even mention that you can make up the performance difference with extra hardware.

I think most reasonable types ( and managers too ) would agree that the trade off is well worth it.

Not just corporations got hit by this

[dykmoby]

I spent half of the weekend trying to fix what I though was a virus. After a system restore etc, I managed to get things working again. But then Trend found a couple of virii that had been on my machine for months and never detected before (despite daily checks). Not impressed at all, will be looking for another anti-virus solution. Any suggestions?

Re:Not just corporations got hit by this

[argent]

Not impressed at all, will be looking for another anti-virus solution. Any suggestions?

Apple's coming out with a really great one this Friday.

Re:Not just corporations got hit by this

[agrisea]

Try AVG Anti-Virus:
http://www.grisoft.com/

I use the Linux version (but clients use the Windoze version - works very well with XP, while 98se & ME require you to turn off AVG_CC in the startup-tab of msconfig.)

Fatal train wreck a result?

[Erris]

MindStalker asks and states:

What I want to know is why do the computers controlling the train system in Japan need antivirus. ... connecting a control system like that? Running it on windows? Silly.

I agree and wonder if the ensuing chaos had anything to do with this unusual and fatal accident. The engineer, of course, is being blamed for speeding. You have to wonder what was making him speed. Japanese trains usually run like clockwork.

Fifty two people died and hundreds were injured. You can see the pictures here.

Re:Servers do not need real time virus protection.

[exKingZog]

Unfortunately some of us work in small businesses, where the server room doubles as a store room for asbestos waste (don't ask) and stationary - we had to fight tooth and claw to get even that little desk, and our last great victory was a £300 UPS. We don't have 40 hours to spend on this because we are expected to do other work as well.

antivirus idea in general

[way2trivial]

video cards are to the point where they contain HIGHLY SPECIALIZED computations a bazillion times faster than they could by sharing the CPU

people are looking at the new intel dual core setups for among other things, dedicating one core to their antivirus checker, as norton lately has been bogging down the CRAP outta pc's

how hard is it to make a PCI/ISA/ slot card that is the CPU for antivirus.. yes- I propose someone build an anti-virus processor, and mount it on a card.. let it do everything that gets loaded onto the processor...