Slashdot Mirror
Anti-Virus Bug Briefly Identified Windows Explorer as Malware
SJ2000 writes "Windows Explorer was quarantined last week by Kaspersky Lab's antivirus software after being falsely identified as malicious code. The security company's systems had decided that a virus called Huhk-C was present in the explorer.exe file, leading to its confinement or, in some cases, deletion. The bug was only live in the wild for two hours, and ended up affecting just one corporate customer and a handful of home users."
Windows identified as malware... why is this a bug?
Anti-Virus Bug "Correctly" Identified Windows Explorer as Malware
Viruses are small and efficient.
The Kai's Semi-Updated Website Thingy
that's not a bug, it's a feature
Sigs are too short to say anything truly profound so read the above post instead.
Shouldn't this have been caught by even the simplest test before releasing?
That's my first reaction, now I'm off to RTFA
You're right. But sometimes MS is in a hurry to get their product out.
...
Oh, you mean Kaspersky Labs
Bark less. Wag more.
Shouldn't this have been caught by even the simplest test before releasing?
[X] In Soviet Russia, IE tests YOU! ..."
[X] Only old Koreans bother with testing!
[X] "But it IS malware, boss!"
[X] Netcraft confirms it - testing is dead!
[X] I don't run IE, you ignorant clod!
[X] "We tried to test it on Vista, and we will, as soon as its finished booting
The bug was only live in the wild for two hours, and ended up affecting just one corporate customer and a handful of home users.
And yet it still made the front page of Slashdot.
Seven puppies were harmed during the making of this post.
I agree, today virus are not efficient at all, most of time customer discover they have virus because their system is getting very slow.
Any story that puts MS in a bad light or makes fun of them almost always gets the story about some guy enjoying another's feces.
I guess it's just too early still in Seattle... Maybe they will post it later.
Merry Christmas Bill!
Why not have the virus scanner, upon detection of a virus, check for a Microsoft digital signature in the binary, and maybe behave differently in this situation? Might just save a few systems in the future from incorrect signatures. I can't see this change in logic being beneficial to malware writers as they won't have a Microsoft signature, and if they can somehow change the anti-virus program to check for digital signatures against a different public key, you are already compromised.
It's not a virus, sure. Viruses tend to mature, become more efficient...
But Explorer sure feels like malicious code...
Don't put advice in your sig.
From TFA:
As Windows Explorer is the graphical user interface for Windows' file system, this made it difficult to perform many common tasks within the operating system, such as finding files.
Gee, makes it sound like losing explorer.exe is only mildly inconvenient.
Nothing to see here, move along. If it made news every time someone released something that broke explorer, we couldn't read about our beloved Beowulf clusters of toasters!
What's funny is, if I saw that explorer was missing on my system, by the time I reloaded the OS (cause *obviously* it's infected/broken/normal operating procedure), I never would've known the cause. It was pulled by the time I would've finished installing.
Of course, then I'd have to go and find my Gentoo CD so I could reload GRUB. That would've been more painful than the rest of the OS reload that I expect to do every six months anyway.
Very slow news day.
...last year, when Symantec flagged part of the Windows Server 2003 resource kit as a trojan. That one stayed in 'the wild' much longer, probably because the resource kit in particular wasn't a widely installed piece of software.
We've also had Norton 'false positive' on the Windows version of Oolite.
One of these days, a widely used, automatically updated virus scanner is going to detect something like KERNEL32 as malware and kill a whole lot of machines. Wasn't there a problem like this with the Chinese version of Windows earlier this year?
Oolite: Elite-like game. For Mac, Linux and Windows
http://www.huhk.com/intro_background.html Hmmm... Truly viral marketing.
I scream. You scream. I assume that means we're both acquainted with the problem. We proceed.
Building fail-safes would make sense and might work.
I scream. You scream. I assume that means we're both acquainted with the problem. We proceed.
Yesterday, we read about a dork playing jingle bells by hitting his video card fan. This story is an improvement.
echo 'cat sig | sh' > sig
Haha, I haven't seen netcraft confirms it in a long time - is netcraft dead? And Vista boots near instantly on my computer, but I understand it's a joke and also that I built my computer two months ago seeking out the best low-cost components possible, so my case may be something of an anomaly. But it's kind of funny because with XP I would usually hit the power switch, go take a piss or something, come back and find out that it still hasn't finished loading antivirus, firewall, etc... but that's more because of the sucky hardware than the OS.
All your base are belong to Wii.
So what does that mean? are we all fucked?
I know a guy who is Kaspersky happy, and installs it on everything he touches. All of the machines he touched were affected by this bug. I think it's more than a handful.
John Walsh once found me while looking for some other kid. He was not amused.
Except for the part where they give their consent. (Informed that only dirty hippies use OSX).
Touché! Well played, sir.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
Now, of course they should not. Never. But they do. A few years ago, McAfee found MS Excel as malware (and acted accordingly, including detention or deletion, just like Kaspersky did with explorer now).
But how? Don't they test?
Of course they do. AV developers usually have some way to test against the most common software (and a few more software packages) before issuing a new signature. Though, as you can hopefully imagine, that takes time. The "whitelist" box that contains those "known good" files contains literally gigabytes (and soon terabytes) of software. As you can imagine, it takes a LOT of time to scan it all.
Time, though, is of the essence in the malware fight. You NEED that signature out before the proverbial shit hits the fan (i.e. before your customer opens that infected spam mail that was just distributed a few billion times globally). So your sig update has to go out NOW. Preferably it should've been out an hour ago.
How do you solve that quandary?
There are a few strategies. But they all come down to one single problem: Having a current version of every file you want to whitelist. So what most likely happened is this:
MS pushed an update for the file in question, most likely another of their infamous "silent" updates. You know, the ones you don't even notice. Now, if it wasn't a "silent" one, then one should wonder whether Kaspersky was sleeping (because they didn't fit it into their whitelist box in time) or whether it was pushed JUST at that time when they committed that update. Unfortunately such coincidences do happen.
Now, I'm not working at Kaspersky. Rather, I'm working at one of their fiercest competitors. So I should probably rejoice at their blunder (and I'm fairly sure my boss will be in a GOOD mood on Thu, time to ask for a raise, I guess). But it can, did, does and will happen. To anyone in the biz. No matter how good you are and how good your false positive alarms and nets are, it can happen to everyone. If anything, this proves it. Kaspersky IS one of the key players in the business, and they usually know what they're doing.
That's one of the reasons why I do highly recommend that you set your AV tools on "ask me before any action" mode. Yes, it bugs you every now and then, but it also means that things like this won't happen to you should your AV tool manufacturer have a similar problem one day.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Know what all that means? shit...
Ctrl-Shift-Esc, Alt f n, "powershell.exe" (or "cmd.exe" for old-timers).
Bah. Explorer. Who needs it?
What's purple and commutes? An Abelian grape.
Yesterday, AVG Free identified Quake4.exe as a trojan on my machine. I had to disable AVG and run the Quake 4 update to get it running again.
BTW, is pressing "ctrl-z" ( / edit -> undo) really that much housekeeping work?
What's purple and commutes? An Abelian grape.
Then it's a good thing Kaspersky doesn't have voice recognition. I don't want to be confined for something I say.
oops. shh, don't want to give the government any more ideas here..
Note to anti-virus companies: ask the user what to do, instead of automatically deleting files you don't own. I stopped using all anti-virus software on my Windows machine because of rubbish like this.
Also, always good to see another Vista user. Now I'll have someone to get my back when I defend Vista against haters. ;)
"16MB (fuck off, MiB fascists)" - The Mighty Buzzard
Hmm where to start... first, you have been trolled and possibly unintentionally (by giving a serious response to a joke). Second, while you might have had a valid objection to the GP, you failed to use it; thus the entirety of your post can be summed up as "Follow the crowd and no one will ever think you're dumb!" That's great, if being a sheep and taking the path of least resistance is what makes you feel fulfilled.
To claim that the popularity of Windows is an inherent virtue of the OS is just plain silly. It's an arbitrary decision that was heavily influenced by marketing and made in large part by people (regular end-users, phb's, etc) with no real computing expertise. This is a hell of a business accomplishment and what Microsoft has done in the computing industry is what every other company would like to do in its own industry. That's great for Microsoft and their shareholders, but you have done nothing to defend the intelligence of users who go along with it.
P.S. if the near-ubiquitous quality of Windows means anything, it means that Microsoft's software failures are automatically magnified (think botnets, which are greatly facilitated by a monoculture). They will care about this only to the degree necessary to ensure that it doesn't become a marketing failure.
Now make sure that, whatever you do, you do NOT reply to my post. That way you can follow the crowd and be like every other AC who can't follow the discussion.
It is a miracle that curiosity survives formal education. - Einstein
Yeah, I'm sure as time passes more and more people will be using Vista and realizing there's nothing really fundamentally wrong with it once you disable UAC (which I didn't really want to do because of the security feature but I really know what I'm doing and don't need 3 prompts when I want to change something in Program Files). And by the time Windows 7 rolls around everyone will be like "You can pry my Vista SP2 from my cold dead hands!" etc.
All your base are belong to Wii.
Yeah, I don't know where they got there numbers from. But I was apart of the handful.... :(
Without any information about the "virus detection" at the time, I took the only safe path I could...
Doing a full backup and reinstalling Windows and Linux. Wasted an entire day, thanks kasperkey
A customer brought in their computer because they thought they had a virus because the computer was running slower. So they installed Kaspersky and it "found a virus" which happened to be explorer.exe. Sadly for this guy, it ended up costing him $120. Is it possible he could get his money back from Kaspersky? I doubt it. I seriously doubt it happened to just a handful of people if I happened to get a customer with this issue.
Kaspersky has made TWO major mistakes in a week's time.
First, back on the 14th, they screwed up and issued update that had SERIOUS consequences for quite a few people running large networks. One guy had 700 machines down. Turns out they had a bug in the code since 1996, which was only discovered when they switched Microsoft compilers for version 7. The Linux compilers caught the bug and so the Linux version of KAV didn't have a problem. But the Microsoft compilers compiled the bug with no warnings or error messages, so it slipped through. At least that was the explanation Eugene Kaspersky put out on the forum.
Second, this latest bug with Explorer which was fortunately caught within a couple hours. My client's machines never even saw it because their update cycle was longer.
I've just started installing KAV 6.0 on one of my client's machines. He was suspicious of using a Russian company in the first place, but I told him it was okay since they're a high detector, got a management kit, good price for his 24 machine, etc.
Then this shit happened. Doesn't make me look good, either. Fortunately it didn't drop our machines, it just caused a message to pop up saying the application launch didn't work.
And recovering has not been easy, since the Admin Kit apparently still has the crap in it's source directory used for installing KAV on client machines. I'm going to have to uninstall and reinstall the Kit to make sure the buggy components are not there as I finish installing the rest of the machines.
But what someone else above said is likely true - sooner or later some AV is going to drop thousands of scores of thousands of machines. This is obviously true when you consider that AVs are programs that burrow deep into the OS AND have almost continual updates of both signatures and software components. It's like running Windows Update every hour of every day! Sooner or later there's going to be a catastrophe. It's just not a sustainable process.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
The point I was making, which should be clear to you, was that there is no merit in making a choice just because it is popular. I can choose to eat food because "everyone else does" and it means nothing; I can choose to eat food because my survival as an organic being depends on it and this is a rational decision. You could claim that jumping on the Windows bandwagon is a sign of intelligence due to business realities; you could conversely claim that the truly intelligent find ways to deal with compatibility issues without needing to use a single Microsoft product. Both claims mean next to nothing without some reasoning and perhaps evidence to back them up, and for all I know a serious study might determine no correlation with intelligence at all. The only reason why I used the word "fulfilled" is because some of us make decisions using additional criteria other than how much cash is invested in something. You can treat that concept as a stumbling block and willfully miss the point I was making if you like, but this does not negate what I am saying.
All I said is that popularity does not determine actual merit. To say that this must mean I think I am the "all knowing one" is an emotional knee-jerk response that attempts to turn this into a personal matter and does nothing to address what I was saying. You don't like what I am saying, that's fine, but to act like this gives you license to automatically declare it false and make assumptions about my character is the very arrogance of which you seem to be accusing me.
The bottom line is, whether the popularity of Windows is due to inherent merit and good design cannot be assessed objectively in the current marketplace (I am putting this mildly). That claim could only be made if 1) all PCs were shipped with blank hard drives and did not come with an operating system of any kind and it was up to the user to separately obtain and install one and 2) all users were technically skilled enough, as well as willing and able, to independently evaluate the stability, performance, and security of all major (PC) operating systems before choosing the one to use. Unless you could arrange for both of these to be true, what popularity is measuring is the marketing skill, business acumen, and incumbency of Microsoft and not the actual merit or design of Windows.
It is a miracle that curiosity survives formal education. - Einstein
but it says INFORMED consent