Slashdot Mirror


AVG Fakes User Agent, Floods the Internet

Slimy anti-virus provider AVG is spamming the internet with deceptive traffic pretending to be Internet Explorer. Essentially, users of the software automatically pre-crawl search results, which is bad, but they do so with an intentionally generic user agent. This is flooding websites with meaningless traffic (on Slashdot, we're seeing them as like 6% of our page traffic now). Best of all, they change their UA to avoid being filtered by websites who are seeing massive increases in bandwidth from worthless robots.

12 of 928 comments

  1. I discovered this the hard way by brunascle · · Score: 5, Interesting

    A couple months ago, a random article on my company's site got around 20 times the number of hits that the top story of the day should be getting. I checked the logs, and saw legit-looking IE user agents, but they didn't look normal. None of them had any cookies, and none of them were downloading the CSS or image files that they should have been. The IP addresses were from all around the world. WTF?

    I found out that Google was doing one of its things where it changes the google logo for some special occasion, and it links to a search. That article was on the first page of the results.

    I did a search for the exact user agent and discovered it was AVG. When you go to a Google search, AVG downloads each result looking for malware. Hooray for falsified user agents.

    Though, I suspect the reason they use a legit-looking IE user agent is because malware sites could sniff the AVG user agent and serve up an innocent page for them, and malware for everyone else.

  2. Alternative Anti-Virus Software? by sjbe · · Score: 4, Interesting

    So if AVG has turned to the dark side, what free/cheap non-bloatware options are out there worth trusting? I know of a few but it's a little hard to know who to trust.

    Seems like every anti-malware software maker these days bloats their software into a 50+MB beast of a package that accomplishes little more than to slow your computer down. I have more trouble with their software than I do with actual malware.

  3. Apache Rewrite Rules! by Anonymous Coward · · Score: 5, Interesting

    Try this on Apache servers:

    # Here we assume certain MSIE 6.0 agents are from linkscanner
    # redirect these requests back to avg in the hope they'll see their silliness
    RewriteEngine On
    # The two user-agent conditions are OR'd; both remaining conditions must also hold
    RewriteCond %{HTTP_USER_AGENT} ".*MSIE 6.0; Windows NT 5.1; SV1.$" [OR]
    RewriteCond %{HTTP_USER_AGENT} ".*MSIE 6.0; Windows NT 5.1;1813.$"
    # Referer must be blank and the Accept-Encoding header must be missing
    RewriteCond %{HTTP_REFERER} ^$
    RewriteCond %{HTTP:Accept-Encoding} ^$
    RewriteRule ^.* http://www.avg.com/?LinkScannerSucks [R=307,L]

    Brought to you by These guys.

    1. Re:Apache Rewrite Rules! by pixelbeat · · Score: 3, Interesting

      Just to comment that this has been working flawlessly for me and others for days.
      In addition to much reduced load, AVG will be getting the combined load with an appropriate message in their logs.

      Note it's quite safe for valid IE 6.0 users as it checks for very specific user agent strings that most IE 6.0 users don't in fact have.
      In addition the referrer must be blank and the Accept-encoding header must be missing.

      Also I'm using a 307 redirect so that potentially non linkscanner clients will keep checking the latest rules.
      This also allows you to change the redirect destination without worrying about cached old redirects.
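
Added example, not part of the thread or any poster's code: a Python check over Apache combined-format access logs that joins the symptoms brunascle describes (IE-looking user agent, no CSS or image fetches) with the user-agent and blank-referrer conditions of the rewrite rule above. The asset-extension list and the sample log lines are constructed assumptions; Accept-Encoding and cookies are not recorded in the combined log format, so the missing-asset test stands in for them.

```python
import re
from collections import Counter

# Apache "combined" format: ip - user [time] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
# The two user-agent tails matched by the rewrite conditions in the thread.
UA_RE = re.compile(r'MSIE 6\.0; Windows NT 5\.1;(?: SV1|1813).$')
# Assumption: these extensions stand in for "CSS or image files".
ASSET_RE = re.compile(r'\.(?:css|js|gif|png|jpe?g|ico)(?:\?|$)', re.I)

def classify(lines):
    """Map each client IP to 'prefetch-like' or 'browser-like'."""
    pages, assets, hits = Counter(), Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip = m['ip']
        if ASSET_RE.search(m['path']):
            assets[ip] += 1
            continue
        pages[ip] += 1
        if UA_RE.search(m['ua']) and m['referer'] in ('', '-'):
            hits[ip] += 1
    # Flag a client only when every page request fits the fingerprint
    # and it never fetched a stylesheet or image.
    return {ip: 'prefetch-like' if hits[ip] == n and assets[ip] == 0
            else 'browser-like' for ip, n in pages.items()}

def _line(ip, path, referer, ua):
    # Builds one constructed log line; timestamp and sizes are arbitrary.
    return (f'{ip} - - [01/Jul/2008:10:00:01 +0000] "GET {path} HTTP/1.1" '
            f'200 5120 "{referer}" "{ua}"')

SV1 = 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)'
# Constructed sample (documentation IP ranges), not real traffic.
SAMPLE = [
    _line('192.0.2.10', '/story/1', '-', SV1),
    _line('203.0.113.5', '/story/1', '-',
          'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)'),
    _line('198.51.100.7', '/story/1', '-', SV1),  # real IE6, typed URL
    _line('198.51.100.7', '/css/main.css', 'http://example.com/story/1', SV1),
    _line('198.51.100.9', '/story/1', '-', SV1[:-1] + '; .NET CLR 1.1.4322)'),
]

if __name__ == '__main__':
    for ip, verdict in classify(SAMPLE).items():
        print(ip, verdict)
```
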

  4. Re:One Word by BadAnalogyGuy · · Score: 3, Interesting

    When the AVG Free forced upgrade came out, I went in search of another antivirus software product and picked Avira too, but it also seems to enjoy popping up useless dialog boxes, more so than even AVG ever did.

    Is there a good AV software package that is free and up to date and doesn't suck ass?

  5. Re:One Word by lukas84 · · Score: 3, Interesting

    Please note that ClamWin Free Antivirus does not include an on-access real-time scanner. You need to manually scan a file in order to detect a virus or spyware.

    Yeah, and embedded virus scanning is all that is currently good for. It does not have an On-Access scanner, making it almost useless in a desktop environment.

  6. YOU are clicking on every link! by hudsucker · · Score: 5, Interesting

    Let's say that your Google search returns some links that are NSFW, or could be considered illegal to view. As far as anyone looking at server logs is concerned, you are choosing to view those links.

    How long before someone gets fired or arrested, and tries to explain that it was their anti-virus software that was viewing the child pr0n?

  7. Re:F5 IRule by Stellian · · Score: 4, Interesting

    Another suggestion I read somewhere else is to redirect all traffic to the AVG website

    Instead of punishing the site, you could punish the users of this crappy code. Make an invisible href somewhere in your page, that triggers a script that does a temporary IP-ban. Since AVG will follow any href, when the user tries to access the site, he gets the message:
    Sorry AVG user, your antivirus is abusive and wastes our resources. Disable AVG and come back.

    If a few important sites do this AVG's user-base will drop in a week to about 100 people.

  8. Re:F5 IRule by Homr+Zodyssey · · Score: 4, Interesting

    I had a similar experience at my previous employer. This was a global fortune 500 company, and I was on the local site's IT team. I was sent an email from the global IT team saying that Firefox had been detected on my machine, this was unauthorized software and I needed to uninstall it. Being a developer, I was generally allowed to install whatever tools I needed to get my job done, and therefore had administrator privileges. However, the Global IT department didn't know me from Suzie in purchasing.

    I simply went to my manager, who was an open-source/Linux nut. He emailed the Global IT people and told them it was "required for my job" (which it wasn't).

  9. Re:F5 IRule by Jeff+DeMaagd · · Score: 4, Interesting

    That doesn't work for me. I'm moving away from AVG just because it's suddenly more work than it is worth. AVG 8 is what did it for me, everything before was fine with me. The link scanning was irritating, turning it off triggers a non-removable notice that I don't need to see. I don't remember being asked if I wanted the search bar in Firefox, and I install using the "advanced" mode.

    The biggest thing is that a virus scan noticeably lugs down my computer, which is an accomplishment because I've never had that with any other program.

  10. Re:F5 IRule by westyvw · · Score: 4, Interesting

    Once again: Why stop at dealing with AVG? Get rid of the whole mess. Every time I move someone from Windows to Linux the "what shall I do about spyware/adware/printer/windowsupdate" questions just go away. I used to recommend AVG about 4 years ago. Since then, I just recommend an OS without a need for antivirus software.

  11. Re:F5 IRule by kesuki · · Score: 3, Interesting

    well, with the dancing pigs problem, universal java exploits (i mean JRE exploits not javascript here) it could be you're telling people to move to a platform where sophisticated anti-malware doesn't exist, with the fallacy that 'it's linux, it's not targeted by hackers'

    of course, pure linux exploits don't exist, but an exploit of a p2p application written in java or python, oh heck, even a bad site, that runs a java exploit as part of say 'free movie downloads' it's possible to write once, run anywhere code that can equally infect mac and linux desktops that thanks to the dancing pigs problem relies on closed source, 'feature' software that doesn't come 'default' with linux, but which they're going to install the first time a website doesn't work without it.

    all the most popular bittorrent software all comes in a 'universal' language, either java or python... and they're all in the 'multiverse' repositories... making them easy for linux users to install...

    sure, in a write once, run anywhere situation, you can't do as much to a linux machine, as to a windows machine, but the basic stuff, but depending on what the hacker hopes to do, it could be super simple.

    linux isn't kryptonite to a good hacker.