AVG Fakes User Agent, Floods the Internet

Slimy anti-virus provider AVG is spamming the internet with deceptive traffic pretending to be Internet Explorer. Essentially, users of the software automatically pre-crawl search results, which is bad, but they do so with an intentionally generic user agent. This is flooding websites with meaningless traffic (on Slashdot, we're seeing them as like 6% of our page traffic now). Best of all, they change their UA to avoid being filtered by websites who are seeing massive increases in bandwidth from worthless robots.

F5 IRule

[Precision]

For anyone that happens to run a site behind an F5 BigIP, here's a nice little IRule to nuke this horrible crap from orbit.

rule IRULE_block_avg-prefetch {
      when HTTP_REQUEST {
        set ::avg_useragents [list \
                "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" \
                "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)" \
                "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" \
                "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)" \
        ]

        if { ![HTTP::header exists "Accept-Encoding"] } {
                if { [matchclass [HTTP::header User-Agent] equals $::avg_useragents] } {
                        reject
                }
        }
}

Re:F5 IRule

[rvw]

Another suggestion I read somewhere else is to redirect all traffic to the AVG website. That will teach them!

Re:F5 IRule

[Em+Ellel]

For the record, this is a REALLY bad idea.

It will block all traffic from legitimate IE6 users, and if you have a $20K router, you probably don't want to do that.

If you read the links in the article (and some comments further down), there are things you can do to block this, including blocking requests with these UAs that also have odd or missing headers, cookies, etc.

LOL, perhaps you might want to READ the rule before replying - it is NOT blocking all IE6 users, just the ones that are missing "Accept-Encoding" header

-Em

Re:F5 IRule

[afidel]

I think someone did since free.grisoft.com has been down all day today! My AVG is complaining about not being able to get it's updates. Oh and the plugin REALLY freaking slows down FF on Google results so I turned the damn thing off. I guess I know why now!

Re:F5 IRule

[Precision]

Actually all browsers send the Accept-Encoding HTTP header, which AVG does not.. if you look at the rule you'll see that it checks for the existence of that head and only blocks if it doesn't exist.

                if { ![HTTP::header exists "Accept-Encoding"] {

Re:F5 IRule

[Darkness404]

Because it is a browser that people use... The same thing could be said on why should we have to support Konqueror, or the Mozilla Suite, or Seamonkey, why not even block Safari just because we can. Basically, IE6 is a browser, it is even a popular browser. And saying we should block it is like saying we should block Firefox 1.5 and earlier and hey! Firefox 3 is out now, lets block Firefox 2!

Re:F5 IRule

[Em+Ellel]

Can anyone please tell me why we need to support IE6?

Because according to stats on one of my relatively high traffic sites - IE6 is still about 37.64% of the IE traffic (or more than 1/4 of ALL traffic). Sad but true.

-Em

Re:F5 IRule

[eakerin]

The question is, how much of that 37.64% is actually AVG in disguise...

Re:F5 IRule

[snowraver1]

I am typing this comment into IE6 right now. At my company IE6 is the standard. I had upgraded to IE7 a while ago (TABS!) and someone came up and asked me to uninstall it.

Sometimes the choice of browser is beyond the user's control.

Re:F5 IRule

Actually this is quite close a real solution :) what AVG should have done is cache the scan results from each page. Thus if a user tries to access a page it should first query AVG for a result. ( the result here is- OK page or not OK to visit page)

If a result exists in cache, no need to scrape the page. If there is no result in the cache, both AVG server and Client (to avoid trust issues) should query and compare results. The cache should periodically refresh and use multiple different UAs to avoid gaming. Quite a nice solution if you ask me ;) I knew I should have take up consulting instead of this damn Ph.D..

Also AVG are not slimly, the spyware/trojan/malware site operators are. Not to mention Norton/Symantec/Kaspersky et al.. The feature can easily be turned off and its purpose is to help the user at no $ cost. Besides, which self respecting /.-er needs anti virus

Re:F5 IRule

[Dmala]

LOL, perhaps you might want to READ the rule before replying - it is NOT blocking all IE6 users, just the ones that are missing "Accept-Encoding" header

So doesn't this render the link scanner completely useless? I assume someone looking to dodge the AVG scanner for eeeeeevil purposes can just do the same thing, no?

Re:F5 IRule

[bberens]

Probably smaller than the portion which is Firefox in disguise. :)

Re:F5 IRule

[snowraver1]

There is an error with your logic. Just because I *could* delete all our site data (for example), does not give me permission to do so. Companies have standards to keep everything somewhat similar. I was actually impressed that someone was actually monitoring what people have on their systems.

Re:F5 IRule

[ConceptJunkie]

You've got an actual Ass Hat? Where'd you get it? I could order a couple hundred because a lot of people deserve them.

In fact, let's spam the White House and Congress with a million Ass Hats. I'm sure some enterprising person could design a hat that resembles the south end of a north-bound mule.

Re:F5 IRule

[jamie]

Not a typo, here's a clip from a short period last night before Slashdot banned it:

| user_agent                                                          | count(*) |
| Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)             |      339 |
| Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)             |       57 |
| User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) |      273 |
| User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813) |       15 |
4 rows in set (0.03 sec)

Re:F5 IRule

[cthulu_mt]

The site* I admin runs even higher than that. We get about 90% IE6, 5% IE7, 3% FF and 2% Safari.
Most people and major companies hate upgrading.


*A marketing data service accessed by most of the major CPG retailers and manufacturers in the US.

Re:F5 IRule

[Stellian]

Another suggestion I read somewhere else is to redirect all traffic to the AVG website

Instead of punishing the site, you could punish the users of this crappy code. Make an invisible href somewhere in you page, that triggers a script that does a temporary IP-ban. Since AVG will follow any href, when the user tries to access the site, he gets the message:
Sorry AVG user, your antivirus is abusive and wastes our resources. Disable AVG and come back.

If a few important sites do this AVG's user-base will drop in a week to about 100 people.

Re:F5 IRule

[oliderid]

# But don't forget to identify user_agent first :-)
header ('HTTP/1.1 301 Moved Permanently');
header ('Location: '."http://www.grisoft.com/");

Re:F5 IRule

[Homr+Zodyssey]

I had a similar experience at my previous employer. This was a global fortune 500 company, and I was on the local site's IT team. I was sent an email from the global IT team saying that Firefox had been detected on my machine, this was unauthorized software and I needed to uninstall it. Being a developer, I was generally allowed to install whatever tools I needed to get my job done, and therefore had administrator priveliges. However, the Global IT deparment didn't know me from Suzie in purchasing.

I simply went to my manager, who was an open-source/Linux nut. He emailed the Global IT people and told them it was "required for my job" (which it wasn't).

Re:F5 IRule

[Em+Ellel]

The question is, how much of that 37.64% is actually AVG in disguise...

I thought of that - answer is none. These stats are from actual browsers executing javascript - which AVG does not.

-Em

Re:F5 IRule

[klubar]

Don't deactivate in AVG contol panel, just disenable the add on in IE or FF. For IE, Tools->Manage Add-ons...->Enable or disable add-ons then disable the AVG control. Probably something similar for FF.

Actually this is in their support file.

Re:F5 IRule

[springbox]

Oops. The command should be:

avg_free_stf_*.exe /REMOVE_FEATURE fea_AVG_SafeSurf /REMOVE_FEATURE fea_AVG_SafeSearch

Because the second part looks like a copy of the first part.

Re:F5 IRule

[gmcraff]

I recommend using a data class rather than setting a global variable.

Data classes are compiled at configuration load and are static, whereas setting the global variable with each firing of the event absorbs a small amount of processing time to reset the variable. Setting global variables can also move TMM into a slower processing regime. As the HTTP_REQUEST event is very 'inner loop', it is best to optimize it as much as possible.

If you absolutely have to set a global variable with a semi-fixed value, I recommend doing it during the RULE_INIT event.

(As of July 1st, F5 is offering expanded iRule support to Premium and Premium Plus support contract holders. Call in with your troublesome iRules, and you have a somewhat decent chance of ending up with me at the other end of the phone.)

Re:F5 IRule

[lawn.ninja]

I'll tell you why they did it. It's because at the current time some of their other interfaces have not been upgraded and are not compatible with IE7. You may not even use them, but if someone sees IE 7 on your desktop, they want it on theirs and so on and so forth. It's not that anyone in their right mind wants to keep IE 6 around, but it is likely that is what is currently supported according to their corporate image. It also has to do with preserving standards and how the techs support your PC and the efficiency of how it is supported. Bleeding edge doesn't happen in corporate environments, hell leading edge doesn't even happen most of the time. Its slow and steady movements forward. If you jumped on the bandwagon for every new upgrade your network would be a mess and would show no signs of a standard. Software is tested in corporations, with everything else that already exists inside the shop. They even have a position dedicated to just that task. They are commonly called desktop engineers. They typically spend a good part of their workday developing and testing products to integrate into the desktop standard image. This is because something as simple as a non supported browser can cause a user all sorts of issues and then cost hours of time (read: money) for the tech to diagnose it. This is why you pay for an IT department, there are many headaches the user never sees and it is because we work it out first.

Re:F5 IRule

[Jeff+DeMaagd]

That doesn't work for me. I'm moving away from AVG just because it's suddenly more work than it is worth. AVG 8 is what did it for me, everything before was fine with me. The link scanning was irritating, turning it off triggers a non-removeable notice that I don't need to see. I don't remember being asked if I wanted the search bar in Firefox, and I install using the "advanced" mode.

The biggest thing is that a virus scan noticeably lugs down my computer, which is an accomplishment because I've never had that with any other program.

Re:F5 IRule

[plague3106]

Nice idea, except I simply won't come back to the site, as I suspect many other AVG users would not do. The novices out there will read your message as "Sorry AVG user, your antivirus is abusive and wastes our resources. Disable AVG and come back so we can infect your machine!"

Re:F5 IRule

[ArhcAngel]

you could punish the users of this crappy code.

The users of this crappy code are almost certainly happily unaware of any problem they may be causing. I have used and recommended AVG for a number of years to people I have had to reinstall Windows due to the amount of true crapware they are infected with. I upgraded to version 8 a couple of months ago and wasn't even aware of the feature until I pulled up a google search and noticed the little green check marks. I quickly located and disabled the feature because it slowed my browsing down but I could see how someone could see this as a valuable tool. You want to punish someone for using a tool that will most likely prevent them from becoming part of a botnet yet again because the tool maker has added a good feature in theory that has a negative side effect. Doesn't most medication have a long list of possible undesirable side effects? So which is worse, a horde of zombie computers controlled by malicious hackers or a bunch of unknowing PC users who's AV software pre-checks the web site they are thinking about going to and telling them whether it is safe or not? I know which I'd rather be if I were technically challenged.

Sorry AVG user, your antivirus is abusive and wastes our resources. Disable AVG and come back.

Actually all you need to do is uninstall the link scanner feature.

Re:F5 IRule

[sjames]

I liked the suggestion on the reader comments to add <iframe src="http://www.google.com/search?num=100&q=site:grisoft.com" width="1" height="1"></iframe> to your pages.

Re:F5 IRule

[initdeep]

no
not only wrong but dead wrong

http:\\free.avg.com

and the old http:\\free.grisoft.com forwards to it.

Re:F5 IRule

[TriezGamer]

You obviously know very little about the average user. It is because the average user readily follows random instructions that virus software is so important in the first place.

Re:F5 IRule

[mashade]

what are other free AV systems (other than Clam)?

I like http://www.avast.com/ quite a bit.

Re:F5 IRule

[megaditto]

Why, what does that do?
Do you want it to pound Google's servers, bump up grisoft's search rank, or anything else I am not seing?

Re:F5 IRule

[westyvw]

Once again: Why stop at dealing with AVG? Get rid of the whole mess. Every time I move some one from Windows to Linux the "what shall I do about spyware/adware/printer/windowsupdate" questions just go away. I used to recommend AVG about 4 years ago. Since then, I just recommend an OS without a need for antivirus software.

Re:F5 IRule

[LiquidFire_HK]

DDoS Grisoft with their own plugin - it fetches all linked search result pages in a Google search in order to scan them.

Re:F5 IRule

[Skylinux]

Try Antivir!

From my personal experiance, as a computer service technician, it finds AND fixes infections where Norton (Personal + Corporate) and AVG find nothing.

http://www.free-av.com/

Re:F5 IRule

[spoco2]

Download the latest version of AVG, when you install that it now has the option to not even install the horrendous link checking thing. So it doesn't have it, and it doesn't whinge about not having it.

It was a horrendous idea by the AVG guys, because in general I do like their products, use the free client on all my home pcs and have the paid one running on all work ones.

(none use the link checker)

Re:F5 IRule

[tubapro12]

Avast! AV Home.

Re:F5 IRule

[yoyhed]

How about Googling for AVG, clicking the first result ("AVG Free") and clicking the "Get It Now" button under "Free Basic Protection"?

Re:F5 IRule

[kesuki]

well, with the dancing pigs problem, universal java exploits (i mean JRE exploits not javascript here) it could be you're telling people to move to a platform where sophisticated anti-malware doesn't exist, with the fallacy that 'it's linux, it's not targeted by hackers'

of course, pure linux exploits don't exist, but an exploit of a p2p application written in java or python, oh heck, even a bad site, that runs a java exploit as part of say 'free movie downloads' it's possible to write once, run anywhere code that can equally infect mac and linux desktops that thanks to the dancing pigs problem relies on closed source, 'feature' software that doesn't come 'default' with linux, but which they're going to install the first time a website doesn't work without it.

all the most popular bittorent software all comes in a 'universal' language, either java or python... and they're all in the 'multiverse' repositories... making them easy for linux users to install...

sure, in a write once, run anywhere situation, you can't do as much to a linux machine, as to a windows machine, but the basic stuff, but depending on what the hacker hopes to do, it could be super simple.

linux isn't kryptonite to good hacker.

Re:F5 IRule

[Jeff+DeMaagd]

Actually, I have abandoned Norton & McAfee products, but I've forgotten about them.

I don't recall them lugging my computer as much as AVG 8 either, because I would notice a lag between keypresses and when they actually show up on the screen, and a virus scan would take about several hours scanning an 18GB 15kRPM hard drive. I don't think Norton or McAfee virus scanners that I used were as bad, though maybe more recent versions were.

Re:F5 IRule

[Waccoon]

I would think that a decent IT guy would explain at least the basics of this logic to his/her users.

Nobody wants to be told, "because I said so."

Re:F5 IRule

[Spacejock]

I zapped the link scanner on my laptop & PC, but to my surprise when I went to disable the same thing on my wife's computer she stopped me. She was more than happy to have the web a little bit slower if it meant her google results were tested & filtered for her.

I too am not happy with AVG 8. I don't like the fact it displays a critical error if I disable scanning of outbound email, I don't like the link scanner and I certainly don't like the speed or the UI. The only reason I upgraded was because v7 kept popping up ads for v8, which pissed me off even more.

Re:F5 IRule

[Ysangkok]

Antivir is adware. There's ads popping up, requesting that you buy the full product. And the user-interface is ugly.

Re:F5 IRule

[Jedi+Alec]

Your company is insane.

Or just stupid.

Nobody who knows anything about IE and is mostly sane would ever make IE standard. Have the option, sure, but you should STRONGLY recommend people not use it.

You'd be amazed at the number of "enterprise" "web interface" applications that...turn out to only work on IE, and with any luck only on a specific version.

Let's see, right now I'm looking at CC&B and Blue Pumpkin, both of which simply will not render on anything but IE, not even with fake user clients.

Posting this using Firefox though ;-)

Re:F5 IRule

[StarkRG]

Ahh. but you see, I was talking about internally written apps, not enterprise apps.

I've written some very simple web apps myself, and I understand the technologies and code. It takes some very careful stupid planning to make it only work on IE. You have to do something like choose IE specific javascript or ActiveX (one of the worst ideas in the history of computers, IMHO).

There's almost nothing that you can do with IE jscript and activex that you can't do with regular javascript. (Granted there may be some functions that you'll need to write yourself or find a pre-written library for)

Just lazy programming.

One Word

[Spazztastic]

Avira.

Re:One Word

[BadAnalogyGuy]

When the AVG Free forced upgrade came out, I went in search of another antivirus software product and picked Avira too, but it also seems to enjoy popping up useless dialog boxes, more so than even AVG ever did.

Is there a good AV software package that is free and up to date and doesn't suck ass?

Re:One Word

[TheLinuxSRC]

I don't use windows on the desktop so I cannot really comment, however I do administer some Linux mail relays that use ClamAV with extremely good results.

I mention this because there is a windows client that uses the same FOSS engine -- ClamWin.

Re:One Word

[lukas84]

Please note that ClamWin Free Antivirus does not include an on-access real-time scanner. You need to manually scan a file in order to detect a virus or spyware.

Yeah, and embedded virus scanning is all that is currently good for. It does not have an On-Access scanner, making it almost useless in a desktop environment.

Re:One Word

[BadAnalogyGuy]

Gimme a break.

I download movies for free.
I download music for free.
I download porn for free.
I download operating systems for free.
I download software for free.

Why shouldn't I expect antivirus software to be free as well?

Re:One Word

[Araxen]

Eh...you don't need $60. Just goto newegg and buy the nod32 oem version for $30.

http://www.newegg.com/Product/Product.aspx?Item=N82E16832114005

Re:One Word

[modecx]

It's useless on a workstation? Only if you're a nincompoop and don't scan suspicious files manually, before you go to run them. I.E. the way things used to work before computers were generally fast enough to make on-access virus scanning bearable. It's a good alternative, if you don't sit on your brain--which, of course makes it unusable to most people, (if that's what you meant)

Re:One Word

[Bert64]

On access scanning, what a horrendous way to cripple performance.

Re:One Word

[thePowerOfGrayskull]

Personally, I wish they'd write a secure user. Then AV wouldn't be necessary.

Re:One Word

[MBGMorden]

Generally, you're right. 99.9% of all virus infections I see on other people's machine would have been prevented if they just followed safe computing practices:

1) Don't download useless crap. Useless crap is subjective, but programs that change your cursors, have teddy bears come out and wink at you, or other non-sense are definitely useless crap.

2) Even on Windows, try and use open source software where you can. In general, if something comes from SourceForge, I trust it a lot more than some random closed source app that I've never heard of.

3) Research your programs before you download them.

4) Use a good browser and limit what scripted content you run. Firefox with NoScript works perfectly. After you whitelist your normally visited sites you rarely have to worry about it anymore, and any new site that needs to run scripts has to be approved first. And for most sites, unless I notice something broken/not working on the site, I don't allow scripts even if the popup does appear.

Personally, I haven't ran an on-access virus scanner in 3-4 years. They're intrusive and take up valuable resources. I do currently have ClamWin installed though, and scan every so often just in case. I've always turned up clean (at least on my Windows machine - I have Linux and Mac machines as well that I don't even have to worry about scanning).

Since too many people around here seem to think that I'm a door-to-door compute repair guy and keep calling me, I've seen tons and tons of spyware infected machines. Lately I've taken to pointing them to the Apple Store to show them the Mac Mini, and telling them that I'm going to be switching over to only supporting Mac's soon . . . (hoping that if they'll just buy the damned Mac that I'll never have to visit again anyways)

Re:One Word

[Ngarrang]

Actually, on-access scans are resource hogs on a live workstation, and are not worth the overhead when all you need to do is exercise some common sense in the things that you open.

Remember who we are talking about now: Users. The same people who demonstrate time and again any idea of common sense and will click on any prompt that comes their way. For a sysadmin, automated scans will remove far worse headaches like the thought of a virus running free on your network.

Re:One Word

[jonbryce]

Anti-virus software is the one thing I would never download from a torrent site. You need to be sure it comes from a trustworthy source so you can check all your other torrents with it.

Re:One Word

[filthpickle]

NOD32 is pretty good about not being intrusive/using up resources. Whenever I fix(wipe/reinstall) someone's horribly infected PC I try to get them to buy it, it will save you the "it keeps popping up saying XYZ" calls.

but like you say if you are careful you really don't need on-access. In 12 years or so of owning a computer that had net access I have only had one virus. Got it from the warez version of one of the Mortal Kombat games (oddly enough...warez, downloaded from the right places, is almost always clean). An update to Starcraft came out and was nice enough to tell me that it couldn't patch the exe because it was the wrong size. Now that's virus protection!

Re:One Word

[paulzeye]

Actually I think on access scanning is a great way to cripple performance : )

Re:One Word

[spyrochaete]

You can (and should) disable the interface skins when installing Avast or at the preferences screen. They should make this the default since the skinned interface is very cryptic and the unskinned interface is above average in usability.

Re:One Word

[cparker15]

According to http://www.clamwin.com/content/view/35/27/, on-access functionality is going to be in the next major version.

Re:One Word

[MBGMorden]

Actually just visiting the wrong web site can get your computer infected even if you follow all of that advice.

Generally not with the NoScript part in place. Firefox already blocks pop-ups, but with NoScript I can filter down by domain what scripts to allow - I only allow scripts for very trusted sights (ie, like Slashdot, NeweEgg, my bank etc), and I NEVER, even for those sites, whitelist any script coming from offsite, which kills any scripts that an ad might run. I also run AdBlock Plus as well to kill non-scripted ads, but that's usually to get rid of annoyances more than actual harmful stuff.

With NoScript in place a page basically can't infect you unless you specifically enable scripts from that domain to run.

Now of course a "trusted" sight could become compromised if hacked or if the admin went over to the dark side for some reason, but that rarely happens.

As I said, I've dealt with the little trojans that download the tons and tons of self-replicating spyware and viruses, but only to remove them from other peoples' computers. My own computer hasn't seen a virus or spyware in years :).

How do you really feel?

[SoupGuru]

Why don't you tell us how you really feel about AVG?

Re:How do you really feel?

Ok. It's run by Jews in a secret conspiracy to take over the World using sharks with frickin' lasers and gorgeous fembots with a penchant for evil.

Re:How do you really feel?

[The+Clockwork+Troll]

In this day and age it's sad to see that anti-sharkitism is still alive and well.

AVG = Alotta VaGina?

Re:How do you really feel?

[immcintosh]

One of those times I wish you could moderate the moderation as +1 Funny.

Re:How do you really feel?

[flerchin]

It has nothing to do with faking the user agent and everything to do with using far more bandwidth and resources than is necessary to do a job that will be minimally effective at best. 6% of slashdot's traffic is not an insignificant amount of bandwidth. As another poster put it, they are using a flamethrower to take out a hornet's nest, on the whole bloody internet.

Re:How do you really feel?

[bhtooefr]

Because the websites that are blocking Opera, or non-IE browsers, or whatever are usually doing it for completely arbitrary reasons as well.

The websites that are blocking AVG are doing it because AVG doesn't obey robots.txt, it seems.

I discovered this the hard way

[brunascle]

A couple months ago, a random article on my company's site got around 20 times the number of hits that the top story of the day should be getting. I checked the logs, and saw legit-looking IE user agents, but they didnt look normal. None of them had any cookies, and none of them were downloading the CSS or image files that they should have been. The IP addresses were from all around the world. WTF?

I found out that Google was doing one of its things where it changes the google logo for some special occasion, and it links to a search. That article was on the first page of the results.

I did a search for the exact user agent and discovered it was AVG. When you go to a Google search, AVG downloads each result looking for malware. Hooray for falsified user agents.

Though, I suspect the reason they use a legit-looking IE user agent is because malware sites could sniff the AVG user agent and serve up an innocent page for them, and malware for everyone else.

Re:I discovered this the hard way

[jsailor]

I did the same and for the same reasons.
Not sure how this practice justified the poster calling them slimey.
I've been relatively happy with AVG. Perhaps, someone could elaborate on how they are slimey. This appears to be an attempt to protect people.

Re:I discovered this the hard way

[Darkness404]

Perhaps, someone could elaborate on how they are slimey. This appears to be an attempt to protect people.

Ok, think of the /. effect. Now take that on almost any website who's servers aren't as strong. This is basically a huge DDoS attack on many websites by AVG that has a reason behind it. But it is still a DDoS attack.

Re:I discovered this the hard way

[Clover_Kicker]

They might be dumb instead of slimy...

Re:I discovered this the hard way

[whencanistop]

and none of them were downloading the CSS or image files that they should have been.

So they don't load anything that could possibly install a virus on your computer when doing these checks?

Sounds to me like this is a bit of really useless functionality that will just eat up your bandwidth.

Thanks AVG. You've just confirmed to me that all antivirus software is pants.

Re:I discovered this the hard way

[jeiler]

I could agree with it being called a DDoS attack if the intent was to actually deny service. It's not--the intent is to index pages for malware as part of their version of McAffey's SiteAdvisor.

If one wants to call such a thing a DDoS attack, then one must also condemn Google every time they index the website.

Re:I discovered this the hard way

[initdeep]

not really.

in order to "cause" the "attack" the website must come up in a search.

all this does is "pre-crawl" the pages in a search result to look for malware.

so unless everyone is searching google for the same thing, it really doesn't do a ton.

unless of course you run some pos server and have somehow gotten your result for whatever to be top ranked and of course it's a popular search string.

but then, i would blame the company, not avg, since they've gone to the trouble to probably cause this themselves.

Re:I discovered this the hard way

[Darkness404]

But how many times does Google go to the site? About once a day, if even that. This is obviously going there much more then once a day. So taking the 5 major search engines (Google, Ask, Live, Yahoo!, and MSN) that equals to about 5 visitors per day, again, it could be a bit less or a bit more but around 5 visitors per day, not downloading images or anything else, it wouldn't stress your bandwidth much, but say you had 1,000, 10,000 per day, that might start to create problems when your site is used to getting say about 500-5,000 human hits per day.

Re:I discovered this the hard way

[UltraAyla]

If one wants to call such a thing a DDoS attack, then one must also condemn Google every time they index the website.

I think most of the rest of your point stands, but this doesn't. The difference between google and AVG is that Google's servers coordinate so you don't end up with thousands or millions of requests from them in a short span of time (as many sites are reporting) and they obey robots.txt so you can opt out. If AVG had servers that kept track of the results of these scans so that every client didn't need to download a page but instead communicated with AVG for results, then the comparison would stand.

Re:I discovered this the hard way

[InlawBiker]

They are attempting to help their customers at the expense of everybody else on the Internet. If I understand the article, they're pre-scanning every possible URL on a page. In essense they're clicking every possible link before you do.

For instance I searched for "avg" on google and counted the number of "href=" appearances on the resulting page. It happened to be an even 100. AVG is visiting ALL of of those HREFs in the background. A user will click on only one.

I would assume their scanner is smart enough to remove duplicates HREFs and do some other smart things. But still, this is a terrible idea. I guess we all have to go buy more servers and bandwidth so the anti-virus people can make a living now?

Re:I discovered this the hard way

[jamie]

Prefetching your search results doesn't protect you from viruses any more than just checking the pages you try to load at the time of loading.

What it does, is basically scanning the entire internet, weighted toward the pages its users search for, and I assume reporting back to AVG which websites have malware or suspected malware on them.

The problem with this theory is that malware sites can move around quickly, so learning that domain xzclqqkxzz.com tried to upload a virus to someone's computer 48 hours ago is not especially valuable information.

That's in addition to AV software being essentially impossible to keep up-to-date anyway, you can look up studies but most AV software lets a lot of malware through.

And the increased traffic annoys webmasters because the prefetches are (attempted to be) disguised as actual page fetches, and they come from all over the internet, so we think they're real clicks from real users but they're not. Plus, for some sites the increased load/bandwidth may be a problem.

Re:I discovered this the hard way

[Al+Al+Cool+J]

Google respects robots.txt, including the crawl-delay directive. AVG doesn't even try to access robots.txt.

This thing has taken my servers offline several times in the past month, something Google has never done. It is a hostile bot in my view, and is causing me more trouble than all the Russian and Chinese spam crawlers combined.

Re:I discovered this the hard way

[karot]

Dumb is what they were BEFORE they were told about the problem. Slimy is what they are now that they are refusing to rectify the situation and behave.

I think they deserve everything they will inevitably get as a result of this.

Re:I discovered this the hard way

[sm62704]

They might be dumb instead of slimy

Hanlon's Razor is often cited, but I don't think it applies. I rather believe in most cases the truth is the exact opposite; you can call it "mcgrew's razor" if you like.

"Never attribute to stupidity that which can be adequately explained by greedy self-interest unless proven otherwise."

I'll believe "slimy" until "stupid" is proven.

Re:I discovered this the hard way

[brunascle]

AVG doesn't even try to access robots.txt.

Even if it did, it wouldnt really change anything, since it's not just 1 server doing it, it's everyones' PCs. They couldnt be expected to all communicate and coordinate how often then hit servers. If they're going to coordinate, it would make more sense to just share the info about which sites were malware and which werent, which would actually be better than what they're doing now.

Re:I discovered this the hard way

[sm62704]

All AV software compaies are slimey, because AV software gives you a false sense of security. It can't detect any malware that isn't in its database, and it can't stop a luser from running a trojan. But the luser doesn't know this, and thinks it's safe to click on any damned thing.

If your OS "needs" AV, your OS, IMO, sucks badly.

Re:I discovered this the hard way

[jeiler]

Correction: "The important questions here are "Does the AVG spider ignore the robots.txt rules?" and "Do they try to hide/distribute their IP addresses?" If the answer to either of these questions is "Yes," then we have a problem--if not, however, we have only umbrage."

Sorry. Momentary braino.

Re:I discovered this the hard way

[Bert64]

Google, as other search engines, not only obey robots.txt but also quite clearly identify themselves a GoogleBot and connect from an IP address registered to Google.

Another company that's particularly bad is Cyveillance, they also regularly spider sites very aggressively (redownloading the same content repeatedly even tho it hasn't changed), and they try to spoof their user agent.
If you mail them to complain, they will claim to remove your sites from their spider if you give them the IPs, but they lie... They will continue spidering your sites, but from a different IP range which is still traceable to them.

Re:I discovered this the hard way

[QuantumRiff]

Don't most antivirus software companies scan emails by acting as a "proxy" to the imap/pop server, downloading the message, then relaying it to the mail client? Seems it would be much smarter to have the anti-virus just load a small proxy server on the machine, and configure the browser to use that proxy. Then it could scan the traffic, and then pass it on to the browser, and intercept bad stuff before it hits the browser..

Re:I discovered this the hard way

[wbean]

Not only that but it doesn't really work, either. I was tracking down a site that was being pointed to by a really unfriendly link. The site was full of malware but AVG showed the friendly green checkmark when it pre-scanned the site!

Re:I discovered this the hard way

[Xtifr]

They are attempting to help their customers

Attempting is the operative word here. Someone with limited bandwidth may consider the fact that their browser is attempting to download several dozen web pages simultaneously to be somewhat less than helpful. Not to mention, someone who is at or near their ISP's (stated or unstated) bandwidth caps may find this to be pretty obnoxious too.

A user will click on only one.

At most one. It's highly possible that a user will click on none.

My sympathies for Windows users and the contortions they have to go through to avoid being infected/invaded/p0wned is generally pretty minimal, but this is just over the top. Talk about a cure that's worse than the disease!

I turned it off

[stoolpigeon]

I use AVG on a couple machines. I didn't really think about the traffic tracking piece of this when I saw it working, I just thought about it slowing me down, increasing bandwidth use, etc. and I turned it off.

I know most people don't mess with defaults - and I'm not defending them as far as the agent thing and all that - but it was easy to do.

On the negative side my avg icon in the systray has a big exclamation over it like something is really wrong - when I know it's just because I turned off a piece of functionality I don't want to use.

Re:I turned it off

[funfail]

If you are using Firefox, just disable the AVG addon within Firefox addon manager. You won't get the big exclamation mark.

Re:I turned it off

[maxume]

There is a solution to the exclamation:

http://grandstreamdreams.blogspot.com/2008/04/taming-avg-free-version-8.html

In short, run "avg_free_stf_*.exe /REMOVE_FEATURE fea_AVG_SafeSurf /REMOVE_FEATURE fea_AVG_SafeSearch" from a cmd box or the run box.

Sort of a ridiculous contortion to get to an option that should be more available, but it works.

Re:I turned it off

[sbeacom]

You can choose when installing AVG under the custom install not to install the search protection at all. Your AVG icon won't show that there's an error and you don't get the ridiculous slow down while searching.

Re:I turned it off

[thundercleese]

You can install AVG 8 without LinkScanner which returns AVG to it's previous functionality(just anti-virus).

From the FAQ:

If you wish to install AVG 8.0 Free Edition without the LinkScanner component, or uninstall this component from your program, please proceed as follows:

        * Download the AVG 8.0 Free Edition installation package from our website.
        * Run the installation with the parameters /REMOVE_FEATURE fea_AVG_SafeSurf /REMOVE_FEATURE fea_AVG_SafeSearch. One way to achieve this is to:
                    o save the AVG Free installation file directly to disk C:\
                    o open menu Start -> Run
                    o type
                        c:\avg_free_stf_*.exe /REMOVE_FEATURE fea_AVG_SafeSurf /REMOVE_FEATURE fea_AVG_SafeSearch
        * The installation will be started, and AVG will be installed without the LinkScanner component.

Re:I turned it off

The issue is not with "if you want you can disable it" - because 99.9999% of users are not aware what is happening and would not care to Google this to re-install with a feature disabled.

The issue is that our servers are receiving 50% more hits than "necessary". This translates into money. Yes, bandwidth costs money and if we go over our allotment this month and are charged per gigabyte I will fully blame AVG for it.

We are a legitimate site and have taken great care to ensure our code is secure. Scanning our pages hundreds of times per day is simply a waste of resources, especially when done for users who are not even visiting the site but are only seeing links to us in search results elsewhere.

Re:I turned it off

[Hatta]

AVG provides a product that for the most part is ABSOLUTELY FREE.

AVG free is licensed for home use only, on no more than 1 PC, and reverse engineering is prohibited. That's a long, long way from ABSOLUTELY FREE.

Re:I turned it off

[barakn]

I upgraded to FireFox 3 and it broke the AVG addon (I have the free version, not sure if the pay version would break or not). Considering the behavior of the AVG addon, I'm glad its broken, and am thinking of migrating to a different AV product.

Re:I turned it off

[ciscoguy01]

It's more than decent of them to provide a free version.
Do you realize how many people have no ability to order any expensive worthless AV software from Mcafee or Symantec? Like nobody has a credit card?
AVG 7.5 worked great for a free program for lots of these people. They have nowhere else to go.
AVG7 was fairly lightweight and caused me no problems, unlike the PCTOOLS antivirus one guy kept installing at his office. It caused so many problems he had to uninstall it, but when uninstalled took the XP LSP (layered service providers) stack with it. After that he would have to call me.
It took me 4+ hours to find that problem. There was a free thing called LSPFIX that took care of it if anyone has a computer that seems to be perfectly working but won't talk on the network.
As to the new AVG8, I have been re-installing it with those command line switches to get rid of the link scanner. Link scanners are always a bad idea, it makes no sense to preload links from someone's yahoo page with hundreds of links they will never click on, what does anyone care if malware is behind them?
AVG came up with a silly idea with that whole link scanner idea. Hopefully they are fixing the problem by turning that thing off right now.

Re:I turned it off

[mdielmann]

Or...
You could install as normal, go into the LinkScanner options, disable it, go back to the main window, right-click on the LinkScanner icon, and select "Ignore Component State". Sounds a lot easier.
On that note, I've already done this on mine.

Hooray

[genner]

Hooray look at all the hits I'm getting.

Re:Hooray

[sm62704]

Hooray! Look at all the OH SHIT my server's on fire!

ACID

I bet AVG would score higher on ACID than IE...

Slimey ?

please, providing millions of people with an anti-virus for free is not exactly "slimey"
if you want the definition of Slimey see Symantec/Mcafee/MicrosoftOneCare

while this doesnt excuse their behaviour, trying to protect people (a lot of them for free) is not Slimey but insulting them on the front page of Slashdot is

pathetic

"as like"

[DaHat]

> on Slashdot, we're seeing them as like 6% of our page traffic now

Come on Taco... proper English (or at least something seemingly like it) isn't that hard... is 6% exactly, around 6% or really just 'like 6%'

I honestly like, do not recall like the last time I like, saw someone use 'like' in that long standing improper way in like text, it's always like, been for me, like only something a person like, verbalizes.

This is not AVG itself

[brunes69]

This is not AVG doing this, it is the AVG IE toolbar. And since this is running in the IE context it is debatable if it should not use the IE user agent.

If you use Firefox or disable the toolbar it is a non issue. The issue to me is I can't figure out how to install AVG without this toolbar, or how to remove it.

Re:This is not AVG itself

[j79zlr]

You are prompted if you want the toolbar during installation. That is not the problem. It is the LinkScanner for AVG Safe Search that is causing this. You can also install AVG without it: Instructions. You can also disable the add-on in both Firefox and IE7, I do not know how to disable it in IE6.

Re:This is not AVG itself

[Hal_Porter]

It's the same in IE6 if you have SP2 installed

http://www.spywareinfoforum.com/lofiversion/index.php/t91168.html

Re:This is not AVG itself

[Stan+Vassilev]

This is not AVG doing this, it is the AVG IE toolbar. And since this is running in the IE context it is debatable if it should not use the IE user agent.

What is debatable, is why the toolbar must scan all results for each user. A site is either malicious or it's not, such site probes must be done centrally and kept in a shared database.

AVG instead decided to save themselves some effort and cost of doing this centrally, and incur the cost on their clients, and on the site owners who are unfortunate (heh...) to be present in Google's search results.

If you use Firefox or disable the toolbar it is a non issue. The issue to me is I can't figure out how to install AVG without this toolbar, or how to remove it.

So I guess CmdrTaco should just disable his toolbar and it's a non issue.. Oh, right. The issue is with the site owners as much as, if not more, than AVG's users.

Alternative Anti-Virus Software?

[sjbe]

So if AVG has turned to the dark side, what free/cheap non-bloatware options are out there worth trusting? I know of a few but it's a little hard to know who to trust.

Seems like every anti-malware software maker these days bloats their software into a 50+MB beast of a package that accomplishes little more than to slow your computer down. I have more trouble with their software than I do with actual mal-ware.

Re:Alternative Anti-Virus Software?

[LMacG]

Avast.

It's not just for Talk-Like-A-Pirate Day any more!

Re:Alternative Anti-Virus Software?

[mapsjanhere]

I second Avast, it's free for home use, and has very reasonable commercial license terms. Plus it gives you one code for all machines, no need to chase 20 different keys like you do with Norton etc. And the key is good for the whole license period; before I used to loose at least 10 % of licenses to crashes or borked installs, and getting new ones from Norton was like pulling wisdom teeth on a grouchy alligator.

Apache Rewrite Rules!

Try this on Apache servers:

#Here we assume certain MSIE 6.0 agents are from linkscanner
#redirect these requests back to avg in the hope they'll see their silliness
Rewritecond %{HTTP_USER_AGENT} ".*MSIE 6.0; Windows NT 5.1; SV1.$" [OR]
Rewritecond %{HTTP_USER_AGENT} ".*MSIE 6.0; Windows NT 5.1;1813.$"
RewriteCond %{HTTP_REFERER} ^$
RewriteCond %{HTTP:Accept-Encoding} ^$
RewriteRule ^.* http://www.avg.com/?LinkScannerSucks [R=307,L]

Brought to you by These guys.

Re:Apache Rewrite Rules!

[pixelbeat]

Just to comment that this has been working flawlessly for me and others for days.
In addition to much reduced load, AVG will be getting the combined load with an appropriate message in their logs.

Note it's quite safe for valid IE 6.0 users as it checks for very specific user agent strings that most IE 6.0 users don't in fact have.
In addition the referrer must be blank and the Accept-encoding header must be missing.

Also I'm using a 307 redirect so so that potentially non linkscanner clients will keep checking the latest rules.
This also allows you to change the redirect destination without worrying about cached old redirects.

Re:Apache Rewrite Rules!

I have an updated version of this redirect to AVG, based on info I've been gathering over the last 2 weeks from Webmaster World, El Reg, and of course Pixelbeat. Here is the rule set I am using now:

RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} ".*MSIE 6.0; Windows NT 5.1; SV1\)$" [OR]
RewriteCond %{HTTP_USER_AGENT} ".*MSIE 6.0; Windows NT 5.1;1813\)$"
RewriteCond %{REQUEST_METHOD} ^GET$
RewriteCond %{HTTP_REFERER} ^$
RewriteCond %{HTTP:Accept-Encoding} ^$
RewriteCond %{HTTP:Accept-Language} ^$
RewriteCond %{HTTP:Accept-Charset} ^$
RewriteRule ^.* http://www.avg.com/?LinkScannerSucks [R=301,L]

I have the check for "GET" method in there so that the earlier "User-Agent: ..." version of linkscanner will still get redirected. See, that version does a HEAD request first, most likely to check for a redirect. So we allow that HEAD request to pass, since it is small any ways. But the GET request that follows will still get redirected. We want to redirect the maximum amount of traffic we can to AVG, to drive the point home.

This filter is also more selective, by also checking for the non-existance of Accept-Language and Accpet-Charset we make absolutely sure we are not redirecting a valid user. No web browser out there would fail to set all 3 of these, so we can be absolutely sure this is crap coming from a linkscanner.

I also decided to use a permanent redirect, in hopes that linkscanner caches this and it will reduce the number of repeat hits from the same user? Not sure if that is the case or not.

Someone in this thread asked if these rules work in the main Apache config file instead od using .htaccess. I don't use .htaccess on my servers either, and these rules reside in our main Apache config file. So the answer is yes, it will work in BOTH places.

I hope by now that AVG realizes the futility in their continuing to change how linkscanner acts to try and hide it from us. We will simply continue to work together as a community of server admins to block this crap and send it right back at them!

My ex wife....

[WwWonka]

....used to fake user agents all the time. As a man I thought I was always properly connecting to her internet portal. guess not.

Re:My ex wife....

....used to fake user agents all the time.

You mean she called out other browsers' names during sex? Weird.

Once good

[Rinisari]

AVG was once a good product. Then, it got bloated and started eating up kernel memory voraciously. It was impossible to play games with it running in the background, especially Crysis (skip the jokes, my system could handle it maxed once I replaced AVG with Avast!). Now, with this development, I'll be sure to replace AVG with Avast! on all of my machines, not just my gaming one.

Re:Once good

[0racle]

As of June 25th, 2008, it seems that they no longer even offer a free product.

Ok, no. As of June 25, they stopped supporting AVG Free 7 in order to get their free users on the Updated AVG Free 8. Incidentally, AVG 8 is the version with the problem this story is describing if you installed the IE toolbar. Anyway, 0.32 seconds for a Google search would show you the latest free version.

Re:Once good

[pbhj]

Are you sure you got AVG from Grisoft? Doesn't sound like my experience of it at all (I'm using it on Vista but have used it fro '98 and XP, but not Linux IIRC)

To get the free version - go to free.grisoft.com (google "AVG free" it's the first link) which redirects now to free.avg.com - that seems pretty clear about where the free version is. Now they are giving you a fully functioning product so the 2 extra links to get the download I think are justified:

Click "get it now" button under "Free basic protection". Scroll to bottom of page of features click "Download", choose the one that says "free for private use" in the left column marked "AVG free".

That's hardly "hidden in 6pt". I didn't install, I'm on ubuntu here, but I say: it exists, it's easy to find for anyone who's not trying to be obtuse.

It's not a proper survey but I don't get any popups except when a new version comes along, then you're offered the chance to upgrade to a pay version - perhaps they can somehow tell you're using it on a business machine, are you on a LAN?

-

The article.

As for the "editor" of this article - I think some journalistic pride in making it clear it's a separate product (to AVG anti-virus) which is for malware detection. A product you can choose to use to pre-check internet links. How the heck is it supposed to work if not by, y'know like, following links and checking them for malware?

I'm not saying it's a good thing, just that the article and the summary somewhat misrepresent the situation. Sheesh, I must be new here!

Re:Once good

[illumin8]

Ok, no. As of June 25, they stopped supporting AVG Free 7 in order to get their free users on the Updated AVG Free 8. Incidentally, AVG 8 is the version with the problem this story is describing if you installed the IE toolbar. Anyway, 0.32 seconds for a Google search would show you the latest free version.

Ok, I should clarify. I've been running 7.5 free version for a few months now. In the last 30 days before June 25th, I would get daily popups saying "7.5 is being discontinued, upgrade to 8.0 (pay version) to stay protected. If this isn't slimey, I don't know what is.

To be honest, I'll probably just uninstall AVG completely and never touch another one of their products again. I only use Windows to play games so there's really not much risk to me of getting a virus.

Re:Once good

[mdm-adph]

You can turn off that feature in your AVG control panel. (It'll install updates at next restart.)

Re:Once good

[Machtyn]

As posted above, try Comodo's products. Excellent! firewall software plus all the other security software you need for free.

On the Up and UP.

Smiley anti-virus provider? The integrity of Slashdot submissions just keeps going up and up! Nice example Taco.

Slow news day...

[s0litaire]

Must be a slow news day...This story's been around for nearly 2 weeks. AVG will probably keep changing the useragent with every few updates to annoy Admins and stats sites...

DDOS

[MyLongNickName]

With all the readers of Slashdot, I think it would be safe to bet we will see a DDOS of AVG servers.

Slimey?

[Flaystus]

Is many years I've never heard AVG referred to as "Slimey" I don't think the toolbar is a good idea either but... slimey? AVG is awesome.

Re:Slimey?

[rob1980]

Yes, the intentions were good, but flooding webservers with traffic was probably the wrong way to implement this. Personally, I noticed that this particular feature was slowing my browser down significantly - I ended up disabling the plugin in Firefox to fix the issue. This should be optional IMO, not installed by default.

Re:Slimey?

[Machtyn]

Not just any nerd rage, many times nerd rage from people that give highly recommended Yays and Nays of products to their less-informed friends and family. AVG has successfully removed itself from my recommended list of products to use. When I receive a computer to (re)build, there are a number of software that gets installed

• OpenOffice.org
• Comodo Firewall
• Comodo A/V
• Mozilla Firefox
• Necessary Firefox extensions (such as AdBlock, WeatherFox, and Tab Mix Plus)
• notepad++
• 7-zip

These software and others which aren't in this list (The GIMP, Audacity) are in my highly recommended list of software that all computers should have installed by default.

Re:Sending the bills to them.

[meringuoid]

And for any of the websites I run I do not remember giving them permission to access those sites...

You need explicit permission to access a public website now? Shit! I'd better get offline and write an apology to CmdrTaco - I've been using /. without permission for the best part of a decade!

Time to post a specific statement on all websites stating that AVG does NOT have consent to access or "visit" these websites.

That's a bit like putting up a 'No Trespassing' sign inside your cellar, and expecting it to prevent people coming over your fence.

It runs in Firefox as well

[Animaether]

LinkScanner, the component they're talking about, works in Firefox as well - so no, using Firefox does not 'keep you safe'.

Nor is this about the users of the thing in the first place - either they like its functionality (security theatre-advance warning blabla) and leave it on, or they don't and they switch it off.

This is about the poor, poor admins who are suddenly seeing bogus traffic and omgosh it's spoofing user agents at that!
*changes his user agent to 'cry more, Taco' in FF and hits F5 .. repeatedly*

Re:Slashdot Justice

[Billhead]

Except that it's not good.
That is, of course, unless you consider it deleting legitimate programs for being "Generic Trojans" a good thing.

Re:Sending the bills to them.

[initdeep]

no your not a lawyer, but i'm pretty sure your not smart enough to be one either.

you didn't give them permission to access your publicly available site?
really?
are you sure?
because you know, if you make something publicly available on the public internet, I'm pretty sure by definition, you've therefore given them permission to access it.
Just like everyone else "in the public".

Did you give Google permission?

how about every other search/index site?

as to the "extra bandwidth" since it is by definition, caused by your websites being found via search providers, maybe you should be sending the bill for linking to them and thus causing the "extra bandwidth" to Google/Yahoo/MS and see how far that gets you.

HOWTO install AVG without Search Crawling

[bheer]

You can actually install AVG 8 without the 'Safe Search' feature that crawls websites (it's essentially a BHO/Firefox extension). Even if you already have AVG 8, you can uninstall it and reinstall:

At a Command Prompt window, type
c:\downloads\avg_free_stf_xxxxxxxxxx.exe /REMOVE_FEATURE fea_AVG_SafeSurf /REMOVE_FEATURE fea_AVG_SafeSearch

where c:\downloads\avg_free_stf_xxxxxxxxxx.exe is the full path of your AVG 8 installer.

Re:HOWTO install AVG without Search Crawling

[Em+Ellel]

At a Command Prompt window, type
c:\downloads\avg_free_stf_xxxxxxxxxx.exe /REMOVE_FEATURE fea_AVG_SafeSurf /REMOVE_FEATURE fea_AVG_SafeSearch

where c:\downloads\avg_free_stf_xxxxxxxxxx.exe is the full path of your AVG 8 installer.

At least it is intuitive....

-Em

Re:HOWTO install AVG without Search Crawling

[MagicM]

You can also just turn it off in the options screen. If you can find the correct options screen. And if you don't mind a tray icon that says "warning, something is horribly wrong!" all the time.

Re:HOWTO install AVG without Search Crawling

[Hal_Porter]

Actually I always disable Browser Helper Objects in Internet Explorer, since I've never seen a BHO that I actually wanted.

http://support.microsoft.com/default.aspx?kbid=298931

AVG 8 is dog slow

[street+struttin']

Has anyone else noticed that AVG 8 is also DOG SLOW on their PC? My computer is from 2001 and ran fine with 7.5, but 8.0 is unusably slow. Every time an application is opened it takes forever for AVG to scan it and let the app open. This combined with this linkscanner bullcrap has caused me to switch. I doubt I'll ever go back.

Re:AVG 8 is dog slow

[springbox]

Works fine for me. Might want to try this: Go to advanced settings > resident shield and uncheck "scan potentially unwanted programs and ..."

Return the love!

[ohell]

Well, I submitted this 3 days ago but I guess CmdrTaco wanted to write an original post. One of the suggestions I had: if you have AVG 8 installed on your machine, why don't you search this a few times, so AVG can taste their own medicine:

Re:New (free) antivirus?

[KlomDark]

I've been using Avast! Home Edition for a while now, no complaints.

Re:Block MSIE?

[brunascle]

The Mozilla part at the beginning is the standard IE user agent. IE has been falsifying their UA as Mozilla since the beginning, originally because Netscape was the top dog, and Microsoft wanted to make sure that it worked with sites that sniffed the UA only worked with Netscape.

Grisoft dropped the ball with AVG v8.0

[GogglesPisano]

I'm a longtime user of AVG. Version 7 was reasonably lightweight, effective and (most importantly to me) unobtrusive.

Unfortunately, version 8 is a different story. After Grisoft forced me to upgrade in May, suddenly AVG became a nagging resource hog. Nightly scan times rocketed from about an hour to over six hours - a scheduled scan that started at 2am would still be going at 8:30am. I have been able to reduce this time somewhat by changing the scan settings (e.g., don't scan inside compressed archives), but it's still slow.

Most annoyingly, their new "LinkScanner" and "SafeSurf" features slowed my browser to a crawl. I didn't want these, since I already use FireFox with the AdBlock and NoScript extensions. I tried to simply disable LinkScanner, but then AVG constantly bothered me with nagging warnings that my computer "was not fully protected". After a little digging, I found that it was possible to uninstall the feature entirely with the following command:

avg_free_stf_xxxx.exe /REMOVE_FEATURE fea_AVG_SafeSurf /REMOVE_FEATURE fea_AVG_SafeSearch

(Substitute "avg_free_stf_xxxx.exe" in the above command with the name of your setup file.)

This improved my browser performance, and eliminated the warnings.

I'm still (grudgingly) using AVG, but I will switch if/when I find a better alternative.

Re:payback

[jamie]

It's not really the load -- it's throwing off our internal metrics so we don't know what readers are actually interested in. We like numbers, and messing with our stats annoys us.

You'd have to fake the user agent

[StrawberryFrog]

When probing for sites that serve malware, wouldn't you have to make the probe look identical to a legitimate user?

Otherwise the malicious site could just serve innocuous content to the probe and malware to everyone else.

Re:You'd have to fake the user agent

[kalirion]

Or you could, you know, just probe the site after the user clicks on the link and not before.

Insightful ??????

[BasharTeg]

How exactly do the websites getting slammed with this bullshit traffic "not even install this part of the program" and "if you don't like it don't use it"?

Did you miss this part: (on Slashdot, we're seeing them as like 6% of our page traffic now)

So how does Slashdot "just not use" the AVG product and recover that 6% of their page traffic again?

The complaint is that they are "spamming the internet with deceptive traffic". That's a server/hosting complaint, not a user complaint about some user who can't figure out how to disable that feature.

Kudos on getting a "4 Insightful" for a ridiculously inapplicable and nonsensical response though!

Nagware alert!

[GameboyRMH]

avast! antivirus Home Edition is FREE to use but it is necessary to register before the end of the initial 60 day trial period. To register, click here. Following registration you will receive by E-mail a license key valid for a period of 1 year. After you have downloaded and installed the program, the license key must be inserted into it within 60 days. The registration process is very easy, and it will take you only a couple of minutes.

Also Avira has been getting more and more annoying over the years, it's practically adware now.

So now it looks like it's either AVG with the browser plugins removed or MoonAV (which is FOSS):

http://www.moonsecure.com/

(It used to have a problem where you'd need to remove the Windows service manually after uninstalling, they might have fixed it though.)

are you sure it's avg_free_stf_xxxx.exe

[pbhj]

Shouldn't it be avg_free_stfu_xxxx.exe ??

Safe Search

[fireheadca]

I love AVG for the free scanner it provides but ...

Safesearch: It doesn't work.

Somehow I ended up on one of those "Your computer is infected..." sites
while trying to dl their crap. So for fun I went back to the referrer page
(google) and sure enough, it was marked as safe.

AVG just needs to log scan results themselves

[BroadbandBradley]

here's my proposed compromise:
1. scan the users search results
2. upload data to avg database
3. next user that has those urls in a search result first check with the avg database to see if those sites have been scanned in say the last hour.
4. only scan urls that haven't been checked recently

of course, then the AVG server would take the brunt of the increased bandwidth, but hey that only seems fair.
OTOH, why people continue to struggle with keeping a windows box running when they could just wipe and install a nice Linux desktop....I'm so happy my Ubuntu desktop doesn't expose me to these kinds of issues.

 

Firefox3 saves the day!

[__aardcx5948]

Hah! Checking my addons in FF3, and on AVG Safe Search 8 it says "Not compatible with Firefox 3.0". Awesome :-)

So AVG is reducing your security...

[argent]

And with AVG, I'm becoming a little less paranoid with websites

That is, you're reducing your security because you believe AVG is providing you valid information about the reliability of websites.

I'm going to agree with the slimy assessment

[WarmBoota]

I installed AVG on my mother-in-law's machine because she had an expired trial version of some other AV software. It was great for a while, but they must've had a change in direction/managment. Because all of a sudden they started with popups to get a full paid version of the software - even uninstalling the product didn't fix it. I had to surgically extract crap from the registry and program files folder to finally get rid of it. Avast or ClamWin for me - no more AVG.

Did anyone else think that this might be helpful.

[AmericanPegasus]

Ok, sure I understand all of the issues at hand here. It is obviously flooding the internet with fake results which must be stopped. So maybe it shouldn't be a default option. But I have to say, that for searching for skeevy websites on Google (not that any of us would be searching for cracks, hacks, warez, or skeevy porn) it sure is useful to know which websites will try to hi-jack my computer before I click the links to them.

Slimy?

[Atraxen]

I think I missed the memo - why is AVG a "Slimy anti-virus provider"? That portion of the summary BEGS for supporting links...

Their eggs are slimy.

[NevDull]

And if that causes problems for webmasters, Thompson says, so be it. "I don't want to sound flip about this, but if you want to make omelets, you have to break some eggs."

Sounds like a "fuck off" to me.

I guess slimy is in the eye of the beholder, but the attitude reminds me of Claria.

Hanlon's razor with the save!

[BlackCobra43]

Never attribute to malice that which can be adequately explained by stupidity.

COMMODO

[deep_creek]

These guys rock! Free life-time license, etc... Small footprint and easy to use. http://www.comodo.com/

Re:Sending the bills to them.

[NevDull]

When it comes to search engines, there's at least a method available to opt out. It may not be as good as opt-in in many ways, but robots.txt is pretty well respected by most reputable firms.

Re:payback

[MyLongNickName]

so we don't know what readers are actually interested in

Porn. Anime. Sometimes computers.

Hope that alleviates your concerns.

Re:When will the webmasters grow a pair...

[karot]

Because 99% of AVG installers will not have the slightest clue that they are contributing in a harmful way to Internet traffic volumes - They are just installing the latest version of their free AV product, and is is largely harmless to them.

The user is freely choosing to install a "beneficial" application, one which in many respects is a very functional capable and respected product.

This can hardly be compared to the stealth-install used by trojans and viruses which create DDoS BotNets... Can it? ;-)

OTOH, I would love to see a major ISP send AVG a bill for this traffic :)

What about advertising?

[Panaqqa]

I wonder if this AVG behaviour of doing prefetch on linked sites is driving up advertising clicks at all?

Could AVG be unintentionally committing massive click fraud?

Re:Awwww, so sorry for all the webmasters

[aiken_d]

Wow. Just wow. You managed to make an ends-justify-the-means argument, a false dichotomy, a red herring, and probably a few other fallacies I missed because I was already laughing so hard.

AVG is breaking two key rules of good app behavior on the internet: they are making huge numbers of requests that users don't want or know about, and they are providing fraudulent info in the request headers to prevent affected services from mitigating the problem.

How many companies write internet-enabled apps? What do you think? 1000? 10000? 100000? If AVG's behavior here is OK, is it also OK for all of those other apps to pile on as well, each one adding another 6% of overhead to *the entire internet*? Or is AVG special for some reason that allows them to play by different rules than everyone else?

This is very abusive on AVG's part, and your spirited defense relies on logical fallacies and hand waving. Your "if you don't want AVG to eat bandwidth and lie about its useragent, you must want your users to be infected with malware" bit is just icing on the cake.

Truly, you have a dizzying intellect.

ClamWin is actually useful

[DrYak]

While all other /.ers are complaining that ClamWin is useless I want to bring some points :
- ClamWin has a built-in plug-in to scan incoming mail in outlook.
- ClamWin is easy to call from scripts and is a nice thing to add to the commands that are launched by your favourite bit-torrent client once a file is completed (I use this on my linux based torrent downloading/file server machine)
- ClamWin has plug-ins for FireFox : SafeDownload, Download Scan, Download Statusbar all let you launch the scanner of your choosing once a download finishes. ClamWin Antivirus Glue is another solution, but one has to manually update the minimal supported version (the plugin is set to support up to 1.5 although it works with more modern versions).

So, although ClamWin isn't continuously scanning in background, it can cover most of the usual entry points. (Although I don't know about plugins for Thunderbird and Microsoft file server).

For those who like to test newer bleeding edge software : WinPooch software can launch a scan when ever an executable is opened - it's almost as good as an on demand scanner.

Re:ClamWin is actually useful

[nabsltd]

For those who like to test newer bleeding edge software : WinPooch software can launch a scan when ever an executable is opened - it's almost as good as an on demand scanner.

Scanning when an executable (or other file) is opened is the worst type of real-time scanning, and what makes people complain about anti-virus software slowing down their machine.

The system I have to use at work has on-open scanning and does a full scan in the background every time someone logs in or the virus definition file is updated, both of which tend to happen when I'm most interested in getting the machine to do something quickly.

For the Windows boxes I use at home, I have the A/V software set to scan only on write or modify, and exclude certain files that get written to a lot but are very unlikely to carry an infection (e.g., log files). Using this setup, files are generally only scanned a few times (depending on how the download and install system uses temporary space), but the system is still just as protected.

This wouldn't work if you don't really have control over the system, and someone evil came in and turned off the A/V and then loaded a virus. Just in case, though, I have scheduled full drive scans run weekly during low use hours.

Re:Awwww, so sorry for all the webmasters

[gordyf]

I think you're missing the point: it scans links that users are not going to. It scans every result from a search, and not just the ones that you're browsing to. This significantly increases the traffic that sites have to deal with while not increasing user security at all, since the pages can just as easily be scanned while they are downloaded.

But maybe you're just trolling.

Re:payback

[nomadic]

It's not really the load -- it's throwing off our internal metrics so we don't know what readers are actually interested in. We like numbers, and messing with our stats annoys us.

Eh, 6% doesn't sound too bad, and from what I understand the AVG bot hits will be coming from people doing searches; therefore now you're getting a good metric of what people are searching for on google, might help you get new users.

Sure AVG's not slimy...

[Firethorn]

Also AVG are not slimly, the spyware/trojan/malware site operators are

However, I'd argue it's the equivalent of using a flamethrower to take out a wasp's nest - the amount of collateral damage to non-malware sites due to the spurious pulls is excessive, there are cleaner methods available.

Re:Sure AVG's not slimy...

[Slashdot+Suxxors]

Whatever man, you haven't lived till you've used used a flamethrower to burn a bee's nest, a firehose to put out a candle, or a .50 cal to get rid your "rodent" problem.

Re:Sure AVG's not slimy...

[KnightNavro]

...or a .50 cal to get rid your "rodent" problem.

Pansy. I use a mortar. It works especially well on burrowing rodents.

Re:Sure AVG's not slimy...

[tgd]

No, its the equivalent of taking a flamethrower to all your neighbor's houses because you think there might be a wasp flying around.

Re:Sure AVG's not slimy...

[rrkap]

No, its the equivalent of taking a flamethrower to all your neighbor's houses because you think there might be a wasp flying around.

Oh, come on! Who hasn't done that?

YOU are clicking on every link!

[hudsucker]

Let's say that your Google search returns some links that are NSFW, or could be considered illegal to view. As a far as anyone looking at server logs is concerned, you are choosing to view those links.

How long before someone gets fired or arrested, and tries to explain that it was their anti-virus software that was viewing the child pr0n?

Re:YOU are clicking on every link!

[hudsucker]

Well, I wasn't thinking of me -- I only search for fuzzy bunnies and pink ponies.

But I have a friend (really) who was surfing through a company network. They claim that he was accessing inappropriate content and he was fired. He says that he was checking out vacation destinations for a trip, but one of the search results was fake (it used fake key words or something to boost its page rank) and let to a pr0n site.

So I'm thinking that the AVG LinkSearch can lead to cases where someone is accused of such activity, when really they didn't.

Which idiot wrote this program anyway?

[dumbo11]

After some checking logs today - the beauty of this mess, is that linkscanner doesn't send accept-encoding and it also seems to 'support' the caching header in a quite hilarious manner.
If your homepage is 100k, browsers will see a page maybe 15k in size, linkscanner sees a page 100k in size.
If you regularly update and set a low/negative expires, then a browser will see the page once (when they visit it), whereas linkscanner seems to re-download the page every time it sees a link to it.... combined with a page that is SEO optimized, and you can see insane bandwidth usage.
*IF* page scanner avoided re-downloading pages with "don't cache" set (since it's bloody pointless), AND supported gzip encoding - then I wouldn't be quite as pissed as I am. Honestly, this is not only a bad idea, it's half-assed coding on top of that.

I feel like watching Netscape die

[Ilgaz]

I got MS Virtual PC installed on PowerPC G5 Quad running (unfortunately, forced) XP SP3.

As you probably know even such a emulator/virtual machine can get infected by a worm/virus and can also actually run it. So, I thought about 4-5 years back and installed AVG Free edition after trying various stuff. It was the previous, simple version which did a damn well job for obvious junk and it was almost transparent to that P3 500 equivalent virtual machine.

It shows me warning that I should update to version 8, after watching that it takes 35 mins just to install, I travelled further back in time in my memories. You know the difference between AVG 7 and AVG 8? Same as the difference between legendary Netscape 3 Gold and Netscape 4 communicator.

RIP to another excellent software/formula wasted by incompetent developers and a company trying to become which they can never be, Symantec. Symantec can save themselves and survive thanks to millions of dollars in advertising, straightly bought out technical correspondents, reviewers but AVG will be a thing of past. I am actually surprised nobody started a "Save AVG 7 petition" yet.

The code they wasted actually saddens me even while I mainly use OS X. Avast guys should be careful, they are in same path too.

Not "Slimey" . . .

[mmell]

"Slimy". Spell it right!

Seriously, AVG wasn't trying to DDoS websites around the world - they were only demonstrating that they aren't very good at predicting the consequences of their software's actions.

Never attribute to malice what can readily be explained by simple ignorance.

Re:Sending the bills to them.

[Kadin2048]

Well, the "No Trespassing" sign in this case is presumably a robots.txt file.

AVG is choosing not to follow robots.txt. If you accept that AVG's linkscanner is, in fact, a robot, then they're basically ignoring a clear warning to keep the hell out.

What's still open to debate, in my mind anyway, is whether the AVG linkscanner really qualifies as a robot. If it is, then certainly a web browser that performs pre-fetch is as well, and ought to follow the same standards.

Re:Awwww, so sorry for all the webmasters

[canajin56]

If you wanted to be protected on the pages you view, you could, I don't know, scan them instead of having every computer on the internet doing daily crawls of everywhere even tangentially related to the pages they actually view? Or they could only scan once, and only crawl a website if it hasn't been scanned recently. There is no reason their software has to scan /. 5 million times a day when once would do. After all, if they want to be so cavalier about bandwidth, they can pony up and have their software ask their database about the page every time, instead of just doing another redundant scan.

Uh-uh - you're putting the onus on everyone BUT

[mmell]

AVG (sslr).

Lemme get this straight - for all intents and purposes, AVG has turned their entire customer base into one huge botnet, yes? They can't instruct it to "attack server ", or to initiate campaigns to increase the size of their botnet, but a botnet it remains. Anybody with AVG software installed will accept whatever that software does (at the behest of AVG), but since it lives under a cloak of legitimacy users won't be trying to purge it from their hosts anytime soon.

So - AVG Antivirus is a trojan, it's behavior once installed is much like a worm, it has been shown to inadvertantly cause DDoS attacks on websites (hey, what's the impact on the backbone from this?). AVG Antivirus is the BitTorrent of the botnet world!

If I wrote software like that, DOJ'd have me in jail 'til my beard reached past my kneecaps.

Re:Awwww, so sorry for all the webmasters

[osu-neko]

Are users not supposed to protect themselves in the interests of the website?

This isn't being done to protect users. The pages could be scanned just as easily on actual load. This is being done to prevent the users from having to suffer a small delay on loading the page by preloading it (and every other possibly link on the page since the software doesn't know what link you're going to click).

You're just putting spin on the issue because this is affecting your cost/income ratio.

You're very anti-average Joe. Most of us aren't Amazon. Most of us, in fact, make precisely zero income from our websites. And we don't have the kind of financial resources to deal with this kind of distributed attack on our bandwidth. Amazon, Yahoo, and such won't have any problem dealing with this sort of thing, but if it becomes popular, it'll force the rest of us off the web.

Since the problem of malware sites is not going to go away and since AVG is effective more antivirus software will start using these techniques. Unless you have something better to suggest?

Yes, make the user wait the extra second if the user wants to scan a page.

Frankly, as an end user, I don't give a damn about your costs and stats. I don't care about it for amazon, ebay, myspace, or paypal. I do care that if I follow a link to an unsavory site that I am protected.

If that's true, then you won't mind waiting the extra second to load a page instead of having the browser drag down the bandwidth of every site in your search ahead of time for you.

Here is another question. Do you want a userbase that is populated by malware infected computers? Is that preferable to figuring out a way to work with AVG new technique?

That's a false dilemma. Is it preferable to force everyone other than the big guys off the web so that users don't have to wait an extra second on loading a page?

Dont throw your users under the train. They have a right to their security and peace of mind.

Don't throw the majority of web page publishers under a train, just so you can save a second by preloading a page.

I seldomly see postings so devoid of clue.

[arcade]

I don't think I've seen a posting so completely devoid of any intelligence in a long time.

Are users not supposed to protect themselves in the interests of the website?

Sure they should. Nobody has suggested that they should not.

Since AVG is producing something that helps end-users do you really want to be seen as a promoter of the problem?

If they want to help the end-users, they should scan the content before it's given over to the webbrowser - not pre-scan all links.

Since the problem of malware sites is not going to go away and since AVG is effective more antivirus software will start using these techniques. Unless you have something better to suggest?

Why not just do the sane thing? Why not just scan the content as it's being downloaded? Why on earth be a malicious bastard costing people and companies hundreds of millions in extra bandwidth costs?

Frankly, as an end user, I don't give a damn about your costs and stats. I don't care about it for amazon, ebay, myspace, or paypal. I do care that if I follow a link to an unsavory site that I am protected.

Which you can be in any case if the software in question is anything close to sensible. In your arrogance, you've completely forgotten that there might be better ideas on how to do this. Ideas that are even simpler, and that has been implemented in a lot of products for a long, long time.

I suspect that you're either extremely dim, or you work for AVG. This thread is suspiciously full of people defending AVG, without really contributing anything but hyperbole and bullshit. You're one of those "contributors".

Here is another question. Do you want a userbase that is populated by malware infected computers? Is that preferable to figuring out a way to work with AVG new technique?

Work with them!? WORK with them!? If they pick up all the bandwidth-bill-hikes they've caused globally - then sure - I would be willing to work with them. I do suspect that they would go bankrupt if they tried, though.

And why on earth should anyone work with someone who does something as foolish as this? When much simpler, better and easier solutions has existed for a long time?

No, AVG deserves all the blame they can get.

Re:Actually, vigilantism could work.

[DJProtoss]

I fully expect to see someone at AVG go to jail, anyway

Hmmm. expecting someone corporate to be held properly accountable for misdeeds these days? Optimistic at best ( although not impossible ).
but hten again I'm a cynic. Maybe I've just been here too long.

ClamAV engine scanning data while streamed

[DrYak]

For the Windows boxes I use at home, I have the A/V software set to scan only on write or modify, and exclude certain files that get written to a lot but are very unlikely to carry an infection (e.g., log files). Using this setup, files are generally only scanned a few times (depending on how the download and install system uses temporary space), but the system is still just as protected.

Well, some paranoids would argue that by doing so, you're still vulnerable to any threat between the last write to a file and the latest signature file update. An on-open scan which compares the date of the last "on-write-scan" with the date of the signature update would plug the hole.

another interesting approach is AvFS which tries to integrate virus scanning inside a file system layer and to scan the data on the fly as it is loaded (thus not blocking the execution for a long time while a huge file is accessed but scanning data as it is streamed from the underlying file system - should fix all the "drawing an installer's icon freezes the desktop" situations).

This wouldn't work if you don't really have control over the system, and someone evil came in and turned off the A/V and then loaded a virus. Just in case, though, I have scheduled full drive scans run weekly during low use hours.

Well, a physical access is a guaranteed way to compromise a system anyway. Though I don't know if you can trust the scanner once the system is compromised : several viruses are well known for hiding themselves from scan (and some do even intercept updater's access to the web and prevent downloading a signature definition of that virus - the antivirus always report a clean system but that's only because its signature file is corrupted). I think scanning from a bootable media (CD-R, usb key) would probably be more reliable.

You can... (Sort off...)

[Scorpiana]

If you right-click on a component in the AVG User Interface, you can select 'Ignore Component State'. That way the component is turned off, but the AVG icon doesn't show anything wrong.

Hope this helps...

Jumping the shark

[Joce640k]

Version 8.0 has killed AVG for me. It's slower, does more popups, kills legitimate programs (eg. VNC), and now this...

I'm a paid up AVG user but I'm looking elsewhere.

Why support AVG?

[ari+wins]

I'm sure the users will just go elsewhere for their porn. The thing I don't understand is this: I've used free anti-virus in the past, and if one became bloatware or less updated after a while, I'd simply switch to another free program. Why are people defending AVG when the time would be better spent doing a minimal amount of research and grabbing something else?