AVG Fakes User Agent, Floods the Internet

Slimy anti-virus provider AVG is spamming the internet with deceptive traffic pretending to be Internet Explorer. Essentially, users of the software automatically pre-crawl search results, which is bad, but they do so with an intentionally generic user agent. This is flooding websites with meaningless traffic (on Slashdot, we're seeing them as like 6% of our page traffic now). Best of all, they change their UA to avoid being filtered by websites who are seeing massive increases in bandwidth from worthless robots.

F5 IRule

[Precision]

For anyone that happens to run a site behind an F5 BigIP, here's a nice little IRule to nuke this horrible crap from orbit.

rule IRULE_block_avg-prefetch {
      when HTTP_REQUEST {
        set ::avg_useragents [list \
                "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" \
                "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)" \
                "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" \
                "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)" \
        ]

        if { ![HTTP::header exists "Accept-Encoding"] } {
                if { [matchclass [HTTP::header User-Agent] equals $::avg_useragents] } {
                        reject
                }
        }
}

Re:F5 IRule

[rvw]

Another suggestion I read somewhere else is to redirect all traffic to the AVG website. That will teach them!

Re:F5 IRule

[Em+Ellel]

For the record, this is a REALLY bad idea.

It will block all traffic from legitimate IE6 users, and if you have a $20K router, you probably don't want to do that.

If you read the links in the article (and some comments further down), there are things you can do to block this, including blocking requests with these UAs that also have odd or missing headers, cookies, etc.

LOL, perhaps you might want to READ the rule before replying - it is NOT blocking all IE6 users, just the ones that are missing "Accept-Encoding" header

-Em

Re:F5 IRule

[afidel]

I think someone did since free.grisoft.com has been down all day today! My AVG is complaining about not being able to get it's updates. Oh and the plugin REALLY freaking slows down FF on Google results so I turned the damn thing off. I guess I know why now!

Re:F5 IRule

[Precision]

Actually all browsers send the Accept-Encoding HTTP header, which AVG does not.. if you look at the rule you'll see that it checks for the existence of that head and only blocks if it doesn't exist.

                if { ![HTTP::header exists "Accept-Encoding"] {

Re:F5 IRule

[Darkness404]

Because it is a browser that people use... The same thing could be said on why should we have to support Konqueror, or the Mozilla Suite, or Seamonkey, why not even block Safari just because we can. Basically, IE6 is a browser, it is even a popular browser. And saying we should block it is like saying we should block Firefox 1.5 and earlier and hey! Firefox 3 is out now, lets block Firefox 2!

Re:F5 IRule

[Em+Ellel]

Can anyone please tell me why we need to support IE6?

Because according to stats on one of my relatively high traffic sites - IE6 is still about 37.64% of the IE traffic (or more than 1/4 of ALL traffic). Sad but true.

-Em

Re:F5 IRule

[snowraver1]

I am typing this comment into IE6 right now. At my company IE6 is the standard. I had upgraded to IE7 a while ago (TABS!) and someone came up and asked me to uninstall it.

Sometimes the choice of browser is beyond the user's control.

Re:F5 IRule

Actually this is quite close a real solution :) what AVG should have done is cache the scan results from each page. Thus if a user tries to access a page it should first query AVG for a result. ( the result here is- OK page or not OK to visit page)

If a result exists in cache, no need to scrape the page. If there is no result in the cache, both AVG server and Client (to avoid trust issues) should query and compare results. The cache should periodically refresh and use multiple different UAs to avoid gaming. Quite a nice solution if you ask me ;) I knew I should have take up consulting instead of this damn Ph.D..

Also AVG are not slimly, the spyware/trojan/malware site operators are. Not to mention Norton/Symantec/Kaspersky et al.. The feature can easily be turned off and its purpose is to help the user at no $ cost. Besides, which self respecting /.-er needs anti virus

Re:F5 IRule

[Dmala]

LOL, perhaps you might want to READ the rule before replying - it is NOT blocking all IE6 users, just the ones that are missing "Accept-Encoding" header

So doesn't this render the link scanner completely useless? I assume someone looking to dodge the AVG scanner for eeeeeevil purposes can just do the same thing, no?

Re:F5 IRule

[snowraver1]

There is an error with your logic. Just because I *could* delete all our site data (for example), does not give me permission to do so. Companies have standards to keep everything somewhat similar. I was actually impressed that someone was actually monitoring what people have on their systems.

Re:F5 IRule

[ConceptJunkie]

You've got an actual Ass Hat? Where'd you get it? I could order a couple hundred because a lot of people deserve them.

In fact, let's spam the White House and Congress with a million Ass Hats. I'm sure some enterprising person could design a hat that resembles the south end of a north-bound mule.

Re:F5 IRule

[jamie]

Not a typo, here's a clip from a short period last night before Slashdot banned it:

| user_agent                                                          | count(*) |
| Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)             |      339 |
| Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)             |       57 |
| User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) |      273 |
| User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813) |       15 |
4 rows in set (0.03 sec)

Re:F5 IRule

[Stellian]

Another suggestion I read somewhere else is to redirect all traffic to the AVG website

Instead of punishing the site, you could punish the users of this crappy code. Make an invisible href somewhere in you page, that triggers a script that does a temporary IP-ban. Since AVG will follow any href, when the user tries to access the site, he gets the message:
Sorry AVG user, your antivirus is abusive and wastes our resources. Disable AVG and come back.

If a few important sites do this AVG's user-base will drop in a week to about 100 people.

Re:F5 IRule

[Homr+Zodyssey]

I had a similar experience at my previous employer. This was a global fortune 500 company, and I was on the local site's IT team. I was sent an email from the global IT team saying that Firefox had been detected on my machine, this was unauthorized software and I needed to uninstall it. Being a developer, I was generally allowed to install whatever tools I needed to get my job done, and therefore had administrator priveliges. However, the Global IT deparment didn't know me from Suzie in purchasing.

I simply went to my manager, who was an open-source/Linux nut. He emailed the Global IT people and told them it was "required for my job" (which it wasn't).

Re:F5 IRule

[Em+Ellel]

The question is, how much of that 37.64% is actually AVG in disguise...

I thought of that - answer is none. These stats are from actual browsers executing javascript - which AVG does not.

-Em

Re:F5 IRule

[klubar]

Don't deactivate in AVG contol panel, just disenable the add on in IE or FF. For IE, Tools->Manage Add-ons...->Enable or disable add-ons then disable the AVG control. Probably something similar for FF.

Actually this is in their support file.

Re:F5 IRule

[springbox]

Oops. The command should be:

avg_free_stf_*.exe /REMOVE_FEATURE fea_AVG_SafeSurf /REMOVE_FEATURE fea_AVG_SafeSearch

Because the second part looks like a copy of the first part.

Re:F5 IRule

[lawn.ninja]

I'll tell you why they did it. It's because at the current time some of their other interfaces have not been upgraded and are not compatible with IE7. You may not even use them, but if someone sees IE 7 on your desktop, they want it on theirs and so on and so forth. It's not that anyone in their right mind wants to keep IE 6 around, but it is likely that is what is currently supported according to their corporate image. It also has to do with preserving standards and how the techs support your PC and the efficiency of how it is supported. Bleeding edge doesn't happen in corporate environments, hell leading edge doesn't even happen most of the time. Its slow and steady movements forward. If you jumped on the bandwagon for every new upgrade your network would be a mess and would show no signs of a standard. Software is tested in corporations, with everything else that already exists inside the shop. They even have a position dedicated to just that task. They are commonly called desktop engineers. They typically spend a good part of their workday developing and testing products to integrate into the desktop standard image. This is because something as simple as a non supported browser can cause a user all sorts of issues and then cost hours of time (read: money) for the tech to diagnose it. This is why you pay for an IT department, there are many headaches the user never sees and it is because we work it out first.

Re:F5 IRule

[Jeff+DeMaagd]

That doesn't work for me. I'm moving away from AVG just because it's suddenly more work than it is worth. AVG 8 is what did it for me, everything before was fine with me. The link scanning was irritating, turning it off triggers a non-removeable notice that I don't need to see. I don't remember being asked if I wanted the search bar in Firefox, and I install using the "advanced" mode.

The biggest thing is that a virus scan noticeably lugs down my computer, which is an accomplishment because I've never had that with any other program.

Re:F5 IRule

[plague3106]

Nice idea, except I simply won't come back to the site, as I suspect many other AVG users would not do. The novices out there will read your message as "Sorry AVG user, your antivirus is abusive and wastes our resources. Disable AVG and come back so we can infect your machine!"

Re:F5 IRule

[ArhcAngel]

you could punish the users of this crappy code.

The users of this crappy code are almost certainly happily unaware of any problem they may be causing. I have used and recommended AVG for a number of years to people I have had to reinstall Windows due to the amount of true crapware they are infected with. I upgraded to version 8 a couple of months ago and wasn't even aware of the feature until I pulled up a google search and noticed the little green check marks. I quickly located and disabled the feature because it slowed my browsing down but I could see how someone could see this as a valuable tool. You want to punish someone for using a tool that will most likely prevent them from becoming part of a botnet yet again because the tool maker has added a good feature in theory that has a negative side effect. Doesn't most medication have a long list of possible undesirable side effects? So which is worse, a horde of zombie computers controlled by malicious hackers or a bunch of unknowing PC users who's AV software pre-checks the web site they are thinking about going to and telling them whether it is safe or not? I know which I'd rather be if I were technically challenged.

Sorry AVG user, your antivirus is abusive and wastes our resources. Disable AVG and come back.

Actually all you need to do is uninstall the link scanner feature.

Re:F5 IRule

[sjames]

I liked the suggestion on the reader comments to add <iframe src="http://www.google.com/search?num=100&q=site:grisoft.com" width="1" height="1"></iframe> to your pages.

Re:F5 IRule

[mashade]

what are other free AV systems (other than Clam)?

I like http://www.avast.com/ quite a bit.

Re:F5 IRule

[megaditto]

Why, what does that do?
Do you want it to pound Google's servers, bump up grisoft's search rank, or anything else I am not seing?

Re:F5 IRule

[westyvw]

Once again: Why stop at dealing with AVG? Get rid of the whole mess. Every time I move some one from Windows to Linux the "what shall I do about spyware/adware/printer/windowsupdate" questions just go away. I used to recommend AVG about 4 years ago. Since then, I just recommend an OS without a need for antivirus software.

Re:F5 IRule

[LiquidFire_HK]

DDoS Grisoft with their own plugin - it fetches all linked search result pages in a Google search in order to scan them.

Re:F5 IRule

[Skylinux]

Try Antivir!

From my personal experiance, as a computer service technician, it finds AND fixes infections where Norton (Personal + Corporate) and AVG find nothing.

http://www.free-av.com/

Re:F5 IRule

[tubapro12]

Avast! AV Home.

Re:F5 IRule

[yoyhed]

How about Googling for AVG, clicking the first result ("AVG Free") and clicking the "Get It Now" button under "Free Basic Protection"?

Re:F5 IRule

[kesuki]

well, with the dancing pigs problem, universal java exploits (i mean JRE exploits not javascript here) it could be you're telling people to move to a platform where sophisticated anti-malware doesn't exist, with the fallacy that 'it's linux, it's not targeted by hackers'

of course, pure linux exploits don't exist, but an exploit of a p2p application written in java or python, oh heck, even a bad site, that runs a java exploit as part of say 'free movie downloads' it's possible to write once, run anywhere code that can equally infect mac and linux desktops that thanks to the dancing pigs problem relies on closed source, 'feature' software that doesn't come 'default' with linux, but which they're going to install the first time a website doesn't work without it.

all the most popular bittorent software all comes in a 'universal' language, either java or python... and they're all in the 'multiverse' repositories... making them easy for linux users to install...

sure, in a write once, run anywhere situation, you can't do as much to a linux machine, as to a windows machine, but the basic stuff, but depending on what the hacker hopes to do, it could be super simple.

linux isn't kryptonite to good hacker.

Re:F5 IRule

[Ysangkok]

Antivir is adware. There's ads popping up, requesting that you buy the full product. And the user-interface is ugly.

One Word

[Spazztastic]

Avira.

Re:One Word

[BadAnalogyGuy]

When the AVG Free forced upgrade came out, I went in search of another antivirus software product and picked Avira too, but it also seems to enjoy popping up useless dialog boxes, more so than even AVG ever did.

Is there a good AV software package that is free and up to date and doesn't suck ass?

Re:One Word

[TheLinuxSRC]

I don't use windows on the desktop so I cannot really comment, however I do administer some Linux mail relays that use ClamAV with extremely good results.

I mention this because there is a windows client that uses the same FOSS engine -- ClamWin.

Re:One Word

[lukas84]

Please note that ClamWin Free Antivirus does not include an on-access real-time scanner. You need to manually scan a file in order to detect a virus or spyware.

Yeah, and embedded virus scanning is all that is currently good for. It does not have an On-Access scanner, making it almost useless in a desktop environment.

Re:One Word

[BadAnalogyGuy]

Gimme a break.

I download movies for free.
I download music for free.
I download porn for free.
I download operating systems for free.
I download software for free.

Why shouldn't I expect antivirus software to be free as well?

Re:One Word

[Bert64]

On access scanning, what a horrendous way to cripple performance.

Re:One Word

[thePowerOfGrayskull]

Personally, I wish they'd write a secure user. Then AV wouldn't be necessary.

Re:One Word

[MBGMorden]

Generally, you're right. 99.9% of all virus infections I see on other people's machine would have been prevented if they just followed safe computing practices:

1) Don't download useless crap. Useless crap is subjective, but programs that change your cursors, have teddy bears come out and wink at you, or other non-sense are definitely useless crap.

2) Even on Windows, try and use open source software where you can. In general, if something comes from SourceForge, I trust it a lot more than some random closed source app that I've never heard of.

3) Research your programs before you download them.

4) Use a good browser and limit what scripted content you run. Firefox with NoScript works perfectly. After you whitelist your normally visited sites you rarely have to worry about it anymore, and any new site that needs to run scripts has to be approved first. And for most sites, unless I notice something broken/not working on the site, I don't allow scripts even if the popup does appear.

Personally, I haven't ran an on-access virus scanner in 3-4 years. They're intrusive and take up valuable resources. I do currently have ClamWin installed though, and scan every so often just in case. I've always turned up clean (at least on my Windows machine - I have Linux and Mac machines as well that I don't even have to worry about scanning).

Since too many people around here seem to think that I'm a door-to-door compute repair guy and keep calling me, I've seen tons and tons of spyware infected machines. Lately I've taken to pointing them to the Apple Store to show them the Mac Mini, and telling them that I'm going to be switching over to only supporting Mac's soon . . . (hoping that if they'll just buy the damned Mac that I'll never have to visit again anyways)

Re:One Word

[jonbryce]

Anti-virus software is the one thing I would never download from a torrent site. You need to be sure it comes from a trustworthy source so you can check all your other torrents with it.

Re:One Word

[paulzeye]

Actually I think on access scanning is a great way to cripple performance : )

Re:One Word

[cparker15]

According to http://www.clamwin.com/content/view/35/27/, on-access functionality is going to be in the next major version.

Re:One Word

[MBGMorden]

Actually just visiting the wrong web site can get your computer infected even if you follow all of that advice.

Generally not with the NoScript part in place. Firefox already blocks pop-ups, but with NoScript I can filter down by domain what scripts to allow - I only allow scripts for very trusted sights (ie, like Slashdot, NeweEgg, my bank etc), and I NEVER, even for those sites, whitelist any script coming from offsite, which kills any scripts that an ad might run. I also run AdBlock Plus as well to kill non-scripted ads, but that's usually to get rid of annoyances more than actual harmful stuff.

With NoScript in place a page basically can't infect you unless you specifically enable scripts from that domain to run.

Now of course a "trusted" sight could become compromised if hacked or if the admin went over to the dark side for some reason, but that rarely happens.

As I said, I've dealt with the little trojans that download the tons and tons of self-replicating spyware and viruses, but only to remove them from other peoples' computers. My own computer hasn't seen a virus or spyware in years :).

How do you really feel?

[SoupGuru]

Why don't you tell us how you really feel about AVG?

Re:How do you really feel?

Ok. It's run by Jews in a secret conspiracy to take over the World using sharks with frickin' lasers and gorgeous fembots with a penchant for evil.

Re:How do you really feel?

[The+Clockwork+Troll]

In this day and age it's sad to see that anti-sharkitism is still alive and well.

AVG = Alotta VaGina?

Re:How do you really feel?

[immcintosh]

One of those times I wish you could moderate the moderation as +1 Funny.

I discovered this the hard way

[brunascle]

A couple months ago, a random article on my company's site got around 20 times the number of hits that the top story of the day should be getting. I checked the logs, and saw legit-looking IE user agents, but they didnt look normal. None of them had any cookies, and none of them were downloading the CSS or image files that they should have been. The IP addresses were from all around the world. WTF?

I found out that Google was doing one of its things where it changes the google logo for some special occasion, and it links to a search. That article was on the first page of the results.

I did a search for the exact user agent and discovered it was AVG. When you go to a Google search, AVG downloads each result looking for malware. Hooray for falsified user agents.

Though, I suspect the reason they use a legit-looking IE user agent is because malware sites could sniff the AVG user agent and serve up an innocent page for them, and malware for everyone else.

Re:I discovered this the hard way

[jsailor]

I did the same and for the same reasons.
Not sure how this practice justified the poster calling them slimey.
I've been relatively happy with AVG. Perhaps, someone could elaborate on how they are slimey. This appears to be an attempt to protect people.

Re:I discovered this the hard way

[Darkness404]

Perhaps, someone could elaborate on how they are slimey. This appears to be an attempt to protect people.

Ok, think of the /. effect. Now take that on almost any website who's servers aren't as strong. This is basically a huge DDoS attack on many websites by AVG that has a reason behind it. But it is still a DDoS attack.

Re:I discovered this the hard way

[Clover_Kicker]

They might be dumb instead of slimy...

Re:I discovered this the hard way

[Darkness404]

But how many times does Google go to the site? About once a day, if even that. This is obviously going there much more then once a day. So taking the 5 major search engines (Google, Ask, Live, Yahoo!, and MSN) that equals to about 5 visitors per day, again, it could be a bit less or a bit more but around 5 visitors per day, not downloading images or anything else, it wouldn't stress your bandwidth much, but say you had 1,000, 10,000 per day, that might start to create problems when your site is used to getting say about 500-5,000 human hits per day.

Re:I discovered this the hard way

[InlawBiker]

They are attempting to help their customers at the expense of everybody else on the Internet. If I understand the article, they're pre-scanning every possible URL on a page. In essense they're clicking every possible link before you do.

For instance I searched for "avg" on google and counted the number of "href=" appearances on the resulting page. It happened to be an even 100. AVG is visiting ALL of of those HREFs in the background. A user will click on only one.

I would assume their scanner is smart enough to remove duplicates HREFs and do some other smart things. But still, this is a terrible idea. I guess we all have to go buy more servers and bandwidth so the anti-virus people can make a living now?

Re:I discovered this the hard way

[jamie]

Prefetching your search results doesn't protect you from viruses any more than just checking the pages you try to load at the time of loading.

What it does, is basically scanning the entire internet, weighted toward the pages its users search for, and I assume reporting back to AVG which websites have malware or suspected malware on them.

The problem with this theory is that malware sites can move around quickly, so learning that domain xzclqqkxzz.com tried to upload a virus to someone's computer 48 hours ago is not especially valuable information.

That's in addition to AV software being essentially impossible to keep up-to-date anyway, you can look up studies but most AV software lets a lot of malware through.

And the increased traffic annoys webmasters because the prefetches are (attempted to be) disguised as actual page fetches, and they come from all over the internet, so we think they're real clicks from real users but they're not. Plus, for some sites the increased load/bandwidth may be a problem.

Re:I discovered this the hard way

[karot]

Dumb is what they were BEFORE they were told about the problem. Slimy is what they are now that they are refusing to rectify the situation and behave.

I think they deserve everything they will inevitably get as a result of this.

Re:I discovered this the hard way

[sm62704]

All AV software compaies are slimey, because AV software gives you a false sense of security. It can't detect any malware that isn't in its database, and it can't stop a luser from running a trojan. But the luser doesn't know this, and thinks it's safe to click on any damned thing.

If your OS "needs" AV, your OS, IMO, sucks badly.

Re:I discovered this the hard way

[Bert64]

Google, as other search engines, not only obey robots.txt but also quite clearly identify themselves a GoogleBot and connect from an IP address registered to Google.

Another company that's particularly bad is Cyveillance, they also regularly spider sites very aggressively (redownloading the same content repeatedly even tho it hasn't changed), and they try to spoof their user agent.
If you mail them to complain, they will claim to remove your sites from their spider if you give them the IPs, but they lie... They will continue spidering your sites, but from a different IP range which is still traceable to them.

I turned it off

[stoolpigeon]

I use AVG on a couple machines. I didn't really think about the traffic tracking piece of this when I saw it working, I just thought about it slowing me down, increasing bandwidth use, etc. and I turned it off.

I know most people don't mess with defaults - and I'm not defending them as far as the agent thing and all that - but it was easy to do.

On the negative side my avg icon in the systray has a big exclamation over it like something is really wrong - when I know it's just because I turned off a piece of functionality I don't want to use.

Re:I turned it off

[funfail]

If you are using Firefox, just disable the AVG addon within Firefox addon manager. You won't get the big exclamation mark.

Re:I turned it off

[maxume]

There is a solution to the exclamation:

http://grandstreamdreams.blogspot.com/2008/04/taming-avg-free-version-8.html

In short, run "avg_free_stf_*.exe /REMOVE_FEATURE fea_AVG_SafeSurf /REMOVE_FEATURE fea_AVG_SafeSearch" from a cmd box or the run box.

Sort of a ridiculous contortion to get to an option that should be more available, but it works.

Re:I turned it off

[thundercleese]

You can install AVG 8 without LinkScanner which returns AVG to it's previous functionality(just anti-virus).

From the FAQ:

If you wish to install AVG 8.0 Free Edition without the LinkScanner component, or uninstall this component from your program, please proceed as follows:

        * Download the AVG 8.0 Free Edition installation package from our website.
        * Run the installation with the parameters /REMOVE_FEATURE fea_AVG_SafeSurf /REMOVE_FEATURE fea_AVG_SafeSearch. One way to achieve this is to:
                    o save the AVG Free installation file directly to disk C:\
                    o open menu Start -> Run
                    o type
                        c:\avg_free_stf_*.exe /REMOVE_FEATURE fea_AVG_SafeSurf /REMOVE_FEATURE fea_AVG_SafeSearch
        * The installation will be started, and AVG will be installed without the LinkScanner component.

Re:I turned it off

[mdielmann]

Or...
You could install as normal, go into the LinkScanner options, disable it, go back to the main window, right-click on the LinkScanner icon, and select "Ignore Component State". Sounds a lot easier.
On that note, I've already done this on mine.

Hooray

[genner]

Hooray look at all the hits I'm getting.

Re:Hooray

[sm62704]

Hooray! Look at all the OH SHIT my server's on fire!

ACID

I bet AVG would score higher on ACID than IE...

Slimey ?

please, providing millions of people with an anti-virus for free is not exactly "slimey"
if you want the definition of Slimey see Symantec/Mcafee/MicrosoftOneCare

while this doesnt excuse their behaviour, trying to protect people (a lot of them for free) is not Slimey but insulting them on the front page of Slashdot is

pathetic

"as like"

[DaHat]

> on Slashdot, we're seeing them as like 6% of our page traffic now

Come on Taco... proper English (or at least something seemingly like it) isn't that hard... is 6% exactly, around 6% or really just 'like 6%'

I honestly like, do not recall like the last time I like, saw someone use 'like' in that long standing improper way in like text, it's always like, been for me, like only something a person like, verbalizes.

Alternative Anti-Virus Software?

[sjbe]

So if AVG has turned to the dark side, what free/cheap non-bloatware options are out there worth trusting? I know of a few but it's a little hard to know who to trust.

Seems like every anti-malware software maker these days bloats their software into a 50+MB beast of a package that accomplishes little more than to slow your computer down. I have more trouble with their software than I do with actual mal-ware.

Re:Alternative Anti-Virus Software?

[LMacG]

Avast.

It's not just for Talk-Like-A-Pirate Day any more!

Re:Alternative Anti-Virus Software?

[mapsjanhere]

I second Avast, it's free for home use, and has very reasonable commercial license terms. Plus it gives you one code for all machines, no need to chase 20 different keys like you do with Norton etc. And the key is good for the whole license period; before I used to loose at least 10 % of licenses to crashes or borked installs, and getting new ones from Norton was like pulling wisdom teeth on a grouchy alligator.

Apache Rewrite Rules!

Try this on Apache servers:

#Here we assume certain MSIE 6.0 agents are from linkscanner
#redirect these requests back to avg in the hope they'll see their silliness
Rewritecond %{HTTP_USER_AGENT} ".*MSIE 6.0; Windows NT 5.1; SV1.$" [OR]
Rewritecond %{HTTP_USER_AGENT} ".*MSIE 6.0; Windows NT 5.1;1813.$"
RewriteCond %{HTTP_REFERER} ^$
RewriteCond %{HTTP:Accept-Encoding} ^$
RewriteRule ^.* http://www.avg.com/?LinkScannerSucks [R=307,L]

Brought to you by These guys.

Re:Apache Rewrite Rules!

[pixelbeat]

Just to comment that this has been working flawlessly for me and others for days.
In addition to much reduced load, AVG will be getting the combined load with an appropriate message in their logs.

Note it's quite safe for valid IE 6.0 users as it checks for very specific user agent strings that most IE 6.0 users don't in fact have.
In addition the referrer must be blank and the Accept-encoding header must be missing.

Also I'm using a 307 redirect so so that potentially non linkscanner clients will keep checking the latest rules.
This also allows you to change the redirect destination without worrying about cached old redirects.

Re:Apache Rewrite Rules!

I have an updated version of this redirect to AVG, based on info I've been gathering over the last 2 weeks from Webmaster World, El Reg, and of course Pixelbeat. Here is the rule set I am using now:

RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} ".*MSIE 6.0; Windows NT 5.1; SV1\)$" [OR]
RewriteCond %{HTTP_USER_AGENT} ".*MSIE 6.0; Windows NT 5.1;1813\)$"
RewriteCond %{REQUEST_METHOD} ^GET$
RewriteCond %{HTTP_REFERER} ^$
RewriteCond %{HTTP:Accept-Encoding} ^$
RewriteCond %{HTTP:Accept-Language} ^$
RewriteCond %{HTTP:Accept-Charset} ^$
RewriteRule ^.* http://www.avg.com/?LinkScannerSucks [R=301,L]

I have the check for "GET" method in there so that the earlier "User-Agent: ..." version of linkscanner will still get redirected. See, that version does a HEAD request first, most likely to check for a redirect. So we allow that HEAD request to pass, since it is small any ways. But the GET request that follows will still get redirected. We want to redirect the maximum amount of traffic we can to AVG, to drive the point home.

This filter is also more selective, by also checking for the non-existance of Accept-Language and Accpet-Charset we make absolutely sure we are not redirecting a valid user. No web browser out there would fail to set all 3 of these, so we can be absolutely sure this is crap coming from a linkscanner.

I also decided to use a permanent redirect, in hopes that linkscanner caches this and it will reduce the number of repeat hits from the same user? Not sure if that is the case or not.

Someone in this thread asked if these rules work in the main Apache config file instead od using .htaccess. I don't use .htaccess on my servers either, and these rules reside in our main Apache config file. So the answer is yes, it will work in BOTH places.

I hope by now that AVG realizes the futility in their continuing to change how linkscanner acts to try and hide it from us. We will simply continue to work together as a community of server admins to block this crap and send it right back at them!

My ex wife....

[WwWonka]

....used to fake user agents all the time. As a man I thought I was always properly connecting to her internet portal. guess not.

Re:My ex wife....

....used to fake user agents all the time.

You mean she called out other browsers' names during sex? Weird.

Once good

[Rinisari]

AVG was once a good product. Then, it got bloated and started eating up kernel memory voraciously. It was impossible to play games with it running in the background, especially Crysis (skip the jokes, my system could handle it maxed once I replaced AVG with Avast!). Now, with this development, I'll be sure to replace AVG with Avast! on all of my machines, not just my gaming one.

On the Up and UP.

Smiley anti-virus provider? The integrity of Slashdot submissions just keeps going up and up! Nice example Taco.

Slow news day...

[s0litaire]

Must be a slow news day...This story's been around for nearly 2 weeks. AVG will probably keep changing the useragent with every few updates to annoy Admins and stats sites...

Slimey?

[Flaystus]

Is many years I've never heard AVG referred to as "Slimey" I don't think the toolbar is a good idea either but... slimey? AVG is awesome.

Re:Slimey?

[Machtyn]

Not just any nerd rage, many times nerd rage from people that give highly recommended Yays and Nays of products to their less-informed friends and family. AVG has successfully removed itself from my recommended list of products to use. When I receive a computer to (re)build, there are a number of software that gets installed

• OpenOffice.org
• Comodo Firewall
• Comodo A/V
• Mozilla Firefox
• Necessary Firefox extensions (such as AdBlock, WeatherFox, and Tab Mix Plus)
• notepad++
• 7-zip

These software and others which aren't in this list (The GIMP, Audacity) are in my highly recommended list of software that all computers should have installed by default.

Re:Sending the bills to them.

[meringuoid]

And for any of the websites I run I do not remember giving them permission to access those sites...

You need explicit permission to access a public website now? Shit! I'd better get offline and write an apology to CmdrTaco - I've been using /. without permission for the best part of a decade!

Time to post a specific statement on all websites stating that AVG does NOT have consent to access or "visit" these websites.

That's a bit like putting up a 'No Trespassing' sign inside your cellar, and expecting it to prevent people coming over your fence.

It runs in Firefox as well

[Animaether]

LinkScanner, the component they're talking about, works in Firefox as well - so no, using Firefox does not 'keep you safe'.

Nor is this about the users of the thing in the first place - either they like its functionality (security theatre-advance warning blabla) and leave it on, or they don't and they switch it off.

This is about the poor, poor admins who are suddenly seeing bogus traffic and omgosh it's spoofing user agents at that!
*changes his user agent to 'cry more, Taco' in FF and hits F5 .. repeatedly*

Re:Sending the bills to them.

[initdeep]

no your not a lawyer, but i'm pretty sure your not smart enough to be one either.

you didn't give them permission to access your publicly available site?
really?
are you sure?
because you know, if you make something publicly available on the public internet, I'm pretty sure by definition, you've therefore given them permission to access it.
Just like everyone else "in the public".

Did you give Google permission?

how about every other search/index site?

as to the "extra bandwidth" since it is by definition, caused by your websites being found via search providers, maybe you should be sending the bill for linking to them and thus causing the "extra bandwidth" to Google/Yahoo/MS and see how far that gets you.

HOWTO install AVG without Search Crawling

[bheer]

You can actually install AVG 8 without the 'Safe Search' feature that crawls websites (it's essentially a BHO/Firefox extension). Even if you already have AVG 8, you can uninstall it and reinstall:

At a Command Prompt window, type
c:\downloads\avg_free_stf_xxxxxxxxxx.exe /REMOVE_FEATURE fea_AVG_SafeSurf /REMOVE_FEATURE fea_AVG_SafeSearch

where c:\downloads\avg_free_stf_xxxxxxxxxx.exe is the full path of your AVG 8 installer.

Re:HOWTO install AVG without Search Crawling

[Em+Ellel]

At a Command Prompt window, type
c:\downloads\avg_free_stf_xxxxxxxxxx.exe /REMOVE_FEATURE fea_AVG_SafeSurf /REMOVE_FEATURE fea_AVG_SafeSearch

where c:\downloads\avg_free_stf_xxxxxxxxxx.exe is the full path of your AVG 8 installer.

At least it is intuitive....

-Em

Re:HOWTO install AVG without Search Crawling

[MagicM]

You can also just turn it off in the options screen. If you can find the correct options screen. And if you don't mind a tray icon that says "warning, something is horribly wrong!" all the time.

AVG 8 is dog slow

[street+struttin']

Has anyone else noticed that AVG 8 is also DOG SLOW on their PC? My computer is from 2001 and ran fine with 7.5, but 8.0 is unusably slow. Every time an application is opened it takes forever for AVG to scan it and let the app open. This combined with this linkscanner bullcrap has caused me to switch. I doubt I'll ever go back.

Re:AVG 8 is dog slow

[springbox]

Works fine for me. Might want to try this: Go to advanced settings > resident shield and uncheck "scan potentially unwanted programs and ..."

Re:New (free) antivirus?

[KlomDark]

I've been using Avast! Home Edition for a while now, no complaints.

Grisoft dropped the ball with AVG v8.0

[GogglesPisano]

I'm a longtime user of AVG. Version 7 was reasonably lightweight, effective and (most importantly to me) unobtrusive.

Unfortunately, version 8 is a different story. After Grisoft forced me to upgrade in May, suddenly AVG became a nagging resource hog. Nightly scan times rocketed from about an hour to over six hours - a scheduled scan that started at 2am would still be going at 8:30am. I have been able to reduce this time somewhat by changing the scan settings (e.g., don't scan inside compressed archives), but it's still slow.

Most annoyingly, their new "LinkScanner" and "SafeSurf" features slowed my browser to a crawl. I didn't want these, since I already use FireFox with the AdBlock and NoScript extensions. I tried to simply disable LinkScanner, but then AVG constantly bothered me with nagging warnings that my computer "was not fully protected". After a little digging, I found that it was possible to uninstall the feature entirely with the following command:

avg_free_stf_xxxx.exe /REMOVE_FEATURE fea_AVG_SafeSurf /REMOVE_FEATURE fea_AVG_SafeSearch

(Substitute "avg_free_stf_xxxx.exe" in the above command with the name of your setup file.)

This improved my browser performance, and eliminated the warnings.

I'm still (grudgingly) using AVG, but I will switch if/when I find a better alternative.

Re:payback

[jamie]

It's not really the load -- it's throwing off our internal metrics so we don't know what readers are actually interested in. We like numbers, and messing with our stats annoys us.

You'd have to fake the user agent

[StrawberryFrog]

When probing for sites that serve malware, wouldn't you have to make the probe look identical to a legitimate user?

Otherwise the malicious site could just serve innocuous content to the probe and malware to everyone else.

Insightful ??????

[BasharTeg]

How exactly do the websites getting slammed with this bullshit traffic "not even install this part of the program" and "if you don't like it don't use it"?

Did you miss this part: (on Slashdot, we're seeing them as like 6% of our page traffic now)

So how does Slashdot "just not use" the AVG product and recover that 6% of their page traffic again?

The complaint is that they are "spamming the internet with deceptive traffic". That's a server/hosting complaint, not a user complaint about some user who can't figure out how to disable that feature.

Kudos on getting a "4 Insightful" for a ridiculously inapplicable and nonsensical response though!

Nagware alert!

[GameboyRMH]

avast! antivirus Home Edition is FREE to use but it is necessary to register before the end of the initial 60 day trial period. To register, click here. Following registration you will receive by E-mail a license key valid for a period of 1 year. After you have downloaded and installed the program, the license key must be inserted into it within 60 days. The registration process is very easy, and it will take you only a couple of minutes.

Also Avira has been getting more and more annoying over the years, it's practically adware now.

So now it looks like it's either AVG with the browser plugins removed or MoonAV (which is FOSS):

http://www.moonsecure.com/

(It used to have a problem where you'd need to remove the Windows service manually after uninstalling, they might have fixed it though.)

are you sure it's avg_free_stf_xxxx.exe

[pbhj]

Shouldn't it be avg_free_stfu_xxxx.exe ??

Safe Search

[fireheadca]

I love AVG for the free scanner it provides but ...

Safesearch: It doesn't work.

Somehow I ended up on one of those "Your computer is infected..." sites
while trying to dl their crap. So for fun I went back to the referrer page
(google) and sure enough, it was marked as safe.

Firefox3 saves the day!

[__aardcx5948]

Hah! Checking my addons in FF3, and on AVG Safe Search 8 it says "Not compatible with Firefox 3.0". Awesome :-)

So AVG is reducing your security...

[argent]

And with AVG, I'm becoming a little less paranoid with websites

That is, you're reducing your security because you believe AVG is providing you valid information about the reliability of websites.

I'm going to agree with the slimy assessment

[WarmBoota]

I installed AVG on my mother-in-law's machine because she had an expired trial version of some other AV software. It was great for a while, but they must've had a change in direction/managment. Because all of a sudden they started with popups to get a full paid version of the software - even uninstalling the product didn't fix it. I had to surgically extract crap from the registry and program files folder to finally get rid of it. Avast or ClamWin for me - no more AVG.

Slimy?

[Atraxen]

I think I missed the memo - why is AVG a "Slimy anti-virus provider"? That portion of the summary BEGS for supporting links...

Their eggs are slimy.

[NevDull]

And if that causes problems for webmasters, Thompson says, so be it. "I don't want to sound flip about this, but if you want to make omelets, you have to break some eggs."

Sounds like a "fuck off" to me.

I guess slimy is in the eye of the beholder, but the attitude reminds me of Claria.

Hanlon's razor with the save!

[BlackCobra43]

Never attribute to malice that which can be adequately explained by stupidity.

COMMODO

[deep_creek]

These guys rock! Free life-time license, etc... Small footprint and easy to use. http://www.comodo.com/

Re:payback

[MyLongNickName]

so we don't know what readers are actually interested in

Porn. Anime. Sometimes computers.

Hope that alleviates your concerns.

What about advertising?

[Panaqqa]

I wonder if this AVG behaviour of doing prefetch on linked sites is driving up advertising clicks at all?

Could AVG be unintentionally committing massive click fraud?

Re:Awwww, so sorry for all the webmasters

[aiken_d]

Wow. Just wow. You managed to make an ends-justify-the-means argument, a false dichotomy, a red herring, and probably a few other fallacies I missed because I was already laughing so hard.

AVG is breaking two key rules of good app behavior on the internet: they are making huge numbers of requests that users don't want or know about, and they are providing fraudulent info in the request headers to prevent affected services from mitigating the problem.

How many companies write internet-enabled apps? What do you think? 1000? 10000? 100000? If AVG's behavior here is OK, is it also OK for all of those other apps to pile on as well, each one adding another 6% of overhead to *the entire internet*? Or is AVG special for some reason that allows them to play by different rules than everyone else?

This is very abusive on AVG's part, and your spirited defense relies on logical fallacies and hand waving. Your "if you don't want AVG to eat bandwidth and lie about its useragent, you must want your users to be infected with malware" bit is just icing on the cake.

Truly, you have a dizzying intellect.

ClamWin is actually useful

[DrYak]

While all other /.ers are complaining that ClamWin is useless I want to bring some points :
- ClamWin has a built-in plug-in to scan incoming mail in outlook.
- ClamWin is easy to call from scripts and is a nice thing to add to the commands that are launched by your favourite bit-torrent client once a file is completed (I use this on my linux based torrent downloading/file server machine)
- ClamWin has plug-ins for FireFox : SafeDownload, Download Scan, Download Statusbar all let you launch the scanner of your choosing once a download finishes. ClamWin Antivirus Glue is another solution, but one has to manually update the minimal supported version (the plugin is set to support up to 1.5 although it works with more modern versions).

So, although ClamWin isn't continuously scanning in background, it can cover most of the usual entry points. (Although I don't know about plugins for Thunderbird and Microsoft file server).

For those who like to test newer bleeding edge software : WinPooch software can launch a scan when ever an executable is opened - it's almost as good as an on demand scanner.

Re:Awwww, so sorry for all the webmasters

[gordyf]

I think you're missing the point: it scans links that users are not going to. It scans every result from a search, and not just the ones that you're browsing to. This significantly increases the traffic that sites have to deal with while not increasing user security at all, since the pages can just as easily be scanned while they are downloaded.

But maybe you're just trolling.

Sure AVG's not slimy...

[Firethorn]

Also AVG are not slimly, the spyware/trojan/malware site operators are

However, I'd argue it's the equivalent of using a flamethrower to take out a wasp's nest - the amount of collateral damage to non-malware sites due to the spurious pulls is excessive, there are cleaner methods available.

Re:Sure AVG's not slimy...

[Slashdot+Suxxors]

Whatever man, you haven't lived till you've used used a flamethrower to burn a bee's nest, a firehose to put out a candle, or a .50 cal to get rid your "rodent" problem.

Re:Sure AVG's not slimy...

[KnightNavro]

...or a .50 cal to get rid your "rodent" problem.

Pansy. I use a mortar. It works especially well on burrowing rodents.

Re:Sure AVG's not slimy...

[tgd]

No, its the equivalent of taking a flamethrower to all your neighbor's houses because you think there might be a wasp flying around.

Re:Sure AVG's not slimy...

[rrkap]

No, its the equivalent of taking a flamethrower to all your neighbor's houses because you think there might be a wasp flying around.

Oh, come on! Who hasn't done that?

YOU are clicking on every link!

[hudsucker]

Let's say that your Google search returns some links that are NSFW, or could be considered illegal to view. As a far as anyone looking at server logs is concerned, you are choosing to view those links.

How long before someone gets fired or arrested, and tries to explain that it was their anti-virus software that was viewing the child pr0n?

Re:Awwww, so sorry for all the webmasters

[osu-neko]

Are users not supposed to protect themselves in the interests of the website?

This isn't being done to protect users. The pages could be scanned just as easily on actual load. This is being done to prevent the users from having to suffer a small delay on loading the page by preloading it (and every other possibly link on the page since the software doesn't know what link you're going to click).

You're just putting spin on the issue because this is affecting your cost/income ratio.

You're very anti-average Joe. Most of us aren't Amazon. Most of us, in fact, make precisely zero income from our websites. And we don't have the kind of financial resources to deal with this kind of distributed attack on our bandwidth. Amazon, Yahoo, and such won't have any problem dealing with this sort of thing, but if it becomes popular, it'll force the rest of us off the web.

Since the problem of malware sites is not going to go away and since AVG is effective more antivirus software will start using these techniques. Unless you have something better to suggest?

Yes, make the user wait the extra second if the user wants to scan a page.

Frankly, as an end user, I don't give a damn about your costs and stats. I don't care about it for amazon, ebay, myspace, or paypal. I do care that if I follow a link to an unsavory site that I am protected.

If that's true, then you won't mind waiting the extra second to load a page instead of having the browser drag down the bandwidth of every site in your search ahead of time for you.

Here is another question. Do you want a userbase that is populated by malware infected computers? Is that preferable to figuring out a way to work with AVG new technique?

That's a false dilemma. Is it preferable to force everyone other than the big guys off the web so that users don't have to wait an extra second on loading a page?

Dont throw your users under the train. They have a right to their security and peace of mind.

Don't throw the majority of web page publishers under a train, just so you can save a second by preloading a page.

You can... (Sort off...)

[Scorpiana]

If you right-click on a component in the AVG User Interface, you can select 'Ignore Component State'. That way the component is turned off, but the AVG icon doesn't show anything wrong.

Hope this helps...