Slashdot Mirror


AVG Fakes User Agent, Floods the Internet

Slimy anti-virus provider AVG is spamming the internet with deceptive traffic pretending to be Internet Explorer. Essentially, users of the software automatically pre-crawl search results, which is bad, but they do so with an intentionally generic user agent. This is flooding websites with meaningless traffic (on Slashdot, we're seeing them as like 6% of our page traffic now). Best of all, they change their UA to avoid being filtered by websites who are seeing massive increases in bandwidth from worthless robots.

47 of 928 comments

  1. F5 IRule by Precision · · Score: 5, Informative

    For anyone that happens to run a site behind an F5 BigIP, here's a nice little IRule to nuke this horrible crap from orbit.

    rule IRULE_block_avg-prefetch {
        when HTTP_REQUEST {
            # User-Agent strings observed from the AVG LinkScanner prefetcher
            # (the "User-Agent: " prefixed forms come from an earlier build
            # that copied the header name into the value)
            set ::avg_useragents [list \
                "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" \
                "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)" \
                "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" \
                "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)" \
            ]

            # A real IE6 always sends Accept-Encoding; the prefetcher does not.
            # Only requests that carry one of the UAs above AND lack
            # Accept-Encoding are dropped, so genuine IE6 users pass through.
            if { ![HTTP::header exists "Accept-Encoding"] } {
                if { [matchclass [HTTP::header User-Agent] equals $::avg_useragents] } {
                    # reject closes the connection without serving anything
                    reject
                }
            }
        }
    }

    --
    - U
    1. Re:F5 IRule by Em+Ellel · · Score: 5, Informative

      > For the record, this is a REALLY bad idea.

      > It will block all traffic from legitimate IE6 users, and if you have a $20K router, you probably don't want to do that.

      > If you read the links in the article (and some comments further down), there are things you can do to block this, including blocking requests with these UAs that also have odd or missing headers, cookies, etc.

      LOL, perhaps you might want to READ the rule before replying - it is NOT blocking all IE6 users, just the ones that are missing the "Accept-Encoding" header

      -Em

      --
      RelevantElephants: A Somatic WebComic...
    2. Re:F5 IRule by Darkness404 · · Score: 5, Insightful

      Because it is a browser that people use... The same thing could be said on why should we have to support Konqueror, or the Mozilla Suite, or Seamonkey, why not even block Safari just because we can. Basically, IE6 is a browser, it is even a popular browser. And saying we should block it is like saying we should block Firefox 1.5 and earlier and hey! Firefox 3 is out now, lets block Firefox 2!

      --
      Taxation is legalized theft, no more, no less.
    3. Re:F5 IRule by ConceptJunkie · · Score: 5, Funny

      You've got an actual Ass Hat? Where'd you get it? I could order a couple hundred because a lot of people deserve them.

      In fact, let's spam the White House and Congress with a million Ass Hats. I'm sure some enterprising person could design a hat that resembles the south end of a north-bound mule.

      --
      You are in a maze of twisty little passages, all alike.
    4. Re:F5 IRule by klubar · · Score: 5, Informative

      Don't deactivate it in the AVG control panel, just disable the add-on in IE or FF. For IE, Tools->Manage Add-ons...->Enable or disable add-ons, then disable the AVG control. Probably something similar for FF.

      Actually this is in their support file.

    5. Re:F5 IRule by lawn.ninja · · Score: 5, Insightful

      I'll tell you why they did it. It's because at the current time some of their other interfaces have not been upgraded and are not compatible with IE7. You may not even use them, but if someone sees IE 7 on your desktop, they want it on theirs and so on and so forth. It's not that anyone in their right mind wants to keep IE 6 around, but it is likely that is what is currently supported according to their corporate image. It also has to do with preserving standards and how the techs support your PC and the efficiency of how it is supported. Bleeding edge doesn't happen in corporate environments, hell leading edge doesn't even happen most of the time. Its slow and steady movements forward. If you jumped on the bandwagon for every new upgrade your network would be a mess and would show no signs of a standard. Software is tested in corporations, with everything else that already exists inside the shop. They even have a position dedicated to just that task. They are commonly called desktop engineers. They typically spend a good part of their workday developing and testing products to integrate into the desktop standard image. This is because something as simple as a non supported browser can cause a user all sorts of issues and then cost hours of time (read: money) for the tech to diagnose it. This is why you pay for an IT department, there are many headaches the user never sees and it is because we work it out first.

    6. Re:F5 IRule by megaditto · · Score: 5, Insightful

      Why, what does that do?
      Do you want it to pound Google's servers, bump up Grisoft's search rank, or anything else I am not seeing?

      --
      Obama likes poor people so much, he wants to make more of them.
    7. Re:F5 IRule by LiquidFire_HK · · Score: 5, Informative

      DDoS Grisoft with their own plugin - it fetches all linked search result pages in a Google search in order to scan them.

    8. Re:F5 IRule by tubapro12 · · Score: 5, Informative
  2. How do you really feel? by SoupGuru · · Score: 5, Insightful

    Why don't you tell us how you really feel about AVG?

    --
    What doesn't kill you only delays the inevitable
    1. Re:How do you really feel? by Anonymous Coward · · Score: 5, Funny

      Ok. It's run by Jews in a secret conspiracy to take over the World using sharks with frickin' lasers and gorgeous fembots with a penchant for evil.

    2. Re:How do you really feel? by The+Clockwork+Troll · · Score: 5, Funny

      In this day and age it's sad to see that anti-sharkitism is still alive and well.

      AVG = Alotta VaGina?

      --

      There are no karma whores, only moderation johns
    3. Re:How do you really feel? by immcintosh · · Score: 5, Insightful

      One of those times I wish you could moderate the moderation as +1 Funny.

  3. I discovered this the hard way by brunascle · · Score: 5, Interesting

    A couple months ago, a random article on my company's site got around 20 times the number of hits that the top story of the day should be getting. I checked the logs, and saw legit-looking IE user agents, but they didn't look normal. None of them had any cookies, and none of them were downloading the CSS or image files that they should have been. The IP addresses were from all around the world. WTF?

    I found out that Google was doing one of its things where it changes the google logo for some special occasion, and it links to a search. That article was on the first page of the results.

    I did a search for the exact user agent and discovered it was AVG. When you go to a Google search, AVG downloads each result looking for malware. Hooray for falsified user agents.

    Though, I suspect the reason they use a legit-looking IE user agent is because malware sites could sniff the AVG user agent and serve up an innocent page for them, and malware for everyone else.
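    The pattern described above (browser-looking user agents, no cookies, no follow-up fetches of the page's CSS or images, source addresses scattered worldwide) can be checked from the server's own logs without trusting the User-Agent at all. The following is an added example, not code from the thread or from AVG. It assumes a constructed log format (Apache "combined" with the request's Cookie header appended as one more quoted field) and a constructed sample log; the asset extension list and the per-client thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Added example: classify clients by behaviour rather than by User-Agent.
# Assumed (constructed) log format: Apache "combined" plus the Cookie header,
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Cookie}i\""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

# Requests a real browser makes after rendering a page; a prefetcher that only
# parses the HTML for links never asks for these (assumed list).
ASSET_EXT = (".css", ".js", ".png", ".gif", ".jpg", ".jpeg", ".ico")

IE6_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
IE6_UA_1813 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)"
FX_UA = "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9) Gecko/2008061015 Firefox/3.0"

# Constructed sample, not captured traffic: two real visitors (one IE6, one
# Firefox) that load the page and its assets with a session cookie, two
# page-only hits with no cookie and no asset fetches, and one unparseable line.
SAMPLE_LOG = "\n".join([
    f'10.0.0.5 - - [25/Jun/2008:10:01:02 +0000] "GET /article/123 HTTP/1.1" 200 5120 "http://www.google.com/search?q=test" "{IE6_UA}" "sid=abc123"',
    f'10.0.0.5 - - [25/Jun/2008:10:01:02 +0000] "GET /static/site.css HTTP/1.1" 200 900 "http://example.com/article/123" "{IE6_UA}" "sid=abc123"',
    f'10.0.0.5 - - [25/Jun/2008:10:01:03 +0000] "GET /images/logo.png HTTP/1.1" 200 2048 "http://example.com/article/123" "{IE6_UA}" "sid=abc123"',
    f'203.0.113.7 - - [25/Jun/2008:10:01:05 +0000] "GET /article/123 HTTP/1.1" 200 5120 "-" "{IE6_UA}" "-"',
    f'198.51.100.9 - - [25/Jun/2008:10:01:06 +0000] "GET /article/123 HTTP/1.1" 200 5120 "http://www.google.com/search?q=test" "{IE6_UA_1813}" "-"',
    f'192.0.2.44 - - [25/Jun/2008:10:01:08 +0000] "GET /article/123 HTTP/1.1" 200 5120 "http://www.google.com/search?q=test" "{FX_UA}" "sid=def456"',
    f'192.0.2.44 - - [25/Jun/2008:10:01:08 +0000] "GET /static/site.css HTTP/1.1" 200 900 "http://example.com/article/123" "{FX_UA}" "sid=def456"',
    "this line is not in the expected format and must be skipped",
])


def parse_log(text):
    """Parse lines in the assumed format; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def is_asset(path):
    """True for requests a rendering browser issues after the page itself."""
    return urlparse(path).path.lower().endswith(ASSET_EXT)


def profile_clients(entries):
    """Per-IP counts of page hits, asset hits and requests that carried a cookie."""
    profiles = defaultdict(lambda: {"pages": 0, "assets": 0, "with_cookie": 0})
    for e in entries:
        p = profiles[e["ip"]]
        p["assets" if is_asset(e["path"]) else "pages"] += 1
        if e["cookie"] != "-":
            p["with_cookie"] += 1
    return dict(profiles)


def suspected_prefetchers(entries):
    """IPs that only ever fetched pages, never an asset, never with a cookie.
    The User-Agent is deliberately not consulted, so the check still works
    after the prefetcher changes the string it presents."""
    return sorted(ip for ip, p in profile_clients(entries).items()
                  if p["pages"] >= 1 and p["assets"] == 0 and p["with_cookie"] == 0)


def prefetch_share(entries):
    """Fraction of page hits attributable to suspected prefetchers, i.e. the
    correction a site would apply to its own traffic statistics."""
    flagged = set(suspected_prefetchers(entries))
    pages = [e for e in entries if not is_asset(e["path"])]
    return sum(e["ip"] in flagged for e in pages) / len(pages) if pages else 0.0


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("suspected prefetchers:", suspected_prefetchers(entries))
    print("share of page hits: %.0f%%" % (100 * prefetch_share(entries)))
```

    A single request from a real visitor with a warm cache, or with cookies blocked, looks the same as a prefetch, so this is a retrospective score over a log window for correcting statistics and for deciding whether an inline rule is worth deploying, not a per-request block list; the header-based rules further down the thread are what sit in the request path.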

    1. Re:I discovered this the hard way by Darkness404 · · Score: 5, Insightful

      > Perhaps someone could elaborate on how they are slimy. This appears to be an attempt to protect people.

      Ok, think of the /. effect. Now take that on almost any website whose servers aren't as strong. This is basically a huge DDoS attack on many websites by AVG that has a reason behind it. But it is still a DDoS attack.

      --
      Taxation is legalized theft, no more, no less.
    2. Re:I discovered this the hard way by jamie · · Score: 5, Insightful

      Prefetching your search results doesn't protect you from viruses any more than just checking the pages you try to load at the time of loading.

      What it does, is basically scanning the entire internet, weighted toward the pages its users search for, and I assume reporting back to AVG which websites have malware or suspected malware on them.

      The problem with this theory is that malware sites can move around quickly, so learning that domain xzclqqkxzz.com tried to upload a virus to someone's computer 48 hours ago is not especially valuable information.

      That's in addition to AV software being essentially impossible to keep up-to-date anyway, you can look up studies but most AV software lets a lot of malware through.

      And the increased traffic annoys webmasters because the prefetches are (attempted to be) disguised as actual page fetches, and they come from all over the internet, so we think they're real clicks from real users but they're not. Plus, for some sites the increased load/bandwidth may be a problem.

    3. Re:I discovered this the hard way by karot · · Score: 5, Insightful

      Dumb is what they were BEFORE they were told about the problem. Slimy is what they are now that they are refusing to rectify the situation and behave.

      I think they deserve everything they will inevitably get as a result of this.

      --
      Enjoy Y2K? Roll-on Year 2037!
  4. I turned it off by stoolpigeon · · Score: 5, Informative

    I use AVG on a couple machines. I didn't really think about the traffic tracking piece of this when I saw it working, I just thought about it slowing me down, increasing bandwidth use, etc. and I turned it off.

    I know most people don't mess with defaults - and I'm not defending them as far as the agent thing and all that - but it was easy to do.

    On the negative side my avg icon in the systray has a big exclamation over it like something is really wrong - when I know it's just because I turned off a piece of functionality I don't want to use.

    --
    It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
    1. Re:I turned it off by funfail · · Score: 5, Informative

      If you are using Firefox, just disable the AVG addon within Firefox addon manager. You won't get the big exclamation mark.

    2. Re:I turned it off by maxume · · Score: 5, Informative

      There is a solution to the exclamation:

      http://grandstreamdreams.blogspot.com/2008/04/taming-avg-free-version-8.html

      In short, run "avg_free_stf_*.exe /REMOVE_FEATURE fea_AVG_SafeSurf /REMOVE_FEATURE fea_AVG_SafeSearch" from a cmd box or the run box.

      Sort of a ridiculous contortion to get to an option that should be more available, but it works.

      --
      Nerd rage is the funniest rage.
    3. Re:I turned it off by thundercleese · · Score: 5, Informative

      You can install AVG 8 without LinkScanner, which returns AVG to its previous functionality (just anti-virus).

      From the FAQ:

      If you wish to install AVG 8.0 Free Edition without the LinkScanner component, or uninstall this component from your program, please proceed as follows:

              * Download the AVG 8.0 Free Edition installation package from our website.
              * Run the installation with the parameters /REMOVE_FEATURE fea_AVG_SafeSurf /REMOVE_FEATURE fea_AVG_SafeSearch. One way to achieve this is to:
                          o save the AVG Free installation file directly to disk C:\
                          o open menu Start -> Run
                          o type
                              c:\avg_free_stf_*.exe /REMOVE_FEATURE fea_AVG_SafeSurf /REMOVE_FEATURE fea_AVG_SafeSearch
              * The installation will be started, and AVG will be installed without the LinkScanner component.

  5. Hooray by genner · · Score: 5, Funny

    Hooray look at all the hits I'm getting.

    1. Re:Hooray by sm62704 · · Score: 5, Insightful

      Hooray! Look at all the OH SHIT my server's on fire!

      --
      mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
  6. ACID by Anonymous Coward · · Score: 5, Funny

    I bet AVG would score higher on ACID than IE...

  7. Slimy? by Anonymous Coward · · Score: 5, Insightful
    please, providing millions of people with an anti-virus for free is not exactly "slimy"
    if you want the definition of slimy see Symantec/McAfee/MicrosoftOneCare

    while this doesn't excuse their behaviour, trying to protect people (a lot of them for free) is not slimy but insulting them on the front page of Slashdot is

    pathetic
  8. "as like" by DaHat · · Score: 5, Funny

    > on Slashdot, we're seeing them as like 6% of our page traffic now

    Come on Taco... proper English (or at least something seemingly like it) isn't that hard... is 6% exactly, around 6% or really just 'like 6%'

    I honestly like, do not recall like the last time I like, saw someone use 'like' in that long standing improper way in like text, it's always like, been for me, like only something a person like, verbalizes.

  9. Apache Rewrite Rules! by Anonymous Coward · · Score: 5, Interesting

    Try this on Apache servers:

    # Here we assume certain MSIE 6.0 agents are from LinkScanner and
    # redirect these requests back to AVG in the hope they'll see their silliness.
    # A real IE6 following a search result carries a Referer and always sends
    # Accept-Encoding, so only requests lacking both are redirected.
    RewriteEngine on
    RewriteCond %{HTTP_USER_AGENT} "MSIE 6\.0; Windows NT 5\.1; SV1\)$" [OR]
    RewriteCond %{HTTP_USER_AGENT} "MSIE 6\.0; Windows NT 5\.1;1813\)$"
    RewriteCond %{HTTP_REFERER} ^$
    RewriteCond %{HTTP:Accept-Encoding} ^$
    RewriteRule ^.* http://www.avg.com/?LinkScannerSucks [R=307,L]

    Brought to you by These guys.

    1. Re:Apache Rewrite Rules! by Anonymous Coward · · Score: 5, Informative

      I have an updated version of this redirect to AVG, based on info I've been gathering over the last 2 weeks from Webmaster World, El Reg, and of course Pixelbeat. Here is the rule set I am using now:

      RewriteEngine on
      # Either of the two LinkScanner user agents (anchored on the closing
      # parenthesis, so an IE6 that appends ".NET CLR" tokens never matches)
      RewriteCond %{HTTP_USER_AGENT} "MSIE 6\.0; Windows NT 5\.1; SV1\)$" [OR]
      RewriteCond %{HTTP_USER_AGENT} "MSIE 6\.0; Windows NT 5\.1;1813\)$"
      # GET only: the preceding HEAD probe is allowed through
      RewriteCond %{REQUEST_METHOD} ^GET$
      # No Referer and none of the Accept-* headers a browser sends
      RewriteCond %{HTTP_REFERER} ^$
      RewriteCond %{HTTP:Accept-Encoding} ^$
      RewriteCond %{HTTP:Accept-Language} ^$
      RewriteCond %{HTTP:Accept-Charset} ^$
      RewriteRule ^.* http://www.avg.com/?LinkScannerSucks [R=301,L]

      I have the check for "GET" method in there so that the earlier "User-Agent: ..." version of linkscanner will still get redirected. See, that version does a HEAD request first, most likely to check for a redirect. So we allow that HEAD request to pass, since it is small any ways. But the GET request that follows will still get redirected. We want to redirect the maximum amount of traffic we can to AVG, to drive the point home.

      This filter is also more selective, by also checking for the non-existence of Accept-Language and Accept-Charset we make absolutely sure we are not redirecting a valid user. No web browser out there would fail to set all 3 of these, so we can be absolutely sure this is crap coming from a linkscanner.

      I also decided to use a permanent redirect, in hopes that linkscanner caches this and it will reduce the number of repeat hits from the same user? Not sure if that is the case or not.

      Someone in this thread asked if these rules work in the main Apache config file instead of using .htaccess. I don't use .htaccess on my servers either, and these rules reside in our main Apache config file. So the answer is yes, it will work in BOTH places.

      I hope by now that AVG realizes the futility in their continuing to change how linkscanner acts to try and hide it from us. We will simply continue to work together as a community of server admins to block this crap and send it right back at them!
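    The F5 iRule in comment 1 and the two Apache rule sets above implement the same decision: one of two User-Agent strings, combined with headers a real browser would have sent and the prefetcher does not. The following is an added example, not code from the thread, from AVG, F5 or Apache; it restates that decision as one pure function so it can be checked against constructed requests before being deployed in a proxy or load balancer. The sample requests, the `strict` switch and the helper names are assumptions for illustration. One detail worth knowing when reading the stricter rule set: IE6 itself never sends Accept-Charset, but it still passes because the rule only fires when all three Accept-* headers are absent together.

```python
import re

# Added example: the LinkScanner fingerprint from the F5 iRule and the Apache
# rule sets, as a pure function over (method, headers). Not AVG's, F5's or
# the commenters' code; names and sample requests are assumptions.

# The two User-Agent strings the thread attributes to LinkScanner. Anchoring
# on the closing ")" matters: a real IE6 with the .NET Framework installed
# appends "; .NET CLR x.y.z" tokens and therefore never matches.
LINKSCANNER_UA_RE = re.compile(r"MSIE 6\.0; Windows NT 5\.1;( SV1|1813)\)$")

# Headers whose joint absence the stricter Apache rule set treats as the
# prefetcher's signature.
BROWSER_HEADERS = ("Accept-Encoding", "Accept-Language", "Accept-Charset")

REDIRECT_TARGET = "http://www.avg.com/?LinkScannerSucks"


def header(headers, name):
    """Case-insensitive lookup; a missing or empty header both count as absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def classify(method, headers, strict=True):
    """Return "redirect" for a request matching the LinkScanner fingerprint,
    otherwise "pass".

    strict=True  follows the later Apache rule set: GET only, empty Referer,
                 none of the three Accept-* headers present.
    strict=False follows the F5 iRule: any method, Accept-Encoding absent.
    """
    ua = header(headers, "User-Agent")
    # The earlier LinkScanner build sent a UA literally prefixed "User-Agent: ".
    if ua.startswith("User-Agent: "):
        ua = ua[len("User-Agent: "):]
    if not LINKSCANNER_UA_RE.search(ua):
        return "pass"                      # not one of the two UAs: never touched

    if not strict:
        return "redirect" if not header(headers, "Accept-Encoding") else "pass"

    if method.upper() != "GET":
        return "pass"                      # let the prefetcher's HEAD probe through
    if header(headers, "Referer"):
        return "pass"                      # a click from a search page carries one
    if any(header(headers, h) for h in BROWSER_HEADERS):
        return "pass"                      # a browser sends at least one of these
    return "redirect"


def response_for(method, headers, strict=True):
    """Status line and Location for the rule's 301, or None to serve normally."""
    if classify(method, headers, strict) == "redirect":
        return ("301 Moved Permanently", REDIRECT_TARGET)
    return None


# Constructed requests (not captured traffic) covering the cases the thread
# discusses: real IE6, IE6 with .NET tokens, the prefetcher's GET and HEAD.
LS_UA_SV1 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
LS_UA_1813 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)"
SAMPLE_REQUESTS = {
    # IE6 sends no Accept-Charset; Accept-Encoding and Accept-Language suffice
    "real_ie6": ("GET", {"Host": "example.com", "User-Agent": LS_UA_SV1,
                         "Referer": "http://www.google.com/search?q=x",
                         "Accept-Encoding": "gzip, deflate",
                         "Accept-Language": "en-us"}),
    "ie6_dotnet": ("GET", {"Host": "example.com",
                           "User-Agent": LS_UA_SV1[:-1] + "; .NET CLR 1.1.4322)"}),
    "linkscanner_get": ("GET", {"Host": "example.com", "User-Agent": LS_UA_SV1}),
    "linkscanner_1813": ("GET", {"Host": "example.com", "User-Agent": LS_UA_1813}),
    "linkscanner_head": ("HEAD", {"Host": "example.com",
                                  "User-Agent": "User-Agent: " + LS_UA_SV1}),
}


def classify_all(requests=SAMPLE_REQUESTS, strict=True):
    """Map each sample name to its decision under the chosen rule set."""
    return {name: classify(m, h, strict) for name, (m, h) in requests.items()}


if __name__ == "__main__":
    for mode in (True, False):
        print("strict" if mode else "lenient", classify_all(strict=mode))
```

    Running it shows the one place the two rule sets disagree: the prefetcher's HEAD probe is redirected by the iRule-style check but passed by the stricter set, which is what the comment above chose so that the GET that follows is the request sent back to AVG.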

  10. My ex wife.... by WwWonka · · Score: 5, Funny

    ....used to fake user agents all the time. As a man I thought I was always properly connecting to her internet portal. guess not.

  11. Once good by Rinisari · · Score: 5, Informative

    AVG was once a good product. Then, it got bloated and started eating up kernel memory voraciously. It was impossible to play games with it running in the background, especially Crysis (skip the jokes, my system could handle it maxed once I replaced AVG with Avast!). Now, with this development, I'll be sure to replace AVG with Avast! on all of my machines, not just my gaming one.

  12. Re:Alternative Anti-Virus Software? by LMacG · · Score: 5, Informative

    Avast.

    It's not just for Talk-Like-A-Pirate Day any more!

    --
    Slightly disreputable, albeit gregarious
  13. Re:Sending the bills to them. by initdeep · · Score: 5, Insightful

    No, you're not a lawyer, but I'm pretty sure you're not smart enough to be one either.

    you didn't give them permission to access your publicly available site?
    really?
    are you sure?
    because you know, if you make something publicly available on the public internet, I'm pretty sure by definition, you've therefore given them permission to access it.
    Just like everyone else "in the public".

    Did you give Google permission?

    how about every other search/index site?

    as to the "extra bandwidth" since it is by definition, caused by your websites being found via search providers, maybe you should be sending the bill for linking to them and thus causing the "extra bandwidth" to Google/Yahoo/MS and see how far that gets you.

  14. HOWTO install AVG without Search Crawling by bheer · · Score: 5, Informative

    You can actually install AVG 8 without the 'Safe Search' feature that crawls websites (it's essentially a BHO/Firefox extension). Even if you already have AVG 8, you can uninstall it and reinstall:

    At a Command Prompt window, type
    c:\downloads\avg_free_stf_xxxxxxxxxx.exe /REMOVE_FEATURE fea_AVG_SafeSurf /REMOVE_FEATURE fea_AVG_SafeSearch

    where c:\downloads\avg_free_stf_xxxxxxxxxx.exe is the full path of your AVG 8 installer.

    1. Re:HOWTO install AVG without Search Crawling by Em+Ellel · · Score: 5, Funny

      > At a Command Prompt window, type
      > c:\downloads\avg_free_stf_xxxxxxxxxx.exe /REMOVE_FEATURE fea_AVG_SafeSurf /REMOVE_FEATURE fea_AVG_SafeSearch
      >
      > where c:\downloads\avg_free_stf_xxxxxxxxxx.exe is the full path of your AVG 8 installer.

      At least it is intuitive....

      -Em

      --
      RelevantElephants: A Somatic WebComic...
  15. AVG 8 is dog slow by street+struttin' · · Score: 5, Informative

    Has anyone else noticed that AVG 8 is also DOG SLOW on their PC? My computer is from 2001 and ran fine with 7.5, but 8.0 is unusably slow. Every time an application is opened it takes forever for AVG to scan it and let the app open. This combined with this linkscanner bullcrap has caused me to switch. I doubt I'll ever go back.

  16. Grisoft dropped the ball with AVG v8.0 by GogglesPisano · · Score: 5, Informative

    I'm a longtime user of AVG. Version 7 was reasonably lightweight, effective and (most importantly to me) unobtrusive.

    Unfortunately, version 8 is a different story. After Grisoft forced me to upgrade in May, suddenly AVG became a nagging resource hog. Nightly scan times rocketed from about an hour to over six hours - a scheduled scan that started at 2am would still be going at 8:30am. I have been able to reduce this time somewhat by changing the scan settings (e.g., don't scan inside compressed archives), but it's still slow.

    Most annoyingly, their new "LinkScanner" and "SafeSurf" features slowed my browser to a crawl. I didn't want these, since I already use Firefox with the AdBlock and NoScript extensions. I tried to simply disable LinkScanner, but then AVG constantly bothered me with nagging warnings that my computer "was not fully protected". After a little digging, I found that it was possible to uninstall the feature entirely with the following command:

    avg_free_stf_xxxx.exe /REMOVE_FEATURE fea_AVG_SafeSurf /REMOVE_FEATURE fea_AVG_SafeSearch

    (Substitute "avg_free_stf_xxxx.exe" in the above command with the name of your setup file.)

    This improved my browser performance, and eliminated the warnings.

    I'm still (grudgingly) using AVG, but I will switch if/when I find a better alternative.

  17. Re:payback by jamie · · Score: 5, Informative

    It's not really the load -- it's throwing off our internal metrics so we don't know what readers are actually interested in. We like numbers, and messing with our stats annoys us.

  18. Insightful ?????? by BasharTeg · · Score: 5, Insightful

    How exactly do the websites getting slammed with this bullshit traffic "not even install this part of the program" and "if you don't like it don't use it"?

    Did you miss this part: (on Slashdot, we're seeing them as like 6% of our page traffic now)

    So how does Slashdot "just not use" the AVG product and recover that 6% of their page traffic again?

    The complaint is that they are "spamming the internet with deceptive traffic". That's a server/hosting complaint, not a user complaint about some user who can't figure out how to disable that feature.

    Kudos on getting a "4 Insightful" for a ridiculously inapplicable and nonsensical response though!

  19. Hanlon's razor with the save! by BlackCobra43 · · Score: 5, Insightful

    Never attribute to malice that which can be adequately explained by stupidity.

    --
    I never spellcheck and I freely admit it. Save your karma for more worthwhile "lol erorrs" replies
  20. Re:One Word by thePowerOfGrayskull · · Score: 5, Funny

    Personally, I wish they'd write a secure user. Then AV wouldn't be necessary.

  21. YOU are clicking on every link! by hudsucker · · Score: 5, Interesting
    Let's say that your Google search returns some links that are NSFW, or could be considered illegal to view. As far as anyone looking at server logs is concerned, you are choosing to view those links.

    How long before someone gets fired or arrested, and tries to explain that it was their anti-virus software that was viewing the child pr0n?

  22. Re:Sure AVG's not slimy... by Slashdot+Suxxors · · Score: 5, Funny

    Whatever man, you haven't lived till you've used a flamethrower to burn a bee's nest, a firehose to put out a candle, or a .50 cal to get rid of your "rodent" problem.

  23. Re:Awwww, so sorry for all the webmasters by osu-neko · · Score: 5, Insightful

    > Are users not supposed to protect themselves in the interests of the website?

    This isn't being done to protect users. The pages could be scanned just as easily on actual load. This is being done to prevent the users from having to suffer a small delay on loading the page by preloading it (and every other possible link on the page since the software doesn't know what link you're going to click).

    > You're just putting spin on the issue because this is affecting your cost/income ratio.

    You're very anti-average Joe. Most of us aren't Amazon. Most of us, in fact, make precisely zero income from our websites. And we don't have the kind of financial resources to deal with this kind of distributed attack on our bandwidth. Amazon, Yahoo, and such won't have any problem dealing with this sort of thing, but if it becomes popular, it'll force the rest of us off the web.

    > Since the problem of malware sites is not going to go away and since AVG is effective more antivirus software will start using these techniques. Unless you have something better to suggest?

    Yes, make the user wait the extra second if the user wants to scan a page.

    > Frankly, as an end user, I don't give a damn about your costs and stats. I don't care about it for amazon, ebay, myspace, or paypal. I do care that if I follow a link to an unsavory site that I am protected.

    If that's true, then you won't mind waiting the extra second to load a page instead of having the browser drag down the bandwidth of every site in your search ahead of time for you.

    > Here is another question. Do you want a userbase that is populated by malware infected computers? Is that preferable to figuring out a way to work with AVG new technique?

    That's a false dilemma. Is it preferable to force everyone other than the big guys off the web so that users don't have to wait an extra second on loading a page?

    > Don't throw your users under the train. They have a right to their security and peace of mind.

    Don't throw the majority of web page publishers under a train, just so you can save a second by preloading a page.

    --
    "Convictions are more dangerous enemies of truth than lies."
  24. Re:One Word by paulzeye · · Score: 5, Funny

    Actually I think on access scanning is a great way to cripple performance : )

  25. Re:Sure AVG's not slimy... by tgd · · Score: 5, Insightful

    No, it's the equivalent of taking a flamethrower to all your neighbor's houses because you think there might be a wasp flying around.

  26. Re:Sure AVG's not slimy... by rrkap · · Score: 5, Funny

    > No, it's the equivalent of taking a flamethrower to all your neighbor's houses because you think there might be a wasp flying around.

    Oh, come on! Who hasn't done that?

    --
    I like my beverages with warning labels!
  27. You can... (Sort of...) by Scorpiana · · Score: 5, Informative

    If you right-click on a component in the AVG User Interface, you can select 'Ignore Component State'. That way the component is turned off, but the AVG icon doesn't show anything wrong.

    Hope this helps...