Kaspersky Update Breaks Internet Access For Windows XP Users

An anonymous reader writes "Yesterday afternoon, Kaspersky Labs released a definition update that blocked all Internet and Intranet access on Windows XP workstations. While there has been no official communication from Kaspersky, their forum is lit up with angry customers relying on each other to find a fix." Update: 02/05 16:42 GMT by T : Thanks to an anonymous reader, who says that Kaspersky has issued a statement, and a fix (though the fix takes some manual labor to implement).

let me guess

they already have a fix you can download!

Re:let me guess

This will make XP less secure!

Quality Control 101

[DigiShaman]

Epic FAIL! All you AV providers need to be testing your damn defs before deployment to the public. Geez, how fucking hard is this?

Re:Quality Control 101

[SJHillman]

When you have millions of customers and no two have identical machines, it's damned hard to test for every case. It doesn't say if all XP machines are affected (which should have been tested for) or if just a large number of them have been (which may or may not have shown up in testing).

Re:Quality Control 101

[deathlyslow]

My clients that have this issue are all XP w/IE8. Various manufacturers and patch levels. When I say my client, I do their switch/route stuff not servers/workstations.

Re:Quality Control 101

[hairyfeet]

But seriously, how hard is it to put together a couple of PCs and have most of the bases covered? This is WinXP we're talking about, a legacy OS whose heyday has a pretty typical build to go with it.

From my years at the shop if someone asked me to hand them a "typical XP box" it would be a 2.2GHz-3.2GHz Pentium 4 with 512MB-1GB of RAM, a 160GB HDD and an Intel 8xx or 9xx IGP. If you wanted to get as perfect to "middle of the road XP" as possible a 2.6GHz with 512Mb of RAM along with a 160GB HDD and an Intel IGP...there, you just have covered a good 80%+ of the XP boxes out there. If you wanted to be thorough add a Pentium D and an Athlon at 2GHz and you'll have covered the vast majority of XP boxes out there.

Re:Quality Control 101

[SJHillman]

That covers the hardware, which is mostly irrelevant to anti-virus other than how long it takes to scan. What service pack is installed? What patches? Hotfixes? Third party programs? What malware is on there? What files are corrupt? What settings has the user changed? Is it Home or Pro? Once an XP machine has a year or two since the last OS reinstall, there's thousands of variables. Once an XP machine has four or five years with an average user, it's almost unrecognizable.

Re:Quality Control 101

[cusco]

A few years ago a McAfee update identified a .dll file necessary for the world's largest access control software as a virus. Our company was very busy for a few days fixing customer installations all over the region. Amusingly enough, McAfee itself used that access control package. Since McAfee's own security system didn't crash that would seem to indicate that they don't distribute their own updates internally before releasing them out into the wild.

Re:Quality Control 101

[DarwinSurvivor]

What other AV software is installed. It's not uncommon for people to install 2 or 3 of them and have no idea that they don't play nicely together.

Re:Quality Control 101

Well, it does seem as if lots and lots of the XP boxes out there got hit, so even if Kaspersky only had 13 boxes to test on, at least one of them would have caught this, would it not?

Re:Quality Control 101

[hairyfeet]

Well considering that even MSFT ended support for SP2 over 2 years ago I think a minimum of SP3 would be sensible, and since we are talking AV here and we all know how script kiddies use the patches to reverse engineer new hacks I think expecting the OS to be kept up to date really wouldn't be out of line.

Of course this is all ignoring the elephant in the room when it comes to XP, which is the rampant piracy of that OS. Damned near every out of date XP system that comes into my shop is running "XP Pro Corp Razr1911 Edition" with updates turned off by the guy that installed the hot copy of Windows. But I don't think its up to the AV companies to condone and support piracy so they should expect the OS to have the latest security patches and warn the user if it does not. If they choose to ignore that warning then its on them and like with any other unsupported piece of software if it works it works and if it don't it don't.

In Soviet Russia...

[davidwr]

In Soviet Russia... ...nevermind, too easy.

Re:In Soviet Russia...

[jones_supa]

In Soviet Russia, the viruses scan YOU!

Re:In Soviet Russia...

[gstoddart]

I thought in that case, the viruses scam you.

Re:In Soviet Russia...

[kelemvor4]

I thought in that case, the viruses scam you.

No, that's what happens everywhere. Not just soviet Russia.

Strong Protection

[stewsters]

Sometimes the only way to win the game is not to play. It seems like Kaspersky has learned that the only way to secure Windows XP is to disable the internet connection. Now if they disable the USB ports next, I think we will have a good security model going. Unfortunately that update will be harder to push.

Re:Strong Protection

[magic+maverick+]

That was my thoughts as well. Considering XP could be 0wned in an average of four minutes, it suggests that old XP is just not safe on the Internet. (XP with service packs and built-in firewall is apparently fine.)

Isn't that the goal?

[tanveer1979]

To be the perfect AV
No internet means
No virus
No Botnet
No Adware
No Spyware ......

Or maybe the program became self aware and realized that the internet is a disease, a virus, needing to be squashed

Re:Isn't that the goal?

[UnknownSoldier]

You may laugh, but originally that was the only way for Windows NT to get C2 certification. :-)

* http://support.microsoft.com/kb/93362
" Microsoft has opted not to include certain components of Windows NT in the evaluation process, ... It may be enough to consider networking to be another subsystem, ... "

Re:Isn't that the goal?

[DanielOom]

The only thing worse than a computervirus is an antivirus.

Re:Isn't that the goal?

The only thing worse than a computervirus is an antivirus.

So true. Which is why I don't use antivirus - and therefore, no software that actually needs antivirus functionality. Ditch windows, it is not good enough because it needs this huge timewaster called "antivirus". Slowing the machine because the OS is not immune, requiring constant updates, and even then - it doesn't catch all those viruses. Nice not to have such artifical problems.The Internet is not a dangerous place -for me.

Actually, they don't.

[mschaffer]

Right now, the "temporary" fix is to disable their Web AV.

Re:Actually, they don't.

[oobayly]

At least you can do that. I had a mate that installed McAffee (because it came bundled with BT's broadband package). His machine refused to connect to the internet, though ICMP packets were allowed. My first thought was "Disable everything that even resembles McAffee", but to no avail. In the end I did what I should have done initially - wipe every mention of McAffee from the machine - job done. I still don't know what was blocking the traffic.

Re:Actually, they don't.

In the end I did what I should have done initially - wipe every mention of McAffee from the machine - job done.

Same strategy that the nation of Belize used. Worked pretty well for them too.

Re:Actually, they don't.

[pele_smk]

but this is not McAfee....this is Kaspersky I'm confused or I think you're confused.

Re:Actually, they don't.

[oobayly]

What I was trying to say was that at least in this case you can disable the Kaspersky components so you can connect to the internet to download the update without resorting to sneakernet.

LOL

Seems that AV software is a prescription worse than the disease.

Re:LOL

[Custard+Horse]

Seems that AV software is a prescription worse than the disease.

I always though McAfee was akin to Thalidomide in that respect. It would appear that Kapersky is cut from the same cloth...

Is Norton Security Suite (or whatever it is/was called) still the ultimate cyanide pill for a well-configured system?

Link to fix

[davidwr]

http://forum.kaspersky.com/index.php?showtopic=255508&st=20&p=1978848&#entry1978848

Text of fix, credit the forum poster known as "omaudio":

from Kaspersky-

"We apologize for the inconvenience. It does appear that there was a hiccup with an Update pushed out causing Windows XP machines to lose internet connectivity. An update was just released that should address the issue, what I will need you to do is:

To get XP users internet connectivity (temporarily), please disable the Web AV component of your protection policy for your managed computers. After doing so;

In Security Center (or Admin Kit):

1.) Go to the Repositories section >> (Right click) Updates >> All Tasks >> Clear updates repository.
2.) Go to the Repositories section >> (Right click) Updates >> Download Updates

After taking this step, please run your group Update task for Managed Computers. After the update has been pushed to your workstations, please re-enable your Web AV component in your protection policy. This should resolve the issue. "

We don't need no stinkin' testing...

[mschaffer]

I'll bet they don't even have an XP machine to do the testing on. Besides, if they did, would they be having problems with it...?

Re:We don't need no stinkin' testing...

[catchblue22]

With Windows XP, not having access to the internet might be the most secure option. The only way I usually run XP is on a virtual machine with the networking turned off, so Windows doesn't even know the internet exists (just like early Windows 95).

Re:We don't need no stinkin' testing...

[tehcyder]

Yes I'm sure all of the businesses running XP on old machines because it still works, not to mention the millions of home users with crappy old computers, are just dying to start messing around with virtual machines.

Re:We don't need no stinkin' testing...

[KiloByte]

Er, I don't think anyone would be irresponsible enough to release official builds even for a minor open source project without having a set of VMs, one with each major supported version of Windows. There's usually something wrong. Like, in Dungeon Crawl (not so minor a project, but not big either), Windows builds for 0.11.0 worked fine, 0.11.1 would crash on startup on Win7 (but not XP, 2k or 8) if I didn't catch it, 0.11.2 built fine again. Quite puzzling -- why would a strictly bugfix point release suddenly fail? Turns out there's something wrong in mingw for LTO compilation (final builds get optimized up the wazoo, nightlies don't). So there's simply no way to skip a test rig.

It's hard to believe in such a level of incompetency. On the other hand, this is Kaspersky...

They are right

[kurt555gs]

Cutting off internet access is one of the very best methods for Windows XP security. What's the problem?

Re:They are right

The same can be said about every piece of software.

Re:They are right

Cutting off internet access is one of the very best methods for Windows XP security. What's the problem?

Even if internet access is cut off, the government can still cause mocking, derisive messages to appear on your screen using high-powered directed beams on satellites.

Re:They are right

[tehcyder]

Cutting off internet access is one of the very best methods for Windows XP security. What's the problem?

Reality. That is always the problem, and I know a lot of people here have difficulties with it.

Don't worry, they are already working on a fix

[Hentes]

The next update will fix the issue, you'll just have to download it...oh, wait.

About time they recognized MS Windows as malware

About time they recognized Windows as malware.

How can they be discussing it on forums?

If their internet access is broken...

Re:How can they be discussing it on forums?

[Runaway1956]

Good question - ASSuming that the XP box is the only box they own, how can they discuss their problem on an internet forum? It's not like XP owners are likely to live near a library, or have a relative, or an internet cafe nearby. None of them live near a campus with internet access. Geeez, this is an insurmountable problem, isn't it? Unless, of course, someone actually does backups, and restored his system to a pre-update status.

Phhhht - silly questions form silly AC's.

Re:How can they be discussing it on forums?

[Dunbal]

Good question - ASSuming that the XP box is the only box they own

No, it's a terrible question. Your assumption is incorrect. And most of them probably have an internet-capable smart phone. Wake up, it's the 21st century.

Good Guy Kaspersky

[Apotekaren]

Protecting users of more up to date Windows versions from those malware infested botnet-targets.

Re:Good Guy Kaspersky

[noldrin]

agreed, it sounded like a good feature to me.

Thus

[hduff]

Thus making Windows XP completely secure!

Re:Thus

[slew]

Thus making Windows XP completely secure!

Sadly, it merely disabled user web surfing (HTTP traffic) to allow the malware on your PC full access to your internet bandwidth...
No need for that pesky user web surfing tying up your pipe when you have a botnet to manage... ;^)

When does AV become more risky than the virus?

[Alioth]

I have to wonder at which point workstation AV software becomes a bigger risk than the actual malware.

So far in our organization, we've had two AV incidents. One several years ago when a user brought in an infected laptop with one of the Microsoft RPC exploiting worms. We got the worm before the AV vendor (Symantec at the time) had a signature for it, so the AV software was totally useless. The other event was when Symantec erroneously flagged a Windows Server 2003 resource kit program as malware and quarantined it (fortunately, a program we didn't rely on). So so far, for us - AV has failed to catch our only malware infection and has broken a non-infected program. Strict filtering (both inbound AND outbound) has done a lot more to stop malware in our organization than AV software ever has.

I also remember an incident a few years ago when a prominent AV vendor's software (I think it was Norton) erroneously quarantined a system file in the Chinese version of WinXP, and rendered the workstation unbootable, affecting a very large number of users.

I also wonder if any of the AV companies have independently verified and verifiable procedures for making their updates; a malicious employee at one of the big AV vendors could cause a lot of damage by releasing an update that results in an important system file getting quarantined. What safeguards do each AV vendor have in place to prevent this happening? How is it verified that the companies are actually carrying out the policies if they have them to ensure updates are not malicious, and how is it verified that these policies are actually watertight?

Re:When does AV become more risky than the virus?

[benzaholic]

To some extent, that kind of verification is market driven.
If somebody blows it too many times, or if someone else discovers that an AV package has become malicious, that vendor's reputation will be impacted, and reputation is a very big part of who gets the big money in the AV game.

Also, did you check the AV logs from all of your organization's workstations before claiming that the stuff has been useless?
 

Re:When does AV become more risky than the virus?

Not to mention the resources that most AV software needs, which makes it the only reason sometimes that old computers are upgraded. Office and internet are running fine on pretty old systems, if you remove things like AV.

Re:When does AV become more risky than the virus?

[Sigg3.net]

Windows Update in Vista and newer sometimes does the same thing if there is an update for the wireless card (especially Atheros) in optional updates.

How about that? "I can see an update for your wireless card. Let me disable all internet access for you!"

Disabling WU may not help. Instead remove the Atheros card in device manager, reboot, go online and get the latest driver (your card should now show as a Qualcomm device in dev man).

I've started doing this on all atheros wifi cards as a preventive measure.

"There has been no official communication..."

[hobarrera]

there has been no official communication from Kaspersky

It seems they were using Windows XP.

people still use windows xp?

i thought microsoft ended support for XP on April 14, 2009. it is 2013 and people still use and 11 year old operating system? Just asking. everyone that i know uses windows 8 on intel i7 or Amd FX computers.

Re:people still use windows xp?

[Gaygirlie]

everyone that i know uses windows 8 on intel i7 or Amd FX computers.

So, you don't know anyone besides yourself?

Re:people still use windows xp?

[vlm]

LOL the first link I found was a w3schools one where apparently 1/5 of wanna-be web developers were using XP as of two months ago. Its been dropping about 10% per year for several years now, so that will sunset around 2016 or so.

If a fifth of the techno-elite (LOL) are using XP I think in the wider market the numbers must be 50% or so.

I know MANY megacorps still stuck on XP. There are huge issues with being unable to give a "better" computer to a "lower" status employee that really screw up rollouts, not to mention corporate demanding certain software versions and the division demanding certain versions and the local team demanding certain software all adding up to its quite possible an upgrade is impossible until some bean counter 2000 miles away finally stops using some oddball thing. Or more likely they stopped back in '07 but no one has updated the official list since then and lots of CYA about what if they needed to access files using that antique app...

Re:people still use windows xp?

[cusco]

The new security model in Vista/Win7/Server 2008 breaks a lot of software. Lots of it. Tons. Especially building automation, medical equipment, factory automation, robotics, SCADA, pretty much any piece of equipment that needs to work 24x7 for years at at time without upgrades or updates and which costs more than $100,000 is going to run XP until physically replaced.

Place I used to work had a knee-high pile of Compaq 386 laptops sitting in the radio room. I offered to surplus them and the radio guys almost had a heart attack. The company had bought a half million dollar state-of-the-art radio system in the 1990s, and the control software would only run on a 386 running DOS 4. The manufacturer was purchased almost immediately afterwards by another company, which discontinued that hardware and its support. That stack of laptops was their backup for the control program.

There are multi-million dollar CNC lathes that use Windows NT, sawmills which will only run on Win2k, and PET scanners which will never upgrade higher than XP SP2. It's not about "status", it's about having functioning equipment.

Re:people still use windows xp?

[BenSchuarmer]

It works. I'm running it on my 6-year-old PC at home. I had considered upgrading to Windows 7 (or getting a new PC with Windows 7), but that's not an option anymore.

Re:people still use windows xp?

[Pi+Is+A+Rational]

There's still a CNC stuff out there that will only run on DOS 4. Basically the same situation as the radio story.

Re:people still use windows xp?

[jawtheshark]

Yes, exactly.... That is what so many people here on slashdot fail to see: it works, it does the job, replacing it costs money and for the majority of people it isn't a high priority thing to do, or even totally necessary. I have one laptop running XP and it works perfectly fine. If you are moderately knowledgable about Windows XP, it is pretty easy to run a Limited User account for day to day operations and only log in as Admin when necessary for maintenance. Making it nearly as secure as Vista/7/8, in some senses more secure, because UAC won't ask you permission. You'll be denied permission and either will have to use the Run-As feature or log in as Admin. I never needed to reinstall that machine, it's still in very good condition (Machine was bought in January 2007)

My only concern is indeed the lack of support, but then, I'm not even all that worried.

i didnt realise

i didnt realise people actually connected windows xp machines to the internet!?!

Not the first time

[swb]

Not the first time a KAV update has broken something. KAV for Exchange has had several updates come out that stomped on Store.EXE and kept it from running at all without uninstalling KAV for Exchange.

Client-side breakage seems less common, but unless you're running an SSD RAID-10 disk system with an 8 core CPU, you're always wise to dial back some of the Kaspersky defaults or you will find your machine unusable.

It also helps to reduce the frequency of updates. The default is something ludicrous like every hour or two. This provides two benefits -- one, when the update kicks off it generates a crushing amount of disk and CPU activity that throttles lesser machines, the other benefit is that you're much less likely to suck down broken definition updates as it's likely that the bad ones will be found and removed or fixed before you update.

It's not just with WinXP.

[andywest]

This is not Kaspersky's only problem with its anti-virus product. I have been asked to install a 'technical update'. When I did so, it crashed the anti-virus so badly that it no longer worked at all. I had to physically remove its folder from the Program Files area and reinstall the program from scratch. And this was with Windows 7. That was back in November. When I got the same message in January, I thought Kaspersky might have fixed the problem. Nope: Install -- crash -- scrape up mess -- reinstall from scratch. You kind of wonder what has Kaspersky been doing over the past six months.

Re:It's not just with WinXP.

[WhatAreYouDoingHere]

I had to physically remove its folder from the Program Files area...

I just got this mental picture of someone opening up their hard drive and scraping a section off one of the platters.... :)

Re:It's not just with WinXP.

Mod up because I did too.

Re:It's not just with WinXP.

[andywest]

Okay, on reflection maybe I should not have used the adverb 'physically'. But I did have to remove the Kaspersky folder from the Program Files. Otherwise the install program would crash while reinstalling the software.

Re:It's not just with WinXP.

[tehcyder]

I had to physically remove its folder from the Program Files area...

I just got this mental picture of someone opening up their hard drive and scraping a section off one of the platters.... :)

Oh, you're not supposed to do that when you delete something? No wonder I get through so many hard drives.

Re:It's not just with WinXP.

[tehcyder]

Okay, on reflection maybe I should not have used the adverb 'physically'. But I did have to remove the Kaspersky folder from the Program Files. Otherwise the install program would crash while reinstalling the software.

You should have stuck with the ever-popular "literally"

Then that means that....

[RLU486983]

WinXP users can uninstall the product since there is no longer a threat of getting their machines infected! Kaspersky has done the ultimate preventative measure for them. ;-)

Good

[Feanorian]

They shouldn't have fixed it. anyone using Windows XP should have upgraded years ago. Perhaps this would be encouragement to move to Windows 7....or Linux :D

Re:Good

[1s44c]

They shouldn't have fixed it. anyone using Windows XP should have upgraded years ago. Perhaps this would be encouragement to move to Windows 7....or Linux :D

Some applications still need Windows XP. Yes the applications should have been designed better.

Re:Good

[tehcyder]

They shouldn't have fixed it. anyone using Windows XP should have upgraded years ago. Perhaps this would be encouragement to move to Windows 7....or Linux :D

Anyone who wanted to move to Linux has been perfectly free to do so for years.

Windows 7 requires a higher spec to run than XP, so a lot of people who are perfectly happy running an old 600 MHz Pentium 3 laptop with 128mb memory on XP probably aren't going to be able to upgrade to Windows 7.

Re:Good

[Feanorian]

Like I said, they needed to upgrade a decade ago. Turn that old P3 into a linux server and buy a new machine FFS. Tax time is here, spend 300 bucks and get a better machine.

Re:Good

[Feanorian]

Then stop using shitty apps?

Wait a second......

[Dega704]

I have seen this exact thing happen dozens of times on Norton, Mcafee, and Trend Micro. Usually the only fix was to uninstall the client. Then Kaspersky does it and it makes the news? DOES NOT COMPUTE.

Re:Wait a second......

At least all this one did was disable internet access and had a relatively simple fix. Analogous situations in other AVs have required booting in safe mode, deleting the update in the AV, updating it to the latest version and then restoring the system file from the quarantine or system restore or repair installation.

Why use Kaspersky or any independent AV software..

..when MS has released MSE for XP.

And suddenly millions of zombieboxes were silenced

That's why the net is so fast today : )

Anti Virus Software

[akbor]

Kaspersky Is a most important antivirus software. that's killed strong virus. Like as, Malware virus, torjan horse virus, win 32 virus. Kaspersky is most reliable and good software. It use handle very easy. http://mastlists.com/

Re:Anti Virus Software

[futhermocker]

Many wishful thank yous my goodest friend. Kaspersky will soon wire money you earn so well by shill being.

Fix is right there on the internet

[Geoffrey.landis]

So, they broke internet access, but it's ok, because you can download the fix from the internet.

That reminds me of the failure of the Russian Phobos-1 mission, which occurred when they sent an (incorrect) command stating, roughly, "point the receiving antenna away from the Earth, and wait for further instructions."

* (greatly simplified)

Business plan

1. Disable internet access for WinXP instead of getting arrested for murder in Belize like the competition.
2. ???
3. PROFIT!!!!

Rollout to 12k PCs...and breaks them....

[bodland]

Some guy bitching on the forum linked above....I guess they didn't bother testing a patch before sending it out....typical windows admin....

Test better

[1s44c]

Kaspersky - I need this probably as much as I need another hole in the head.

Thanks,

Your customer

Not Just Internet Access

[cluedweasel]

It broke Intranet access for us, which caused a few applications not to run. We uninstalled the workstation 6 R2 product and installed Kaspersky Endpoint security instead and that took care of the issue.

Re:Why use Kaspersky or any independent AV softwar

[1s44c]

Because Kaspersky catches a lot more nasties than Microsoft Security Essentials. And I mean a LOT more.

Re:Why use Kaspersky or any independent AV softwar

[mythosaz]

...in corner cases, not against real-world data.

"According to Microsoft, although AV-Test’s results indicated that Microsoft’s antivirus products detected only 72 percent of all “zero-day malware,” Microsoft knows from its telemetry data—from hundreds of millions of systems around the world—that fully 99.997 percent of its customers hit with any zero-day attack did not in fact encounter the malware samples tested in this test (basically a 100 percent success rate in the real world). AV-Test’s sample size was just 100 pieces of malware."

Re:Why use Kaspersky or any independent AV softwar

[whoever57]

Think about what Microsoft is saying here. All MS is saying is that the sample was too small.

What Microsft is saying is that an unknown number of Microsoft customers was hit with some kind of zero-day attack. It doen't equate to a 100% success rate in real life, it says nothing about MSE's success rate in catching zero day attacks. All it says is that the sample size of zero-day attacks was too small for meaningful analysis.

dafdsaf

Who uses XP anyway I have a computer with an XP disc on top of it. It has been sitting there two years. Let the stupid windows fuck bitches cancel internet of XP. Please somebody buy it

And Finally

[Greyfox]

Security has been achieved!

I'm trying and trying...

[rocket+rancher]

...but I really don't see the problem.

This is exactly...

why I keep my AV program two updates behind the current one.

Landesk AV unaffected?

Surprisingly Landesk AV (which uses Kaspersky at it's core) hasn't caused any issues at my workplace which still has a handful of XP machines.

Still uses a boat load of ram though. Yay, antivirus.