Botched Security Update Cripples Thousands of Computers
girlmad writes "Thousands of PCs have been crippled by a faulty update from security vendor Malwarebytes that marked legitimate system files as malware code. The update definition meant Malwarebytes' software treated essential Windows .dll and .exe files as malware, stopping them running and thus knocking IT systems and PCs offline, leaving lots of unhappy users and one firm with 80% of its servers offline."
...is all I use these days.
Of course, since Windows is "out of favor" here, one does not necessarily mention that Microsoft's "Security Essentials" is easily as good as most commercial Windows anti-malware packages, and much more "lightweight". And free. And yes, everyone knows that Microsoft purchased the original technology (so what?) ...
If you want news from today, you have to come back tomorrow.
"I don't understand... it worked fine in the lab."
#fuckbeta #iamslashdot #dicemustdie
Just was in the process of downloading a beta client for their new online backup system to fiddle around with on a virtual machine (it is similar to Mozy/Carbonite.)
Always use Genuine Microsoft Products
“He’s not deformed, he’s just drunk!”
For once I'm happy that I'm too lazy to regularly update programs like that.
How many viruses has your antivirus caught recently? How many CPU cycles has the same antivirus burned through as you were opening files on your computer?
Maybe I'm doing something wrong, but I haven't seen a virus in a decade. The majority of successful attacks are based on social engineering and on 0-day exploits of vulnerable code. An antivirus is not such a great help here. But antivirus companies are sitting pretty because the audience is conditioned that any PC must have an antivirus.
for using microsoft servers
Of course, had they been using free software, none of this would have happened.
Why on earth would someone update software like this on production systems, instead of testing it in a lab environment first?
Anyone who knocked 80% of our servers offline by applying this patch would be packaged out the next day.
I wish I was a neutron bomb, for once I could go off...
> Maybe I'm doing something wrong, but I haven't seen a virus in a decade.
There is no way to prevent these things from happening. It is just not possible to test them on all the individual versions of a platform. On the protection side, AV only works against older threats, it is basically useless against new ones. There is no replacement for careful users and good software engineering.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
So glad I use Linux.
Except those are the most common form of malware https://en.wikipedia.org/wiki/MS_Antivirus_(malware) I'm going to skip over ActiveX and macro viruses or even .asf. In the context of this article, Security Essentials anti-virus software has failed to gain the latest certificate from the AV-TEST institute. http://www.theverge.com/2013/1/17/3885962/microsoft-security-essentials-fails-anti-virus-certification-test
What the hell are you doing running malwarebytes on your servers? Why would you need that software on a server, most of the malware it finds is installed from desktop use.
Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
Microsoft's popular Security Essentials anti-virus software has failed to gain the latest certificate from the AV-TEST institute. http://www.theverge.com/2013/1/17/3885962/microsoft-security-essentials-fails-anti-virus-certification-test "In antimalware testing against a range of products, AV-TEST failed to certify AhnLab V3 Internet Security 8.0, Microsoft Security Essentials 4.1, and PC Tools Internet Security 2012 out of a total of 25 different vendors. Microsoft's own anti-virus software failed to adequately protect against 0-day malware attacks, scoring an average of 71 percent vs. the industry average of 92 percent."
Nobody cares whether it's original; they care if it works.
It identified the malware, disabled it, and everyone gets upset...
no pleasing some people
It really only did average on the zero day stuff, which is not the strong point of Essentials. On the known malware it still does very well. The tests by AV-Test really don't provide a good way for the average user to judge products, as most are not under attack from zero day malware and viri.
"AV-TEST institute" is well known to require financial investment for a top rating; their recommendations, such as they are, are highly suspect.
The problem is the solutions that may do a bit better catching the 0-day malware are also the ones that are so heavyweight they noticeably affect the performance of your system. There is a tradeoff at some point between resource usage and coverage. One thing MSE definitely has going for it is it doesn't badly degrade performance like McAfee, Norton, recent AVG, etc do.
OTOH, it seems every one of those "passing" AV solutions has at one time or other marked a critical Windows file as a virus and made the system unbootable. Now, whether or not you can recover from that or reinstall from scratch is a good question.
MSE fails because it's less strict, probably because you don't want it to quarantine some valuable Windows file that makes it unbootable.
Sure, Microsoft could crank up the heuristics and mark more malware, but you risk accidentally tagging a legit file, and the inconvenience of having to restore your system from a backup (if you have one) is extreme.
Given UAC means you can't install drivers and such without prompting the user, most malware these days remains in usermode to hide itself. It means it can't install itself into the kernel nor hide itself from Task Manager, but for what malware authors need, it's Good Enough. And it means that once a new threat is positively identified, MSE can easily remove it rather than remove it by killing the system.
Plus, you do have to wonder about AV test companies - sponsored by the big guys like McAfee and Symantec. I'm sure there's absolutely no interest in making it appear that their products are better than the rest, especially free ones. Better to pay $50/year than free! And they have to have popups telling you all the work they do, rather than sit quietly in the corner apparently doing nothing.
ObXKCD. How appropriate, as well.
Did this vendor NOT test the update on a spare Windows machine before releasing it?
Rhetorical questions: based on the large-surface high-impact outcome, wouldn't this qualify as a blatant case of cyber-terrorism or cyber-war? Now, where's that nuclear strike from NATO?
(my point: before trying to stop vulnerability exploitation by moronic laws or DMCA-export treaties, wouldn't it pay better to clean your own yard? You know? It may be beneficial no matter whether the "aggressor" is a script-kiddie or North Korea.
But... who am I kidding? Doing this requires some competence and thus would be too expensive)
Questions raise, answers kill. Raise questions to stay alive.
I think personal AV software is much of a waste. People with computer literacy know how to avoid problems, and the people without will manage to wreck their Windows installation and get themselves suckered whether they have AV or not.
The ratio of real disasters avoided to the amount of time, electrical energy and computer resources consumed by your AV software must be dismal even for computer novices.
It works fine; the Zero Day threats are the least important for an AV product, and none are ever a guarantee against zero day. The important metric is how it does against known malware, on which it scores 99% in the latest tests (or equal to pretty much all the leaders, but without the shit that all the other products place on your system).
> Nobody cares whether it's original; they care if it works.
But only if it doesn't hose your system in the process. MSE might not be the most watertight security app out there, but it hits a pretty nice sweet spot for "good enough" security as well as "low enough" impact on performance. It's also free, which makes it pretty hard to beat for a client-based malware solution.
False positives.
File under 'M' for 'Manic ranting'
Basically "stop doing stupid things with your computer".
Why a firm needed Malware Bytes on its servers in the first place is the real question here.
All you need to know about dealing with viruses is in the subject. OK, I might add "use an ad blocker", so maybe I can't fit that in a Slashdot subject. Maybe a tweet would also have enough room to add "don't punch the monkey".
Everything else is social engineering, IMHO and would work on any system. If you're stupid enough to follow a link in an e-mail and enter your bank credentials, no software can save you. What we really need to do is prevent regulated institutions from putting links in e-mails and to make it widely known that real banks never put links in there. They would just tell you to visit their site, with no link.
Of course that's not going to prevent them from telling you to visit their "new URL". Nothing is fool proof...
I don't use MSE to protect my PC from 0 day exploits. I don't consider my online behavior to be that risky, and so far that assumption has held true. MSE is there mainly for the random drive-by attacks that can still happen. Better 0 day detection also results in more false positives, and this is definitely something I don't want when I'm not even engaging in risky behavior to begin with.
Having worked as a shop tech for years my rule of thumb has been that if it's a single user PC and they are a responsible person MSE is sufficient. If the PC is shared, especially with children, teens, or roommates, you should probably purchase a retail product that is more proactive.
> Microsoft's popular Security Essentials anti-virus software has failed to gain the latest certificate from the AV-TEST institute.
Because their test is predominantly zero-day malware, the kind of stuff most people don't get, so it's pointless having a bloated, heavyweight system doing analysis, which is why the effort on MSE isn't in heuristics.
> Nobody cares whether it's original; they care if it works.
And for 99% of people it does.
Where can I get "Microsoft Security Essentials" for Linux?
AccountKiller
http://www.passmark.com/ftp/antivirus_win8-performance-testing-ed1.pdf
I have an odd problem with Malwarebytes; I won't use their products.
If I question a file I'll Google it. Many times the results are Malwarebytes forum discussions. Not a one of them has helped me out in any way. They start as some poor soul who's looking for help and a quick fix; the moderators have them run program after program to post the results of each before being given yet another to run.
I can't remember ever seeing a positive result, as two or three days into this the poster (OP) quits the thread. I've seen some people last quite a while, as the list of programs requested of them to run is seemingly endless.
The hits I get for a Malwarebytes Google query are of the file in question being in one of the outputs produced (no help).
The only time I've ever used a help desk (or asked for assistance) was over a Robotics 14.4 HST/DS modem, but those who do expect fairly quick results, I would think.
> Basically "stop doing stupid things with your computer".
> Why a firm needed Malware Bytes on its servers in the first place is the real question here.
I was wondering this exact same thing. IT Manager Fail.
If their results can be bought, Microsoft would have bought them.
> failed to gain the latest certificate from the AV-TEST institute
I have a very nice bridge, and it is for sale. For you it has a very nice price. This is a very good deal. You should jump on it right now since it seems you are in a particularly gullible state of mind.
They have a low zero-day detection rate just because they want to avoid false positives like the plague -- a perfectly valid design choice for an anti-virus. There's a price that comes with the 92% industry average. I have never had MSE incorrectly flag anything, which is much better than I can say for other AV packages.
While there are lots of reports of bad updates from the various AV vendors in news articles, does anyone consistently track the history of these bad updates by vendor, date, and ideally impact?
Andrew Yeomans
> as most are not under attack from zero day malware and viri.
This is the second comment that claims that average users are not under attack from zero day threats... I cannot understand how you can back that up. Zero day threats would be my biggest concern.
1.) I've been using MS Security Essentials for YEARS without issue and have it running on many machines also without issue. No, it does not catch EVERYTHING, but nothing does. It does a pretty damn good job for something ad-free, shitware-bundle free. Other than the occasional annoying "OMG YOU HAVEN'T SCANNED ANYTHING!@#!@" orange flagged monopoly house warning, it is pretty unobtrusive.
2.) All Windows versions prior to 8 could also use Windows Defender in addition, if you want to, but they've been rolled together under the Windows Defender name and are included by default in Windows 8.
3.) Microsoft also has a Malwarebytes-like scanner called Safety Scanner although it auto-expires after 10 days and has to be reinstalled for subsequent use; no idea why.
4.) 0-day exploits by definition would be more or less impossible to defend against, wtf is the problem? I'm no MS fanboy, but the hate here is unwarranted, they're basically risking massive lawsuits against them again for anti-trust by even doing this and frankly it's about fucking time they should have had all of these tools available from its inception.
5.) Malwarebytes has gone from a must-have awesome malware scanner to total shit adware in the typical bait-and-switch style business model of the day which goes something like a.) build something awesome b.) give it away for free c.) change to paid model with your own bundled malware and bullshit once it gets popular d.) crash and burn e.) laugh all the way to the bank.
Where I work, they use Sophos; I would say it's far worse (and used more as an attempt at draconian control than really A/V, and does next to nothing for malware, updates fail constantly, etc), and I've actively advised people not to use McAfee and Norton for a very long time because of all their dumb bullshit problems. Clamwin is still pretty terrible and ridiculously slow, after all these years. I think the only one I've never used at all is Kaspersky, or whatever.
$.02
What I don't understand is this. There is a company with 80% of its servers down. But why would anyone install anti-malware software on a server? You don't browse the internet on a server, do you? I'd get it if you had disabled workstations, but servers?
The clue is in the name.
I mean seriously...who makes this kind of mistake? Including system files in a definition update?? Right. I think it was intentionally done by either a hacker or a disgruntled employee.
One, two, three, four.
I declare a shill war.
Science is all about firing a drunk pig out of a cannon just to see what happens.
Why would they?
1) I don't think making lots of money from AV software is a big part of their business strategy.
2) It'll just get them in bigger trouble from the antitrust brigade.
They're giving away MSE for free already.
Yes there's Forefront or whatever they call it nowadays, but who uses it anyway?
... don't belong on a production server - isn't it *.so obvious the problem here
They deserved to be kicked offline; you don't run Windows in the server room. As for the other uses, anyone whose computer is overseen by IT had better not be using a third party solution, because they can run through firewalls and filters, and for the home user that just really sucks!
Then that would make you not an average user, yes?
Even the best AV products don't protect well against Zero Day. AV-Test has a very small sample of test Zero Days, which lets some products look OK. Most AV products are updated daily, and realistically you are far more likely to get hit by something common. As for Zero Day stuff, you are a moron if you rely on ANY AV product as your source of protection.
I've been using them for years and I've never had a problem (in fact they've saved my ass on several occasions); it was just one mistake so I think I'm going to keep using them.
Why? They are not selling anything. MSE comes built in to Windows 8 and is a free download for their older systems. It exists to reduce their support costs and make Windows itself more secure, more or less transparently to the user. It doesn't try to scare you with dire warnings about tracking cookies and there is no up-selling or paid version.
MSE isn't competing with anti-virus software so there is no reason to try to game these kinds of tests.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
The best solution for windows is to start it as a fresh VM at each reboot. No problem of malware or virus or performance degradation. I can reboot windows without stopping my work.
The services that servers provide are sometimes vulnerable to infection. Say someone found a way to create a new SQL-based worm, for example. If it is a file server you might also want it to scan said files periodically. Anti-virus for servers is a good idea, although perhaps you were questioning the use of Malware Bytes in particular, in which case I might agree it seems like a somewhat odd choice.
actually pays for the product as its license terms require?
My first and only story on /. was about when this happened before. Last time around, Malwarebytes removed atapi.sys from affected computers, leaving them unable to boot.
> Why a firm needed Malware Bytes on its servers in the first place is the real question here.
If they're Windows servers, they're vulnerable to the same infections as a desktop. Email server, filestorage, or Active Directory (and more, I'd bet) put the machine at risk the same as any other on the network.
Why a firm runs Windows on its servers is the real question here.
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
Typically due to the skills their staff have (limited to Windows, and typically the desktop product) and the knowledge of management (yeah, let's hire people who only know Windows).
I think if you know what you're doing, AV is a complete waste of time and energy, and over time it just saps your computer's speed and time between re-installs. In two decades of computers I have gotten 2 viruses, and both times my AV didn't stop them. So about 4 years ago a trusted friend told me he stopped, and hadn't had problems. I just practice safe computing, which means all files I use are received via my web email service, which has built-in AV scanning (gmail); I don't download applications illegally, which is where most viruses come from nowadays; and I do occasionally scan with MalwareBytes, which hasn't found one thing in 4 years.
If you're a "nerd" you really don't need an AV as you know the main attack vectors.
The infection vector for 99%+ of viri and malware is the user. Properly managed servers have very little risk of malware infection and most definitely are not as vulnerable to infection as your average desktop. After all, only a moron would be running a browser or instant messenger platform, PDF reader, Flash, etc. on a server, and these are what cause the majority of infections.
Antivirus: catching bad malware as well as predicting the weather.
I had one of those heuristic false positives come up with Symantec Endpoint.... from the April Fool's xkcd comic of all things. Turns out that it flagged the font downloaded by the comic as a potential risk using a long patched exploit in the font rendering system.
What versions of Windows has this been confirmed to affect?
Just ran this on a Windows XP Pro machine this week and no damage. About to test on Windows 7 x64 Enterprise.
Tens of millions? Equally relevant news: _two_ rabbits have been run over in our neighbourhood in as many weeks.
"Consensus" in science is _always_ a political construct.
MSE for corporate customers is Forefront. So yes, there is a "pay version"; it's just reserved for business use.
...the rest used Linux, I wonder? If their management shout loud enough in a year 100% will run Linux
This is what happens when you believe in magic anti virus software rather than practicing good habits around your information security. AV is a sham and causes more harm than good.
OTOH, MSE doesn't constantly annoy, slow your PC to a crawl or constantly ask for credit card details just to keep on running.
Unless you try to install it on an eleventh PC in an organization. Organizations with at least 11 PCs running Windows are expected to buy a Windows Server and then buy Microsoft System Center 2012 Endpoint Protection (formerly Forefront), which appears to cost $1,323 per server per 24-month period plus $22 per client per 24-month period.
I know I do all my casual web browsing on production servers.
If you have at least 11 Windows PCs in your organization, you can't install MSE on more than ten of them. For that, it appears you need to upgrade to a Windows Server running System Center 2012 Endpoint Protection.
I saw this at my shop the other day but unlike morons who put this on the server and hit delete on everything blindly, I thought "WTF" and did not delete them. In fact, you'd have to be pretty stupid to see those results and not think something was a bit suspicious. As for professional active mode, who knows.
Also, what in the hell were they thinking putting software like that on a server? It sucks! It's a cheapo scanner that misses about 75% of malware. Yeah it's fast and popular but it's just awful. Even spy sweeper, ad-aware, and spybot all have better detections despite being way slower and having less user-friendly interfaces. I would never ever ever let crap like that on my servers.
Antivirus is for checking that executables and libraries are free of malicious code. I just cannot possibly fathom why an executable or library could be running on a server if nobody had checked it beforehand.
It's not necessarily that the executable is running on a server. If a server is responsible for proxying the web or storing mail, some users will expect it to have a feature that classifies downloaded or attached files as viruses or not viruses, just as it classifies mail as spam or not spam.
So for a sense of security against unknown threats, you give an autonomous, externally controlled process, that is by design almost impossible to analyse, unfettered administrator access to your entire system.
If a server runs Windows, the operating system itself is "an autonomous, externally controlled process, that is by design almost impossible to analyse," which the server's owner has given "unfettered administrator access to your entire system."
A Linux machine that needs virus scanning is probably a mail server that scans attachments that pass through it. For that, ClamAV is probably sufficient.
Companies do. MSE is for the home user, while the corporate/enterprise version of it is ForeFront.
It's all the same engine however, between the Malicious Software Removal Tool, MSE, what was OneCare, and ForeFront.
All I know is I had fewer issues. There was a point in time when our group had a bunch of people suddenly reporting issues with delayed write failures. One of the things attempted was switching out from Symantec to ForeFront (the company was slowly migrating anyways). It worked for some, didn't work for others.
A few months later, a bunch of people started getting bluescreens daily. But others didn't; it turned out it was Symantec interacting with the disk encryption software. IT narrowed it down to Symantec, and a bunch of us who converted earlier chimed in that we never had issues going to ForeFront.
And it is priced very competitively. Lots of industries need to check the "enterprise-wide AV scan" box and their product is pretty similar to all the others in that regard.
> If their results can be bought, Microsoft would have bought them.
Come on, mods. I know it's popular to bash M$ on here, but +4 Insightful for this? I'm out of mod points, otherwise this nonsense would be "Troll".
Well.. they are pretty evil..
Malwarebytes have been giving me false positives for years. I have several licenses that I don't actively use because it alerts you to just about every activity as dangerous. It's a good tool for getting rid of malware after infection.
Likely because often times, management makes the software purchasing decisions. Most products pitched to management will be running on Windows. A good IT staffer doesn't necessarily care what it runs on, provided they have the proper knowledge to secure and maintain each platform.
I've always thought that Windows was Malware. Glad to see the industry catching up.
Because, perhaps, they're hosting applications that require Windows?
It will be interesting to see how they deal with this.
A similar thing happened to Sophos not long ago, where an update made it think anything that did on-line updating was malware and blocked/erased it.
This included its own updater, which made recovery very difficult. You couldn't even repair/remove the program manually because the MSI system would freak out for some reason.
As soon as I went to their homepage, there was a large link to their fix KB page which had an analysis and basic instructions on how to fix it.
The next day, fully automated scripts, and then network-wide fix instructions for use with Group Policy and then executable, all the while refining the fix to require as little effort to use as possible.
I was very impressed, as I was expecting to have to figure out the problem and fixes myself, which has traditionally been par for the course for companies like Norton, AVG, McAfee etc.
So far, I haven't been as impressed by Malwarebytes. Their front page is just the same bland page and it is not obvious where to go to get any kind of help with this. The normal business and consumer support links still try to direct you through normal channels, and there isn't a banner on the forum or anything.
Without going into every subforum, it isn't immediately obvious where to go for help on fixing the problem.
I found the restore tool easiest via the blog.
I might have a simplistic view of all this.
I run Linux but have seen nearly every Microsoft product up to Windows 7. I know Linux is hackable, but something really simple has bothered me a great deal about Windows. It is that Microsoft's business partners get to nag you about buying their services, i.e. Norton, even as you boot Windows for the first time, unsolicited, from the Internet. It may not take much imagination or smarts for a hacker to exploit that, and not setting an Administrator password, or asking for information over an unsecured link, only makes things easier for the bad guys. I think you start with a leg down just by booting Windows. It happens to be on many systems I've owned because of the OEM agreement Microsoft extorts from commercial PC-makers, which should be declared illegal under anti-trust law. And from time to time I have to boot a Windows system, but it makes me uneasy, and I try to avoid it, using Wine whenever I can to run Windows apps when I need to.
Give me one good reason why I SHOULDN'T run it on a server?
Why does MS pay money to prop up their HTML compatibility for IE?
Why does MS do anything? They likely don't know.