Botched Security Update Cripples Thousands of Computers
girlmad writes "Thousands of PCs have been crippled by a faulty update from security vendor Malwarebytes that marked legitimate system files as malware code. The update definition meant Malwarebytes' software treated essential Windows .dll and .exe files as malware, stopping them running and thus knocking IT systems and PCs offline, leaving lots of unhappy users and one firm with 80% of its servers offline."
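The check a practitioner would want before acting on a wave of detections like this one is whether the flagged files are unmodified, Microsoft-signed binaries. The script below is an added illustration, not code from the article or from Malwarebytes. It assumes PowerShell 5.1 or later on Windows 8 / Server 2012 or later (where Get-AuthenticodeSignature also resolves catalog-signed system files), the sample paths are constructed to resemble what an over-eager definition update would list, and the subject-string match for Microsoft's signing certificate is an assumption you should adjust for your own estate.

```powershell
# Added example (not from the article or from Malwarebytes): before quarantining files an
# AV update has flagged, check whether each is an unmodified, Microsoft-signed binary.
# Assumes PowerShell 5.1+ on Windows 8 / Server 2012 or later, where
# Get-AuthenticodeSignature also resolves catalog-signed system files.
function Test-FlaggedFile {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{
            Path    = $Path
            Status  = 'Missing'
            Signer  = $null
            Verdict = 'already removed - restore from install media or backup, or run sfc /scannow'
        }
    }

    $sig     = Get-AuthenticodeSignature -LiteralPath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }

    # 'Valid' means the file hash matches the signature and the chain is trusted. The subject
    # match below is an assumption about Microsoft's signing certificates, not a spec.
    $verdict = if ($sig.Status -eq 'Valid' -and $subject -match 'O=Microsoft Corporation') {
        'Microsoft-signed and unmodified: treat as a likely false positive, do not delete'
    } elseif ($sig.Status -eq 'HashMismatch') {
        'signature does not match contents: file was modified, investigate as a real hit'
    } else {
        "status $($sig.Status): unsigned or untrusted, investigate before acting"
    }

    [pscustomobject]@{ Path = $Path; Status = $sig.Status; Signer = $subject; Verdict = $verdict }
}

# Constructed sample input: paths of the kind a bad definition update would flag.
$flagged = @(
    "$env:SystemRoot\System32\ntoskrnl.exe",
    "$env:SystemRoot\System32\drivers\atapi.sys",
    "$env:SystemRoot\explorer.exe"
)

$flagged | ForEach-Object { Test-FlaggedFile -Path $_ } | Format-Table -AutoSize
```

A Valid Microsoft signature only says the bytes are the ones Microsoft shipped; it is a gate against deleting system files on a definition update's say-so, not proof that the file is benign in context. On older Windows releases many system files are signed only through a catalog and may report NotSigned here, so there confirm with sfc /verifyonly before treating the file as suspect.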
...is all I use these days.
Of course since Windows is "out of favor" here, one does not necessarily mention that Microsoft's "Security Essentials" is easily as good as most commercial Windows anti-malware packages, and much more "light weight". And free. And yes, everyone knows that Microsoft purchased the original technology (so what?) ...
If you want news from today, you have to come back tomorrow.
"I don't understand... it worked fine in the lab."
Just was in the process of downloading a beta client for their new online backup system to fiddle around with on a virtual machine (it is similar to Mozy/Carbonite.)
Always use Genuine Microsoft Products
“He’s not deformed, he’s just drunk!”
For once I'm happy that I'm too lazy to regularly update programs like that.
How many viruses has your antivirus caught recently? How many CPU cycles has the same antivirus burned through as you were opening files on your computer?
Maybe I'm doing something wrong, but I haven't seen a virus in a decade. The majority of successful attacks are based on social engineering and on 0-day exploits of vulnerable code. An antivirus is not such a great help here. But antivirus companies are sitting pretty because the audience is conditioned that any PC must have an antivirus.
Of course, had they been using free software, none of this would have happened.
Why on earth would someone update software like this on production systems, instead of testing it in a lab environment first?
Anyone that knocked 80% of our servers offline by applying this patch would be packaged out the next day.
I wish I was a neutron bomb, for once I could go off...
Maybe I'm doing something wrong, but I haven't seen a virus in a decade.
There is no way to prevent these things from happening. It is just not possible to test them on all the individual versions of a platform. On the protection side, AV only works against older threats, it is basically useless against new ones. There is no replacement for careful users and good software engineering.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Except those are the most common form of malware: https://en.wikipedia.org/wiki/MS_Antivirus_(malware) I'm going to skip over ActiveX and macro viruses or even .asf. In the context of this article, Security Essentials anti-virus software has failed to gain the latest certificate from the AV-TEST institute. http://www.theverge.com/2013/1/17/3885962/microsoft-security-essentials-fails-anti-virus-certification-test
What the hell are you doing running malwarebytes on your servers? Why would you need that software on a server, most of the malware it finds is installed from desktop use.
Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
Microsoft's popular Security Essentials anti-virus software has failed to gain the latest certificate from the AV-TEST institute. http://www.theverge.com/2013/1/17/3885962/microsoft-security-essentials-fails-anti-virus-certification-test "In antimalware testing against a range of products, AV-TEST failed to certify AhnLab V3 Internet Security 8.0, Microsoft Security Essentials 4.1, and PC Tools Internet Security 2012 out of a total of 25 different vendors. Microsoft's own anti-virus software failed to adequately protect against 0-day malware attacks, scoring an average of 71 percent vs. the industry average of 92 percent."
Nobody cares whether it's original; they care if it works.
It identified the malware, disabled it, and everyone gets upset...
no pleasing some people
it really only did average on the zero day stuff, which is not the strong point of essentials. on the known malware it still does very well. the tests by AV-Test really don't provide a good way for the average user to judge products as most are not under attack from zero day malware and viri.
"AV-TEST institute" is well known to require financial investment for a top rating; their recommendations - such as they are - are highly suspect.
The problem is the solutions that may do a bit better catching the 0-day malware are also the ones that are so heavyweight they noticeably affect the performance of your system. There is a tradeoff at some point between resource usage and coverage. One thing MSE definitely has going for it is it doesn't badly degrade performance like McAfee, Norton, recent AVG, etc do.
OTOH it seems every one of those "passing" AV solutions at one time or other have marked a critical Windows file as a virus and made the system unbootable. Now, whether or not you can recover from that or reinstall from scratch is a good question.
MSE fails because it's less strict, probably because you don't want it to quarantine some valuable Windows file that makes it unbootable.
Sure Microsoft could crank up the heuristics and mark more malware, but you risk accidentally tagging a legit file - and the inconvenience of having to restore your system from a backup (if you have one) is extreme
Given UAC means you can't install drivers and such without prompting the user, most malware these days remain usermode to hide themselves. It means they can't install themselves into the kernel nor hide themselves from Task Manager, but for what malware authors need, it's Good Enough. And it means that once a new threat is positively identified, MSE can easily remove it rather than remove it by killing the system.
Plus, you do have to wonder about AV test companies - sponsored by the big guys like McAfee and Symantec. I'm sure there's absolutely no interest in making it appear that their products are better than the rest, especially free ones. Better to pay $50/year than free! And they have to have popups telling you all the work they do, rather than sit quietly in the corner apparently doing nothing.
ObXKCD. How appropriate, as well.
Rhetorical questions: based on the large-surface, high-impact outcome, wouldn't this qualify as a blatant case of cyber-terrorism or cyber-war? Now, where's that nuclear strike from NATO?
(My point: before trying to stop vulnerability exploitation with moronic laws or DMCA-export treaties, wouldn't it pay better to clean your own yard? You know? It may be beneficial no matter whether the "aggressor" is a script-kiddie or North Korea.
But... who am I kidding? Doing this requires some competence and thus would be too expensive.)
Questions raise, answers kill. Raise questions to stay alive.
Nobody cares whether it's original; they care if it works.
But only if it doesn't hose your system in the process. MSE might not be the most watertight security app out there, but it hits a pretty nice sweet spot for "good enough" security as well as "low enough" impact on performance. It's also free, which makes it pretty hard to beat for a client-based malware solution.
False positives.
File under 'M' for 'Manic ranting'
Basically "stop doing stupid things with your computer".
Why a firm needed Malwarebytes on its servers in the first place is the real question here.
I don't use MSE to protect my PC from 0 day exploits. I don't consider my online behavior to be that risky, and so far that assumption has held true. MSE is there mainly for the random drive-by attacks that can still happen. Better 0 day detection also results in more false positives, and this is definitely something I don't want when I'm not even engaging in risky behavior to begin with.
Having worked as a shop tech for years my rule of thumb has been that if it's a single user PC and they are a responsible person MSE is sufficient. If the PC is shared, especially with children, teens, or roommates, you should probably purchase a retail product that is more proactive.
Where can I get ' Microsoft Security Essentials ` for Linux?
AccountKiller
http://www.passmark.com/ftp/antivirus_win8-performance-testing-ed1.pdf
Basically "stop doing stupid things with your computer".
Why a firm needed Malwarebytes on its servers in the first place is the real question here.
I was wondering this exact same thing. IT Manager Fail.
If their results can be bought, Microsoft would have bought them.
failed to gain the latest certificate from the AV-TEST institute
I have a very nice bridge, and it is for sale. For you it has a very nice price. This is a very good deal. You should jump on it right now since it seems you are in a particularly gullible state of mind.
They have a low zero-day detection rate just because they want to avoid false positives like the plague -- a perfectly valid design choice for an anti-virus. There's a price that comes with the 92% industry average. I have never had MSE incorrectly flag anything, which is much better than I can say for other AV packages.
While there are lots of reports of bad updates from the various AV vendors in news articles, does anyone consistently track the history of these bad updates by vendor, date, and ideally impact?
Andrew Yeomans
as most are not under attack from zero day malware and viri.
this is the second comment that claims that average users are not under attack from zero day threats... I cannot understand how you can back that up. Zero day threats would be my biggest concern.
1.) I've been using MS Security Essentials for YEARS without issue and have it running on many machines, also without issue. No, it does not catch EVERYTHING, but nothing does. It does a pretty damn good job for something ad-free and shitware-bundle free. Other than the occasional annoying "OMG YOU HAVEN'T SCANNED ANYTHING!@#!@" orange-flagged monopoly house warning, it is pretty unobtrusive.
2.) All Windows versions prior to 8 could also use Windows Defender in addition, if you want to, but they've been rolled together under the Windows Defender name and are included by default in Windows 8.
3.) Microsoft also has a Malwarebytes-like scanner called Safety Scanner although it auto-expires after 10 days and has to be reinstalled for subsequent use; no idea why.
4.) 0-day exploits by definition would be more or less impossible to defend against, wtf is the problem? I'm no MS fanboy, but the hate here is unwarranted, they're basically risking massive lawsuits against them again for anti-trust by even doing this and frankly it's about fucking time they should have had all of these tools available from its inception.
5.) Malwarebytes has gone from a must-have awesome malware scanner to total shit adware in the typical bait-and-switch style business model of the day which goes something like a.) build something awesome b.) give it away for free c.) change to paid model with your own bundled malware and bullshit once it gets popular d.) crash and burn e.) laugh all the way to the bank.
Where I work uses Sophos; I would say it's far worse (and used more as an attempt at draconian control than really A/V, and does next to nothing for malware, updates fail constantly, etc.), and I've actively advised people to not use McAfee and Norton for a very long time because of all their dumb bullshit problems. Clamwin is still pretty terrible and ridiculously slow, after all these years. I think the only one I've never used at all is Kaspersky, or whatever.
$.02
The clue is in the name.
What I don't get is why companies in this day and age have 80% of their servers running windows when there are cheaper, better performing, safer, and stabler alternatives available. Either these companies have money to burn and are addicted to risk or they are ignorant of the alternatives.
I get that some companies need active directory and exchange but all the 'real' business apps run on some kind of Unix.
One, two, three, four.
I declare a shill war.
Science is all about firing a drunk pig out of a cannon just to see what happens.
Why would they?
1) I don't think making lots of money from AV software is a big part of their business strategy.
2) It'll just get them in bigger trouble from the antitrust brigade.
They're giving away MSE for free already.
Yes there's Forefront or whatever they call it nowadays, but who uses it anyway?
... don't belong on a production server - isn't it *.so obvious the problem here
I think it was intentionally done by either a hacker or a disgruntled employee.
Who up until now was relatively gruntled.
systemd is Roko's Basilisk.
I've been using them for years and I've never had a problem (in fact they've saved my ass on several occasions); it was just one mistake so I think I'm going to keep using them.
Why? They are not selling anything. MSE comes built in to Windows 8 and is a free download for their older systems. It exists to reduce their support costs and make Windows itself more secure, more or less transparently to the user. It doesn't try to scare you with dire warnings about tracking cookies and there is no up-selling or paid version.
MSE isn't competing with anti-virus software so there is no reason to try to game these kinds of tests.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
The best solution for windows is to start it as a fresh VM at each reboot. No problem of malware or virus or performance degradation. I can reboot windows without stopping my work.
The services that servers provide are sometimes vulnerable to infection. Say someone found a way to create a new SQL-based worm, for example. If it is a file server you might also want it to scan said files periodically. Anti-virus for servers is a good idea, although perhaps you were questioning the use of Malware Bytes in particular, in which case I might agree it seems like a somewhat odd choice.
My first and only story on /. was about when this happened before. Last time around, Malwarebytes removed atapi.sys from affected computers, leaving them unable to boot.
I get that some companies need active directory and exchange but all the 'real' business apps run on some kind of Unix.
They don't, unfortunately.
Oh, sure, the "real" business apps aimed at huge businesses - the banks and insurance companies of this world - they might run on Unix (or even OS/400, or whatever IBM are calling it these days). But there aren't very many of those companies - even walking down your high street, you'd be astonished how many well-known huge corporations with a presence in every town are mostly franchises.
And a franchised operation is not, in technology terms, a huge business. It's lots of small, nominally-independent businesses that while they might run the same software (in cases where the franchisor tells them what to run), it consists of lots of small instances that each serve maybe 1-6 branches, not thousands of branches across the whole country. They seldom report back management information in enormous detail; detailed management information is down to the franchisee to figure out for their own benefit. As long as the franchise fees keep coming in, the franchisor seldom cares how the franchisee does it. (This, by the way, is one of the main differentiating factors between franchises. The more well-known ones are very expensive and tell the franchisee precisely what they have to do right down to the shade of tiles used in the lavatories. Mess up, and the franchisor will send someone down to either sort you out or take away your right to the franchise. The less well-known franchises are cheaper and don't go into this level of detail. Mess up, and the franchisor will simply let your business collapse then find someone else to sell the franchise to).
This means there are a lot more small companies than you might think. And many of those small companies historically have got by with a couple of standalone PCs - their "upgrade path" would have been a Windows server running SBS and the next level up version of their accounts package. Which is exactly the same product only the backend database driver has been swapped out from, say, Jet to SQL Server.
Why a firm runs Windows on its servers is the real question here.
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
I think if you know what you're doing AV is a complete waste of time and energy, and over time it just saps your computer's speed and time between re-installs. In 2 decades of computers I have gotten 2 viruses, and both times my AV didn't stop them. So about 4 years ago a trusted friend told me he stopped, and hadn't had problems. I just practice safe computing, which means all files I use are received via my web email service which has built-in AV scanning (gmail), I don't download applications illegally, which is where most viruses come from nowadays, and I do occasionally scan with MalwareBytes, which hasn't found one thing in 4 years.
If you're a "nerd" you really don't need an AV as you know the main attack vectors.
I had one of those heuristic false positives come up with Symantec Endpoint.... from the April Fool's xkcd comic of all things. Turns out that it flagged the font downloaded by the comic as a potential risk using a long patched exploit in the font rendering system.
Tens of millions? Equally relevant news: _two_ rabbits have been run over in our neighbourhood in as many weeks.
"Consensus" in science is _always_ a political construct.
This is what happens when you believe in magic anti virus software rather than practicing good habits around your information security. AV is a sham and causes more harm than good.
OTOH, MSE doesn't constantly annoy, slow your PC to a crawl or constantly ask for credit card details just to keep on running.
Unless you try to install it on an eleventh PC in an organization. Organizations with at least 11 PCs running Windows are expected to buy a Windows Server and then buy Microsoft System Center 2012 Endpoint Protection (formerly Forefront), which appears to cost $1,323 per server per 24-month period plus $22 per client per 24-month period.
If you have at least 11 Windows PCs in your organization, you can't install MSE on more than ten of them. For that, it appears you need to upgrade to a Windows Server running System Center 2012 Endpoint Protection.
I saw this at my shop the other day but unlike morons who put this on the server and hit delete on everything blindly, I thought "WTF" and did not delete them. In fact, you'd have to be pretty stupid to see those results and not think something was a bit suspicious. As for professional active mode, who knows.
Also, what in the hell were they thinking putting software like that on a server? It sucks! It's a cheapo scanner that misses about 75% of malware. Yeah it's fast and popular but it's just awful. Even spy sweeper, ad-aware, and spybot all have better detections despite being way slower and having less user-friendly interfaces. I would never ever ever let crap like that on my servers.
Our CRM, all of our other 3rd party software, Quickbooks, Active Directory, and ASP pages only run on Windows. That's our whole company.
Antivirus is for checking that executables and libraries are free of malicious code. I just cannot possibly fathom why an executable or library could be running on a server if nobody had checked it beforehand.
It's not necessarily that the executable is running on a server. If a server is responsible for proxying the web or storing mail, some users will expect it to have a feature that classifies downloaded or attached files as viruses or not viruses, just as it classifies mail as spam or not spam.
So for a sense of security against unknown threats, you give an autonomous, externally controlled process, that is by design almost impossible to analyse, unfettered administrator access to your entire system.
If a server runs Windows, the operating system itself is "an autonomous, externally controlled process, that is by design almost impossible to analyse," which the server's owner has given "unfettered administrator access to your entire system."
A Linux machine that needs virus scanning is probably a mail server that scans attachments that pass through it. For that, ClamAV is probably sufficient.
Companies do. MSE is for the home user, while the corporate/enterprise version of it is ForeFront.
It's all the same engine however, between the Malicious Software Removal Tool, MSE, what was OneCare, and ForeFront.
All I know is I had fewer issues - there was a point in time when our group had a bunch of people suddenly reporting issues with delayed write failures. One of the things attempted was switching out from Symantec to ForeFront (the company was slowly migrating anyways). It worked for some, didn't work for others.
A few months later, a bunch of people started getting bluescreens daily. But others didn't - it turned out it was Symantec interacting with the disk encryption software. IT narrowed it down to Symantec, and a bunch of us who converted earlier chimed in that we never had issues going to ForeFront.
Malwarebytes have been giving me false positives for years. I have several licenses that I don't actively use because it alerts you to just about every activity as dangerous. It's a good tool for getting rid of malware after infection.
Likely because often times, management makes the software purchasing decisions. Most products pitched to management will be running on Windows. A good IT staffer doesn't necessarily care what it runs on, provided they have the proper knowledge to secure and maintain each platform.
Because, perhaps, they're hosting applications that require Windows?
Never attribute to malice that which is adequately explained by stupidity.
I might have a simplistic view of all this.
I run Linux but have seen nearly every Microsoft product up to Windows 7. I know Linux is hackable, but something really simple has bothered me a great deal about Windows. It is that Microsoft's business partners get to nag you about buying their services, i.e. Norton, even as you boot Windows for the first time, unsolicited, from the Internet. It may not take much imagination or smarts for a hacker to exploit that, and not setting an Administrator password, or asking for information over an unsecured link, only makes things easier for the bad guys. I think you start with a leg down just by booting Windows. It happens to be on many systems I've owned because of the OEM agreement Microsoft extorts from commercial PC-makers, which should be declared illegal under anti-trust law. And from time to time I have to boot a Windows system, but it makes me uneasy, and I try to avoid it, using Wine whenever I can to run Windows apps when I need to.
Well.. they are pretty evil..
Is that because like many a business transaction, there is a conflict of interest between serving the customer and helping yourself into the customer's wallet, going so far as to plant malware to make it look like the system needs repair, expensive repair? I am suspicious of Microsoft having unbundled much of what should be a secure core of an OS to the third parties. It is as if they did only 80% of the job in order to allow for their business partners to charge even more for the extra 20% needed to make Windows a minimally secure system in which many users don't bother, because they aren't forced, to set secure passwords and enact other safeguards. I think many of the security problems in Windows are intentional aspects of its business partnerships.