Botched Security Update Cripples Thousands of Computers
girlmad writes "Thousands of PCs have been crippled by a faulty update from security vendor Malwarebytes that marked legitimate system files as malware code. The update definition meant Malwarebytes' software treated essential Windows .dll and .exe files as malware, stopping them running and thus knocking IT systems and PCs offline, leaving lots of unhappy users and one firm with 80% of its servers offline."
...is all I use these days.
Of course since Windows is "out of favor" here, one does not necessarily mention that Microsoft's "Security Essentials" is easily as good as most commercial Windows anti-malware packages, and much more "lightweight". And free. And yes, everyone knows that Microsoft purchased the original technology (so what?) ...
If you want news from today, you have to come back tomorrow.
"I don't understand... it worked fine in the lab."
#fuckbeta #iamslashdot #dicemustdie
Always use Genuine Microsoft Products
“He’s not deformed, he’s just drunk!”
For once I'm happy that I'm too lazy to regularly update programs like that.
How many viruses has your antivirus caught recently? How many CPU cycles has the same antivirus burned through as you were opening files on your computer?
Maybe I'm doing something wrong, but I haven't seen a virus in a decade. The majority of successful attacks are based on social engineering and on 0-day exploits of vulnerable code. An antivirus is not such a great help here. But antivirus companies are sitting pretty because the audience is conditioned that any PC must have an antivirus.
Why on earth would someone update software like this on production systems, instead of testing it in a lab environment first?
Anyone that knocked 80% of our servers offline by applying this patch would be packaged out the next day.
I wish I was a neutron bomb, for once I could go off...
Maybe I'm doing something wrong, but I haven't seen a virus in a decade.
What the hell are you doing running Malwarebytes on your servers? Why would you need that software on a server? Most of the malware it finds is installed from desktop use.
Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
Microsoft's popular Security Essentials anti-virus software has failed to gain the latest certificate from the AV-TEST institute. http://www.theverge.com/2013/1/17/3885962/microsoft-security-essentials-fails-anti-virus-certification-test "In antimalware testing against a range of products, AV-TEST failed to certify AhnLab V3 Internet Security 8.0, Microsoft Security Essentials 4.1, and PC Tools Internet Security 2012 out of a total of 25 different vendors. Microsoft's own anti-virus software failed to adequately protect against 0-day malware attacks, scoring an average of 71 percent vs. the industry average of 92 percent."
Nobody cares whether it's original; they care if it works.
It identified the malware, disabled it, and everyone gets upset...
no pleasing some people
"AV-TEST institute" is well known to require financial investment for a top rating; their recommendations - such as they are - are highly suspect.
The problem is the solutions that may do a bit better catching the 0-day malware are also the ones that are so heavyweight they noticeably affect the performance of your system. There is a tradeoff at some point between resource usage and coverage. One thing MSE definitely has going for it is it doesn't badly degrade performance like McAfee, Norton, recent AVG, etc do.
OTOH it seems every one of those "passing" AV solutions at one time or other has marked a critical Windows file as a virus and made the system unbootable. Now, whether or not you can recover from that or have to reinstall from scratch is a good question.
MSE fails because it's less strict, probably because you don't want it to quarantine some valuable Windows file that makes it unbootable.
Sure Microsoft could crank up the heuristics and mark more malware, but you risk accidentally tagging a legit file - and the inconvenience of having to restore your system from a backup (if you have one) is extreme.
Given UAC means you can't install drivers and such without prompting the user, most malware these days remain usermode to hide themselves. It means they can't install themselves into the kernel nor hide themselves from Task Manager, but for what malware authors need, it's Good Enough. And it means that once a new threat is positively identified, MSE can easily remove it rather than remove it by killing the system.
Plus, you do have to wonder about AV test companies - sponsored by the big guys like McAfee and Symantec. I'm sure there's absolutely no interest in making it appear that their products are better than the rest, especially free ones. Better to pay $50/year than free! And they have to have popups telling you all the work they do, rather than sit quietly in the corner apparently doing nothing.
ObXKCD. How appropriate, as well.
Sure there is. Kaspersky Anti-Virus Security Center has an Update Verification module built in that allows a sysadmin to install the update to a known-clean test group and then run a virus scan BEFORE the update is applied to the rest of the machines. If the scan fails (i.e., finds anything), the update is aborted and an email is sent to the admin. If Malwarebytes had that kind of thing (or if it did and the sysadmins actually used it), this wouldn't even be an issue.
I don't need to test my programs.. I have an error correcting modem.
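The staged check described in the comment above, written here as an added Python example (constructed for this page, not Kaspersky's Update Verification module or Malwarebytes' tooling). It gates a definition update on a known-clean canary set, as the comment describes, and also adds a positive control the comment does not mention so that an update which detects nothing is rejected too; the rules, file bytes and paths are all constructed placeholders.

```python
"""Canary check for an AV definition update: an added example of the procedure
the comment above describes, constructed here and not Kaspersky's Update
Verification module or Malwarebytes' tooling. Assumptions: a definition is a
(name, byte pattern) rule matched by substring; the canary files were captured
while known-clean; a known-bad sample serves as a positive control so an
update that detects nothing is rejected too."""
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    pattern: bytes  # raw bytes the scanner looks for

def scan(rules, files):
    """Return (path, rule name) for every file matched by any rule."""
    return [(path, r.name) for path, data in files.items()
            for r in rules if r.pattern in data]

def verify_update(rules, clean_files, bad_sample):
    """Gate a definition update before wider rollout.

    Returns (approved, reasons). Abort on any hit in the known-clean canary
    set (the false-positive failure in the story) or a missed positive control.
    """
    reasons = [f"false positive: {rule} flagged {path}"
               for path, rule in scan(rules, clean_files)]
    if not scan(rules, {"positive-control": bad_sample}):
        reasons.append("positive control not detected")
    return (not reasons), reasons

# Constructed sample data (placeholder bytes, not real file contents).
CANARY = {
    r"C:\Windows\System32\kernel32.dll": b"MZ\x90\x00PE\x00\x00...kernel32...",
    r"C:\Windows\System32\atapi.sys": b"MZ\x90\x00PE\x00\x00...atapi...",
}
BAD_SAMPLE = b"MZ\x90\x00PE\x00\x00EVILPAYLOAD"
GOOD_UPDATE = [Rule("Trojan.Dropper", b"EVILPAYLOAD")]
BAD_UPDATE = GOOD_UPDATE + [Rule("Overbroad.Rule", b"PE\x00\x00")]  # hits every PE
USELESS_UPDATE = [Rule("Stale.Sig", b"NOTPRESENT")]

if __name__ == "__main__":
    for label, upd in (("good", GOOD_UPDATE), ("bad", BAD_UPDATE), ("useless", USELESS_UPDATE)):
        ok, why = verify_update(upd, CANARY, BAD_SAMPLE)
        print(f"{label}: {'approved' if ok else 'ABORTED'} {why}")
```

In a real deployment the canary set would be hashes or bytes of the protected system files captured from a clean reference machine, and "abort" would stop the distribution job and alert the admin rather than just print.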
Basically "stop doing stupid things with your computer".
Why a firm needed Malwarebytes on its servers in the first place is the real question here.
I don't use MSE to protect my PC from 0 day exploits. I don't consider my online behavior to be that risky, and so far that assumption has held true. MSE is there mainly for the random drive-by attacks that can still happen. Better 0 day detection also results in more false positives, and this is definitely something I don't want when I'm not even engaging in risky behavior to begin with.
Having worked as a shop tech for years my rule of thumb has been that if it's a single user PC and they are a responsible person MSE is sufficient. If the PC is shared, especially with children, teens, or roommates, you should probably purchase a retail product that is more proactive.
http://www.passmark.com/ftp/antivirus_win8-performance-testing-ed1.pdf
If their results can be bought, Microsoft would have bought them.
1.) I've been using MS Security Essentials for YEARS without issue and have it running on many machines also without issue. No, it does not catch EVERYTHING; but nothing does. It does a pretty damn good job for something ad-free, shitware-bundle free. Other than the occasional annoying "OMG YOU HAVEN'T SCANNED ANYTHING!@#!@ orange flagged monopoly house ! warning, it is pretty unobtrusive.
2.) All Windows versions prior to 8 could also use Windows Defender in addition, if you want to, but they've been rolled together under the Windows Defender name and are included by default in Windows 8.
3.) Microsoft also has a Malwarebytes-like scanner called Safety Scanner although it auto-expires after 10 days and has to be reinstalled for subsequent use; no idea why.
4.) 0-day exploits by definition would be more or less impossible to defend against, wtf is the problem? I'm no MS fanboy, but the hate here is unwarranted, they're basically risking massive lawsuits against them again for anti-trust by even doing this and frankly it's about fucking time they should have had all of these tools available from its inception.
5.) Malwarebytes has gone from a must-have awesome malware scanner to total shit adware in the typical bait-and-switch style business model of the day which goes something like a.) build something awesome b.) give it away for free c.) change to paid model with your own bundled malware and bullshit once it gets popular d.) crash and burn e.) laugh all the way to the bank.
Where I work uses Sophos. I would say it's far worse (and used more as an attempt at draconian control than really A/V, and does next to nothing for malware, updates fail constantly, etc), and I've actively advised people to not use McAfee and Norton for a very long time because of all their dumb bullshit problems. Clamwin is still pretty terrible and ridiculously slow, after all these years. I think the only one I've never used at all is Kaspersky, or whatever.
$.02
The clue is in the name.
Why? They are not selling anything. MSE comes built in to Windows 8 and is a free download for their older systems. It exists to reduce their support costs and make Windows itself more secure, more or less transparently to the user. It doesn't try to scare you with dire warnings about tracking cookies and there is no up-selling or paid version.
MSE isn't competing with anti-virus software so there is no reason to try to game these kinds of tests.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
My first and only story on /. was about when this happened before. Last time around, Malwarebytes removed atapi.sys from affected computers, leaving them unable to boot.
A Linux machine that needs virus scanning is probably a mail server that scans attachments that pass through it. For that, ClamAV is probably sufficient.
Companies do. MSE is for the home user, while the corporate/enterprise version of it is ForeFront.
It's all the same engine however, between the Malicious Software Removal Tool, MSE, what was OneCare, and ForeFront.
All I know is I had fewer issues - there was a point in time when our group had a bunch of people suddenly reporting issues with delayed write failures. One of the things attempted was switching out from Symantec to ForeFront (the company was slowly migrating anyways). It worked for some, didn't work for others.
A few months later, a bunch of people started getting bluescreens daily. But others didn't - it turned out it was Symantec interacting with the disk encryption software. IT narrowed it down to Symantec, and a bunch of us who converted earlier chimed in that we never had issues going to ForeFront.