Avira Antivirus update cripples millions of Windows PCs


tezza

Avira has sent out a defective antivirus update that is causing paid versions of its product to block critical Windows processes and third-party software, effectively rendering millions of PCs unusable.

German security company Avira is experiencing serious technical difficulties. A defective antivirus update that has been downloaded millions of times is bringing Windows XP, Windows Vista, and Windows 7 computers to a screeching halt across the world, according to user reports (1, 2).

The update bumps the software version to 8.2.10.64 and the definitions file to 7.11.30.24. The result is that the AntiVirProActiv component starts detecting critical processes as malware, including the following:

  • \windows\system32\dllhost.exe
  • \windows\system32\explorer.exe
  • \windows\system32\iexplorer.exe
  • \windows\system32\notepad.exe
  • \windows\system32\regedit.exe
  • \windows\system32\rundll32.exe
  • \windows\system32\taskeng.exe
  • \windows\system32\wuauclt.exe

Those are just some of the falsely detected Windows processes. Avira sometimes kills them and stops Windows from booting, but that’s not the end of it.

The update is also blocking other Microsoft software (such as Microsoft Office and Microsoft Works) as well as various third-party applications, including Byki 4 Express, Documents To Go, Garmin, Google Talk, iPod and Palm services, Opera, OpenDNS Updater, Polipo, Shadow, Stickies, and many others. In other words, almost every executable file is being falsely detected by this update.

The good news is that the free edition (Avira AntiVir Personal) does not include ProActiv, so it is not affected. The bad news is that the paid consumer editions (Avira Antivirus Premium and Avira Internet Security) as well as business editions (Avira Small Business Security Suite, Avira Endpoint Security, and Avira Professional Security) do have it, and thus are affected.

The malformed update is a PR disaster. An Avira user who goes by the name of AaronH posted the following complaint:

Our enterprise uses Avira’s Business Bundle extensively. We have 100 centrally managed users at this site alone, and a dozen users we support on the road.

This update has been pretty catastrophic. The whole company ground to a standstill.

Upon arriving at work this morning, users were greeted with an Avira update prompting them to restart their machines. Most users did so.

Unfortunately, upon reboot, most users could not log in, as Pro-Activ was blocking the login process. Some users managed to log in, but they could not open Outlook, Excel, or any other apps, due to them being blocked by Pro-Activ.

We quickly informed all users not to reboot, but most had done so already, or ignored our advisory.

After checking this forum and finding the cause of the problem (while waiting on hold with business support), we pushed out a configuration update to disable Pro-Activ. Upon rebooting, on-site users could then log in.

However, the off-site users received the update, but are now unable to connect to the VPN to receive the centrally-deployed configuration update. Trying to support a dozen off-site users who cannot even start their computers is not much fun, that’s for sure.

I’ve been a big proponent of Avira within our company, but I think that may change when it comes time to renew our license in a few months.

An Avira forum moderator who goes by the name of marfabilis posted this solution:

Avira is analyzing and discussing these suspicious behaviour detections with high priority.

Meanwhile, you should see in the Realtime Protection report file the processes blocked by Avira ProActiv (go to Avira Control Center > PC protection > Realtime Protection > click on Display Report file). Then, follow this workaround.

  • Right-click on your Avira systray icon and choose Configure Avira Antivirus Premium 2012 or Avira Internet Security 2012
  • Enable Expert Mode
  • Go to PC Protection > Realtime Protection > ProActiv > Application Filter > Allowed
  • Type each path (from Realtime Protection report file) in the empty field and click Add >>
  • Click on Apply > OK

Given that some users are seeing this update block almost every single executable it can find, this is a terrible workaround. As such, the moderator offered up an alternative: “Avira is analyzing and discussing these suspicious behaviour detections with high priority. If the situation is too complicated to deal with, then you can disable Avira ProActiv while a final solution is not provided.”

If you can manage to boot into Windows (try Safe Mode), here are the instructions for disabling ProActiv:

  • Bring up the Task Manager. Hit CTRL + SHIFT + ESC, right-click on the task bar and choose “Start Task Manager,” or hit CTRL + ALT + DEL and click on “Start Task Manager.”
  • Click on File, then “New task (Run…),” type “c:\program files\avira\antivir desktop\avconfig.exe” or equivalent, and then click OK. This will open the Avira Antivirus configuration window.
  • Click on the Expert mode switch at top left.
  • Click Realtime Protection on the left panel and then on Proactiv. Untick the check box for “Enable Proactiv” on the right. Click Apply.
  • Restart your computer.

Again, this is not a final solution. Avira has released an update that reportedly fixes the issue, but users are still having problems. The moderator says the update fixed the issue for him, but not everyone in the threads agrees.

This is likely because those who now have crippled computers are finding it difficult to update Avira’s antivirus software. Remember, some people can’t even boot their Windows PCs. I would recommend trying to get into Safe Mode, disabling ProActiv, rebooting Windows, updating the antivirus, and re-enabling ProActiv.

http://www.zdnet.com...ndows-pcs/12129

Ambrocious

What if all of those processes are actually hijacked by super secret malware by default, no computer is left uninfected, no other anti malware has yet to be able to detect this kind of infection, and Avira is the first to catch onto it!

Or maybe Avira just sucks...



In the near past some other AV product did this also. Even they make some mistakes. I still use Avira :)



Everyone makes mistakes. Not to worry though. The only harm this will really do is to the company. The product will still remain the same, be it good or bad.

I am very glad not to be running it, though. XDD



my inconsistent internet access has been a blessing in disguise

woohoo! avoided trouble



Well, I installed it to a VM. Turns out, it disabled the cloak on these processes. They were apparently secretly using BITS (Background Intelligent Transfer Service) to send your data to Microsoft!!? and injecting code into other executables! WTF?? Something is up. Removing the code Avira detected as "malicious" left my VM unable to boot unless into safe mode. There I discovered that my machine ID and my remote registry service were being exploited... I don't know what this means, but all the processes, especially iexplore.exe, were using BITS to lb1.www.ms.akadns.net [207.46.19.190]



AlienForce1

What if all of those processes are actually hijacked by super secret malware by default, no computer is left uninfected, no other anti malware has yet to be able to detect this kind of infection, and Avira is the first to catch onto it!

Or maybe Avira just sucks...

Let's say that Ambrocious is right (really frightening guess ...) -> how come nobody has seen it until now??? :s

Yet, there are plenty of very good and talented programmers worldwide ...



Never used Avira never will, someone might get fired for releasing this update :lol: :showoff:



Archived

This topic is now archived and is closed to further replies.
