AVG Fakes User Agent, Floods the Internet
Slimy anti-virus provider AVG is spamming the internet with deceptive traffic pretending to be Internet Explorer. Essentially, users of the software automatically pre-crawl search results, which is bad, but they do so with an intentionally generic user agent. This is flooding websites with meaningless traffic (on Slashdot, we're seeing them as like 6% of our page traffic now). Best of all, they change their UA to avoid being filtered by websites who are seeing massive increases in bandwidth from worthless robots.
I discovered this the hard way (Score:5, Interesting)
A couple months ago, a random article on my company's site got around 20 times the number of hits that the top story of the day should be getting. I checked the logs, and saw legit-looking IE user agents, but they didn't look normal. None of them had any cookies, and none of them were downloading the CSS or image files that they should have been. The IP addresses were from all around the world. WTF?
I found out that Google was doing one of its things where it changes the google logo for some special occasion, and it links to a search. That article was on the first page of the results.
I did a search for the exact user agent and discovered it was AVG. When you go to a Google search, AVG downloads each result looking for malware. Hooray for falsified user agents.
Though, I suspect the reason they use a legit-looking IE user agent is because malware sites could sniff the AVG user agent and serve up an innocent page for them, and malware for everyone else.
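The four signals this post lists (IE-looking user agent, no cookies, no referer, and no CSS or image follow-up requests from the same client) can be checked mechanically. Below is an added example, not code from the post or from AVG, that runs those heuristics over a few constructed log lines in an Apache-style custom format that also records the Cookie request header; the IPs, paths and session values are made up, and the two user-agent strings are the ones quoted elsewhere in this thread.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the post) in an Apache-style custom
# format that also logs the Cookie request header:
#   ip - - [time] "request" status bytes "referer" "user-agent" "cookie"
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jul/2008:12:00:01 +0000] "GET /article/123 HTTP/1.1" 200 18420 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" "-"
198.51.100.7 - - [01/Jul/2008:12:00:02 +0000] "GET /article/123 HTTP/1.1" 200 18420 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)" "-"
192.0.2.44 - - [01/Jul/2008:12:00:03 +0000] "GET /article/123 HTTP/1.1" 200 18420 "http://www.google.com/search?q=example" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) Firefox/3.0" "session=abc"
192.0.2.44 - - [01/Jul/2008:12:00:03 +0000] "GET /css/site.css HTTP/1.1" 200 2210 "http://example.org/article/123" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) Firefox/3.0" "session=abc"
192.0.2.44 - - [01/Jul/2008:12:00:04 +0000] "GET /img/logo.png HTTP/1.1" 200 4100 "http://example.org/article/123" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) Firefox/3.0" "session=abc"
203.0.113.77 - - [01/Jul/2008:12:00:05 +0000] "GET /article/123 HTTP/1.1" 200 18420 "http://www.google.com/search?q=example" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" "session=xyz"
203.0.113.77 - - [01/Jul/2008:12:00:05 +0000] "GET /css/site.css HTTP/1.1" 200 2210 "http://example.org/article/123" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" "session=xyz"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)
# Sub-resources a real browser fetches after rendering a page.
ASSET_RE = re.compile(r"\.(css|js|png|gif|jpe?g|ico)(\?|$)", re.IGNORECASE)


def parse_log(text):
    """Parse the custom log format into dicts; lines that don't match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def classify_clients(records):
    """Per source IP, apply the four signals from the post: IE-looking UA,
    no cookie, no referer on page hits, and no CSS/image follow-up requests."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    verdicts = {}
    for ip, reqs in by_ip.items():
        pages = [r for r in reqs if not ASSET_RE.search(r["path"])]
        assets = [r for r in reqs if ASSET_RE.search(r["path"])]
        signals = {
            "ie_ua": all("MSIE" in r["ua"] for r in reqs),
            "no_cookie": all(r["cookie"] == "-" for r in reqs),
            "no_referer": all(r["referer"] == "-" for r in pages),
            "no_assets": bool(pages) and not assets,
        }
        verdicts[ip] = {"prefetch": all(signals.values()), "signals": signals}
    return verdicts


def prefetch_share(records):
    """Fraction of page (non-asset) requests that came from flagged clients."""
    verdicts = classify_clients(records)
    pages = [r for r in records if not ASSET_RE.search(r["path"])]
    if not pages:
        return 0.0
    flagged = sum(1 for r in pages if verdicts[r["ip"]]["prefetch"])
    return flagged / len(pages)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip, v in classify_clients(recs).items():
        print(ip, "PREFETCH" if v["prefetch"] else "browser", v["signals"])
    print("share of page hits from prefetchers: %.0f%%" % (100 * prefetch_share(recs)))
```

Requiring all four signals together is what keeps a real IE 6 visitor (the 203.0.113.77 client above, which arrives from a search referer, carries a cookie and pulls the stylesheet) out of the flagged set; any one signal on its own would catch ordinary browsers with cookies disabled or direct visits.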
Alternative Anti-Virus Software? (Score:5, Interesting)
So if AVG has turned to the dark side, what free/cheap non-bloatware options are out there worth trusting? I know of a few but it's a little hard to know who to trust.
Seems like every anti-malware software maker these days bloats their software into a 50+MB beast of a package that accomplishes little more than to slow your computer down. I have more trouble with their software than I do with actual malware.
Apache Rewrite Rules! (Score:5, Interesting)
Try this on Apache servers:
# Here we assume certain MSIE 6.0 agents are from LinkScanner and
# redirect these requests back to AVG in the hope they'll see their silliness.
# RewriteEngine must be enabled for the rules below to take effect.
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ".*MSIE 6.0; Windows NT 5.1; SV1.$" [OR]
RewriteCond %{HTTP_USER_AGENT} ".*MSIE 6.0; Windows NT 5.1;1813.$"
# ...and only when the referer is blank and no Accept-Encoding header was sent
RewriteCond %{HTTP_REFERER} ^$
RewriteCond %{HTTP:Accept-Encoding} ^$
RewriteRule ^.* http://www.avg.com/?LinkScannerSucks [R=307,L]
Brought to you by These guys [pixelbeat.org].
Re:One Word (Score:3, Interesting)
When the AVG Free forced upgrade came out, I went in search of another antivirus software product and picked Avira too, but it also seems to enjoy popping up useless dialog boxes, more so than even AVG ever did.
Is there a good AV software package that is free and up to date and doesn't suck ass?
Re:Slashdot Justice (Score:2, Interesting)
That is, of course, unless you consider it deleting legitimate programs for being "Generic Trojans" a good thing.
Re:Slimey? (Score:3, Interesting)
Re:Sending the bills to them. (Score:1, Interesting)
While I do agree with both of the responses, the interesting part is that this is how the law is written.
It works just like the IT policies at work. You are not allowed to use work IT for personal use. Everyone uses it from time to time for personal use. They only pull out the policy when they want to fire someone and do not have just cause.
Even I think it's a stupidly written law, but it is one. And yes, as stated in the law, you do need permission to access any computer or network. So when you use the internet and the FBI shows up, yes, they can use this law against you.
interesting isn't it??
Re:One Word (Score:3, Interesting)
Yeah, and embedded virus scanning is all that is currently good for. It does not have an On-Access scanner, making it almost useless in a desktop environment.
AVG just needs to log scan results themselves (Score:3, Interesting)
here's my proposed compromise:
1. scan the users search results
2. upload data to avg database
3. next user that has those urls in a search result first checks with the avg database to see if those sites have been scanned in, say, the last hour.
4. only scan urls that haven't been checked recently
of course, then the AVG server would take the brunt of the increased bandwidth, but hey that only seems fair.
OTOH, why people continue to struggle with keeping a windows box running when they could just wipe and install a nice Linux desktop... I'm so happy my Ubuntu desktop doesn't expose me to these kinds of issues.
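The four-step compromise above amounts to a shared verdict cache with a time-to-live. The following is an added example, not the commenter's or AVG's code, of what that cache looks like and how much scanning it removes; the scanner is a constructed stand-in that flags any URL containing "malware", the result list and arrival times are made up, and the one-hour TTL is the value the proposal suggests.

```python
# Hypothetical scan-result cache implementing the four steps of the proposal
# above; the scanner itself is a stand-in that flags URLs containing "malware".
SCAN_TTL_SECONDS = 3600  # "scanned in, say, the last hour"


def toy_scanner(url):
    """Stand-in for a real page scan (constructed for the example)."""
    return "malware" if "malware" in url else "clean"


class ScanCache:
    """Shared (server-side) cache of recent verdicts, keyed by URL."""

    def __init__(self, ttl=SCAN_TTL_SECONDS):
        self.ttl = ttl
        self._verdicts = {}  # url -> (verdict, scanned_at)
        self.scans_performed = 0

    def fresh_verdict(self, url, now):
        """Step 3: return the cached verdict only if it is younger than the TTL."""
        entry = self._verdicts.get(url)
        if entry is None or now - entry[1] >= self.ttl:
            return None
        return entry[0]

    def check(self, urls, now, scanner=toy_scanner):
        """Steps 1-4: reuse fresh verdicts, scan and record only the rest."""
        verdicts = {}
        for url in urls:
            v = self.fresh_verdict(url, now)
            if v is None:
                v = scanner(url)                 # step 1: scan the result
                self._verdicts[url] = (v, now)   # step 2: upload to the shared db
                self.scans_performed += 1
            verdicts[url] = v
        return verdicts


def simulate_searches(n_users, interval, results, ttl):
    """Users arrive every `interval` seconds and all get the same result list.
    Returns (scans with the cache, scans every client would do on its own)."""
    cache = ScanCache(ttl)
    for i in range(n_users):
        cache.check(results, now=i * interval)
    return cache.scans_performed, n_users * len(results)


# Constructed result list: nine benign URLs and one the toy scanner flags.
RESULTS = [f"http://example.org/result{i}" for i in range(9)] + [
    "http://example.net/malware-sample"
]

if __name__ == "__main__":
    with_cache, without_cache = simulate_searches(50, 120, RESULTS, SCAN_TTL_SECONDS)
    print(f"scans with cache: {with_cache}, without: {without_cache}")
```

With fifty users hitting the same ten results over 100 minutes, the cache performs 20 scans (the initial ten plus one refresh after the hour expires) instead of the 500 the per-client design does, which is exactly the traffic the site owners in this thread are complaining about.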
Did anyone else think that this might be helpful. (Score:2, Interesting)
Re:This is not AVG itself (Score:2, Interesting)
It's the same in IE6 if you have SP2 installed.
http://www.spywareinfoforum.com/lofiversion/index.php/t91168.html [spywareinfoforum.com]
Re:I discovered this the hard way (Score:1, Interesting)
A former employer of mine would put AVG on everything. They almost learned their lesson when a bunch of machines with AVG installed went to hell at the same time. The computers would get caught in an endless reboot cycle.
First came denial. They wouldn't admit that it was AVG's fault, even though that was the common thing on all machines. Then they contacted AVG and got a patch that would fix the problem, but we had to go all over town putting it on all kinds of machines.
In the end we figured out that an AVG update would mess up machines that used to have Norton AV installed.
Re:Sending the bills to them. (Score:3, Interesting)
When it comes to search engines, there's at least a method available to opt out. It may not be as good as opt-in in many ways, but robots.txt is pretty well respected by most reputable firms.
Re:One Word (Score:2, Interesting)
It's useless on a workstation? Only if you're a nincompoop and don't scan suspicious files manually, before you go to run them. I.e. the way things used to work before computers were generally fast enough to make on-access virus scanning bearable. It's a good alternative, if you don't sit on your brain, which, of course, makes it unusable to most people (if that's what you meant).
Re:Grisoft dropped the ball with AVG v8.0 (Score:1, Interesting)
In the AVG program folder change this:
avgcmgr.exe
to this:
avgcmgr.exe.bak
This prevents the scanner from running but doesn't show up as an error. Also corrects some annoying illegal memory access errors I was getting.
- a happy AVG user
Re:F5 IRule (Score:3, Interesting)
The question is, how much of that 37.64% is actually AVG in disguise...
Re:Once good (Score:3, Interesting)
Ok, I should clarify. I've been running the 7.5 free version for a few months now. In the last 30 days before June 25th, I would get daily popups saying "7.5 is being discontinued, upgrade to 8.0 (pay version) to stay protected." If this isn't slimy, I don't know what is.
To be honest, I'll probably just uninstall AVG completely and never touch another one of their products again. I only use Windows to play games so there's really not much risk to me of getting a virus.
Re:Apache Rewrite Rules! (Score:4, Interesting)
Just to comment that this has been working flawlessly for me and others for days.
In addition to much reduced load, AVG will be getting the combined load with an appropriate message in their logs.
Note it's quite safe for valid IE 6.0 users as it checks for very specific user agent strings that most IE 6.0 users don't in fact have.
In addition the referrer must be blank and the Accept-encoding header must be missing.
Also I'm using a 307 redirect so that potentially non-LinkScanner clients will keep checking the latest rules.
This also allows you to change the redirect destination without worrying about cached old redirects.
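To see why the rules are safe for ordinary IE 6 visitors, it helps to run the same decision outside Apache. Below is an added example, not the commenter's code, that reproduces the three conditions (one of the two user-agent patterns, blank referer, no Accept-Encoding header) as a Python function and wraps it in a minimal WSGI app returning the same 307; the request dictionaries are constructed, and the longer IE 6 user-agent string with a .NET CLR token is included as an assumption about what real IE 6 installs commonly send.

```python
import re

# Target from the post's RewriteRule.
REDIRECT_TARGET = "http://www.avg.com/?LinkScannerSucks"

# The two user-agent patterns from the post's RewriteCond lines. RewriteCond
# patterns are unanchored searches, so the leading ".*" is dropped here; the
# unescaped dots are kept exactly as the post wrote them.
UA_PATTERNS = [
    re.compile(r"MSIE 6.0; Windows NT 5.1; SV1.$"),
    re.compile(r"MSIE 6.0; Windows NT 5.1;1813.$"),
]


def redirect_target(headers):
    """Return the redirect URL when all of the post's conditions hold, else None.

    headers: dict of request header name -> value ("" or absent for missing).
    """
    ua = headers.get("User-Agent", "")
    referer = headers.get("Referer", "")
    accept_encoding = headers.get("Accept-Encoding", "")
    if not any(p.search(ua) for p in UA_PATTERNS):
        return None
    if referer != "":          # RewriteCond %{HTTP_REFERER} ^$
        return None
    if accept_encoding != "":  # RewriteCond %{HTTP:Accept-Encoding} ^$
        return None
    return REDIRECT_TARGET


def app(environ, start_response):
    """Minimal WSGI app applying the same decision as the Apache rules."""
    headers = {
        "User-Agent": environ.get("HTTP_USER_AGENT", ""),
        "Referer": environ.get("HTTP_REFERER", ""),
        "Accept-Encoding": environ.get("HTTP_ACCEPT_ENCODING", ""),
    }
    target = redirect_target(headers)
    if target is not None:
        # 307 keeps clients re-checking, as the comment above explains.
        start_response("307 Temporary Redirect", [("Location", target)])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"article body\n"]


def simulate(environ):
    """Call app() with a fake start_response; return (status, headers dict)."""
    captured = {}

    def start_response(status, response_headers):
        captured["status"] = status
        captured["headers"] = dict(response_headers)

    list(app(environ, start_response))
    return captured["status"], captured["headers"]


# Constructed requests (hypothetical, not captured traffic).
PREFETCH_REQUEST = {
    "HTTP_USER_AGENT": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)",
}
REAL_IE6_REQUEST = {
    "HTTP_USER_AGENT": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)",
    "HTTP_REFERER": "http://www.google.com/search?q=example",
    "HTTP_ACCEPT_ENCODING": "gzip, deflate",
}

if __name__ == "__main__":
    print(simulate(PREFETCH_REQUEST))
    print(simulate(REAL_IE6_REQUEST))
```

The `$` anchor is doing most of the work: a user agent that continues past `SV1)` with further tokens never matches, and a client that sends Accept-Encoding at all is left alone even when its user agent and referer look like the prefetcher's. Whichever server you run, test the decision with a few captured headers before enabling it on live traffic.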
Re:payback (Score:3, Interesting)
Eh, 6% doesn't sound too bad, and from what I understand the AVG bot hits will be coming from people doing searches; therefore now you're getting a good metric of what people are searching for on google, might help you get new users.
Re:Sending the bills to them. (Score:1, Interesting)
Look, I'm all for setting up a public water fountain and letting people drink from it. It's what I expect. But when someone brings a hose and they aren't even drinking the most of the water they suck out (i.e. the pre-crawling bit), then, yeah, I'm going to say "Quit it, and let other people have a drink", especially if I'm paying for the water.
It's inconsiderate and wasteful, and unnecessarily so. Slimy? No. But rude.
Re:I turned it off (Score:3, Interesting)
Do you realize how many people have no ability to order any expensive worthless AV software from McAfee or Symantec? Like nobody has a credit card?
AVG 7.5 worked great for a free program for lots of these people. They have nowhere else to go.
AVG7 was fairly lightweight and caused me no problems, unlike the PCTOOLS antivirus one guy kept installing at his office. It caused so many problems he had to uninstall it, but when uninstalled took the XP LSP (layered service providers) stack with it. After that he would have to call me.
It took me 4+ hours to find that problem. There was a free thing called LSPFIX that took care of it if anyone has a computer that seems to be perfectly working but won't talk on the network.
As to the new AVG8, I have been re-installing it with those command line switches to get rid of the link scanner. Link scanners are always a bad idea; it makes no sense to preload links from someone's yahoo page with hundreds of links they will never click on, what does anyone care if malware is behind them?
AVG came up with a silly idea with that whole link scanner idea. Hopefully they are fixing the problem by turning that thing off right now.
Re:One Word (Score:2, Interesting)
But like you say, if you are careful you really don't need on-access. In 12 years or so of owning a computer that had net access I have only had one virus. Got it from the warez version of one of the Mortal Kombat games (oddly enough... warez, downloaded from the right places, is almost always clean). An update to Starcraft came out and was nice enough to tell me that it couldn't patch the exe because it was the wrong size. Now that's virus protection!
YOU are clicking on every link! (Score:5, Interesting)
How long before someone gets fired or arrested, and tries to explain that it was their anti-virus software that was viewing the child pr0n?
Re:I discovered this the hard way (Score:3, Interesting)
Not only that but it doesn't really work, either. I was tracking down a site that was being pointed to by a really unfriendly link. The site was full of malware but AVG showed the friendly green checkmark when it pre-scanned the site!
I feel like watching Netscape die (Score:3, Interesting)
I got MS Virtual PC installed on a PowerPC G5 Quad running (unfortunately, forced) XP SP3.
As you probably know, even such an emulator/virtual machine can get infected by a worm/virus and can also actually run it. So, I thought about 4-5 years back and installed AVG Free edition after trying various stuff. It was the previous, simple version which did a damn good job for obvious junk and it was almost transparent to that P3 500 equivalent virtual machine.
It shows me a warning that I should update to version 8; after watching that it takes 35 mins just to install, I travelled further back in time in my memories. You know the difference between AVG 7 and AVG 8? Same as the difference between legendary Netscape 3 Gold and Netscape 4 Communicator.
RIP to another excellent piece of software/formula wasted by incompetent developers and a company trying to become what they can never be, Symantec. Symantec can save themselves and survive thanks to millions of dollars in advertising and outright bought technical correspondents and reviewers, but AVG will be a thing of the past. I am actually surprised nobody started a "Save AVG 7 petition" yet.
The code they wasted actually saddens me even while I mainly use OS X. Avast guys should be careful, they are on the same path too.
Re:F5 IRule (Score:5, Interesting)
Another suggestion I read somewhere else is to redirect all traffic to the AVG website.
Instead of punishing the site, you could punish the users of this crappy code. Make an invisible href somewhere in your page, that triggers a script that does a temporary IP-ban. Since AVG will follow any href, when the user tries to access the site, he gets the message:
Sorry AVG user, your antivirus is abusive and wastes our resources. Disable AVG and come back.
If a few important sites do this AVG's user-base will drop in a week to about 100 people.
Re:F5 IRule (Score:5, Interesting)
I had a similar experience at my previous employer. This was a global Fortune 500 company, and I was on the local site's IT team. I was sent an email from the global IT team saying that Firefox had been detected on my machine, this was unauthorized software and I needed to uninstall it. Being a developer, I was generally allowed to install whatever tools I needed to get my job done, and therefore had administrator privileges. However, the Global IT department didn't know me from Suzie in purchasing.
I simply went to my manager, who was an open-source/Linux nut. He emailed the Global IT people and told them it was "required for my job" (which it wasn't).
Re:I discovered this the hard way (Score:3, Interesting)
They are attempting to help their customers
Attempting is the operative word here. Someone with limited bandwidth may consider the fact that their browser is attempting to download several dozen web pages simultaneously to be somewhat less than helpful. Not to mention, someone who is at or near their ISP's (stated or unstated) bandwidth caps may find this to be pretty obnoxious too.
A user will click on only one.
At most one. It's highly possible that a user will click on none.
My sympathies for Windows users and the contortions they have to go through to avoid being infected/invaded/p0wned is generally pretty minimal, but this is just over the top. Talk about a cure that's worse than the disease!
Let me tell you how I feel about the other guys... (Score:1, Interesting)
I thought that AVG were good guys like Google that put their customers first rather than the neo-conservative fascists that bought the White House. It's all the other A/V companies that scare me. Maybe all has changed since they acquired Linkscanner.
Let me tell you how I feel about the other guys. It all started with Cyberstorm I, back in 2006.
The Department of Homeless Insecurity claim that their exercises are on an imaginary parallel internet housed somewhere in the basement of the Pentagon (or somewhere like that). I personally believe that Cyberstorm I exercise was live although I do not wish to prove that, just speculate...
To my knowledge AVG/Grisoft were not a participant in Cyberstorm, however Symantec, M$, Cisco and other commercial players were. There were some really horrible viruses that did the rounds at the time, blackmailing people into believing that all their secrets had been passed on with the virus. Another twist was that the computer would 'self-destruct' at the end of the month. Viruses made it into the news at the time, hospitals having scanners put out and such like. I was amazed at how sophisticated those viruses were. They stripped out all A/V protection, deleting the files and registry entries. Obviously a script kiddy in somewhere like Hungary could have written them, but I thought the level of sophistication and timing was odd.
The whole idea of Cyberstorm 1 was to test whether an online anti-government word of mouth campaign could be contained. The government would not want the truth about how we got into this war to get out, and it was on the basis of Cyberstorm I that informed Rumsfeld that 'The War Against Terrorism' was here for 75 years or so. Rumsfeld was correct to focus on Cyberstorm instead of Iraq, but it could have been instrumental in his 'demise'.
Coupled with the 'not' live exercise was 'Full Spectrum Dominance', i.e. different stories in security blogs about what the viruses were about. I think the exercise lasted a fortnight or so, and a week or two before the exercise officially started. Cyberstorm II had a deeper focus on spoof blogs and 'Full Spectrum Dominance', however, I did not 'participate' in that one...
If AVG are now playing ball with the Department of Homeless Insecurity then the 4th generational cyber-warfare scene is getting hotter and hotter.
Warfare has always been information warfare, remember 'Enigma'? It matters more than anything than grunts with bullets and bombs. Warfare is notionally about an external threat, however, it is always about control of the domestic population. An internal threat is a lot, lot worse than an external one for the guys in the palaces. Cyberstorm has a political motive, no matter how flowery the official language. In all warfare - online or otherwise - there is propaganda and fog of war. Fog of war means that nobody really knows what is going on. Hence, only wildly speculative hypotheses can be used to make sense of it all - hard facts don't happen and pukka adversaries run feints. Nonetheless, the Department of Homeland Insecurity do hint at this in their official spiel:
"The Cyber Storm II scenario will be executed by persistent, fictitious adversaries with a distinct political and economic agenda. The Cyber Storm II adversary will use sophisticated attack vectors to create a large-scale incident requiring players to focus on response."
http://www.dhs.gov/xprepresp/training/gc_1204738760400.shtm [dhs.gov]
The document on Cryptome is a must read as this shows the whole game plan. It's scary:
http://cryptome.org/cyberstorm.pdf [cryptome.org]
Note that they are talking anti-globalisation, not al-make-believe or the Chinese or the Estonians...
A press release story from the time:
"Original Cyberstorm 1 bulletin (AP, Feb. 10, 2006):
The government concluded its "Cyber Storm" wargame Friday, its biggest-ever exercise to test how it would respond
Re:F5 IRule (Score:5, Interesting)
That doesn't work for me. I'm moving away from AVG just because it's suddenly more work than it is worth. AVG 8 is what did it for me, everything before was fine with me. The link scanning was irritating, turning it off triggers a non-removable notice that I don't need to see. I don't remember being asked if I wanted the search bar in Firefox, and I install using the "advanced" mode.
The biggest thing is that a virus scan noticeably lugs down my computer, which is an accomplishment because I've never had that with any other program.
ClamAV engine scanning data while streamed (Score:3, Interesting)
For the Windows boxes I use at home, I have the A/V software set to scan only on write or modify, and exclude certain files that get written to a lot but are very unlikely to carry an infection (e.g., log files). Using this setup, files are generally only scanned a few times (depending on how the download and install system uses temporary space), but the system is still just as protected.
Well, some paranoids would argue that by doing so, you're still vulnerable to any threat between the last write to a file and the latest signature file update. An on-open scan which compares the date of the last "on-write-scan" with the date of the signature update would plug the hole.
another interesting approach is AvFS [sunysb.edu] which tries to integrate virus scanning inside a file system layer and to scan the data on the fly as it is loaded (thus not blocking the execution for a long time while a huge file is accessed but scanning data as it is streamed from the underlying file system - should fix all the "drawing an installer's icon freezes the desktop" situations).
This wouldn't work if you don't really have control over the system, and someone evil came in and turned off the A/V and then loaded a virus. Just in case, though, I have scheduled full drive scans run weekly during low use hours.
Well, physical access is a guaranteed way to compromise a system anyway. Though I don't know if you can trust the scanner once the system is compromised: several viruses are well known for hiding themselves from scans (and some even intercept the updater's access to the web and prevent downloading a signature definition of that virus - the antivirus always reports a clean system, but that's only because its signature file is corrupted). I think scanning from bootable media (CD-R, usb key) would probably be more reliable.
Re:YOU are clicking on every link! (Score:2, Interesting)
But I have a friend (really) who was surfing through a company network. They claim that he was accessing inappropriate content and he was fired. He says that he was checking out vacation destinations for a trip, but one of the search results was fake (it used fake key words or something to boost its page rank) and led to a pr0n site.
So I'm thinking that the AVG LinkSearch can lead to cases where someone is accused of such activity, when really they didn't.
Jumping the shark (Score:3, Interesting)
Version 8.0 has killed AVG for me. It's slower, does more popups, kills legitimate programs (e.g. VNC), and now this...
I'm a paid up AVG user but I'm looking elsewhere.
Why support AVG? (Score:2, Interesting)
Re:F5 IRule (Score:5, Interesting)
Re:F5 IRule (Score:1, Interesting)
Bleeding edge doesn't happen in corporate environments, hell leading edge doesn't even happen most of the time
Brother, count yourself lucky. In my department, edge doesn't happen.
My last day for a shitty client is tomorrow; said client is a $3*10^9 US corporation. These gimps have never allowed any real testing in the six months that I've been here. And that's normal for both them and most of the larger clients I've worked with.
Thankfully, I'm a professional contractor and the fact that fantasy office politics is more important to them than the quality of clinical decision making is about to cease being my problem.
Apologies for the AC post but I've just realised that my SID could be related back to me professionally.
I've done my best, educated those around me, even given up my own time to help those who've been nice to me. As to the corporation: fuck 'em. I'm about to be the competition.
Re:F5 IRule (Score:4, Interesting)
well, with the dancing pigs problem, universal java exploits (i mean JRE exploits not javascript here) it could be you're telling people to move to a platform where sophisticated anti-malware doesn't exist, with the fallacy that 'it's linux, it's not targeted by hackers'
of course, pure linux exploits don't exist, but an exploit of a p2p application written in java or python, oh heck, even a bad site, that runs a java exploit as part of say 'free movie downloads' it's possible to write once, run anywhere code that can equally infect mac and linux desktops that thanks to the dancing pigs problem relies on closed source, 'feature' software that doesn't come 'default' with linux, but which they're going to install the first time a website doesn't work without it.
all the most popular BitTorrent software all comes in a 'universal' language, either java or python... and they're all in the 'multiverse' repositories... making them easy for linux users to install...
sure, in a write once, run anywhere situation, you can't do as much to a linux machine, as to a windows machine, but the basic stuff, but depending on what the hacker hopes to do, it could be super simple.
linux isn't kryptonite to a good hacker.
Re:F5 IRule (Score:3, Interesting)
Actually, I have abandoned Norton & McAfee products, but I've forgotten about them.
I don't recall them lugging my computer as much as AVG 8 either, because I would notice a lag between keypresses and when they actually show up on the screen, and a virus scan would take about several hours scanning an 18GB 15kRPM hard drive. I don't think Norton or McAfee virus scanners that I used were as bad, though maybe more recent versions were.
Re:F5 IRule (Score:3, Interesting)
I too am not happy with AVG 8. I don't like the fact it displays a critical error if I disable scanning of outbound email, I don't like the link scanner and I certainly don't like the speed or the UI. The only reason I upgraded was because v7 kept popping up ads for v8, which pissed me off even more.
Re:F5 IRule (Score:2, Interesting)
Your company is insane.
Or just stupid.
Nobody who knows anything about IE and is mostly sane would ever make IE standard. Have the option, sure, but you should STRONGLY recommend people not use it.
You'd be amazed at the number of "enterprise" "web interface" applications that...turn out to only work on IE, and with any luck only on a specific version.
Let's see, right now I'm looking at CC&B and Blue Pumpkin, both of which simply will not render on anything but IE, not even with fake user clients.
Posting this using Firefox though ;-)
Re:F5 IRule (Score:3, Interesting)
Ahh. but you see, I was talking about internally written apps, not enterprise apps.
I've written some very simple web apps myself, and I understand the technologies and code. It takes some very careful stupid planning to make it only work on IE. You have to do something like choose IE specific javascript or ActiveX (one of the worst ideas in the history of computers, IMHO).
There's almost nothing that you can do with IE jscript and activex that you can't do with regular javascript. (Granted there may be some functions that you'll need to write yourself or find a pre-written library for)
Just lazy programming.