Avira Antivirus update cripples millions of Windows PCs

Summary: Avira has sent out a defective antivirus update that is causing paid versions of its product to block critical Windows processes and third-party software, effectively rendering millions of PCs unusable.

German security company Avira is experiencing serious technical difficulties. A defective antivirus update that has been downloaded millions of times is bringing Windows XP, Windows Vista, and Windows 7 computers to a screeching halt across the world, according to user reports (1, 2).

The update bumps the software version to 8.2.10.64 and the definitions file to 7.11.30.24. The result is that the AntiVirProActiv component starts detecting critical processes as malware, including the following:

  • \windows\system32\dllhost.exe
  • \windows\system32\explorer.exe
  • \windows\system32\iexplorer.exe
  • \windows\system32\notepad.exe
  • \windows\system32\regedit.exe
  • \windows\system32\rundll32.exe
  • \windows\system32\taskeng.exe
  • \windows\system32\wuauclt.exe

Those are just some of the falsely detected Windows processes. Avira sometimes kills them and stops Windows from booting, but that's not the end of it.

The update is also blocking other Microsoft software (such as Microsoft Office and Microsoft Works) as well as various third-party applications, including Byki 4 Express, Documents To Go, Garmin, Google Talk, iPod and Palm services, Opera, OpenDNS Updater, Polipo, Shadow, Stickies, and many others. In other words, almost every executable file is being falsely detected by this update.

The good news is that the free edition (Avira AntiVir Personal) does not include ProActiv, so it is not affected. The bad news is that the paid consumer editions (Avira Antivirus Premium and Avira Internet Security) as well as the business edition (Avira Professional Security) do have it, and thus are affected.

The malformed update is a PR disaster. An Avira user who goes by the name of AaronH posted the following complaint:

Our enterprise uses Avira's Business Bundle extensively. We have 100 centrally managed users at this site alone, and a dozen users we support on the road.

This update has been pretty catastrophic. The whole company ground to a standstill.

Upon arriving at work this morning, users were greeted with an Avira update prompting them to restart their machines. Most users did so.

Unfortunately, upon reboot, most users could not log in, as Pro-Activ was blocking the login process. Some users managed to log in, but they could not open Outlook, Excel, or any other apps, due to them being blocked by Pro-Activ.

We quickly informed all users not to reboot, but most had done so already, or ignored our advisory.

After checking this forum and finding the cause of the problem (while waiting on hold with business support), we pushed out a configuration update to disable Pro-Activ. Upon rebooting, on-site users could then log in.

However, the off-site users received the update, but are now unable to connect to the VPN to receive the centrally-deployed configuration update. Trying to support a dozen off-site users who cannot even start their computers is not much fun, that's for sure.

I've been a big proponent of Avira within our company, but I think that may change when it comes time to renew our license in a few months.

An Avira forum moderator who goes by the name of marfabilis posted this solution:

Avira is analyzing and discussing this suspicious behaviour detections with high priority. Meanwhile, you should see at Realtime Protection report file the processes blocked by Avira ProActiv (Go to Avira Control Center > PC protection > Realtime Protection > Click on Display Report file). Then, follow this workaround.

  • Right-click on your Avira systray icon and choose Configure Avira Antivirus Premium 2012 or Avira Internet Security 2012
  • Enable Expert Mode
  • Go to PC Protection > Realtime Protection > ProActiv > Application Filter > Allowed
  • Type each path (from Realtime Protection report file) in the empty field and click Add >>
  • Click on Apply > OK

Given that some users are seeing this update block almost every single executable it can find, this is a terrible workaround. As such, the moderator offered up an alternative: "Avira is analyzing and discussing this suspicious behaviour detections with high priority. If the situation is too complicated to deal, then you can disable Avira ProActiv while a final solution is not provided."

If you can manage to boot into Windows (try Safe Mode), here are the instructions for disabling ProActiv:

  1. Bring up the Task Manager. Hit CTRL + SHIFT + ESC, right-click on the task bar and choose "Start Task Manager," or hit CTRL + ALT + DEL and click on "Start Task Manager."
  2. Click on File, then "New task (Run...)," type "c:\program files\avira\antivir desktop\avconfig.exe" or equivalent, and then click OK. This will open the Avira Antivirus configuration window.
  3. Click on the Expert mode switch at top left.
  4. Click Realtime Protection on the left panel and then on Proactiv. Untick the check box for "Enable Proactiv" on the right. Click Apply.
  5. Restart your computer.

Again, this is not a final solution. Avira has released an update that reportedly fixes the issue, but users are still having problems. The moderator says the update fixed the issue for him, but not everyone in the threads agrees.

This is likely because those who now have crippled computers are finding it difficult to update Avira's antivirus software. Remember, some people can't even boot their Windows PCs. I would recommend trying to get into Safe Mode, disabling ProActiv, rebooting Windows, updating the antivirus, and re-enabling ProActiv.

I have contacted Avira for more information and will update you if I hear back.

Update at 9:30 AM PST - Administrator Stefan Berka has posted a link to the help document on Avira's website. As already mentioned, you can either add exceptions for all your affected applications or just disable ProActiv. The webpage has instructions for both.

Update at 1:15 PM PST - Avira still hasn't gotten back to me, but the company has confirmed that the problem has been fixed: ProActiv Application Blocking. Here's what you need to know:

This issue has been resolved. Your Avira products should now be functioning normally.

Issue details: On May 14 and 15, 2012, following the release of Service Pack 0 (SP0) for Avira Version 2012, the ProActiv feature blocked legitimate Windows applications on customers’ PCs.

We deeply regret any difficulties this has caused you. Thank you for your patience and understanding. If you still encounter the issue:

In the unlikely event that applications continue to be blocked by ProActiv, please update your software as follows:

  • Open the Avira Control Center.
  • Click on Update › Start product update.

No further steps are required.

Again, as I've already mentioned, if you are having trouble getting to the actual Avira software, try booting into safe mode first.

Update at 1:30 PM PST: Avira has responded.

"If you had problems with the ProActiv module after updating to the latest Service Pack, then please initiate a product update which will automatically fix the issue," an Avira spokesperson said in a statement. "All new users will not experience any issues and are not required to take any action. We deeply regret any difficulties that this may have caused you. Thank you for your patience and understanding!"

Update at 2:15 PM PST: Avira was unable to get an exact estimate of the number of computers affected by this problem.

"We contacted all of our users to let them know about our fix to the ProActiv situation this morning," Avira COO Travis Witteveen said in a statement. "The issue only arose on 32bit windows premium, suite and professional products, whom had ProAktiv turned on (by default ProAktiv is a opt-in feature, so the infected base was not the entire base). We do not know the exact number of those impacted, but we are confident we reacted immediately and communicated thoroughly."


About

Emil is a freelance journalist writing for CNET and ZDNet. Over the years, he has covered the tech industry for multiple publications, including Ars Technica, Neowin, and TechSpot.
