AVG and Rising signatures update detects Windows files as malware

Yesterday, a signature update pushed by AVG falsely labeled a critical Windows file as banker malware, prompting the company to quickly fix the issue and publish a workaround following end users' complaints on its support forums.

AVG's false positive, which caused downtime for Windows users, comes a week after Rising antivirus apologized to its customers for falsely detecting Outlook Express as malware, leading to loss of emails, and yes, productivity too.

The false positive leads to a continuous reboot cycle:

"An update for the AVG virus scanner released yesterday contained an incorrect virus signature, which led it to think user32.dll contained the Trojan Horses PSW.Banker4.APSA or Generic9TBN. AVG then recommended deleting this file; this causes the affected systems to either stop booting or go into a continuous reboot cycle. So far, the problem only appears to affect Windows XP, but there is no guarantee that other versions of Windows don’t have the same issue."

AVG's brief response to the situation, with the workaround posted at AVG's support section under the "False positive user32.dll" title:

"Unfortunately, the previous virus database might have detected the mentioned virus on legitimate files. We can confirm that it was a false alarm. We have immediately released a new virus update (270.9.0/1778) that removes the false positive detection on this file. Please update your AVG and check your files again.

We are sorry for the inconvenience and thank you for your help.

Best regards, Zbynek Paulen AVG Technical Support"

AVG and Rising aren't an exception: there have been previous cases where components of Microsoft's Windows were falsely detected as malware. In fact, in 2006 Microsoft's Anti-Spyware was detecting a competing solution as a piece of malware.

Response time is crucial in such a situation, so the best thing the vendors can do is go public and provide assistance in fixing the problem.

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

20 comments
  • And why would they not?

    Many Windows files are indeed malware, Rootkits, and spyware. Anything Microsoft places on a PERSONAL computer to control or manipulate the computer or the PERSON, and furnishing zero benefit to or approval of the user (person), is the perfect definition and description of "malware".

    Does not Activation, WGA, SPP, and DRM fit the definition and description perfectly? Punishing their "customers" instead of going after the real crooks (pirates) who are hijacking their products? Like the farmer going to the Farmer's Market and trying to arrest the innocent migrant fellows who offloaded that load of contraband watermelons. Or the innocent "customers" who bought them.

    Or even worse, ruling that no one can legally plant a watermelon seed and grow their own.

    Windows files say: "we own the market, lock, stock, and barrel".
    Ole Man
    • Undermedicated

      Did you miss your last Prolixin shot?
      dprozzo
      • No, he's quite correct

        When there's something on your computer that allows some other programmer to take control of your computer's functionality out of your hands and use it against your interests, it's called a code execution vulnerability. It's considered the very worst type of security hole, and Microsoft rushes to patch them, sometimes even releasing patches out of schedule if they're bad enough.

        ...unless they're put in by design to protect publishing interests. Then they call it DRM and Microsoft uses all the resources at your disposal to make sure that they remain able to hack your computer at will through their designated channels. The DMCA even contains a provision making it an official crime to try to "circumvent" a copyright owner's hacking of your computer. It's an outrage, and people need to be aware of it.
        masonwheeler
        • And this has just what to do with the topic?

          Sure, the DMCA is a crime against the property (the owners of the computers) and should be punished at the ballot box.

          But what does this have to do with detecting user32.dll as malware? Since your system won't run Windows at all without it, it's clearly not malware if your intent is to run Windows.

          Try not to discredit your position by spamming unrelated topics with anti-Windows or anti-DRM or anti-DMCA flames.
          bob.kerns2
  • Isn't the first time.

    This isn't the first time. I've had false positives with AVG before. It was bad enough at one point that now I never have it set to automatically "heal" anything. I always check what it's trying to remove. Usually the next update says "nevermind, that wasn't a virus after all." Grr.

    Frankly, false positives are getting out of hand. It's getting bad enough that I'm losing confidence that I'll be able to tell if a REAL virus hits or if it's just another false positive.

    I may be looking for another antivirus soon. AVG is nice and fast, but the false positive rate is getting crazy.
    CobraA1
    • Switch fast

      Switch to any other except AVG v8. Their Link Scanner is a mad hare brained idea, their v8 slows down powerful systems, updating is always problematic and the real clincher is that it sometimes deletes files it thinks are harmful without even asking you.

      The standard (unfriendly) forum reply is download the latest program file uninstall, reboot, reinstall, reboot, pray.

      This can cause serious data loss and lots of time involvement.
      Sandeep108
  • Any decent AV would quarantine Windows anyway.

    That way, the machine would be safe.
    fr0thy2
  • RE: AVG and Rising signatures update detects Windows files as malware

    But MS Outlook IS Malware!
    glassangel
    • correction

      It was MS Outlook Express, not MS Outlook, guess that's why I didn't notice. I run my Win XP SP3 in a virtual machine on a MacBook and use Mail (going to switch to Thunderbird soon). MS OE and MS O are not installed.
      dinosaur_z
  • RE: AVG and Rising signatures update detects Windows files as malware

    It's all just about income: create fear and then make money from it. The people who create viruses create anti virus software; it's in their interest for anti virus software not to work very well, otherwise their income would dry up. I often hear an anti virus software program finds 95 percent of viruses, but what good is that? It means you still will get the worst viruses. If you get a virus you are dead; the laws of evolution say survival of the fittest, and the worst virus will spread. What a joke.
    paulymitch
  • AVG update detects Windows files as malware - LOL

    I'd say most of the readers have not been in the computing scene long enough to remember, that since as early as Windows 3.0 M$ has been placing spy linking into the OS... initially to look for NON M$ software installed on a computer - to slow that product down IF an equivalent M$ app was available to do the same job - and so make the M$ app., appear to do the job more efficiently !?!
    I still reckon the greatest belly laugh against M$ though was a couple of years back when M$ bought up Sunbelt Anti-Virus. I had trialled it just prior to M$ buying it, and saw it had several false positives even then, and so uninstalled it. Just a couple of weeks later I saw that M$ had bought this AV package to be included as their own anti virus package; I was feeling bemused at the prospect. Several months later, M$ released this AV package as a security update. Then to the shock of many thousands of M$ supporters who had just received this update, when their computer restarted - this "anti-virus" update suddenly found the whole of Internet Explorer to be Malware, and promptly deleted all trace of Internet Explorer from those computers !!!! LOL ... LOL ...
    There was a hurried apology from M$ for this "oversight" and a few rushed re-releases before this was quickly brushed under the carpet to be forgotten by most ... to become "Micro$oft's Windows Defender" ...
    Certainly won't be the last time something from Micro$oft comes up as a " ? False ? positive " [ or was it ? ]
    [ actually over the past 10 years I have personally had to report to various AV and anti spyware companies - many so called false positives, which the various companies have released special updates to remedy in their detections ]
    digitrog
  • RE: AVG and Rising signatures update detects Windows files as malware

    you know what's an outrage? illegal immigrants managing to change a country's local traditions; home invaders beating a disabled man and his carer senseless... i could go on forever.

    oh, i do apologise, i just realised this has nothing to do with the article reporting an ACKNOWLEDGED MISTAKE by AVG! those rants about windows malware and spooks hiding in my pc got me going...

    AVG made a mistake. good to see they're fixing it. and yeah, it's a piss funny mistake!
    adamjames
  • AVG finally turned into a virus on Vista

    I had my AVG8 problems way before the weekend when it went mad on Vista and tried to delete everything including itself :-)

    Switch to Avast! with the Vista skin.
    graham.lv
  • RE: AVG and Rising signatures update detects Windows files as malware

    "..Microsoft Anti-Spyware false positive for Norton Antivirus - 2006..."
    Sounds like Microsoft Anti-Spyware was on the money on this one! :) It may not be so useless after all...
    unclefixer
  • RE: AVG and Rising signatures update detects Windows files as malware

    Today, AVG is telling me my Adobe Flash files are full of Trojans. Even when updating it from the Adobe website. I'm pretty sure it's a false reaction on AVG's part but it sure is annoying as you know what.
    john9010
  • RE: AVG and Rising signatures update detects Windows files as malware

    When trying to install the most recent update to VSO's DIVX to DVD, AVG reported a virus. Had to disable AVG to install. Since then, I have de-installed AVG - too much of a hassle to use an anti virus software that screws up.
    fernald1
  • RE: AVG and Rising signatures update detects Windows files as malware

    Well, I can't quite disagree with AVG about Winder$ being malware.
    rMatey
  • AVG screws this musician! I NEED MY COMPUTER!!

    What i think is.. well NM at all except how the hell am i going to fix my computer??? i tried all of their suggestions from their website like booting from a disk and flashdrive what am i left with.... NOTHING i am a very productive musician and all of my needed files are on my much needed computer!!! what is AVG so much going to do to help me????
    BradFromHC
  • RE: AVG and Rising signatures update detects Windows files as malware

    Great!!! thanks for sharing this information to us!
    birumut