Avira Antivirus update cripples millions of Windows PCs

Summary: Avira has sent out a defective antivirus update that is causing paid versions of its product to block critical Windows processes and third-party software, effectively rendering millions of PCs unusable.

German security company Avira is experiencing serious technical difficulties. A defective antivirus update that has been downloaded millions of times is bringing Windows XP, Windows Vista, and Windows 7 computers to a screeching halt across the world, according to user reports (1, 2).

The update bumps the software version to 8.2.10.64 and the definitions file to 7.11.30.24. The result is that the AntiVirProActiv component starts detecting critical processes as malware, including the following:

  • \windows\system32\dllhost.exe
  • \windows\system32\explorer.exe
  • \windows\system32\iexplorer.exe
  • \windows\system32\notepad.exe
  • \windows\system32\regedit.exe
  • \windows\system32\rundll32.exe
  • \windows\system32\taskeng.exe
  • \windows\system32\wuauclt.exe

Those are just some of the falsely detected Windows processes. Avira sometimes kills them and stops Windows from booting, but that's not the end of it.

The update is also blocking other Microsoft software (such as Microsoft Office and Microsoft Works) as well as various third-party applications, including Byki 4 Express, Documents To Go, Garmin, Google Talk, iPod and Palm services, Opera, OpenDNS Updater, Polipo, Shadow, Stickies, and many others. In other words, almost every executable file is being falsely detected by this update.

The good news is that the free edition (Avira AntiVir Personal) does not include ProActiv, so it is not affected. The bad news is that the paid consumer editions (Avira Antivirus Premium and Avira Internet Security) as well as the business edition (Avira Professional Security) do have it, and thus are affected.

The malformed update is a PR disaster. An Avira user who goes by the name of AaronH posted the following complaint:

Our enterprise uses Avira's Business Bundle extensively. We have 100 centrally managed users at this site alone, and a dozen users we support on the road.

This update has been pretty catastrophic. The whole company ground to a standstill.

Upon arriving at work this morning, users were greeted with an Avira update prompting them to restart their machines. Most users did so.

Unfortunately, upon reboot, most users could not log in, as Pro-Activ was blocking the login process. Some users managed to log in, but they could not open Outlook, Excel, or any other apps, due to them being blocked by Pro-Activ.

We quickly informed all users not to reboot, but most had done so already, or ignored our advisory.

After checking this forum and finding the cause of the problem (while waiting on hold with business support), we pushed out a configuration update to disable Pro-Activ. Upon rebooting, on-site users could then log in.

However, the off-site users received the update, but are now unable to connect to the VPN to receive the centrally-deployed configuration update. Trying to support a dozen off-site users who cannot even start their computers is not much fun, that's for sure.

I've been a big proponent of Avira within our company, but I think that may change when it comes time to renew our license in a few months.

An Avira forum moderator who goes by the name of marfabilis posted this solution:

Avira is analyzing and discussing these suspicious behaviour detections with high priority. Meanwhile, you should see in the Realtime Protection report file the processes blocked by Avira ProActiv (go to Avira Control Center > PC protection > Realtime Protection > click on Display Report file). Then, follow this workaround.

  • Right-click on your Avira systray icon and choose Configure Avira Antivirus Premium 2012 or Avira Internet Security 2012
  • Enable Expert Mode
  • Go to PC Protection > Realtime Protection > ProActiv > Application Filter > Allowed
  • Type each path (from Realtime Protection report file) in the empty field and click Add >>
  • Click on Apply > OK

Given that some users are seeing this update block almost every single executable it can find, this is a terrible workaround. As such, the moderator offered up an alternative: "Avira is analyzing and discussing these suspicious behaviour detections with high priority. If the situation is too complicated to deal with, then you can disable Avira ProActiv while a final solution is not provided."

If you can manage to boot into Windows (try Safe Mode), here are the instructions for disabling ProActiv:

  1. Bring up the Task Manager. Hit CTRL + SHIFT + ESC, right-click on the task bar and choose "Start Task Manager," or hit CTRL + ALT + DEL and click on "Start Task Manager."
  2. Click on File, then "New task (Run...)," type "c:\program files\avira\antivir desktop\avconfig.exe" or equivalent, and then click OK. This will open the Avira Antivirus configuration window.
  3. Click on the Expert mode switch at top left.
  4. Click Realtime Protection on the left panel and then on Proactiv. Untick the check box for "Enable Proactiv" on the right. Click Apply.
  5. Restart your computer.

Again, this is not a final solution. Avira has released an update that reportedly fixes the issue, but users are still having problems. The moderator says the update fixed the issue for him, but not everyone in the threads agrees.

This is likely because those who now have crippled computers are finding it difficult to update Avira's antivirus software. Remember, some people can't even boot their Windows PCs. I would recommend trying to get into Safe Mode, disabling ProActiv, rebooting Windows, updating the antivirus, and re-enabling ProActiv.

I have contacted Avira for more information and will update you if I hear back.

Update at 9:30 AM PST - Administrator Stefan Berka has posted a link to the help document on Avira's website. As already mentioned, you can either add exceptions for all your affected applications or just disable ProActiv. The webpage has instructions for both.

Update at 1:15 PM PST - Avira still hasn't gotten back to me, but the company has confirmed that the problem has been fixed: ProActiv Application Blocking. Here's what you need to know:

This issue has been resolved. Your Avira products should now be functioning normally.

Issue details: On May 14 and 15, 2012, following the release of Service Pack 0 (SP0) for Avira Version 2012, the ProActiv feature blocked legitimate Windows applications on customers’ PCs.

We deeply regret any difficulties this has caused you. Thank you for your patience and understanding. If you still encounter the issue:

In the unlikely event that applications continue to be blocked by ProActiv, please update your software as follows:

  • Open the Avira Control Center.
  • Click on Update › Start product update.

No further steps are required.

Again, as I've already mentioned, if you are having trouble getting to the actual Avira software, try booting into safe mode first.

Update at 1:30 PM PST: Avira has responded.

"If you had problems with the ProActiv module after updating to the latest Service Pack, then please initiate a product update which will automatically fix the issue," an Avira spokesperson said in a statement. "All new users will not experience any issues and are not required to take any action. We deeply regret any difficulties that this may have caused you. Thank you for your patience and understanding!"

Update at 2:15 PM PST: Avira was unable to get an exact estimate of the number of computers affected by this problem.

"We contacted all of our users to let them know about our fix to the ProActiv situation this morning," Avira COO Travis Witteveen said in a statement. "The issue only arose on 32-bit Windows premium, suite and professional products, which had ProActiv turned on (by default ProActiv is an opt-in feature, so the infected base was not the entire base). We do not know the exact number of those impacted, but we are confident we reacted immediately and communicated thoroughly."

Topics: Software, Operating Systems, Security, Windows

Emil Protalinski


Talkback

34 comments
  • Just use free Microsoft Security Essentials and be done with it !

    Install, set-autoupdate and forget about it. I am running one for last 3 years and no issues, no slow downs.
    ninjacut
    • MSE is junk

      Seriously. Its detect rate is average at best, but where it really falls down on its face is in malware removal. I installed it on a few PC's out of curiosity because of all the high rankings it received, despite my reservations about Microsoft having any effective security product. That turned out to be a big mistake on my part, and drilling down into forum discussions confirmed my suspicions. (That I had to drill down into discussion forums to get honest, technical appraisals was suspicious in and of itself.) The free version of Avira is vastly superior overall to MSE in everyday malware protection & removal, so I hope this little hiccup with their paid product doesn't hurt them too much.
      JustCallMeBC
      • MSE

        Is only part of Microsoft's security solution. You have to think of the overall picture of security embedded into IE, and Windows itself to get the complete package. The browser is the first line of defense nowadays, and if you're careless in your browsing, I wouldn't expect ANY antivirus to keep users safe.


        But I've been using it since its release, and have even participated in the beta, and have had no issues with it whining or fussing over removing threats it's detected (two).

        It is also highly advised to run the MSRT as it comes down Windows Update each month.
        The one and only, Cylon Centurion
      • No it is not, it is just lesser in some areas but greater than other

        www.dottech.com did a detailed analysis covering Avira, Avast, AVG and MSE. They were far from agreeing with you. Here's what they had to say:
        "While there are some noteworthy aspects - such as Microsoft Security Essential's low false positive count or avast!'s lowest computer impact or Avira's best detection and removal performance - there is no one "winner" between Microsoft Security Essentials, Avira Free, avast! Free, and AVG Free. To try to determine which one is the "best" is like trying to split hairs; it is hard to do and it hurts. In real-life situations, all four programs will provide users with excellent protection." This has been my own personal experience.
        Where Microsoft particularly shined was its low false positive detection rate.
        Stuff is not junk just because it may not be as good. I don't believe I have ever tried Avira but I have tried some of the other free AV and they were often prompting about something. MSE takes the approach of being real quiet unless something very real is happening. To me this approach makes me pay more attention. It updates itself (software and definitions) and just stays out of the way and quiet unless there is a problem.
        MeMyselfAndI_z
      • Real world results trump "tests"

        @MeMyselfAndI_z There is an enlightening YouTube video with an annoying soundtrack self-explanatorily titled "Microsoft Security Essentials VS Avira Antivir Personal- Detection and Removal results" that well reflects what I've experienced (minus the annoying soundtrack.)

        The Jan/Feb 2012 comparison test by av-test.org had MSE second from the bottom (21st place) in protection on Windows XP PC's. Their Nov/Dec 2011 comparison test on Windows 7 PC's had MSE ranked dead last in protection.
        JustCallMeBC
      • Well, that's one incident, wouldn't call it a complete picture.

        Well, that's one incident, wouldn't call it a complete picture. MSE works fine on many machines.
        CobraA1
      • That wasn't one incident

        @CobraA1 It was all three of them in the course of about a year, which was a far, FAR higher rate than any other brand of AV in recent years (only McAfee from several years ago approached this degree of crappiness.) Fortunately, as I said, I only installed it on a few PC's mostly out of curiosity.
        JustCallMeBC
    • Apparently, you don't use Google's Chrome browser on Windows

      nt
      Rabid Howler Monkey
    • I'm all for Security Essentials...

      But what if you're in a business with more than ten computers? You can't use MSE then, you have to pay for something... and quite frankly, I wouldn't be paying for Forefront. I'd rather give Symantec or Kaspersky my money.
      douglasac10
    • It may be free but it is at the bottom of the list on actual performance

      So why get a crappy product, when there are much better options for free??
      wackoae
  • millions?

    source???
    wendellgee2
    • A couple of years ago, Avira claimed it had 100 million customers.

      http://www.avira.com/en/about-avira/100_million_avira_users.html/
      Empro
      • Paying customers?

        I find it hard to believe that 10% of the entire Windows PC installed base purchased this product. Are you sure they aren't counting people who use the free version? If so, those people aren't affected, right?
        toddbottom3
      • I would assume they mean total users.

        I believe they are counting users of their free solution, which are not affected by this bug.
        Empro
      • then

        your headline should be 'POTENTIALLY cripples' shouldn't it??

        whatever.. I don't know why I bother. It's not like half the people at zdnet are even remotely interested in reporting the news. It's all a competition about who can come up with the most sensational fact-twisting headline.

        carry on.
        wendellgee2
      • hmm

        Where did you get the "cripples millions of"? Is that an assumption based on the number of customers Avira has? Has that number been confirmed by Avira? If not, should it say "potentially cripples millions of" instead of absolute that it did?
        KevinN206
  • Hard to believe

    German firms are not known for cutting corners, or lacking thoroughness on pre- and post-production testing. But what a gaffe.
    klumper
  • How necessary is signature-based anti-malware software on end-points today?

    On Windows and OS X? For both consumers and the enterprise? Given that security features such as automatic updating, DEP, ASLR, firewall, default user accounts with non-Administrator privileges, sandboxing and whitelisting are built-in to the OS?

    I can understand signature-based anti-malware software running on email and file servers, as examples.
    Rabid Howler Monkey
    • Essential for home users

      It is essential for home users if only for trojans.

      "automatic updating, DEP, ASLR, firewall, default user accounts with non-Administrator privileges, sandboxing and whitelisting"

      Out of this list, only whitelisting could be used to prevent the execution of unauthorized software but even that is only useful in a corporate environment. Non admin privileges were never the cure-all that ABMers made it out to be back when XP defaulted to giving regular users admin privileges. Flashback is a perfect example of malware that runs just fine, no problems, without having to touch a single system file. Users without admin have plenty of permissions to give the malware authors what they need.

      Actually, I'll modify what I said about whitelisting only being practical in a corporate environment. Mountain Lion might help a lot. Apple is fortunate that they can get away with it. Microsoft would get sued instantly if they tried to do it. Just another example of anti-trust hurting consumers.
      toddbottom3
    • I don't use it. Creates more problems than it solves.

      At least for me. I agree with toddbottom3 wrt trojans and the average user.
      ye