Sunday, June 15, 2008

Grisoft…Please stop the madness!

Madness One – When will AVG Free Version 7.5 End?

When is the fan favorite freebie going away?

Unfortunately there doesn't yet seem to be a clear answer.

AVG 7.5 - The Real Ending Date Is ? ~ The Blade by Ron Schenone, MVP

According to information in that post, the AVG Free v7.5 version may stop automatic updating by December 31st, 2008 (per a Free Forum moderator).

According to information in that post, the AVG Free v 7.5 version may stop automatic updating by June 25th, 2008 (per the Grisoft support and marketing).

Now, there have also been some suggestions on the net that the Free version will stop getting updates at the June date but the paid version may continue getting updates until the December date.  That makes a bit of sense to me.

If this is true, the next question that comes up to me is how long will Grisoft continue publishing AV DAT files that can be used to manually update the product?

If the "automatic updates" get turned off but Grisoft continues to offer them for its paid customers, I'm betting die-hard 7.5 fans can continue it on life-support by manually downloading and installing the DAT files for a bit longer (December 2008).

Here's a link to them via Grisoft's official Download update (AVG 7.5) web-page.

Your mileage may vary….

Madness Two – AVG Linkscanner: Friend or Foe? Yes.

I’ve been fussing about AVG’s LinkScanner component of AVG Free version 8 for a while now.

Good in theory…weak in delivery.

As such, I’ve been strongly recommending that AVG Free version 8.0 users pass on these features (unless the users are just completely naive for web-dangers).

Comments in one or two of my AVG posts have touched on this component as well:

As a side note - I noticed a slight confusion in some of the posts regarding the LinkScanner technology. I think that Roger Thompson's blog provides some really interesting information about exploits and the necessity to protect while browsing.

--Karel Obluk (AVG)

I get the Linkscanner feature.

Your FAQ also does a great job summarizing it: AVG Free FAQ's #1338 I had previously posted a link to it in one of my posts.

Yes, Roger Thompson's blog (and many others like it) point out the hazards that lurk behind many innocuous-appearing web-links. It takes a second to click but hours to clean and recover a system after a bad jump. Many (but not all) geekier-minded security folks already are cautious and security minded with link-hopping. However, as I have said before in my posts, a great many home-users are not so sophisticated and would find great-benefit in the LinkScanner feature of AVG v8.

The biggest hurdle for the rest of us is convincing us 100% that web-surfing performance is not impacted between using/not using LinkScanner. And that AVG isn't doing any "data-collection" based on those checks...regardless if it is anonymous or not. Current discussion and comments from "power-users" are that they don't want to see a tool-bar, that the LinkScanner feature does take a toll on system and web-surfing performance, and that for many folks, it is more of a burden than help.

--Claus Valca (me!)

I came across your website while Googling for a way to uninstall SafeSearch.
Being on a capped plan, I watch my downloads closely. After installing AVG Free 8.0, I noticed that my downloads had increased quite a bit, and I suspected that Safe Search was the culprit.

My suspicion stems from the fact that while SafeSearch is working out the safety rating for each link, my download indicator keeps flashing, which it never did as much with the previous version

I have just uninstalled SafeSearch, so it's a bit early to say if my suspicions are correct, but I would be interested to know if other users have similar suspicions.

--Albert

@ Albert:
The LinkScanner indeed appears to be the cause for increased download size. I captured some of the traffic caused by LinkScanner with Ethereal and found that on various links (especially links to forum pages) the LinkScanner gets misled and downloads megabytes of data. I first thought I was botted or had a trojan, but it clearly seems to be the LinkScanner. The worst thing about it is that even if you change websites after having made your search, AVG continues to analyze these links, which can consume a significant amount of your bandwidth. The only way to stop these downloads is then to quit your browser. BAD! DISABLE!

-- Anonymous 

To install without "AVG Toolbar" and "LinkScanner".

=> avg_free_stf_*.exe /NOAVGTOOLBAR /REMOVE_FEATURE fea_AVG_SafeSurf /REMOVE_FEATURE fea_AVG_SafeSearch

I can understand what AVG Technologies (formerly Grisoft) was trying to do in theory. It's just that the implementation is problematic! :(

--aussiebear

So while these running comments have been going on about installation and PC end-user side performance versus the Greater Good™ of web-surfing safety, I hadn’t even considered a far darker side of LinkScanner:  web-traffic and page analytics.

I first got wind of this via a small link inclusion in Dwight Silverman’s Saturday TechBlog post.

That linked to this Register article: AVG scanner blasts internet with fake traffic.

Six months ago, AVG acquired Exploit Prevention Labs and its Linkscanner, a tool that automatically scans search engine results before you click on them. If you search Google, for instance, and ten results turn up, it visits all ten links to ensure they're malware free.

Then, in late April, AVG rolled Linkscanner into its anti-virus engine, which has about 70 million active users worldwide. The company estimates that 20 million machines have upgraded to the tool's new incarnation, AVG version 8, and this has already cooked up enough ghost clicks to skew traffic not only on The Reg but any number of other sites as well.

Adam Beale, who runs a UK-based internet consultancy, says that across his small stable of clients, traffic has spiked as much as 80 per cent on some sites. And this is more than just an inconvenience. After all, sites live and die by their traffic numbers. And net resources aren't free.

"Although [the AVG Linkscanner] might be good for the security of users, it's a real pain for website owners and webmasters," Beale tells us, having blogged about this growing problem. "It's causing people to think their traffic is increasing, costing those who pay for bandwidth, and wasting disk space with large amounts of unnecessary lines in log files."

One of his clients, Beale says, normally pulls in 140GB of bandwidth a month, and for June, he predicts a 5 per cent jump.

When we spoke to AVG chief of research Roger Thompson earlier this week, he was unaware of these issues. But he defended the role of Linkscanner, which he designed while serving as CTO of Exploit Prevention Labs.

"There's so much hacking activity going on the web. The only way to really tell what's there is to go and have a look," he told us. "I don't want to sound flip about this, but if you want to make omelettes, you have to break some eggs."

Ron Schenone’s post AVG LinkScanner Causes More Problems picked up that one and led me to one “discoverer” of this new headache caused by AVG; Adam over at OSBlues.

His perspective provides great insight into the headache this is causing those who depend on web-stats as well as the detective work he did to uncover this trend.

AVG Destroys Web Analytics « OSBlues

In fact, LinkScanner analyses results from search engines (not just Google) and is browser independent.  This may sound like a good idea from a security point of view, however, from a webmaster/website owner point of view, this is not good at all.

If your site appears well in the search engines, as everyone strives to do, your website is or is going to be hugely affected by this.  Essentially this means, that every time your site appears in a user’s results, regardless of whether they click on it, your website logfiles and therefore your statistics will show that person as a real visitor coming to your site.  Now, because the IP address is the user’s IP address, we can’t filter on that, at first look it would appear we can filter on this useragent, unfortunately I spotted another one

Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1)

This one however, is even worse.  This time it’s a legitimate user agent which means you can’t filter it out or rewrite it to another page on your site without the risk of blocking or harming real visitors.  The first user agent is different, due to lack of a space (or plus) between the last semi-colon and the 1813, it doesn’t follow the standard pattern used by Microsoft.

So, we get to the crux of the problem, AVG has destroyed web analytics for people who use a logfile analysis tool.  Not only have they done this, they are also wasting our bandwidth and our disk space on servers!

Adam has come up with a LogParser solution for filtering out much of the background noise this security add-on has created on the web: More AVG & LinkScanner Information « OSBlues

Even more from Adam here: Using LogParser With Awstats To Filter AVG Spam « OSBlues
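
An added example (not from this post and not Adam's LogParser solution) of the filtering problem quoted above: it reads an IIS W3C-format log, sets aside requests whose user agent has the ";1813" anomaly, and counts the legitimate-looking SV1 agent separately instead of dropping it. The sample log lines, the bucket names and the full ";1813" agent string are constructed from the description; only the SV1 string is taken from the page.

```python
import re
from collections import defaultdict

# Constructed sample in IIS W3C extended format (spaces in the UA logged as "+").
# The ";1813" agent is built from the description quoted above; the exact string
# is not shown on the page. The SV1 agent is the one quoted on the page.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-uri-stem sc-status sc-bytes cs(User-Agent)
2008-06-14 10:00:01 192.0.2.10 /index.html 200 18432 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;1813)
2008-06-14 10:00:02 192.0.2.11 /index.html 200 18432 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1)
2008-06-14 10:00:05 192.0.2.12 /index.html 200 18432 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9)+Gecko/2008052906+Firefox/3.0
2008-06-14 10:00:09 192.0.2.13 /forum/thread.asp 200 912384 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;1813)
"""

# Last semicolon followed directly by 1813, with no "+" (space) in between.
MALFORMED_UA = re.compile(r";1813\)$")
# Byte-for-byte identical to a real IE6/XP SP2 browser, so never dropped outright.
AMBIGUOUS_UA = "Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1)"


def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or corrupt rows
                yield dict(zip(fields, values))


def classify(user_agent):
    if MALFORMED_UA.search(user_agent):
        return "prefetch"      # safe to exclude from visitor statistics
    if user_agent == AMBIGUOUS_UA:
        return "ambiguous"     # report separately; may be a real visitor
    return "visitor"


def summarize(text):
    """Return {class: {"hits": n, "bytes": b}} for the whole log."""
    totals = defaultdict(lambda: {"hits": 0, "bytes": 0})
    for row in parse_w3c(text):
        bucket = totals[classify(row.get("cs(User-Agent)", "-"))]
        bucket["hits"] += 1
        sent = row.get("sc-bytes", "0")
        bucket["bytes"] += int(sent) if sent.isdigit() else 0
    return dict(totals)


if __name__ == "__main__":
    for name, stats in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{name:10} hits={stats['hits']} bytes={stats['bytes']}")
```

The "ambiguous" bucket is the part a user-agent filter cannot resolve: its size only bounds how much of the traffic might be scanner pre-fetches.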

At first the initial comments from Grisoft as quoted in The Register article comments seemed a bit distant and out-of-touch.  Donna’s SecurityFlash posted a followup comment from Grisoft that seemed to warm to the idea of working collectively with wise web-Jedi Masters to come up with a secure but harmonious solution.

Response by AVG regarding Linkscanner on AVG products – Donna’s SecurityFlash

Hi, folks. Pat Bitton from AVG here. This issue has clearly raised some concerns that we had not anticipated, and we acknowledge that we need to do something. Our primary purpose with LinkScanner, as Roger Thompson has pointed out, is to protect users against web-based threats that they cannot see. These threats are also usually invisible to web site operators, who presumably also don't wish to be unwittingly passing infections on to their visitors. This kind of problem can and does affect all types of web sites, big or small, and is extremely transient - which is why we don't use the static database approach cited by some as a viable alternative. Over the next few days, we will be exploring ways in which we can continue to deliver informed protection as unobtrusively as possible without adversely impacting site analytics. Any webmaster reading this post who is interested in working with us constructively to reach this goal is welcome to contact me at pat.bitton(at)avg.com.

Indeed Adam at OSBlues soon posted that he had been directly contacted by Pat Bitton looking to work with him (and others) to solve this issue: Contact from AVG  « OSBlues.

So there may yet be hope.

Maybe.

However while this may remedy the web-traffic garbage in web-master logs, it may not address the complaints about the traffic generated by AVG Version 8 users (Free/paid) on their own machines by the product.

Me? I’m passing and not installing this component on my system nor am I recommending others install it on theirs at this time.  It might indeed protect users from malicious and hostile web-sites, but if they toss out A/V-A/M protection after getting so frustrated with that class of product due to this component, I think that would be even worse.

Adding Insult to Injury: AVG Style

False positives seem to be a hallmark of anti-malware products. The real test is the frequency and seriousness of the false-positives found by an A/V product.

Grisoft’s AVG Free line has, in my experience, generated more than their fair share. That said they have always been fast to respond to fixes and have even included an “imbedded” method of reporting and submission for testing to the Grisoft labs in their AVG version 8 product.

Only this week their false-positive net bagged a biggie: SpywareBlaster.

I’ve long encouraged folks to use this free for personal use product to help insulate their system from web-based malware threats. It works by “…blacklisting the CLSID of known malware programs, effectively preventing them from infecting a protected computer.” Wikipedia. It also can block traversal to websites known to seed malware on systems as well as block tracking cookies.

Awesome and beneficial product.

Only somehow it recently managed to get classified as a threat by AVG. Specifically the sbautoupdate.exe component.

AVG False-Positive Detection on SpywareBlaster – Donna’s SecurityFlash

Fortunately, the crack-team of false-positive AVG checking specialists quickly corrected the issue and posted new DAT files to take care of the problem.

[Resolved] AVG False-Positive Detection on sbautoupdate.exe – Wilders Security Forum

Whew!

Like Grisoft really needed that headache added to the mix.

AVG 8.0 SP1 – More tidbits in the kibble bowl

Good news is that based on this forum thread still crawling along, some other issues with AVG Free Version 8 might be resolved in the upcoming (mid June?) SP1 release of AVG Free v8.

When is the next version of AVG 8.0 coming out? -- Wilders Security Forum (thanks for the lead Ron!)

(if hbkh’s information is accurate…)

AVG 8.0 VERSION DESCRIPTION
===========================
Product: AVG Internet Security
Version: 8.0 (build 111) - SP1
FIXES & IMPROVEMENTS
====================
- Remake of internal communication to eliminate undesired program status appearance (hibernation, sleep mode, cold restart, ...).
- Display of the system tray icon representing running scan (that can be paused or stopped from the context menu).
- Added option to ignore the status of a component: the system tray icon then reports OK status even if a component is in error status.
- New tab added for the rootkit findings in the scan results overview.
- System restore point is created before launching a program update.
- Added new option verifying the ADMIN Server connection in the program's advanced settings.
- Improved EML file processing including scanning of user mailboxes.
- RAM requirements optimization.
- Improved statistics of detected objects in Email Scanner and resident Shield.
- New design of the system tray pop-up window, and more information provided.
- To eliminate AVG collisions with OS, only minimum drivers are installed in safe mode; then it is possible to launch on-demand scanning from the command line only, and a new GUI dialog has been added to ease the scan configuration.
- Added option of restoring a file from the Virus Vault to the original folder even if the folder has been removed.
- Added option of deleting the Resident Shield and Email Scanner history.
- Improved stability and design of GUI.
- Improved GUI accessibility (using keyboard).
- Fixed problem of GUI compatibility with some screen readers, e.g. JAWS.

From what I can tell from this thread, the Beta is out for private testing, but not yet released. Maybe it will be coming by mid-to-end June. Maybe. Word is that beta testing wraps up June 16th so if no majors are found, maybe a bit after that?

The forum also had a post showing that the defs in the version they were using were finding false-positives on yet another good pc system security company’s product: Prevx.

Sigh…

Haven’t I heard a quote that goes something like “Hope Springs Eternal” ?

Oh, my bad…it’s just those crazy brain compounds at work.

I must carry a higher dose in my brain than most….

We will see.

The AVG Free version 8 train-wreck watch continues….

--Claus

2 comments:

Anonymous said...

Re the bandwidth impact of Link-scanner:

It appears Google have implemented their own server based checking for malicious code in websites that they index. If this technique proves effective it should provide similar protection to Link-scanner within Google searches - which sounds much more efficient than every user checking every website themselves.

The Google Help article can be read here:
http://www.google.co.uk/support/bin/answer.py?answer=45449

The quote below is from this article:
http://www.darkreading.com/document.asp?doc_id=154607

The search giant (Google) last month quietly added a new, free service called the Safe Browsing Diagnostic Page that tells whether a site flagged by Google as potentially dangerous is hosting malware, or helps distribute malware, for instance.

Google’s new diagnostics service provides information about any bad behaviour by the site within the past 90 days. The idea is to give owners of the compromised Websites more information to assist in their remediation and cleanup of the site, and to provide users more information on why the site has been flagged.

Anonymous said...

@dougcuk - you are on target. I've covered that a bit here in the context of Mozilla's Firefox 3 browser which uses the information from Google's safe-search databases to flag/block phishing and "attack" websites:

Firefox 3 Security Blocker: Going In Deep

Curious Firefox Tidbits

Small Steps by Google...Big Help in Firefox 3

Even Opera is now getting into the mix with browser-integrated malicious-site checking -- Opera 9.5 Offers Anti-Malware Protection - Security Fix Washington Post blog.

So the question to me and many others is if browsers themselves have these features embedded, why would users want a second (or third) layer of more web-link checking? If one is good, two is better? The benefit of Mozilla's is that it seems to use both semi-static files downloaded to a SQLite file and "live" integration with the Google search pages.

I haven't researched the Opera method, but according to the Washington Post post, it works by checking every link against Haute's database on the fly. Supposedly with negligible impact on network traffic or browser performance. Time and testing will tell.

I'm all for web-link checking for safe browsing - Pre-Scanning of URL Links for Safe Web Surfing - but there has to be a balance between security, network traffic generation, and local system performance.

AVG's attempt just hasn't seemed to cut it yet.

Thanks for the links and comment!