November 11th, 2008
AVG and Rising signatures update detects Windows files as malware
Yesterday, a signatures update pushed by AVG falsely labeled a critical Windows file as a banker malware, prompting the company to quickly fix the issue and issue a workaround, following end users complaints at its support forums.
AVG’s false positive causing downtime for Windows users is happening a week after Rising antivirus apologized to its customers for falsely detecting Outlook Express as malware leading to loss of emails, and yes, productivity too.
The impact of the false positive leads to a continuous reboot cycle :
“An update for the AVG virus scanner released yesterday contained an incorrect virus signature, which led it to think user32.dll contained the Trojan Horses PSW.Banker4.APSA or Generic9TBN. AVG then recommended deleting this file; this causes the affected systems to either stop booting or go into a continuous reboot cycle. So far, the problem only appears to affect Windows XP, but there is no guarantee that other versions of Windows don’t have the same issue.”
AVG’s brief response to the situation, with the workaround posted at AVG’s support section under the “False positive user32.dll” title :
“Unfortunately, the previous virus database might have detected the mentioned virus on legitimate files. We can confirm that it was a false alarm. We have immediately released a new virus update (270.9.0/1778) that removes the false positive detection on this file. Please update your AVG and check your files again.
We are sorry for the inconvenience and thank you for your help.
Best regards,
Zbynek Paulen
AVG Technical Support”
AVG and Rising aren’t an exception to previous cases where components of Microsoft’s Windows have been detected as false positives. In fact, in 2006 Microsoft’s Anti-Spyware was detecting a competing solution as a piece of malware :
- CA’s eTrust false positive for a Windows component - 2006
- Microsoft Anti-Spyware false positive for Norton Antivirus - 2006
- Kaspersky’s false positive of Windows Explorer - 2007
- Symantec’s false positive of Windows XP - 2007
- Trend Micro’s false positive for Windows - 2008
Response time is crucial in such a situation, so the best thing the vendors can do is go public and provide assistance in fixing the problem.
Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.
Subscribe to Zero Day via Email alerts or RSS.
