Avira Antivirus Update Results In A Mess For A Number Of Users

Posted on May 16 2012 - 5:32am by Editorial Staff

ZDNet reports that Avira, a German security company, has sent out a defective antivirus update. The update, which has been downloaded millions of times, has created a mess for a lot of users around the world, according to user reports [1][2]. The result is that the AntiVirProActiv component starts detecting critical processes as malware, including the following:

  • \windows\system32\dllhost.exe
  • \windows\system32\explorer.exe
  • \windows\system32\iexplorer.exe
  • \windows\system32\notepad.exe
  • \windows\system32\regedit.exe
  • \windows\system32\rundll32.exe
  • \windows\system32\taskeng.exe
  • \windows\system32\wuauclt.exe

The update is blocking a number of applications, including Microsoft Office and Microsoft Works, as well as third-party applications, including Byki 4 Express, Documents To Go, Garmin, Google Talk, iPod and Palm services, Opera, OpenDNS Updater, Polipo, Shadow and Stickies.

An Avira user who goes by the name of AaronH posted the following complaint:

Our enterprise uses Avira’s Business Bundle extensively. We have 100 centrally managed users at this site alone, and a dozen users we support on the road.

This update has been pretty catastrophic. The whole company ground to a standstill.

Upon arriving at work this morning, users were greeted with an Avira update prompting them to restart their machines. Most users did so.

Unfortunately, upon reboot, most users could not log in, as Pro-Activ was blocking the login process. Some users managed to log in, but they could not open Outlook, Excel, or any other apps, due to them being blocked by Pro-Activ.

We quickly informed all users not to reboot, but most had done so already, or ignored our advisory.

After checking this forum and finding the cause of the problem (while waiting on hold with business support), we pushed out a configuration update to disable Pro-Activ. Upon rebooting, on-site users could then log in.

However, the off-site users received the update, but are now unable to connect to the VPN to receive the centrally-deployed configuration update. Trying to support a dozen off-site users who cannot even start their computers is not much fun, that’s for sure.

I’ve been a big proponent of Avira within our company, but I think that may change when it comes time to renew our license in a few months.

An Avira forum moderator who goes by the name of marfabilis posted this solution:

Avira is analyzing and discussing these suspicious behaviour detections with high priority.

Meanwhile, you should see in the Realtime Protection report file the processes blocked by Avira ProActiv (go to Avira Control Center > PC protection > Realtime Protection > click on Display Report file). Then, follow this workaround.

Right-click on your Avira systray icon and choose Configure Avira Antivirus Premium 2012 or Avira Internet Security 2012

Enable Expert Mode

Go to PC Protection > Realtime Protection > ProActiv > Application Filter > Allowed

Type each path (from Realtime Protection report file) in the empty field and click Add >>

Click on Apply > OK

Avira later confirmed that the problem has been fixed:

ProActiv Application Blocking:

This issue has been resolved. Your Avira products should now be functioning normally.

Issue details:

On May 14 and 15, 2012, following the release of Service Pack 0 (SP0) for Avira Version 2012, the ProActiv feature blocked legitimate Windows applications on customers’ PCs.

We deeply regret any difficulties this has caused you. Thank you for your patience and understanding.

If you still encounter the issue:

In the unlikely event that applications continue to be blocked by ProActiv, please update your software as follows:

Open the Avira Control Center.

Click on Update › Start product update.

No further steps are required.

There is no word on how many users were affected by this, according to COO Witteveen:

“We contacted all of our users to let them know about our fix to the ProActiv situation this morning,” Avira COO Travis Witteveen said in a statement. “The issue only arose on 32-bit Windows premium, suite and professional products, which had ProAktiv turned on (by default ProAktiv is an opt-in feature, so the infected base was not the entire base). We do not know the exact number of those impacted, but we are confident we reacted immediately and communicated thoroughly.”

About the Author

Editorial Staff at I2Mag is a team of subject experts.