Avast WEBforum

Avast Products => Archive (Legacy) => Avast Business => Avast Endpoint Protection => Topic started by: Jim85 on May 06, 2015, 08:28:38 PM

Title: Kryptik-PFA [Trj]
Post by: Jim85 on May 06, 2015, 08:28:38 PM
Users all over my network are getting infection alerts for Kryptik-PFA [Trj] after the latest 150506-3 update.  I think it's a massive false-positive reaction.  Can anyone confirm and fix on the next update?
Title: Re: Kryptik-PFA [Trj]
Post by: CSEIT on May 06, 2015, 08:29:29 PM
Users all over my network are getting infection alerts for Kryptik-PFA [Trj] after the latest 150506-3 update.  I think it's a massive false-positive reaction.  Can anyone confirm and fix on the next update?

Same here.
Title: Re: Kryptik-PFA [Trj]
Post by: Bassmaster on May 06, 2015, 08:34:59 PM
SAME HERE!
Title: Re: Kryptik-PFA [Trj]
Post by: jhowzr on May 06, 2015, 08:41:00 PM
We're seeing a major uptick in notifications for this virus too.
Title: Re: Kryptik-PFA [Trj]
Post by: CSEIT on May 06, 2015, 08:43:42 PM
What OS's? So far I haven't heard from anyone else. So far it's just me with Windows 8.1.
Title: Re: Kryptik-PFA [Trj]
Post by: ChrisYoungCCS on May 06, 2015, 08:44:42 PM
It has started blocking chrome.exe district-wide on almost 22,000 machines! I'm dying over here!!!
Title: Re: Kryptik-PFA [Trj]
Post by: Bassmaster on May 06, 2015, 08:52:16 PM
So far it's only happening to our Windows 8.1 PCs as well.
Title: Re: Kryptik-PFA [Trj]
Post by: CSEIT on May 06, 2015, 08:52:56 PM
Can you change your group settings to 'no action' for now?
Title: Re: Kryptik-PFA [Trj]
Post by: jhowzr on May 06, 2015, 08:54:08 PM
Our systems are 64-bit Windows 7 Pro.
Title: Re: Kryptik-PFA [Trj]
Post by: edanderson on May 06, 2015, 08:54:47 PM
We're seeing this in our school district, too. We're getting hits on 32-bit and 64-bit Windows 7 Professional.

We're getting false positives on "C:\windows\system32\MBWrp32.dll" mainly. I sent that file off to VirusTotal and got this back:

https://www.virustotal.com/en/file/8f9234b7efd9e06430c79615a3491f59e105622ad439db3042364ebbb0554e43/analysis/

We've gotten a couple hits on "C:\Program Files\Google\Chrome\Application\39.0.2171.95\libglesv2.dll", too.

It sure looks like a false positive. I threw on a couple of exclusions to try and stem the tide.

Anybody know if there's an API that I can use to connect to the "Virus Chest" on a hundred PCs to restore this file, or am I better off just copying it with a script?

Edit:

It looks like this is going to be a chance to exercise an "Auxiliary Task" to restore previously-detected files from the "Virus Chest" that are no longer detected *once* Avast updates the definitions.  >sigh<
Title: Re: Kryptik-PFA [Trj]
Post by: emoore on May 06, 2015, 09:00:46 PM
Same here. Different files, machines all over the network.  Virustotal shows the files are clean, even by Avast.
Title: Re: Kryptik-PFA [Trj]
Post by: CSEIT on May 06, 2015, 09:04:53 PM
It looks like this is going to be a chance to exercise an "Auxiliary Task" to restore previously-detected files from the "Virus Chest" that are no longer detected *once* Avast updates the definitions.  >sigh<

Do you have a 'How to' on that? :)
Title: Re: Kryptik-PFA [Trj]
Post by: qwit2win on May 06, 2015, 09:11:27 PM
Same here
Title: Re: Kryptik-PFA [Trj]
Post by: ccs_chris on May 06, 2015, 09:12:03 PM
Same here :(
Title: Re: Kryptik-PFA [Trj]
Post by: ChrisYoungCCS on May 06, 2015, 09:12:30 PM
You guys/gals seeing this on 32-bit and 64-bit or just 32-bit?
Title: Re: Kryptik-PFA [Trj]
Post by: CSEIT on May 06, 2015, 09:13:37 PM
64 bit
Title: Re: Kryptik-PFA [Trj]
Post by: Jose5016 on May 06, 2015, 09:15:04 PM
It looks like this is going to be a chance to exercise an "Auxiliary Task" to restore previously-detected files from the "Virus Chest" that are no longer detected *once* Avast updates the definitions.  >sigh<

Please post how you do this if it works for you. I wonder if there is a way to rollback the definitions for all of the clients from the console to prevent the issue from spreading? Does anybody have a recovery plan for a situation like this you would like to share?

This is happening on most of our systems which are a mix of Win 7 and 8.1 64-bit, but luckily it is not flagging any important files that are affecting our users.
Title: Re: Kryptik-PFA [Trj]
Post by: JeffG on May 06, 2015, 09:15:49 PM
 ??? ???Same Here :'(
Title: Re: Kryptik-PFA [Trj]
Post by: Jim85 on May 06, 2015, 09:16:13 PM
We're seeing this on 32-bit and 64-bit, Windows 7 and Windows 8 (and 8.1).  It's killing DLL files associated with Office 2010 and Office 2013 - we can't use Excel, Outlook, Word, etc.
Title: Re: Kryptik-PFA [Trj]
Post by: pps789 on May 06, 2015, 09:20:12 PM
same here. win 8.1 64bit.
Title: Re: Kryptik-PFA [Trj]
Post by: edanderson on May 06, 2015, 09:21:20 PM
Based on what I'm hearing here I'm changing the "Action" on my "File System Shield" to "Do Nothing" across the board (at the root of my "Computer Catalog"). Hopefully this setting gets out to client computers quickly. (The last thing I want is for Office apps, Chrome, etc to start breaking). So far this hasn't been user-visible to anybody yet (or, at least, the Helpdesk isn't blowing-up.)
Title: Re: Kryptik-PFA [Trj]
Post by: Bassmaster on May 06, 2015, 09:33:30 PM
I'm only seeing it on windows 8.1 all 64 bit.
Title: Re: Kryptik-PFA [Trj]
Post by: Jim85 on May 06, 2015, 09:34:33 PM
Good call Ed - I'm changing my settings as well.  I think about 20% of my users are affected right now, hopefully this stems the tide until Avast releases an emergency definition to solve this.
Title: Re: Kryptik-PFA [Trj]
Post by: ChrisYoungCCS on May 06, 2015, 09:40:48 PM
The exclusions we put in for Chrome were:

*\chrome.exe
chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe

...and so far so good! Ed, I made the change you just suggested as well. Evidently there is NO TELLING what this is going to flag. From Office to Chrome to system .DLL files, nothing appears to be safe. Unfortunately the best move we can make now is to "disable" the AV altogether.
Title: Re: Kryptik-PFA [Trj]
Post by: Sterling on May 06, 2015, 09:52:57 PM
We are seeing it in our school district on a large percentage of our Windows 7 Pro computers that are 32 and 64 bit machines.  Avast has been rebooting the computers and scanning through the boot process.  I hope this can be resolved quickly as I feel like a plague has broken out.
Title: Re: Kryptik-PFA [Trj]
Post by: edanderson on May 06, 2015, 10:00:06 PM
We just started getting hits on addt'l files:


So far the "No Action" is working and I'm not getting files being placed into the "Virus Chest" anymore.
Title: Re: Kryptik-PFA [Trj]
Post by: nannunannu on May 06, 2015, 10:06:31 PM
150506-3 is a killer...  Intel storage drivers, sierra wireless drivers, Dell Desktop Authority, parts of internet explorer and chrome...  Just to name a few...

Really bad stuff going on...
Title: Re: Kryptik-PFA [Trj]
Post by: Jim85 on May 06, 2015, 10:07:48 PM
Ed's settings are working for us as well - annoying that it keeps telling you you're infected, but at least it's not damaging anything.

We are consistently seeing igdusc32.dll from the Office 2013 software.  It causes Office software to fail loading.  A repair of Office seems to solve it.
Title: Re: Kryptik-PFA [Trj]
Post by: jjunc on May 06, 2015, 10:08:22 PM
Is there a way to revert back to the VPS version before 150506-3, 150506-0?  I didn't receive any hits on anyone with the 150506-0 version.  The no action worked for me as a temporary measure, but not a good idea to run that way.  I guess I could just turn off auto-syncing mirror before restoring the previous version.
Title: Re: Kryptik-PFA [Trj]
Post by: AndrewR24 on May 06, 2015, 10:11:49 PM
Same issue here, flagging on Nvidia drivers and LibreOffice files so far. Disabled the File System Shield until they fix this mess.

Hoping most of our mobiles get disabled before it starts breaking about 100 laptops/tablets..
Title: Re: Kryptik-PFA [Trj]
Post by: qwit2win on May 06, 2015, 10:20:02 PM
Agreed

The exclusions we put in for Chrome were:

*\chrome.exe
chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe

...and so far so good! Ed, I made the change you just suggested as well. Evidently there is NO TELLING what this is going to flag. From Office to Chrome to system .DLL files, nothing appears to be safe. Unfortunately the best move we can make now is to "disable" the AV altogether.
Title: Re: Kryptik-PFA [Trj]
Post by: Jim85 on May 06, 2015, 10:22:09 PM
I find this ironic:  https://www.avast.com/en-us/virus-update-history

6.5.2015 - 150506-3

This VPS update contains only fixes to existing definitions or removal of false alarms.

Yeah - "removal of false alarms" didn't go so well.
Title: Re: Kryptik-PFA [Trj]
Post by: sappelhans on May 06, 2015, 10:23:08 PM
Same here, we have thousands of messages with files being moved to chest and it's even flagging the Chrome executable.
The virus page at Avast shows that
https://www.avast.com/en-us/virus-update-history shows ...

6.5.2015 - 150506-3
This VPS update contains only fixes to existing definitions or removal of false alarms.

but we are still getting thousands of notifications.
Title: Re: Kryptik-PFA [Trj]
Post by: nannunannu on May 06, 2015, 10:27:16 PM
I find this ironic:  https://www.avast.com/en-us/virus-update-history

6.5.2015 - 150506-3

This VPS update contains only fixes to existing definitions or removal of false alarms.

Yeah - "removal of false alarms" didn't go so well.

Wow, May is a pretty strange month... The 4th was "Star Wars Day", the 5th was "Cinco de Mayo", I didn't realize the 6th was "tragically opposite day"...
Title: Re: Kryptik-PFA [Trj]
Post by: sappelhans on May 06, 2015, 10:30:43 PM
We have totally disabled the "File System Shield" for now.
USA - Midwest.

Lots of Intel Graphics DLLs, seems like DLLs all across the board.
Title: Re: Kryptik-PFA [Trj]
Post by: lloyd hollins on May 06, 2015, 10:36:57 PM
My School district of 300 computers just got hit also
Title: Re: Kryptik-PFA [Trj]
Post by: HonzaZ on May 06, 2015, 10:38:59 PM
Hi all,
Thanks for the info, we are very well aware of this detection and we are currently investigating what happened. Measures have been already taken to mitigate the impact of this (what appears to be) false positive.
Sorry for any inconvenience - we will surely let you know more info as soon as possible!
Title: Re: Kryptik-PFA [Trj]
Post by: nannunannu on May 06, 2015, 10:41:24 PM
Hi all,
Thanks for the info, we are very well aware of this detection and we are currently investigating what happened. Measures have been already taken to mitigate the impact of this (what appears to be) false positive.
Sorry for any inconvenience - we will surely let you know more info as soon as possible!

Can you please rollback to 150506-0 to the mirrors so we can re-enable real time file system shields while you investigate the matter further?
Title: Re: Kryptik-PFA [Trj]
Post by: Infratech Solutions on May 06, 2015, 10:45:05 PM
Quote
Can you please rollback to 150506-0 to the mirrors so we can re-enable real time file system shields while you investigate the matter further?

+1
Title: Re: Kryptik-PFA [Trj]
Post by: HonzaZ on May 06, 2015, 10:51:20 PM
We already performed a rollback; however, this does not help those who already have the new VPS. Rollback merely stops new users from downloading the "-3" VPS.
Title: Re: Kryptik-PFA [Trj]
Post by: qwit2win on May 06, 2015, 10:52:52 PM
We already performed a rollback; however, this does not help those who already have the new VPS. Rollback merely stops new users from downloading the "-3" VPS.

Can't you release "new" that are the same as the previous release? Then it will overwrite the bad ones.
Title: Re: Kryptik-PFA [Trj]
Post by: nannunannu on May 06, 2015, 10:53:13 PM
We already performed a rollback; however, this does not help those who already have the new VPS. Rollback merely stops new users from downloading the "-3" VPS.

Can we manually "downgrade the mirror" on SOA console if we download the VPS package from here:  https://www.avast.com/download-update


??
Title: Re: Kryptik-PFA [Trj]
Post by: nannunannu on May 06, 2015, 10:53:48 PM
We already performed a rollback; however, this does not help those who already have the new VPS. Rollback merely stops new users from downloading the "-3" VPS.

Can't you release "new" that are the same as the previous release? Then it will overwrite the bad ones.

Yes, even better....  Re-release -0 as -4, and let us all get the fix...
Title: Re: Kryptik-PFA [Trj]
Post by: CSEIT on May 06, 2015, 10:56:51 PM
We already performed a rollback; however, this does not help those who already have the new VPS. Rollback merely stops new users from downloading the "-3" VPS.

Can't you release "new" that are the same as the previous release? Then it will overwrite the bad ones.

Yes, even better....  Re-release -0 as -4, and let us all get the fix...

This, please.
Title: Re: Kryptik-PFA [Trj]
Post by: qwit2win on May 06, 2015, 10:57:02 PM
Exactly.

We already performed a rollback; however, this does not help those who already have the new VPS. Rollback merely stops new users from downloading the "-3" VPS.

Can't you release "new" that are the same as the previous release? Then it will overwrite the bad ones.

Yes, even better....  Re-release -0 as -4, and let us all get the fix...
Title: Re: Kryptik-PFA [Trj]
Post by: BudG on May 06, 2015, 10:58:35 PM
We already performed a rollback; however, this does not help those who already have the new VPS. Rollback merely stops new users from downloading the "-3" VPS.

Can't you release "new" that are the same as the previous release? Then it will overwrite the bad ones.

Yes, even better....  Re-release -0 as -4, and let us all get the fix...

This, please.

Yes - Great idea! - Please do!
Title: Re: Kryptik-PFA [Trj]
Post by: schester on May 06, 2015, 11:06:32 PM
+1 on releasing the known good VPS as -4 so we can restore the files!
Title: Re: Kryptik-PFA [Trj]
Post by: jborillo on May 06, 2015, 11:26:38 PM
Luckily, I only have to deal with 30+ systems.  I know there are guys out there responsible for thousands.

I only hope that Avast finds a fix and releases an updated definition soon.

The damage has been done...now we just need to get Avast working properly and deal with the issues.
Title: Re: Kryptik-PFA [Trj]
Post by: HonzaZ on May 06, 2015, 11:27:14 PM
The problem is, we are not sure the -0 is a "good" one. The problem started showing up shortly after the -3 update, that much is true, but we are not sure if releasing -0 as -4 would fix the issue.

Furthermore, if we wanted to release -0 VPS again, it would have to be processed by all the common processes. And if those processes released the faulty (if it is caused by it at all) -3 VPS, how can we be sure that the -4 will not be faulty as well?

To put it simply, we have to make sure the new VPS is perfect before releasing it. Thank you for your patience!
Title: Re: Kryptik-PFA [Trj]
Post by: brantc on May 06, 2015, 11:28:37 PM
Pro-tip - turn on e-mail notifications. We caught this after a few minutes just by monitoring e-mails. After 1 or 2 calls, we knew there was going to be a serious issue if we didn't disable file system protection ASAP. Luckily our thousands of machines should be in good shape.

Good luck all!


Title: Re: Kryptik-PFA [Trj]
Post by: jborillo on May 06, 2015, 11:30:09 PM
The problem is, we are not sure the -0 is a "good" one. The problem started showing up shortly after the -3 update, that much is true, but we are not sure if releasing -0 as -4 would fix the issue.

Furthermore, if we wanted to release -0 VPS again, it would have to be processed by all the common processes. And if those processes released the faulty (if it is caused by it at all) -3 VPS, how can we be sure that the -4 will not be faulty as well?

To put it simply, we have to make sure the new VPS is perfect before releasing it. Thank you for your patience!

Thanks for the prompt reply, HonzaZ.

I hope your internal teams are able to resolve this ASAP and also come up with a way to minimize the damage done.

Good luck!
Title: Re: Kryptik-PFA [Trj]
Post by: HonzaZ on May 06, 2015, 11:36:41 PM
We found the cause of the issue and are rolling an update as we speak (or, more precisely, as I type :) ).
Just a quick note - this only affected VPS5.
I will let you know when the update is online (ETA = 1 hour)!
Title: Re: Kryptik-PFA [Trj]
Post by: Rednose on May 06, 2015, 11:45:20 PM
this only affected VPS5.

What is VPS5 ?

Greetz, Red.
Title: Re: Kryptik-PFA [Trj]
Post by: Victor T on May 06, 2015, 11:46:20 PM
We found the cause of the issue and are rolling an update as we speak (or, more precisely, as I type :) ).
Just a quick note - this only affected VPS5.
I will let you know when the update is online (ETA = 1 hour)!
For people like me that did the reboot and deleted files, what can we do? :/
Title: Re: Kryptik-PFA [Trj]
Post by: jborillo on May 06, 2015, 11:49:18 PM
Pro-tip - turn on e-mail notifications. We caught this after a few minutes just by monitoring e-mails. After 1 or 2 calls, we knew there was going to be a serious issue if we didn't disable file system protection ASAP. Luckily our thousands of machines should be in good shape.

Good luck all!

Just curious.  Using e-mail notifications, how did you guys determine that the latest virus def was a bad one that was reporting false positives?

Seems to be the opposite of what one might do.  You get an alert that Avast has flagged some files as being infected and the first thing you do is disable file system protection?
Title: Re: Kryptik-PFA [Trj]
Post by: nannunannu on May 06, 2015, 11:49:47 PM
For people like me that did the reboot and deleted files, what can we do? :/

Go into the virus chest and restore the files.
Title: Re: Kryptik-PFA [Trj]
Post by: jfogel on May 06, 2015, 11:51:02 PM
Unfortunately you are probably out of luck and will have to do a re-image/restore of the system. The thing about the boot time scan is that all the protections that prevent Bad Things from happening to important files are disabled. If you picked the delete option, those files are gone.
Title: Re: Kryptik-PFA [Trj]
Post by: HonzaZ on May 06, 2015, 11:53:36 PM
What is VPS5 ?
VPS5 is a version of virus database that is used by Avast 5 (rather old version), but for compatibility issues also by EndProtect (https://www.avast.com/endpoint-protection-suite). Avast for personal devices (99 % of our users) uses VPS9.
Title: Re: Kryptik-PFA [Trj]
Post by: Jim85 on May 06, 2015, 11:56:34 PM
Typically viruses hit individuals - not groups of people simultaneously.  I think his suggestion is that if you see multiple people reporting a virus hit at the same time, especially if it happens right after a VPS update, it's likely a false-positive storm.  Especially if it occurred randomly (one user got it while in Excel, the other got it while on the web, and the 3rd got it while reading e-mail).

If you see patterns you can make good decisions.  If three users report a virus hit and all three were browsing the web, then it's likely the website was infected.  If all three were opening a link or attachment in a blasted e-mail, then it's likely an infected e-mail or attachment.  But if all three were doing completely different things - I'd think it's a storm.

It just takes experience and a gut feeling on what you're seeing.
Title: Re: Kryptik-PFA [Trj]
Post by: BudG on May 06, 2015, 11:58:04 PM
Still not seeing any update rolling out...
Title: Re: Kryptik-PFA [Trj]
Post by: nannunannu on May 06, 2015, 11:59:01 PM
What is VPS5 ?
VPS5 is a version of virus database that is used by Avast 5 (rather old version), but for compatibility issues also by EndProtect (https://www.avast.com/endpoint-protection-suite). Avast for personal devices (99 % of our users) uses VPS9.

Just a quick note - this only affected VPS5.

Thanks for the transparency... 

Please share this with the team:  It is extremely important that you complete the merge of the code base (SOON!) so that the business users are getting the same attention and priority of updates as the home users.  This has become a real issue over the past year, and will continue to drive paying customers away from your products until it is resolved.
Title: Re: Kryptik-PFA [Trj]
Post by: Jim85 on May 07, 2015, 12:04:42 AM
He said it would take about 1 hour - that was 30 mins ago.
Title: Re: Kryptik-PFA [Trj]
Post by: Jim85 on May 07, 2015, 12:07:19 AM
Nan,

I agree with your sentiment, but I also understand their position on this.  The home users (free) are the test users.  The latest code goes to them first.  Only when it's stable does it get rolled to the paying corporate versions.  It's like the old adage "never install the first release - always wait for Service Pack 1".
Title: Re: Kryptik-PFA [Trj]
Post by: edanderson on May 07, 2015, 12:11:39 AM
Typically viruses hit individuals - not groups of people simultaneously.  I think his suggestion is that if you see multiple people reporting a virus hit at the same time, especially if it happens right after a VPS update, it's likely a false-positive storm.  Especially if it occurred randomly (one user got it while in Excel, the other got it while on the web, and the 3rd got it while reading e-mail).

...

It just takes experience and a gut feeling on what you're seeing.

I'd echo this, too.

For me, it started with a rash of email notifications about a file in "C:\Windows\System32\...". Since my users don't have Administrator rights this immediately set off a major red flag with me that a security incident might be occurring. I immediately extracted one of the files from the "Virus Chest" and examined it. Seeing that it had a good digital signature from a trusted publisher I opted to send the file to VirusTotal.

Around the time this happened I started seeing other files in the notifications. I went here to see if there was discussion about false positives and, shortly thereafter, opted to set "No Action" for the "File System Shield" on the root of my "Computer Catalog".

There's no magic formula for response to this kind of situation (and, over the years, I've seen it with multiple antivirus products).
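
The triage pattern Jim85 and edanderson describe above (many hosts alerting right after a VPS update, users doing unrelated things, flagged files carrying a good signature), as an added example that is not part of the original thread or of any Avast tooling. The `Alert` fields, thresholds, timestamps and sample records are constructed assumptions; the detection name and file names come from the posts.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Alert:
    # Hypothetical record shape; map your console's alert export onto it.
    host: str
    when: datetime
    detection: str
    path: str
    activity: str                      # what the user was doing when it fired
    trusted_signature: Optional[bool]  # None = sample not examined yet


def triage_burst(alerts, detection, vps_applied, window=timedelta(hours=2),
                 min_hosts=3, dominant_share=0.8):
    """Return (verdict, reasons) for one detection name after a definitions update."""
    hits = [a for a in alerts
            if a.detection == detection
            and vps_applied <= a.when <= vps_applied + window]
    hosts = {a.host for a in hits}
    if len(hosts) < min_hosts:
        return "insufficient_evidence", [f"{len(hosts)} host(s) alerted in window"]
    reasons = [f"{len(hosts)} hosts alerted within {window} of the update"]

    # A flagged file that fails signature verification is never waved through.
    bad = sorted({a.path for a in hits if a.trusted_signature is False})
    if bad:
        return "investigate_as_incident", reasons + [f"unsigned/invalid: {bad}"]

    # Everyone doing the same thing points at a shared source (site, e-mail).
    activity, count = Counter(a.activity for a in hits).most_common(1)[0]
    if count / len(hits) >= dominant_share:
        return "likely_shared_infection_vector", reasons + [
            f"{count}/{len(hits)} alerts occurred during '{activity}'"]
    reasons.append("alerts spread across unrelated activities")

    if not any(a.trusted_signature for a in hits):
        return "probable_storm_verify_samples", reasons + [
            "no sample has been signature-checked yet"]
    return "likely_false_positive_storm", reasons + [
        "examined samples carry a valid trusted signature"]


# --- Constructed sample data (not real telemetry) ---------------------------
DETECTION = "Kryptik-PFA [Trj]"
T0 = datetime(2015, 5, 6, 20, 0)  # constructed time the update reached clients


def alert_at(host, minutes, path, activity, signed, detection=DETECTION):
    return Alert(host, T0 + timedelta(minutes=minutes), detection, path,
                 activity, signed)


STORM = [
    alert_at("pc-01", 5, r"C:\windows\system32\MBWrp32.dll", "office", True),
    alert_at("pc-02", 7, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
             "web", True),
    alert_at("pc-03", 9, "igdusc32.dll", "office", None),
    alert_at("pc-04", 12, r"C:\Program Files\Google\Chrome\Application"
             r"\39.0.2171.95\libglesv2.dll", "web", None),
    alert_at("pc-05", 15, r"C:\windows\system32\MBWrp32.dll", "email", None),
    # Fired before the update was applied, so it is outside the window.
    alert_at("pc-06", -30, r"C:\windows\system32\MBWrp32.dll", "office", True),
]

# Three users who all opened the same (constructed) e-mail attachment.
SHARED = [
    alert_at(f"pc-1{i}", 10 + i, r"C:\Users\Public\Downloads\attachment.exe",
             "email", None, detection="Constructed-Sample [Trj]")
    for i in range(3)
]

if __name__ == "__main__":
    for name, data, det in (("storm", STORM, DETECTION),
                            ("shared", SHARED, "Constructed-Sample [Trj]")):
        verdict, why = triage_burst(data, det, T0)
        print(name, "->", verdict)
        for line in why:
            print("   ", line)
```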
Title: Re: Kryptik-PFA [Trj]
Post by: HonzaZ on May 07, 2015, 12:13:35 AM
The home users (free) are the test users. The latest code goes to them first.

This couldn't be further from the truth. All VPS versions are released at the same time to all our users. We do not have any test users - that is what we have our test servers for.
Title: Re: Kryptik-PFA [Trj]
Post by: Infratech Solutions on May 07, 2015, 12:14:45 AM
Paid business users are in v5 and free users are in V9. There is not a single version between business and home, there are a couple of years of development.
Title: Re: Kryptik-PFA [Trj]
Post by: HonzaZ on May 07, 2015, 12:21:56 AM
Just to clarify a bit more:
Business product (EndProtect) uses VPS5, almost everything else uses VPS9 (providing the users wanted to update to newer version of Avast, of course). This DOES NOT mean that the business version is inferior in any way - it just uses data in the older format.
To add to that, we are only talking about the VPS - the program itself (as well as the engine) gets regular updates, no matter the version.
Title: Re: Kryptik-PFA [Trj]
Post by: jbarclay on May 07, 2015, 12:25:09 AM
Breaking Teamviewer 9 Pro as well. All my remote clients are seeing files moved to virus chest and a boot time scan that then breaks the program.
Title: Re: Kryptik-PFA [Trj]
Post by: Infratech Solutions on May 07, 2015, 12:26:59 AM
Just to clarify a bit more:
Business product (EndProtect) uses VPS5 and an engine in V8.
Free users use a VPS9 and an engine V10.
This DOES NOT mean that the business version is inferior in any way, but the problem with FP is only in the business version.
Title: Re: Kryptik-PFA [Trj]
Post by: spam10 on May 07, 2015, 12:30:55 AM
You guys are funny. If this impacts any of my customers (e.g. a Tax Man company with 30 employees) in 6 hours, German business time, I will never recommend using Avast...
Title: Re: Kryptik-PFA [Trj]
Post by: brantc on May 07, 2015, 12:34:00 AM
Pro-tip - turn on e-mail notifications. We caught this after a few minutes just by monitoring e-mails. After 1 or 2 calls, we knew there was going to be a serious issue if we didn't disable file system protection ASAP. Luckily our thousands of machines should be in good shape.

Good luck all!

Just curious.  Using e-mail notifications, how did you guys determine that the latest virus def was a bad one that was reporting false positives?

Seems to be the opposite of what one might do.  You get an alert that Avast has flagged some files as being infected and the first thing you do is disable file system protection?

Between receiving a bunch of e-mails on infected files, a few phone calls, and a quick Google search (re: Kryptik) leading me to this forum, I made the educated guess that it was a bad definition file.
Title: Re: Kryptik-PFA [Trj]
Post by: Infratech Solutions on May 07, 2015, 12:45:39 AM
Quote
We found the cause of the issue and are rolling an update as we speak (or, more precisely, as I type :) ).
Just a quick note - this only affected VPS5.
I will let you know when the update is online (ETA = 1 hour)!

New ETA?
Title: Re: Kryptik-PFA [Trj]
Post by: HonzaZ on May 07, 2015, 12:50:00 AM
New VPS5 is online on our servers!

(Hopefully without any problems now :) )

Thanks everybody for all the patience, you guys are wonderful ;D !
Title: Re: Kryptik-PFA [Trj]
Post by: Victor T on May 07, 2015, 12:55:53 AM
New VPS5 is online on our servers!

(Hopefully without any problems now :) )

Thanks everybody for all the patience, you guys are wonderful ;D !
So, is it safe to turn on my Avast now? Not even sure if I want to run it now.. I lost a lot of files and I don't really have a restore point to restore what I lost..
Title: Re: Kryptik-PFA [Trj]
Post by: spam10 on May 07, 2015, 01:06:44 AM
Received the update 3 minutes ago; it says it is 2 days old...
Title: Re: Kryptik-PFA [Trj]
Post by: phungn55 on May 07, 2015, 01:16:20 AM
Manually update the def from 150506-3 to 150506-5 from server. Looking good and will enable global file system shield.

Thanks for the patch
Title: Re: Kryptik-PFA [Trj]
Post by: spam10 on May 07, 2015, 01:25:06 AM
Manually used, wants a reboot - will this be needed on all systems?
Title: Re: Kryptik-PFA [Trj]
Post by: schester on May 07, 2015, 01:55:58 AM
Installed the update on computers, but haven't turned back on the file shield yet.

I've tried telling the computers to restore files from the virus chest through AEA and they don't appear to be going back as instructed. Anyone else having problems with this or am I missing something?
Title: Re: Kryptik-PFA [Trj]
Post by: Huan on May 07, 2015, 02:00:48 AM
same here. :-\
Title: Re: Kryptik-PFA [Trj]
Post by: schester on May 07, 2015, 02:04:19 AM
Installed the update on computers, but haven't turned back on the file shield yet.

I've tried telling the computers to restore files from the virus chest through AEA and they don't appear to be going back as instructed. Anyone else having problems with this or am I missing something?

I was able to restore the files manually on the computer and they went back. TeamViewer didn't appear to function after restoring TeamViewer_Desktop.exe, but it did after a restart, so I guess we have to go and touch each computer that put a file in the virus chest to manually restore them and then restart. That wasn't what I had planned tonight, that's for sure!
Title: Re: Kryptik-PFA [Trj]
Post by: spam10 on May 07, 2015, 02:12:09 AM
Avast just acted like a virus which it should protect from, please give me an address where I can send my bill for the repairing of that!
Title: Re: Kryptik-PFA [Trj]
Post by: john-genus on May 07, 2015, 02:19:17 AM
Avast staff,

Please update us with official company response regarding what the issue was.  Please indicate what Avast is doing to prevent this from happening in the future.
Title: Re: Kryptik-PFA [Trj]
Post by: jetcosys on May 07, 2015, 02:26:57 AM
My servers have 150506-5 but the clients are slow to pull it.  Anyone know how to tell the clients in SOA to go get the latest file from the server?
Title: Re: Kryptik-PFA [Trj]
Post by: schester on May 07, 2015, 02:28:29 AM
My servers have 150506-5 but the clients are slow to pull it.  Anyone know how to tell the clients in SOA to go get the latest file from the server?

You should be able to right click on the group, run task on group, updating tasks, update VPS. This appeared to work for me.

You'll have to refresh the window to see the status as it doesn't update in real time and it takes a few minutes for the clients to check in.
Title: Re: Kryptik-PFA [Trj]
Post by: jetcosys on May 07, 2015, 02:40:38 AM
My servers have 150506-5 but the clients are slow to pull it.  Anyone know how to tell the clients in SOA to go get the latest file from the server?

You should be able to right click on the group, run task on group, updating tasks, update VPS. This appeared to work for me.

You'll have to refresh the window to see the status as it doesn't update in real time and it takes a few minutes for the clients to check in.

Thanks!
Title: Re: Kryptik-PFA [Trj]
Post by: tucsonmark on May 07, 2015, 07:34:27 AM
So, it looks like we've got an update from Avast that resolves this false positive issue. As I researched this problem looking for an answer, I found multiple instances of Kryptik generating false positive issues in the past. In 2012 it was Super Antispyware, in 2009 it was ESET.

It's worth noting that although this was a pretty big pain for those affected, the issue seems to have been limited to a very small number of Avast users. I sell and support  Avast, and I only know of two of my clients that ran into this problem (out of hundreds). In our shop we have EPSP, same update, no issue. I know that is no consolation to those of you who have to clean up after this mess, but it is a fact.

Hopefully those of you who were affected will be able to restore your quarantined files and get back up and running without too much trouble. I think the thing to remember here is that for an AV program to be effective it has to be aggressive and on occasion that can lead to false positives and other problems. If you've been in the network support game for awhile you know that all AV programs have had their issues, whether it be false positives or dirty uninstalls or ineffective protection.

I'd like to thank forum members for their positive suggestions and Avast for a speedy remedy.
Title: Re: Kryptik-PFA [Trj]
Post by: ChrisYoungCCS on May 07, 2015, 03:06:53 PM
tucsonmark, you sell it, support it and make a profit off of it, we use it. Big difference.

Do not come on here defending AVAST and pointing out it was only a few customers. It was not. I reached out to the entire State of NC through a listserve and got numerous responses back from them experiencing the same unfortunate circumstances.

We have over 24,000 machines that are being affected by this incident. So once again, don't tell me it's a minority of users that are being affected.

AVAST stated on this forum that they have test servers in which they roll out their VPS updates to see if anything is wrong before they release their VPS updates to the world. For applications such as Office 2010, Office 2013 and the Chrome browser to not have been affected on their test servers, but affected throughout the rest of the world is quite troublesome to me.

If I want an aggressive product I'll go with Malwarebytes. I do not expect this from a major AV company.
Title: Re: Kryptik-PFA [Trj]
Post by: ederm on May 07, 2015, 03:58:58 PM
It's still happening today as of 8:20am CST. Using VPS: 150507-0 Engine: 8.0.1603

Several clients affected on campus
Title: Re: Kryptik-PFA [Trj]
Post by: Kogure on May 07, 2015, 04:02:04 PM
Had to reset my password just to make this post. Big thanks, Avast! Before this latest update I had no clue that literally half of my drive was occupied by Kryptik! These damn trojans keep getting sneakier and sneakier. Now they install themselves in every single folder.

But seriously, I had it happen a few minutes ago. The issue doesn't look very fixed to me.


EDIT:

It's still happening today as of 8:20am CST. Using VPS: 150507-0 Engine: 8.0.1603

Several clients affected on campus

I tried to update my virus database, and it said I have that exact version already. That "150507-0". And quite interestingly, it's only causing issues on my laptop. I also have a regular PC with the exact same version, and nothing is wrong here.
Title: Re: Kryptik-PFA [Trj]
Post by: kaidomac on May 07, 2015, 04:39:41 PM
tucsonmark, you sell it, support it and make a profit off of it, we use it. Big difference.

Do not come on here defending AVAST and pointing out it was only a few customers. It was not. I reached out to the entire State of NC through a listserve and got numerous responses back from them experiencing the same unfortunate circumstances.

We have over 24,000 machines that are being affected by this incident. So once again, don't tell me it's a minority of users that are being affected.

AVAST stated on this forum that they have test servers in which they roll out their VPS updates to see if anything is wrong before they release their VPS updates to the world. For applications such as Office 2010, Office 2013 and the Chrome browser to not have been affected on their test servers, but affected throughout the rest of the world is quite troublesome to me.

If I want an aggressive product I'll go with Malwarebytes. I do not expect this from a major AV company.

I've been working on this since 3:00pm yesterday afternoon.  I just finished getting everyone back up & running about 20 minutes ago.  I "only" had 200 users affected (one company I contract with that uses Avast), so it's not anywhere near the scale of 24k machines, but it was still a major headache.  The company had expensive engineers sitting around twiddling their thumbs as we worked through solutions.  Needless to say they were not happy with me or with Avast.

Also, it did eat some DLL's (in addition to blocking EXE's) for applications such as Office 2013, at least on our machines.  For example, users weren't able to open Outlook at all.  Got a variety of other programs as well.  Probably 90% of them were resolved with a couple reboots after the update got pushed out, a smaller selection started working after restoring everything back manually from the local desktop's virus vault, and a smaller percentage had to have some specific applications completely re-installed to get them working.  Big mess.  I am very tired & frustrated today.

I think my biggest complaint is that I did not receive any sort of contact from Avast regarding this issue.  No emergency email alert, no apology, nothing - just no contact on the issue that took an entire company's computer resources down.  I've been stuck here for the last 19 hours reading user-generated threads on this forum & manually working through individual machines on-site to get people working again.  I am 100% resolved now thanks to people sharing info here, but when I go to Avast.com, I don't see a big red emergency button to help fix my problem.   And fortunately they use a different A/V product on their servers to minimize issues like this, so at least it was only desktop users & not their entire network.
Title: Re: Kryptik-PFA [Trj]
Post by: kaidomac on May 07, 2015, 04:41:51 PM
Installed the update on computers, but haven't turned back on the file shield yet.

I've tried telling the computers to restore files from the virus chest through AEA and they don't appear to be going back as instructed. Anyone else having problems with this or am I missing something?

I did it locally (manually) and it worked for maybe 80% of the machines.  I think pulling files into the chest broke specific programs, which required me to reinstall them.  Fortunately Office 2013 took the restores just fine.  Fortunately I had a small-ish installation (200 users) so I could run around or remote in to fix everyone's issues.
Title: Re: Kryptik-PFA [Trj]
Post by: john-genus on May 07, 2015, 05:08:09 PM
I think my biggest complaint is that I did not receive any sort of contact from Avast regarding this issue.  No emergency email alert, no apology, nothing - just no contact on the issue that took an entire company's computer resources down.  I've been stuck here for the last 19 hours reading user-generated threads on this forum & manually working through individual machines on-site to get people working again.  I am 100% resolved now thanks to people sharing info here, but when I go to Avast.com, I don't see a big red emergency button to help fix my problem.   And fortunately they use a different A/V product on their servers to minimize issues like this, so at least it was only desktop users & not their entire network.

I agree completely.  Every tech who has been around for awhile understands problems can happen with these products.  However, getting complete radio silence from your vendor during an issue like this is very troubling.
Title: Re: Kryptik-PFA [Trj]
Post by: kaidomac on May 07, 2015, 05:24:23 PM
I agree completely.  Every tech who has been around for awhile understands problems can happen with these products.  However, getting complete radio silence from your vendor during an issue like this is very troubling.

Recent example - the Wink Hub failure (it's a smarthome controller sold through Home Depot for home automation of lights etc.).  Apparently they failed to renew their SSL certificate, which caused all of the Hubs to lock themselves down (and completely lock themselves out of communicating with the server since it had a new & different certificate).  Very simple issue with huge negative consequences.  There was obviously a lot of kickback from users, but Wink also kept their Twitter, Facebook, etc. up-to-date as they worked to resolve it so that people were kept in the loop & knew that Wink was not only aware of the problem but working to fix it, and then updates were posted when the resolution was available.  Crap hits the fan sometimes; that's just how life goes - nothing is perfect.  But you have to keep your (paying) users informed of what's going on.  My trust in Avast has gone down significantly because it's nearly 24 hours later at this point & I haven't received any official communication.

I just barely checked their Facebook page (Facebook is blocked at most corporations I work at, so I didn't think to check) & their Twitter account and see that they put a note up on both of those pages, but I didn't think to check because I first checked my email, then the Avast home page, then the Avast blog, then the Avast forums - I don't typically rely on social media for business support, you know?  It is not even stickied here in the forum, so I had to search for it to make sure I wasn't the only one experiencing the issue.  Again, I've been very happy with the pricing & reliability up to this point, and I do understand that mistakes happen, I just think they should really really streamline their customer communication process.  My customer service experiences in the past with Avast have been what I'll call mediocre at best, so I'm not entirely surprised that this issue has largely been ignored in terms of informing paid clientele.  Would like to see that change for sure.  I like the product & service, but right now I am so tired that I want to throw up & still have an hour's drive home from this client, once I make sure everything is still smooth for the remainder of the business day.  I appreciate the somewhat fast response for the program/definitions update to resolve this, but feel very ignored from a business contact point of view.
Title: Re: Kryptik-PFA [Trj]
Post by: nannunannu on May 07, 2015, 05:58:58 PM
Just to clarify a bit more:
Business product (EndProtect) uses VPS5 and an engine in V8.
Free users use a VPS9 and an engine V10.
This DOES NOT mean that the business version is inferior in any way, but the problem with FP is only in the business version.

Right, and when something like KB3000850 caused machines with Avast! to brick, VPS9 was updated same day...  Business products that rely on VPS5 weren't addressed for three days...  So not inferior in any way, just not as well supported and prone to experience problems when the other editions don't...  But, no, not inferior in any way.  Riiiiight.
Title: Re: Kryptik-PFA [Trj]
Post by: dixons on May 07, 2015, 06:53:44 PM
Sounds like I have something similar to kaidomac

This is a cut and paste from the email I just sent support.  Not sure it is entirely related but it started yesterday for us when those bad defs hit us.

--------------

We had the issue that started yesterday with the bad definitions.  Our PC’s have since updated but those that had the erroneous virus issue are still giving us fits.  I am not sure it is strictly related to just those PC’s either but that seems to be a common thread.

The false positives are gone (we have restored any files purged).  However we are seeing EXTREME performance issues.  This is only hitting our Windows 7 x64 PC’s.  The issue does not exist on Vista on 32 bit OS.

Basically what is happening – many of the PC’s will just sit and stall on the login Welcome screen.  If we try to remotely attach to service or the eventlog it will timeout and/or give an RPC too busy error.

If we disable shields (leaving just the File Scanner) still no joy.  Same issue.  If we disable Avast completely and reboot, it is fine.

If we uninstall and reinstall Avast the same issue happens.  It only resolves itself if we uninstall AND run these commands to clean up all of Avast.

rem del /q /s "C:\ProgramData\AVAST Software\*.*"
rem del /q /s "C:\Program Files\AVAST Software\*.*"

rmdir /q /s "C:\ProgramData\AVAST Software"
rmdir /q /s "C:\Program Files\AVAST Software"

If we then reinstall everything works perfectly.

We had the exact same issue around our spring break – there was nothing on the forums at that time about an issue.  We went around to our PC’s and uninstall/reinstalled about 500 clients.

Sending the Avast Uninstall job would fail on most PC’s.  As soon as the PC was online for any amount of time – even if not logged in, it became too unstable to work on and/or uninstall Avast.

Symptoms we are seeing, internet browsing (Chrome and IE) just fail to do anything.  Excel, Word, Outlook all hang.  Opening PDF files fails.

In a weird twist – I just gave a loaner laptop to one of my administrators – it locked up on him in the same way.  The gotcha – it had not been on for a couple weeks so it went from a very old virus def update to 507-0 update, indicating it was not likely specific to the bad update.

Title: Re: Kryptik-PFA [Trj]
Post by: nannunannu on May 07, 2015, 07:21:10 PM
@dixons - I think there are some separate threads about filter drivers and performance issues like you've described.  If I find them I'll post cross links.  For curiosity's sake, on these Windows 7 x64 machines, do you run the version of Avast with their software firewall (Plus?) or just the straight endpoint AV software with the windows firewall?
Title: Re: Kryptik-PFA [Trj]
Post by: dixons on May 07, 2015, 07:27:29 PM
I would appreciate the threads - I think we visited those last time we saw an issue like this and they gave us no joy.

We are running the straight Endpoint Protection with the Windows Firewall (in many cases with the Windows Firewall off as well - but that varies).

Other odd part if it was related to filter drivers - it should affect all the same make/model PC that share the same image, and I would think it would be a constant problem.

Thanks,

Scott
Title: Re: Kryptik-PFA [Trj]
Post by: nannunannu on May 07, 2015, 10:20:34 PM
In your machine group settings try setting the option for avast to load after other system services. 

Also, if you have cloud services enabled (reputation services in particular) and some of the machines are unable to reach, or slow in reaching the mothership, you can experience slowdowns.  Network conditions may vary for two machines cut from the same image.

Also...  If you uninstall avast, then look at what remains in the two folders you are removing manually? I bet it is some of the log files (how big is your avastnet.log file??) and other things in the ProgramData folder...  Inspect what is leftover for abnormally large or small files, corrupt or truncated .dat files, url.db file, etc...  One of those is probably the cause, or at least the mechanism of the problem, perhaps caused by an issue with the streaming updates, or etc...
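
The leftover-file inspection suggested in the post above, as an added PowerShell example that is not part of the original thread and not Avast's own tooling: it records what an uninstall leaves in the two folders quoted earlier, before they are removed with rmdir, and flags empty, very large and possibly truncated files. The 100MB cut-off, the "less than half the baseline size" rule, the report location and the optional baseline CSV (the same report taken on a healthy machine) are assumptions.

```powershell
# Added example, not from the thread or from Avast. Run after the uninstall and
# BEFORE the rmdir cleanup, so the evidence is captured before it is deleted.
param(
    [string]$BaselineCsv = ''   # hypothetical: this script's CSV from a healthy machine
)

# The two folders are the ones quoted in the thread; everything else is assumed.
$folders    = 'C:\ProgramData\AVAST Software', 'C:\Program Files\AVAST Software'
$largeBytes = 100MB             # assumed threshold for "abnormally large"
$reportPath = Join-Path $env:TEMP ("avast-leftovers-{0}.csv" -f $env:COMPUTERNAME)

$report = @(foreach ($folder in $folders) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }
    Get-ChildItem -LiteralPath $folder -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Select-Object FullName, Length, LastWriteTime,
            @{ Name = 'Flag'; Expression = {
                if ($_.Length -eq 0)               { 'EMPTY' }
                elseif ($_.Length -ge $largeBytes) { 'LARGE' }
                else                               { '' }
            } }
})

# Keep a copy that survives the cleanup and can be compared across machines.
$report | Export-Csv -Path $reportPath -NoTypeInformation
Write-Host ("{0} leftover files recorded in {1}" -f $report.Count, $reportPath)

# Zero-byte and oversized files (logs, .dat files, databases) come first.
$report | Where-Object { $_.Flag } |
    Format-Table Flag, Length, FullName -AutoSize | Out-Host

# The ten largest leftovers, whatever their flag.
$report | Sort-Object Length -Descending | Select-Object -First 10 |
    Format-Table Length, LastWriteTime, FullName -AutoSize | Out-Host

# Optional: files under half the size of the healthy machine's copy may be truncated.
if ($BaselineCsv -and (Test-Path -LiteralPath $BaselineCsv)) {
    $baseline = @{}
    Import-Csv -Path $BaselineCsv |
        ForEach-Object { $baseline[$_.FullName] = [long]$_.Length }
    Write-Host 'Smaller than half the baseline size:'
    $report | Where-Object {
        $baseline.ContainsKey($_.FullName) -and $_.Length -lt ($baseline[$_.FullName] / 2)
    } | Format-Table Length, FullName -AutoSize | Out-Host
}
```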