Author Topic: Kryptik-PFA [Trj]  (Read 24996 times)


Offline BudG

  • Newbie
  • *
  • Posts: 7
Re: Kryptik-PFA [Trj]
« Reply #45 on: May 06, 2015, 10:58:35 PM »
We already performed a rollback; however, this does not help those who already have the new VPS. Rollback merely stops new users from downloading the "-3" VPS.

Can't you release "new" that are the same as the previous release? Then it will overwrite the bad ones.

Yes, even better....  Re-release -0 as -4, and let us all get the fix...

This, please.

Yes - Great idea! - Please do!

Offline schester

  • Newbie
  • *
  • Posts: 7
Re: Kryptik-PFA [Trj]
« Reply #46 on: May 06, 2015, 11:06:32 PM »
+1 on releasing the known good VPS as -4 so we can restore the files!

Offline jborillo

  • Newbie
  • *
  • Posts: 5
Re: Kryptik-PFA [Trj]
« Reply #47 on: May 06, 2015, 11:26:38 PM »
Luckily, I only have to deal with 30+ systems.  I know there are guys out there responsible for thousands.

I only hope that Avast finds a fix and releases an updated definition soon.

The damage has been done...now we just need to get Avast working properly and deal with the issues.

Offline HonzaZ

  • Avast team
  • Advanced Poster
  • *
  • Posts: 936
Re: Kryptik-PFA [Trj]
« Reply #48 on: May 06, 2015, 11:27:14 PM »
The problem is, we are not sure the -0 is a "good" one. The problem started showing up shortly after the -3 update, that much is true, but we are not sure if releasing -0 as -4 would fix the issue.

Furthermore, if we wanted to release -0 VPS again, it would have to be processed by all the common processes. And if those processes released the faulty (if it is caused by it at all) -3 VPS, how can we be sure that the -4 will not be faulty as well?

To put it simply, we have to make sure the new VPS is perfect before releasing it. Thank you for your patience!

Offline brantc

  • Newbie
  • *
  • Posts: 3
Re: Kryptik-PFA [Trj]
« Reply #49 on: May 06, 2015, 11:28:37 PM »
Pro-tip - turn on e-mail notifications. We caught this after a few minutes just by monitoring e-mails. After 1 or 2 calls, we knew there was going to be a serious issue if we didn't disable file system protection ASAP. Luckily our thousands of machines should be in good shape.

Good luck all!



Offline jborillo

  • Newbie
  • *
  • Posts: 5
Re: Kryptik-PFA [Trj]
« Reply #50 on: May 06, 2015, 11:30:09 PM »
The problem is, we are not sure the -0 is a "good" one. The problem started showing up shortly after the -3 update, that much is true, but we are not sure if releasing -0 as -4 would fix the issue.

Furthermore, if we wanted to release -0 VPS again, it would have to be processed by all the common processes. And if those processes released the faulty (if it is caused by it at all) -3 VPS, how can we be sure that the -4 will not be faulty as well?

To put it simply, we have to make sure the new VPS is perfect before releasing it. Thank you for your patience!

Thanks for the prompt reply, HonzaZ.

I hope your internal teams are able to resolve this ASAP and also come up with a way to minimize the damage done.

Good luck!

Offline HonzaZ

  • Avast team
  • Advanced Poster
  • *
  • Posts: 936
Re: Kryptik-PFA [Trj]
« Reply #51 on: May 06, 2015, 11:36:41 PM »
We found the cause of the issue and are rolling an update as we speak (or, more precisely, as I type :) ).
Just a quick note - this only affected VPS5.
I will let you know when the update is online (ETA = 1 hour)!
« Last Edit: May 06, 2015, 11:41:03 PM by HonzaZ »

Offline Rednose

  • Pirate Party Member
  • Avast Überevangelist
  • Massive Poster
  • *****
  • Posts: 3611
  • Bits of Freedom : https://www.bof.nl
    • Dutch-language Avast! forum
Re: Kryptik-PFA [Trj]
« Reply #52 on: May 06, 2015, 11:45:20 PM »
this only affected VPS5.

What is VPS5 ?

Greetz, Red.
OS: Win 7 x64 SP1 / Ubuntu / Qubes OS / iOS  Real TimeAIS  WinPatrol Plus  Unchecky  MCShield  HOSTS File : MVPS + MDL  On Demand: MBAM  SUMo  Backup: Win 7 Image  Proxy: ASL  VPN  Socks 5  Tor

Offline Victor T

  • Newbie
  • *
  • Posts: 7
Re: Kryptik-PFA [Trj]
« Reply #53 on: May 06, 2015, 11:46:20 PM »
We found the cause of the issue and are rolling an update as we speak (or, more precisely, as I type :) ).
Just a quick note - this only affected VPS5.
I will let you know when the update is online (ETA = 1 hour)!
For people like me that did the reboot and deleted files, what can we do? :/

Offline jborillo

  • Newbie
  • *
  • Posts: 5
Re: Kryptik-PFA [Trj]
« Reply #54 on: May 06, 2015, 11:49:18 PM »
Pro-tip - turn on e-mail notifications. We caught this after a few minutes just by monitoring e-mails. After 1 or 2 calls, we knew there was going to be a serious issue if we didn't disable file system protection ASAP. Luckily our thousands of machines should be in good shape.

Good luck all!

Just curious.  Using e-mail notifications, how did you guys determine that the latest virus def was a bad one that was reporting false positives?

Seems to be the opposite of what one might do.  You get an alert that Avast has flagged some files as being infected and the first thing you do is disable file system protection?

Offline nannunannu

  • Full Member
  • ***
  • Posts: 199
Re: Kryptik-PFA [Trj]
« Reply #55 on: May 06, 2015, 11:49:47 PM »
For people like me that did the reboot and deleted files, what can we do? :/

Go into the virus chest and restore the files.

Offline jfogel

  • Newbie
  • *
  • Posts: 2
Re: Kryptik-PFA [Trj]
« Reply #56 on: May 06, 2015, 11:51:02 PM »
Unfortunately you are probably out of luck and will have to do a re-image/restore of the system. The thing about the boot time scan is that all the protections that prevent Bad Things from happening to important files are disabled. If you picked the delete option, those files are gone.

Offline HonzaZ

  • Avast team
  • Advanced Poster
  • *
  • Posts: 936
Re: Kryptik-PFA [Trj]
« Reply #57 on: May 06, 2015, 11:53:36 PM »
What is VPS5 ?
VPS5 is a version of virus database that is used by Avast 5 (rather old version), but for compatibility issues also by EndProtect (https://www.avast.com/endpoint-protection-suite). Avast for personal devices (99 % of our users) uses VPS9.

Offline Jim85

  • Jr. Member
  • **
  • Posts: 53
Re: Kryptik-PFA [Trj]
« Reply #58 on: May 06, 2015, 11:56:34 PM »
Typically viruses hit individuals - not groups of people simultaneously.  I think his suggestion is that if you see multiple people reporting a virus hit at the same time, especially if it happens right after a VPS update, it's likely a false-positive storm.  Especially if it occurred randomly (one user got it while in Excel, the other got it while on the web, and the 3rd got it while reading e-mail).

If you see patterns you can make good decisions.  If three users report a virus hit and all three were browsing the web, then it's likely the website was infected.  If all three were opening a link or attachment in a blasted e-mail, then it's likely an infected e-mail or attachment.  But if all three were doing completely different things - I'd think it's a storm.

It just takes experience and a gut feeling on what you're seeing.
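
The pattern check described in the post above, written out as an added example that is not part of the original thread or any Avast tooling. The alert fields, host names, the second and third detection names, the update time and the thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"
# Constructed sample alerts: (time, host, detection name, what the user was doing)
ALERTS = [
    ("2015-05-06 21:02", "pc-01", "Kryptik-PFA [Trj]", "excel"),
    ("2015-05-06 21:03", "pc-07", "Kryptik-PFA [Trj]", "web"),
    ("2015-05-06 21:05", "pc-12", "Kryptik-PFA [Trj]", "email"),
    ("2015-05-06 21:04", "pc-03", "Example-Dropper [Trj]", "email"),
    ("2015-05-06 21:06", "pc-09", "Example-Dropper [Trj]", "email"),
    ("2015-05-06 21:07", "pc-15", "Example-Dropper [Trj]", "email"),
    ("2015-05-06 14:30", "pc-02", "Example-Adware [PUP]", "web"),
]
VPS_UPDATE = datetime(2015, 5, 6, 21, 0)  # assumed time the new definitions arrived


def triage(alerts, vps_update, window=timedelta(hours=2), min_hosts=3):
    """Group alerts by detection name and return {detection: triage hint}."""
    groups = defaultdict(list)
    for ts, host, name, activity in alerts:
        groups[name].append((datetime.strptime(ts, FMT), host, activity))

    verdicts = {}
    for name, hits in groups.items():
        hosts = {host for _, host, _ in hits}
        activities = {activity for _, _, activity in hits}
        # True only if every hit falls inside the window after the update.
        after_update = all(
            vps_update <= t <= vps_update + window for t, _, _ in hits
        )
        if len(hosts) < min_hosts:
            verdicts[name] = "isolated: handle as a normal detection"
        elif len(activities) == 1:
            # Everyone was doing the same thing: look for a shared site or e-mail.
            verdicts[name] = "common source: investigate shared " + next(iter(activities))
        elif after_update:
            # Many hosts, unrelated activities, right after a definition update.
            verdicts[name] = "likely false-positive storm: check the definition update"
        else:
            verdicts[name] = "multi-host, cause unclear: investigate"
    return verdicts


if __name__ == "__main__":
    for detection, verdict in triage(ALERTS, VPS_UPDATE).items():
        print(f"{detection}: {verdict}")
```

The output is a triage hint for a human, not a decision: a detection that spans many hosts still needs a sample checked before anything is restored or excluded.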

Offline BudG

  • Newbie
  • *
  • Posts: 7
Re: Kryptik-PFA [Trj]
« Reply #59 on: May 06, 2015, 11:58:04 PM »
Still not seeing any update rolling out...