Author Topic: Kryptik-PFA [Trj]  (Read 35583 times)


Offline phungn55

Re: Kryptik-PFA [Trj]
« Reply #75 on: May 07, 2015, 01:16:20 AM »
Manually update the def from 150506-3 to 150506-5 from server. Looking good and will enable global file system shield.

Thanks for the patch

Offline spam10

Re: Kryptik-PFA [Trj]
« Reply #76 on: May 07, 2015, 01:25:06 AM »
Manually used, wants a reboot - will this be needed on all systems?

Offline schester

Re: Kryptik-PFA [Trj]
« Reply #77 on: May 07, 2015, 01:55:58 AM »
Installed the update on computers, but haven't turned back on the file shield yet.

I've tried telling the computers to restore files from the virus chest through AEA and they don't appear to be going back as instructed. Anyone else having problems with this or am I missing something?

Offline Huan

Re: Kryptik-PFA [Trj]
« Reply #78 on: May 07, 2015, 02:00:48 AM »
Same here. :-\

Offline schester

Re: Kryptik-PFA [Trj]
« Reply #79 on: May 07, 2015, 02:04:19 AM »
> Installed the update on computers, but haven't turned back on the file shield yet.
>
> I've tried telling the computers to restore files from the virus chest through AEA and they don't appear to be going back as instructed. Anyone else having problems with this or am I missing something?

I was able to restore the files manually on the computer and they went back. TeamViewer didn't appear to function after restoring TeamViewer_Desktop.exe, but it did after a restart, so I guess we have to go and touch each computer that put a file in the virus chest to manually restore them and then restart. That wasn't what I had planned tonight, that's for sure!

Offline spam10

Re: Kryptik-PFA [Trj]
« Reply #80 on: May 07, 2015, 02:12:09 AM »
Avast just acted like a virus which it should protect from, please give me an address where I can send my bill for the repairing of that!

Offline john-genus

Re: Kryptik-PFA [Trj]
« Reply #81 on: May 07, 2015, 02:19:17 AM »
Avast staff,

Please update us with an official company response regarding what the issue was. Please indicate what Avast is doing to prevent this from happening in the future.

Offline jetcosys

Re: Kryptik-PFA [Trj]
« Reply #82 on: May 07, 2015, 02:26:57 AM »
My servers have 150506-5 but the clients are slow to pull it.  Anyone know how to tell the clients in SOA to go get the latest file from the server?

Offline schester

Re: Kryptik-PFA [Trj]
« Reply #83 on: May 07, 2015, 02:28:29 AM »
> My servers have 150506-5 but the clients are slow to pull it.  Anyone know how to tell the clients in SOA to go get the latest file from the server?

You should be able to right click on the group, run task on group, updating tasks, update VPS. This appeared to work for me.

You'll have to refresh the window to see the status as it doesn't update in real time and it takes a few minutes for the clients to check in.

Offline jetcosys

Re: Kryptik-PFA [Trj]
« Reply #84 on: May 07, 2015, 02:40:38 AM »
> > My servers have 150506-5 but the clients are slow to pull it.  Anyone know how to tell the clients in SOA to go get the latest file from the server?
>
> You should be able to right click on the group, run task on group, updating tasks, update VPS. This appeared to work for me.
>
> You'll have to refresh the window to see the status as it doesn't update in real time and it takes a few minutes for the clients to check in.

Thanks!

Offline tucsonmark

Re: Kryptik-PFA [Trj]
« Reply #85 on: May 07, 2015, 07:34:27 AM »
So, it looks like we've got an update from Avast that resolves this false positive issue. As I researched this problem looking for an answer, I found multiple instances of Kryptik generating false positive issues in the past. In 2012 it was Super Antispyware, in 2009 it was ESET.

It's worth noting that although this was a pretty big pain for those affected, the issue seems to have been limited to a very small number of Avast users. I sell and support Avast, and I only know of two of my clients that ran into this problem (out of hundreds). In our shop we have EPSP, same update, no issue. I know that is no consolation to those of you who have to clean up after this mess, but it is a fact.

Hopefully those of you who were affected will be able to restore your quarantined files and get back up and running without too much trouble. I think the thing to remember here is that for an AV program to be effective it has to be aggressive and on occasion that can lead to false positives and other problems. If you've been in the network support game for a while you know that all AV programs have had their issues, whether it be false positives or dirty uninstalls or ineffective protection.

I'd like to thank forum members for their positive suggestions and Avast for a speedy remedy.

Offline ChrisYoungCCS

Re: Kryptik-PFA [Trj]
« Reply #86 on: May 07, 2015, 03:06:53 PM »
tucsonmark, you sell it, support it and make a profit off of it, we use it. Big difference.

Do not come on here defending AVAST and pointing out it was only a few customers. It was not. I reached out to the entire State of NC through a listserve and got numerous responses back from them experiencing the same unfortunate circumstances.

We have over 24,000 machines that are being affected by this incident. So once again, don't tell me it's a minority of users that are being affected.

AVAST stated on this forum that they have test servers in which they roll out their VPS updates to see if anything is wrong before they release their VPS updates to the world. For applications such as Office 2010, Office 2013 and the Chrome browser to not have been affected on their test servers, but affected throughout the rest of the world is quite troublesome to me.

If I want an aggressive product I'll go with Malwarebytes. I do not expect this from a major AV company.

Offline ederm

Re: Kryptik-PFA [Trj]
« Reply #87 on: May 07, 2015, 03:58:58 PM »
It's still happening today as of 8:20am CST. Using VPS: 150507-0 Engine: 8.0.1603

Several clients affected on campus

Offline Kogure

Re: Kryptik-PFA [Trj]
« Reply #88 on: May 07, 2015, 04:02:04 PM »
Had to reset my password just to make this post. Big thanks, Avast! Before this latest update I had no clue that literally half of my drive was occupied by Kryptik! These damn trojans keep getting sneakier and sneakier. Now they install themselves in every single folder.

But seriously, I had it happen a few minutes ago. The issue doesn't look very fixed to me.


EDIT:

> It's still happening today as of 8:20am CST. Using VPS: 150507-0 Engine: 8.0.1603
>
> Several clients affected on campus

I tried to update my virus database, and it said I have that exact version already. That "150507-0". And quite interestingly, it's only causing issues on my laptop. I also have a regular PC with the exact same version, and nothing is wrong here.
« Last Edit: May 07, 2015, 04:15:14 PM by Kogure »

Offline kaidomac

Re: Kryptik-PFA [Trj]
« Reply #89 on: May 07, 2015, 04:39:41 PM »
> tucsonmark, you sell it, support it and make a profit off of it, we use it. Big difference.
>
> Do not come on here defending AVAST and pointing out it was only a few customers. It was not. I reached out to the entire State of NC through a listserve and got numerous responses back from them experiencing the same unfortunate circumstances.
>
> We have over 24,000 machines that are being affected by this incident. So once again, don't tell me it's a minority of users that are being affected.
>
> AVAST stated on this forum that they have test servers in which they roll out their VPS updates to see if anything is wrong before they release their VPS updates to the world. For applications such as Office 2010, Office 2013 and the Chrome browser to not have been affected on their test servers, but affected throughout the rest of the world is quite troublesome to me.
>
> If I want an aggressive product I'll go with Malwarebytes. I do not expect this from a major AV company.

I've been working on this since 3:00pm yesterday afternoon.  I just finished getting everyone back up & running about 20 minutes ago.  I "only" had 200 users affected (one company I contract with that uses Avast), so it's not anywhere near the scale of 24k machines, but it was still a major headache.  The company had expensive engineers sitting around twiddling their thumbs as we worked through solutions.  Needless to say they were not happy with me or with Avast.

Also, it did eat some DLLs (in addition to blocking EXEs) for applications such as Office 2013, at least on our machines.  For example, users weren't able to open Outlook at all.  Got a variety of other programs as well.  Probably 90% of them were resolved with a couple of reboots after the update got pushed out, a smaller selection started working after restoring everything back manually from the local desktop's virus vault, and a smaller percentage had to have some specific applications completely re-installed to get them working.  Big mess.  I am very tired & frustrated today.

I think my biggest complaint is that I did not receive any sort of contact from Avast regarding this issue.  No emergency email alert, no apology, nothing - just no contact on the issue that took an entire company's computer resources down.  I've been stuck here for the last 19 hours reading user-generated threads on this forum & manually working through individual machines on-site to get people working again.  I am 100% resolved now thanks to people sharing info here, but when I go to Avast.com, I don't see a big red emergency button to help fix my problem.   And fortunately they use a different A/V product on their servers to minimize issues like this, so at least it was only desktop users & not their entire network.