Author Topic: Kryptik-PFA [Trj]  (Read 56855 times)


REDACTED

  • Guest
Re: Kryptik-PFA [Trj]
« Reply #60 on: May 06, 2015, 11:59:01 PM »
What is VPS5?
VPS5 is a version of virus database that is used by Avast 5 (rather old version), but for compatibility issues also by EndProtect (https://www.avast.com/endpoint-protection-suite). Avast for personal devices (99 % of our users) uses VPS9.

Just a quick note - this only affected VPS5.

Thanks for the transparency... 

Please share this with the team:  It is extremely important that you complete the merge of the code base (SOON!) so that the business users are getting the same attention and priority of updates as the home users.  This has become a real issue over the past year, and will continue to drive paying customers away from your products until it is resolved.

REDACTED

  • Guest
Re: Kryptik-PFA [Trj]
« Reply #61 on: May 07, 2015, 12:04:42 AM »
He said it would take about 1 hour - that was 30 mins ago.

REDACTED

  • Guest
Re: Kryptik-PFA [Trj]
« Reply #62 on: May 07, 2015, 12:07:19 AM »
Nan,

I agree with your sentiment, but I also understand their position on this.  The home users (free) are the test users.  The latest code goes to them first.  Only when it's stable does it get rolled to the paying corporate versions.  It's like the old adage "never install the first release - always wait for Service Pack 1".

REDACTED

  • Guest
Re: Kryptik-PFA [Trj]
« Reply #63 on: May 07, 2015, 12:11:39 AM »
Typically viruses hit individuals - not groups of people simultaneously.  I think his suggestion is that if you see multiple people reporting a virus hit at the same time, especially if it happens right after a VPS update, it's likely a false-positive storm.  Especially if it occurred randomly (one user got it while in Excel, the other got it while on the web, and the 3rd got it while reading e-mail).

...

It just takes experience and a gut feeling on what you're seeing.

I'd echo this, too.

For me, it started with a rash of email notifications about a file in "C:\Windows\System32\...". Since my users don't have Administrator rights this immediately set off a major red flag with me that a security incident might be occurring. I immediately extracted one of the files from the "Virus Chest" and examined it. Seeing that it had a good digital signature from a trusted publisher I opted to send the file to VirusTotal.

Around the time this happened I started seeing other files in the notifications. I went here to see if there was discussion about false positives and, shortly thereafter, opted to set "No Action" for the "File System Shield" on the root of my "Computer Catalog".

There's no magic formula for response to this kind of situation (and, over the years, I've seen it with multiple antivirus products).

Offline HonzaZ

  • Avast team
  • Advanced Poster
  • *
  • Posts: 1038
Re: Kryptik-PFA [Trj]
« Reply #64 on: May 07, 2015, 12:13:35 AM »
The home users (free) are the test users. The latest code goes to them first.

This couldn't be further from the truth. All VPS versions are released at the same time to all our users. We do not have any test users - that is what we have our test servers for.

Offline Infratech Solutions

  • Avast Reseller
  • Super Poster
  • *
  • Posts: 2395
  • Avast wholesaler and integrator in Spain
    • Avast cybersecurity for businesses and MSPs in Spain.
Re: Kryptik-PFA [Trj]
« Reply #65 on: May 07, 2015, 12:14:45 AM »
Paid business users are in v5 and free users are in V9. There is not a single version between business and home; there are a couple of years of development.

Offline HonzaZ

  • Avast team
  • Advanced Poster
  • *
  • Posts: 1038
Re: Kryptik-PFA [Trj]
« Reply #66 on: May 07, 2015, 12:21:56 AM »
Just to clarify a bit more:
Business product (EndProtect) uses VPS5, almost everything else uses VPS9 (provided the users wanted to update to a newer version of Avast, of course). This DOES NOT mean that the business version is inferior in any way - it just uses data in the older format.
To add to that, we are only talking about the VPS - the program itself (as well as the engine) gets regular updates, no matter the version.

REDACTED

  • Guest
Re: Kryptik-PFA [Trj]
« Reply #67 on: May 07, 2015, 12:25:09 AM »
Breaking Teamviewer 9 Pro as well. All my remote clients are seeing files moved to virus chest and a boot time scan that then breaks the program.

Offline Infratech Solutions

  • Avast Reseller
  • Super Poster
  • *
  • Posts: 2395
  • Avast wholesaler and integrator in Spain
    • Avast cybersecurity for businesses and MSPs in Spain.
Re: Kryptik-PFA [Trj]
« Reply #68 on: May 07, 2015, 12:26:59 AM »
Just to clarify a bit more:
Business product (EndProtect) uses VPS5 and an engine in V8.
Free users use a VPS9 and an engine V10.
This DOES NOT mean that the business version is inferior in any way, but the problem with FP is only in the business version.

REDACTED

  • Guest
Re: Kryptik-PFA [Trj]
« Reply #69 on: May 07, 2015, 12:30:55 AM »
You guys are funny; if this impacts any of my customers (e.g. a tax company with 30 employees) in 6 hours, German business time, I will never recommend using Avast...

REDACTED

  • Guest
Re: Kryptik-PFA [Trj]
« Reply #70 on: May 07, 2015, 12:34:00 AM »
Pro-tip - turn on e-mail notifications. We caught this after a few minutes just by monitoring e-mails. After 1 or 2 calls, we knew there was going to be a serious issue if we didn't disable file system protection ASAP. Luckily our thousands of machines should be in good shape.

Good luck all!

Just curious.  Using e-mail notifications, how did you guys determine that the latest virus def was a bad one that was reporting false positives?

Seems to be the opposite of what one might do.  You get an alert that Avast has flagged some files as being infected and the first thing you do is disable file system protection?

Between receiving a bunch of e-mails on infected files, a few phone calls, and a quick Google search (re: Kryptik) leading me to this forum, I made the educated guess that it was a bad definition file.
« Last Edit: May 07, 2015, 12:36:34 AM by brantc »
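The triage heuristics described in Reply #63 and Reply #70 (many hosts alerting at once, shortly after a definition update, on the same detection name, including files in locations non-admin users cannot write to, and in unrelated contexts) can be turned into a small script that scores a batch of alert notifications. This is an added example, not code from the thread or from Avast; the alert-line format, host names, user names, file paths and the VPS update timestamp are all constructed for illustration, and the thresholds are assumptions a defender would tune to their own estate.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample notification lines (not from the thread). The key=value
# format is an assumption modelled on a generic AV e-mail alert.
STORM_ALERTS = r"""
2015-05-06 23:05:10 host=WS-011 user=alice threat=Kryptik-PFA [Trj] file=C:\Windows\System32\sample_a.dll
2015-05-06 23:05:42 host=WS-023 user=bob threat=Kryptik-PFA [Trj] file=C:\Program Files\SampleApp\sample_b.exe
2015-05-06 23:06:15 host=WS-007 user=carol threat=Kryptik-PFA [Trj] file=C:\Windows\System32\sample_c.dll
2015-05-06 23:07:01 host=WS-042 user=dave threat=Kryptik-PFA [Trj] file=C:\Users\dave\Downloads\sample_d.exe
""".strip().splitlines()

# A single hit hours before the update, in a user-writable location: not a storm.
ISOLATED_ALERTS = r"""
2015-05-06 20:15:10 host=WS-011 user=alice threat=Kryptik-PFA [Trj] file=C:\Users\alice\Downloads\invoice.exe
""".strip().splitlines()

# Assumed (constructed) time the VPS update reached the fleet.
VPS_UPDATE_TIME = datetime(2015, 5, 6, 23, 0, 0)

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"threat=(?P<threat>.+?) file=(?P<path>.+)$"
)

# Locations a non-administrator cannot normally write to; a detection here on a
# locked-down workstation is either a real compromise or a definition error.
PROTECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")


def parse_alert(line):
    """Parse one notification line into a dict with a datetime timestamp."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable alert line: {line!r}")
    alert = m.groupdict()
    alert["ts"] = datetime.strptime(alert["ts"], "%Y-%m-%d %H:%M:%S")
    return alert


def assess(lines, update_time, window=timedelta(minutes=30), min_hosts=3):
    """Score alerts that arrived within `window` after a definition update.

    Each heuristic from the thread contributes one reason; three or more
    reasons together point at a false-positive storm rather than an outbreak.
    """
    alerts = [parse_alert(line) for line in lines]
    recent = [a for a in alerts if update_time <= a["ts"] <= update_time + window]

    hosts = {a["host"] for a in recent}
    threats = Counter(a["threat"] for a in recent)
    protected = [a for a in recent if a["path"].lower().startswith(PROTECTED_PREFIXES)]
    distinct_dirs = {a["path"].rsplit("\\", 1)[0].lower() for a in recent}

    reasons = []
    if len(hosts) >= min_hosts:
        reasons.append(f"{len(hosts)} hosts alerted within {window} of the update")
    if len(recent) > 1 and threats.most_common(1)[0][1] == len(recent):
        reasons.append("identical detection name on every host")
    if protected:
        reasons.append(f"{len(protected)} hits in admin-only locations")
    if len(distinct_dirs) > 1:
        reasons.append("unrelated files and locations across hosts")

    verdict = ("likely false-positive storm" if len(reasons) >= 3
               else "treat as genuine until proven otherwise")
    return {"verdict": verdict, "hosts": len(hosts), "alerts": len(recent), "reasons": reasons}


if __name__ == "__main__":
    for label, batch in (("storm", STORM_ALERTS), ("isolated", ISOLATED_ALERTS)):
        result = assess(batch, VPS_UPDATE_TIME)
        print(f"{label}: {result['verdict']}")
        for reason in result["reasons"]:
            print(f"  - {reason}")
```

The verdict only decides which playbook to open: a storm verdict is the point at which the posters above paused the File System Shield and went looking for vendor confirmation, while an isolated hit in a user-writable folder is handled as a normal incident. Either way the quarantined files stay in the chest until the corrected definitions are confirmed, and the script's output is evidence for that decision, not a replacement for it.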

Offline Infratech Solutions

  • Avast Reseller
  • Super Poster
  • *
  • Posts: 2395
  • Avast wholesaler and integrator in Spain
    • Avast cybersecurity for businesses and MSPs in Spain.
Re: Kryptik-PFA [Trj]
« Reply #71 on: May 07, 2015, 12:45:39 AM »
Quote
We found the cause of the issue and are rolling an update as we speak (or, more precisely, as I type :) ).
Just a quick note - this only affected VPS5.
I will let you know when the update is online (ETA = 1 hour)!
« Last Edit: Yesterday at 23:41:03 by HonzaZ »

New ETA?

Offline HonzaZ

  • Avast team
  • Advanced Poster
  • *
  • Posts: 1038
Re: Kryptik-PFA [Trj]
« Reply #72 on: May 07, 2015, 12:50:00 AM »
New VPS5 is online on our servers!

(Hopefully without any problems now :) )

Thanks everybody for all the patience, you guys are wonderful ;D !
« Last Edit: May 07, 2015, 12:54:22 AM by HonzaZ »

REDACTED

  • Guest
Re: Kryptik-PFA [Trj]
« Reply #73 on: May 07, 2015, 12:55:53 AM »
New VPS5 is online on our servers!

(Hopefully without any problems now :) )

Thanks everybody for all the patience, you guys are wonderful ;D !
So, is it safe to turn on my Avast now? Not even sure if I want to run it now... I lost a lot of files and I don't really have a restore point to restore what I lost...

REDACTED

  • Guest
Re: Kryptik-PFA [Trj]
« Reply #74 on: May 07, 2015, 01:06:44 AM »
Received the update 3 minutes ago; it says it is 2 days old...