When your anti-virus software works against you in a manner almost as destructive as the worst virus, it is a reminder of how dangerous software updates can sometimes be, and also how new and inadequately tested software features can lead to disaster.
As early as June of 2014 avast! users were reporting a serious problem with the Browser Cleanup (BCU) option and Firefox. Avast was aware of the reports but could not find a problem with their code. The reports however kept coming in. Unfortunately, we were one of the victims in September of 2014 after many other reports had been filed. And more came after.
Not until November 17, 2014 did Avast finally find and fix the problem, and the fix was not announced in the relevant forum until November 24, when the Avast representative posted:
"Reason was a bug in the BCU which slipped through QA because it happened in some rare conditions only. After the first reports from our customer it took us quite some time to reproduce and fix the problem."
As software developers, we certainly understand the need to reproduce an issue in order to fix it. In this case, however, it wasn't a single customer but many, and the consequences were dire: under some set of conditions, when told to clean up Firefox add-ons, Browser Cleanup went completely rogue on at least a fair number of PC systems (and was not limited to a particular operating system) and, because of the bug, proceeded to delete thousands of local files seemingly indiscriminately, in a fashion that can only be likened to a destructive virus. In our case it reported two never-used add-ons as having bad reputations; we did not need them, but made the mistake of telling Browser Cleanup to remove them. A problem this severe should have been escalated to the highest priority, with Avast remoting into affected systems to reproduce and resolve it.
In our case it removed a Delphi 7 program files subdirectory and its subfolders completely, some 5,877 files in all. It removed Winamp. It removed Firefox. It somehow removed avast! itself, leaving only 19 small BIN files marked read-only. It removed CrashPlan. It removed OpenOffice. It removed Malwarebytes. And more. These details were reported to Avast. It would have removed even more had we not realized something was wrong and shut down the PC. ("Removed" here means deleted: folder names remained, but the files within those folders were all or mostly gone.) Fortunately the Windows system folders were not affected.
We were able to recover the missing files but only after hours of work. The PC thankfully was soon again operational after a day or so of high stress, but there was still no response to our forum posting and no resolution for users. And others have not been as lucky.
For Avast to blame their QA (Quality Assurance) testers for missing this problem is patently unfair. Any code with ANY chance of being as destructive as this should have been foreseen by an experienced programmer. Whenever you are DELETING local files from a user's system using some sort of recursive logic, as must have been the case here given how the BCU bug behaved (when triggered, the removal tool was clearly jumping around the directory tree of the end user's PC and literally ravaging the local file system), that code should have been caught by the programming staff in the first place. The blame here must be placed at the source: the programmer(s).
Programmers have the responsibility to test their programs thoroughly themselves, to the greatest extent possible, and not expect their QA departments (or end users) to catch their mistakes. They should also safeguard potentially dangerous code that might otherwise be hard to test, or that a tester might not even be aware of.
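What "safeguarding" destructive code looks like in practice is worth spelling out. The example below is added here to illustrate the point and is not Avast's code (the BCU internals were never published); it assumes a hypothetical profile layout of <profile>/extensions/<addon-id>/ and builds its own throwaway sample tree, which is constructed data rather than a real profile. The remover accepts only a plain directory name that is a direct, non-symlinked child of the extensions folder, lists everything it would delete before touching anything, never follows symbolic links, refuses to delete more than a fixed number of entries for one add-on, and uses only non-recursive unlink and rmdir calls, so a bug cannot turn it into a tree-wide wipe.

```python
"""Scoped, fail-closed removal of browser add-on directories.

Added illustration, not Avast's code (the BCU internals are not public).
Assumes a hypothetical profile layout <profile>/extensions/<addon-id>/...
"""
import os
import tempfile
from pathlib import Path

# Circuit breaker: a single add-on should never contain thousands of entries.
# Exceeding it is treated as evidence that the walk has left its scope.
MAX_ENTRIES_PER_ADDON = 500


class UnsafeDeletion(Exception):
    """Raised whenever a deletion would leave the permitted scope."""


def _addon_dir(profile_root: Path, addon_id: str) -> Path:
    """Map an add-on id to its directory, accepting only a plain directory name
    that is a direct, non-symlinked child of <profile>/extensions."""
    if addon_id in ("", ".", "..") or "/" in addon_id or "\\" in addon_id:
        raise UnsafeDeletion(f"refusing add-on id with path characters: {addon_id!r}")
    scope = (profile_root / "extensions").resolve()
    target = scope / addon_id
    if target.is_symlink():
        raise UnsafeDeletion(f"refusing symlinked add-on directory: {target}")
    if not target.is_dir():
        raise UnsafeDeletion(f"not an add-on directory: {target}")
    if target.resolve().parent != scope:   # defence in depth: junctions, races
        raise UnsafeDeletion(f"{target} resolves outside {scope}")
    return target


def plan_removal(profile_root, addon_id: str) -> list:
    """Return every path removal would delete, deepest first, deleting nothing.
    Symbolic links are listed so the link itself gets unlinked; they are never
    followed, so whatever they point at is never touched."""
    target = _addon_dir(Path(profile_root), addon_id)
    planned = []
    for dirpath, dirnames, filenames in os.walk(target, topdown=False, followlinks=False):
        here = Path(dirpath)
        links = [d for d in dirnames if (here / d).is_symlink()]   # dirs the walk did not enter
        planned.extend(here / name for name in filenames + links)
        planned.append(here)                 # the directory itself, after its contents
        if len(planned) > MAX_ENTRIES_PER_ADDON:
            raise UnsafeDeletion(f"{addon_id}: over {MAX_ENTRIES_PER_ADDON} entries, aborting")
    return planned


def remove_addon(profile_root, addon_id: str, dry_run: bool = True) -> list:
    """Delete what plan_removal() listed. unlink() never follows links and
    rmdir() only removes an empty directory, so no call here can recurse or
    reach outside the scope; each entry is still checked against the scope."""
    scope = (Path(profile_root) / "extensions").resolve()
    plan = plan_removal(profile_root, addon_id)
    if dry_run:
        return plan
    removed = []
    for path in plan:
        if scope not in path.parents:
            raise UnsafeDeletion(f"{path} is outside {scope}")
        if path.is_symlink() or path.is_file():
            path.unlink()
        else:
            path.rmdir()
        removed.append(path)
    return removed


def build_demo_profile():
    """Constructed sample tree (not a real profile): one genuine add-on, one
    symlinked add-on pointing outside the profile, and a symlink inside the
    genuine add-on pointing at an unrelated program directory.
    Returns (profile_dir, outside_dir)."""
    base = Path(tempfile.mkdtemp(prefix="bcu-demo-")).resolve()
    profile = base / "profile"
    addon = profile / "extensions" / "good@example.org"
    (addon / "chrome").mkdir(parents=True)
    (addon / "install.rdf").write_text("<RDF/>")
    (addon / "chrome" / "content.js").write_text("// add-on code")
    outside = base / "Delphi7"           # stands in for an unrelated program directory
    outside.mkdir()
    (outside / "Delphi32.exe").write_bytes(b"MZ")
    os.symlink(outside, profile / "extensions" / "evil@example.org")
    os.symlink(outside, addon / "chrome" / "link")
    return profile, outside


if __name__ == "__main__":
    profile, outside = build_demo_profile()
    for p in plan_removal(profile, "good@example.org"):
        print("would delete:", p)
    for bad in ("evil@example.org", "../Winamp"):
        try:
            plan_removal(profile, bad)
        except UnsafeDeletion as err:
            print("refused:", err)
```

Run with the dry-run default first and read the plan; only then call remove_addon with dry_run=False. The entry cap is deliberately crude: a real add-on with more than 500 entries would be refused rather than deleted, which is the correct failure direction for a tool whose worst case is wiping a user's disk.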
One commenter indicated that since the users involved were using the "free" version, their expectations should be accordingly low, and tried to shift the blame onto users of the free version. Wrong. If the software missed reporting a potential virus (none of the anti-virus packages ever detect everything), that might be one thing. But users do have a right to expect that even free software from a supposedly trusted source will not devastate their system, and clearly Avast is very much culpable in this regard. Their software, free or not, was never authorized by the end user to delete local files beyond the Firefox add-ons. Their free software is offering to protect, not harm, an end user's system. Viruses are also free, but most users do not intentionally install them. So here the very software that is promoted as helping you protect your PC instead becomes your worst nightmare. And their BCU was likely behaving the same way with respect to Firefox (under some undisclosed conditions) whether paid for or used as part of the free version. So the issue of free vs. not free is moot.
And to reiterate: our PC was never infected with a virus or with malware of any kind other than the avast! Browser Cleanup software, a newer option we never plan to use again, which was enabled by default and was one of a suite of new things added to the product that are hard to categorize as desirable or needed. Its assessment of which items have a "bad reputation" is also certainly questionable.
The screen shots below show part of the sequence of initial reports of the problem and the final posting indicating that Avast had in fact tracked down and resolved it.
End user beware.
Clips from the avast! user forum relating to this topic: