Bad Definition Update

Vince Steckler 10 Dec 2009

First, I want to thank everyone that left comments on my previous blog entry and on Ondrej's forum entry. We appreciate all the comments—positive and negative. And, if you are still having problems, please do contact our support and they can help you. You can reach them via From that page you can get help on our forum—just post a question and someone (an avast employee or a community member) will help you. Or send a trouble ticket directly to our support staff.

As I had promised in the earlier post, I am giving an update on steps we are putting in place to protect against such an occurrence again in the future. Three key elements of the current process are that:

  • Only a small and very controlled group is allowed to publish virus updates
  • The updates are tested against our clean set (a massive set of about 10 million known clean files) to ensure no false positives
  • Our forums, false positive reports, etc. are monitored for some period of time after an update is sent out

The major change we have made is to absolutely mandate that no one other than this small group is allowed to publish virus updates. There are no exceptions to this policy—even myself, our CTO, and other members of the virus research team are not allowed to publish virus updates. We believe that our process itself is very good and the failure came about only because someone outside this small team did the publication. We have added some safeguards though to ensure early detection and remediation of any future problems. These include:

  1. Automated monitoring of false positive servers and data connections. If the servers/links experience unusual traffic, alarms and phones will start ringing. We already have this monitoring on a number of servers/links and now will add it to the false positive servers.
  2. We will be publishing an emergency contact number for key partners and an assortment of users around the world. If these partners or users see anything unusual—whatever the time—they can reach someone responsible on the phone immediately. Some of our power users detected this last problem pretty much immediately—unfortunately they had no way of contacting us. Now they will.
  3. We will be instituting a method of rolling back the virus update pretty much instantaneously. This will allow us to quickly roll back to the last known good update without having to take the time to develop a new update.

So once again, very sincere apologies and we thank you for your continued confidence in us.
