
April 11th, 2011

False positive issue with virus defs 110411-1

Virus definition update 110411-1 contained an error that resulted in a good number of innocent sites being flagged as infected. Generally, all sites with a script in a specific format were affected.

Our virus lab staff discovered the problem quickly after releasing the bad update and immediately started working on a fix. The fix was released about 45 minutes after the problematic update and has version number 110411-2. Anyone who still has this problem is kindly asked to manually update the definitions to the latest version, e.g. by right-clicking the avast taskbar icon (the orange (a) ball), and selecting Update -> Engine and Virus Definitions.

 

We sincerely apologize for the inconvenience. As this typically only affected remote sites (and not local files), simply updating to the latest definitions should completely solve the issue (no local files have been quarantined).

Categories: General, lab, Technology, Virus Lab
  1. Brad
    April 12th, 2011 at 00:52 | #1

    The information here is good, but I’m left with a serious problem that I still have not seen a resolution as yet: That is, no information was available at the time this started for me and like a couple of other people, I began a system wide scan believing I had a worm. On those PCs including the server, thousands of HTML/HTM files were moved to the chest. Because of that, I cannot launch Avast to restore them from the chest. Anything on the PCs and server that uses html to operate is now broken.

    How do I get these files back?

  2. coolmario88cp
    April 12th, 2011 at 00:52 | #2

    Tammy Moore :
    I am just glad it isn’t an actual infection. I used the chest to quarantine about 7,000 files. lol
    I have updated. Now I just need to move the files from the chest back to normal condition. I have checked the Virus Chest tab and I can see them all. How do I tell the chest to get to work guaranteeing them? I don’t see buttons or instructions here. Am I in the wrong place?

    I don’t know what you’re asking but I’m guessing you are asking how to restore them. Right click the item in virus chest > restore item from chest

  3. phpcore
    April 12th, 2011 at 00:54 | #3

    @Mike Seals
    Please and sorry to say it: please don’t talk about sh!t! Don’t compare avast to the 3 sh!ty Avs!

  4. Harry
    April 12th, 2011 at 00:56 | #4

    I found out about the problem and solution from a friend. The update works fine; just follow the steps above (you might have to go to the WebShield and disable it (uncheck Scan web HTTP traffic first)). The update to 110411-2 fixed the problem. My only complaint is that this information is not easy to find. I think you should have a link on your home page, and/or this information prominently visible on your Support Forum.

  5. Graham
    April 12th, 2011 at 01:03 | #5

    I too am noticing that not all of my clients updated. When I tried to manually update them, they said they were up to date. Even though they clearly were still using 110411-1. (I did look, they had downloaded 110411-2, but it wasn’t registering…) Solution: Uninstall and reinstall Avast.

    This happened on about 10 clients out of 170.

  6. Jimmy
    April 12th, 2011 at 01:07 | #6

    Glad that’s sorted. It was driving me mad.

  7. Tammy Moore
    April 12th, 2011 at 01:08 | #7

    @coolmario88cp
    The restore option is grayed out. Maybe they had a fix built in to the update? I put about 7,000 files into the chest today and there are only 7 of them from today when I went in to restore them. I am glad if that is the case. If not, should I be concerned or count my blessings and ignore these 7 with the grayed out restore option?

  8. coolmario88cp
    April 12th, 2011 at 01:10 | #8

    Tammy Moore : @coolmario88cp The restore option is grayed out. Maybe they had a fix built in to the update? I put about 7,000 files into the chest today and there are only 7 of them from today when I went in to restore them. I am glad if that is the case. If not, should I be concerned or count my blessings and ignore these 7 with the grayed out restore option?

    Come to http://forum.avast.com for better help by many many avast users :)

  9. Tanya
    April 12th, 2011 at 01:20 | #9

    What do I do if I followed all of the Avast directions from the “bogus” update, quarantined all of the recommended files, ran the Boot Scan as requested, and had thousands of files quarantined? I’m afraid to even log back on to my primary computer at this point, for fear that the newly removed files will cause the whole thing to crash!
    Pretty nervous and disappointed here. Have had avast for several months and been very pleased with the simplicity of it, but am not tech-savvy enough to have to do any real repairs.
    Suggestions?

  10. April 12th, 2011 at 01:21 | #10

    We are official resellers of Avast in Panama. Our clients started calling after the update was released, we never received so many calls per hour before.

  11. Greg
    April 12th, 2011 at 01:24 | #11

    Great NOT! I just did a full scan and deleted all those links from just about every web page link within every program. Performed the boot scan too and same thing. Now what do I do? I suppose every program’s HTML links won’t work??? Can I restore those links somehow from the chest?
    What a friggen disaster, hours lost!!! How the heck did an update go out with such a major flaw? Was it a disgruntled employee or incompetence?
    And to top it off I had to cycle through about 20 of the word pictures before I could find one I could decipher before I could post.

  12. Tammy Moore
    April 12th, 2011 at 01:25 | #12

    @Tanya
    Most of the flagged files were html files. You should be able to get in just fine, like I did. Just get your Avast updating first thing and see if anything that you quarantine today is still in the chest. I chested about 7000 files and lo and behold only about 7 were still in the chest after the update.

  13. Tommy Hood
    April 12th, 2011 at 01:29 | #13

    @Greg
    Same for me! A whole day of work LOST! I ran the boot scan too! IT TOOK 2 hours, and now I don’t know if I put good files away!

    We need and deserve comprehensive fixes on this!

  14. Tim Turner
    April 12th, 2011 at 01:30 | #14

    This is not true in my case. This entire process shut down my laptop and disabled hundreds of local files. It took me 3 hours to figure out what was going on. I could not access the Avast web site, forum, support or by phone for hours. I could not access the web as every page was blocked as a threat. I began to see threads pop up on the Internet (from my other computer, which fortunately had not yet updated) so I knew what to do. Restore the 884 local files from the chest, uninstall Avast and find another anti-virus program.

  15. Lerch
    April 12th, 2011 at 01:31 | #15

    This is really disappointing. Just bought a three pc two year license for the family and came home from work early because they were freaked that all the computers in the house were infected. At minimum, you guys need to have some kind of push notification to your app so we would know what was up. Of course, we wouldn’t have gotten it, because all the computers were doing boot scans. Unbelievable, I wish I had bought a different AV ;(

  16. rav
    April 12th, 2011 at 01:32 | #16

    well, you guys really screwed this one up :O

  17. Ogy
    April 12th, 2011 at 01:33 | #17

    thanks for posting this. I was going pretty crazy….

  18. Tanya
    April 12th, 2011 at 01:42 | #18

    Thanks Tammy. I think I’ll leave the whole thing until tomorrow, just in case there are any more updates to be published in the near term.

  19. webguy
    April 12th, 2011 at 01:44 | #19

    make sure to disable the webshield before trying to update the virus definitions

  20. April 12th, 2011 at 01:47 | #20

    @Graham
    Same here. All the regular sites I visit daily were getting blocked…even the avast! site got a false positive! I disabled the WebRep tool and will do as Graham suggested: uninstall and reinstall.

  21. bryon
    April 12th, 2011 at 01:54 | #21

    ok this didn’t only infect mostly remote sites. every single html file that came from microsoft (windows updates, CHM help files, service packs, etc) all marked as infected – 8000 “infections” in just c:\windows\installer\ … 800+ infections inside “sql 2005 express service pack 1” right from the KB download.

    .. at least it’s not as bad as mcafee detecting and killing svchost.exe – but still i have 450 sheep in a panic calling the helpdesk now.

    nod32 doesn’t do this, but it’s currently too much work to switch to them… any more “malware-gen” or “script-inf” incidents like this and the tables will have turned.

  22. Steve M
    April 12th, 2011 at 01:58 | #22

    Glad the problem is solved.
    Let’s face it, sometimes these things happen. It’s like losing your luggage – of which I’m prone to doing. It just happens and you can’t do anything about it.

  23. bryon
    April 12th, 2011 at 02:01 | #23

    actually – now that i look into the rest of the threads here, and the server logs… our 450 licenses are up for renewal in 2 weeks – i’m going to suggest we do eset nod32 instead. we run that on our servers and it’s been nothing but awesome.

    the avast forums have been exceptional in response and assistance the few times i used it, i just wish the product could do a little better

    i mean, before you release a definition update, doesn’t anyone just SCAN A TEST COMPUTER just for the hell of it? i mean, just spend 5 more minutes and do a test or two… maybe try to browse to http://www.aol.com or http://www.avast.com or freaking http://www.google.com and notice that “www.google.com” is probably not infected.

    it got so bad i had to create outlook rules that if the body contains “script-inf” or “malware-gen” just delete it because it’s a false positive every time – it’s been like that for a year.

    good luck avast.

  24. Susan
    April 12th, 2011 at 02:01 | #24

    I had the same issue with the false positives (of course I didn’t know that at the time). Ran a full scan and moved I don’t know how many files to the chest. Then avast became unresponsive and I had to shut it down.
    Now it says my system is unsecured, and when I click “Fix Now” or “Start Program,” nothing happens. I tried manually updating, but I get a message that says “failed to update, the avast service is not running.”

    What can I do to get avast running again, and what about all the files moved to chest??

  25. SlyCooperFan1
    April 12th, 2011 at 02:01 | #25

    @Steve M
    Every website on your computer doesn’t JUST get random virus alerts. These people are professionals at protecting their luggage – they shouldn’t be losing it.

  26. Jon
    April 12th, 2011 at 02:03 | #26

    Still have the problem.. It says I have 110411-2 but still blocking even Google pages.. :(

  27. SlyCooperFan1
    April 12th, 2011 at 02:04 | #27

    @Jon
    Try to uninstall and reinstall avast. That seems to be the best solution at the moment.

  28. Jeff
    April 12th, 2011 at 02:09 | #28

    Can you help me? I did the manual update, and it says I’m running 110411-2, but it is still blocking all websites. What else do I need to do?

    Thanks!

    Jeff

  29. SlyCooperFan1
    April 12th, 2011 at 02:16 | #29

    @Jeff
    Try to uninstall and reinstall avast. That seems to be the best solution at the moment.

  30. blank
    April 12th, 2011 at 02:26 | #30

    I had this problem too. I set a boot scan and had it move all files to chest. They are still there.

    So is the solution to restore those files moved to chest? Or should I delete these files. Quite a few windows files were moved to chest but windows started up fine.

  31. Susie
    April 12th, 2011 at 02:28 | #31

    @vlk
    kuangeleven :
    “As this typically only affected remote sites (and not local files”
    Not for me, I ran a bootup test and it picked out several local html files.

    Assuming you had avast move these files to the “Chest”, I’d recommend restoring them by going to the avast UI -> Maintenance -> Virus Chest, selecting the files in question, right-clicking them and using the Restore command from the context menu.
    The Restore option is unavailable… unclickable.

  32. bryon
    April 12th, 2011 at 02:28 | #32

    restore them – they’re not infected

  33. MeeSha
    April 12th, 2011 at 02:32 | #33

    Sorry, too late. Two hours useless scanning with thousands of false positives. As a web developer it would have been a disaster, if I deleted those “infected” HTML and JS files. The baddest joke was the redirecting me to the commercial upgrade page, when I click on “more Information”. Marketing gag?

    I think it’s time for you to fire that moron that did this fail, I switched to Comodo Internet Security, more features, less buyme ads.

    You’ll never see me again.

  34. two-gun
    April 12th, 2011 at 02:48 | #34

    You said: “We sincerely apologize for the inconvenience. As this typically only affected remote sites (and not local files), simply updating to the latest definitions should completely solve the issue (no local files have been quarantined).”

    Too late….I had about 14,000 plus files placed in the quarantine chest…..then found out what happened; manually updated, tried to restore from quarantine – no joy…….now what?

    I too, have work to do; have a paid subscription…..I understand mistakes, but please tell me how to proceed now…dang it!!!!!!!!!!!

  35. April 12th, 2011 at 02:58 | #35

    Glad this is fixed. I was tired of Avast deleting Firefox’s prefs.js and calling it Malware.

  36. bryon
    April 12th, 2011 at 03:01 | #36

    i might recommend we come back with our 450 licenses if avast ever decides to show WHY something was detected. show me the script, the malware reason, and don’t ever call anything “gen”eral again, be specific.

  37. disPlay
    April 12th, 2011 at 03:02 | #37

    Jeff :
    Can you help me? I did the manual update, and it says I’m running 110411-2, but it is still blocking all websites. What else do I need to do?
    Thanks!
    Jeff

    Jeff create a new post in the avast forums to receive the correct and the best technical support.

  38. April 12th, 2011 at 03:04 | #38

    Everyone that is harping on Avast and expecting that this never should have happened should just quiet down a little bit. Sometimes things go awry, and Avast has made mistakes in the past. So has AVG, so has Norton, so has McAfee, and the list goes on.

    Just recently, I’ve had several computers go completely down with no easy way for the client to restore them because of the Windows 7 SP1 debacle (check this article for proof: http://blogs.technet.com/b/joscon/archive/2011/03/11/why-you-don-t-want-to-edit-your-pending-xml-to-resolve-0xc0000034-issues.aspx).

    So, anyone can have a mistake. I run many sites with Avast installed, and trust me, I heard an ear-full. Just tell your users to relax and wait for an update, or give them instructions on how to do so manually.

    If you think it should have never happened, you’re probably right. But I’d love for you to find a software company that will never ever EVER make a mistake while you’re using them. Go ‘head. Try.

  39. Kathie
    April 12th, 2011 at 03:19 | #39

    STILL not fixed. Have uninstalled and reinstalled and can’t get anywhere on the web (even my webmail without this popping up) Totally sucks.

  40. bryon
    April 12th, 2011 at 03:19 | #40

    i can understand your comments, scythe – and for the most part i agree…

    but when mcafee had their big screw-up deleting svchost.exe, they said it “affected an extremely small percentage of users” – when in fact it was more like 80%

    avast says “We sincerely apologize for the inconvenience. As this typically only affected remote sites (and not local files)…” when, the remote websites are nothing compared to the amount of local files moved to the chest – and subsequently deleted upon update to 110411-2

    maybe what people need is a little acknowledgment – a truthful “my bad” and not a blow-off

  41. alice0775
    April 12th, 2011 at 03:20 | #41

    I understand that AVAST Software _never_ check Virus Definitions by themselves.

  42. Andy
    April 12th, 2011 at 03:30 | #42

    It’s still doing it on my computer. I did a full scan, and it picked out all my tax programs and said that they were malware. And I even put them in a different drive. It’s not fixed.

  43. Hannah
    April 12th, 2011 at 03:56 | #43

    wow. I was practically hyperventilating all evening thinking my computer was infected. I mean, I did a full system scan and it said over a thousand files were found infected! I thought my information was stolen and everything. so i guess I just wasted like 3 hours performing system scans and stressing out. thanks.

  44. bryon
    April 12th, 2011 at 04:22 | #44

    @hannah – after you update to 110411-2 you get to spend another hour scanning your virus chest so it restores all the false positives

  45. Kyril
    April 12th, 2011 at 04:24 | #45

    Avast guys:

    I too, like some other web developers here, spent Monday deleting 100s of ‘infected’ files, some of it actual work, because they could not be repaired or put to chest by your software.

    HOW DO WE RESTORE THEM?

    THIS IS NOT A GAME – BE MORE RESPONSIBLE WITH THIS – PEOPLE LOST WORK FILES!

    Post the instructions in big ass bold letters on the homepage and every page of your website (and don’t redirect me to the upsell page, that’s just embarrassing)

  46. bryon
    April 12th, 2011 at 04:29 | #46

    @Kyril from what the forums are saying, update to VPS version 110411-2 and then go into your chest and rescan all of those files, it will restore them to the original locations

    if nothing else it’s a good chance to test your backups

    (i’m not part of avast either i’m just a random customer)

  47. Tecsercom
    April 12th, 2011 at 05:04 | #47

    @disPlay
    Uninstall avast and then reinstall again!

  48. Tecsercom
    April 12th, 2011 at 05:06 | #48

    Message to Jeff: Uninstall avast and then reinstall again!

  49. john p.
    April 12th, 2011 at 05:17 | #49

    MSE Baby! Avast deleted after 10 years.

  50. CHILL THE PHUCK OUT
    April 12th, 2011 at 05:18 | #50

    hahahaha people are soooooooo stupid! Good God!
