Russian security firm Kaspersky Lab is having a very poor start to the week. Thousands of Windows XP machines were cut off from the Internet late last night after an antivirus update crippled Internet access for home and business users.
The update (version 126.96.36.1991) killed off HTTP traffic on Windows platforms. Customers of the software took to Twitter and reported the issue on the company’s forum. A user by the name of “bradb21” described the problem as follows:
I have ~12,000 machines running KES8 and my help desk started getting calls about an hour ago saying users were having problems accessing various web sites. I did all my typical troubleshooting and was not able to find a problem and I was not having the problem on my Linux machine that I use on a daily basis. So I went over to some of my lab Windows XP machines and I was having the same problem. I was able to change a setting and tell KES to stop monitoring port 80 and then I could access the web sites again. I turned the monitoring of port 80 back on and it broke the browser access again. I cannot find any logs as to what is going on. I was able to roll the updates back in KES8 on one machine and the browser was working with port 80 being monitored…. so it seems like a bad update or something that went out.
Other users confirmed the issue, noting they could not access internal (on company networks) or external (on the Internet) websites. Many noted that Windows 7 did not appear to be affected. Some users tried rolling back the update in question, others disabled the software’s Web protection, and a few manually unblocked ports 80 and 443, plus any ports they may have been using for a proxy.
The good news is that Kaspersky issued an update on Tuesday morning to address the problem. The bad news is that in many cases it will require user intervention: the update should install automatically but some users will have to disable the Web protection component first.
For its part, Kaspersky responded in the forum about three hours after the initial post with an apology. Two hours later, the company apologized again and released the fix along with accompanying instructions. The security firm asked users to first “please disable the Web AV component of your protection policy for your managed computers” and then in Security Center (or Admin Kit):
- Go to the Repositories section >> (Right click) Updates >> All Tasks >> Clear updates repository
- Go to the Repositories section >> (Right click) Updates >> Download Updates
After that, users were told to “please run your group Update task for Managed Computers” and then “please re-enable your Web AV component in your protection policy.”
When asked for more information, the company issued the following statement to TNW:
Kaspersky Lab has fixed the issue that was causing the Web Anti-Virus component in some products to block Internet access. The error was caused by a database update that was released on Monday, February 4th, at 11:52 a.m., EST.
The problem was limited to x86 systems with the following Kaspersky Lab products installed:
• Kaspersky Anti-Virus for Windows Workstations 6.04 MP4
• Kaspersky Endpoint Security 8 for Windows
• Kaspersky Endpoint Security 10 for Windows
• Kaspersky Internet Security 2012 and 2013
• Kaspersky Pure 2.0
When these errors were reported, Kaspersky Lab identified an immediate workaround and recommended that customers experiencing problems disable their Web Anti-Virus or roll back the update to a previous version of the database. At 5:31 p.m. the same day, the problem was fixed by a database update being uploaded to public servers.
Customers need to perform a database update to resolve the issue. If an affected machine updates from the Administration Kit/Security Center console, then these updates will be downloaded automatically. If a machine updates directly from our servers, then the initial workaround step of disabling the Web Anti-Virus component should be applied first. Internet connectivity will then be restored and the customer will be able to download the most recent database update.
Kaspersky Lab would like to apologize for any inconvenience caused by this database update error. Actions have been taken to prevent such incidents from occurring in the future.
Broken updates are issued by security companies every once in a while. The last major one was in May 2012, when Avira crippled PCs around the world by blocking critical Windows processes and third-party software. While that case was arguably more severe, the issue was also fixed with an update.
Image credit: Olga Kostak