Avira watch - Eckzahn may be right IMHO

Discussion in 'other anti-virus software' started by NaClmind, Apr 10, 2010.

Thread Status:
Not open for further replies.
  1. renegade08

    renegade08 Registered Member

    Joined:
    Aug 26, 2008
    Posts:
    432
    And who are those members? Do you know some of them or ...?
    How did you make that impression?
    I mean not including you as wilders member.
     
  2. acuariano

    acuariano Registered Member

    Joined:
    Nov 4, 2005
    Posts:
    786
  3. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Well... for random observers, yes. For paying customers, less so. Plus stuff like this makes a bad image for the vendor. It can't be even used for licensing b/c it's there for both free and paid versions. Why the heck play such ridiculous games around it - only boosts the speculations.
     
  4. pasha101

    pasha101 Registered Member

    Joined:
    Nov 28, 2009
    Posts:
    34
    The mystery registry key does seem curious, hopefully Avira will post a definitive answer on their forum.
     
  5. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    If they just would, or at least if they can't for proprietary reasons, tell people they can't, then this entire thing would stop. It's already getting tense in this thread and nobody actually knows a thing yet.
     
  6. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    976
    Reference please. :rolleyes:
     
  7. marcuskng

    marcuskng AV Expert

    Joined:
    Feb 19, 2010
    Posts:
    74
    Give me a few minutes to head to work and i'll take the time for some short explanations :)

    I've never thought I'd be part of such a conspiracy theory. I'm not sure whether to smile insanely because I know what's behind (and some of it is ridiculously obvious) or feel hurt for the distrust regarding our intentions.

    I can even remember explaining the reg key stuff personally before. That's the problem of the web. Not everything can easily be found....
     
  8. ratwing

    ratwing Guest


    Oh my God man!!
    Don't just leave it there!!

    Tell us what you will/can!!
     
  9. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    976
    Marcus. I'm sure the registry key is much ado about nothing, but while you're here, tell us what the data sent to google-analytics is used for. Even the avnotify in the pro version attempts to connects to google-analytics and send them my serial number and various benign data (OS, language, install date, etc).
     
  10. marcuskng

    marcuskng AV Expert

    Joined:
    Feb 19, 2010
    Posts:
    74
    Mystery I: Google Analytics

    Let me me reveal, with my considerable magic proficiency, what is behind that mysterious and legendary beast!

    *cough*

    Ok, the magic isn't working, I've not even had my first coffee today, so let us instead ask our two almighty Oracles wikipedia and google itself, the latter obiously being the creator of this thing. Which has its own website. With detailed explanations. But anyway.

    wikipedia quote:
    (taken from http://en.wikipedia.org/wiki/Google_analytics)
    "Google Analytics (GA) is a free service offered by Google that generates detailed statistics about the visitors to a website. Its main highlight is that the product is aimed at marketers as opposed to webmasters and technologists from which the industry of web analytics originally grew. It is the most widely used website statistics service[1], currently in use at around 57% of the 10,000 most popular websites.[2]"

    The Google Analytics Tour
    http://www.google.com/intl/en/analytics/tour.html

    Take a tour on it yourself, and you can see what we can see.


    That's it? But why?
    Yup, that's the mysterious connection to google by the notifier. One of the many possibilities to gather website statistics. There'd be dozens of others, we just stick to google because it is one of the few which doesn't go completely wrong on the numbers.

    Why we need it? Keep track of growth and local distribution for example for: providing additional languages for the products, the rough amount of users we have to plan larger deployments (remember the change to vbase?), make decisions about our support strategies (phone numbers for a country?) etc etc.
    Basically, the same reason others use GA or what other companies offer.


    Now fetching my coffee, maybe the magic will work for Mystery II!
     
  11. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    Dang! Marcus was faster again! He even gets a coffee before me!? OH RLY?
     
  12. ratwing

    ratwing Guest

    "Take a tour on it yourself, and you can see what we can see."

    my tour courtesy of Ghostery is brief,but all seems kosher to me.
     
  13. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    Just don't use the net for serious things :D
     
  14. marcuskng

    marcuskng AV Expert

    Joined:
    Feb 19, 2010
    Posts:
    74
    Mystery II: The Registry Key From Hell

    *ghoulish background chorus with a crescendo of shrill trumpets*

    "Lasciate ogne speranza, voi ch'intrate" - Dante Alighieri

    You must add the dramatic scenery yourself as we speed through the landscape of mystery to discover the ultimate thruths (with reservations i'm afraid).

    Random Facts:
    -this is not a unique identifier
    -it has to do with licensing
    -deleting it will not have any negative effect on user experience with our product
    -deleting it _does_ affect some parts of the licensing system under some circumstances with some types of keys
    -it is not used to do anything evil
    -it could be located anywhere else without causing all the ruckus or change the purpose of the key. Someone picked that location, I have no idea who did it, or why he picked this very location. And with all the confusion it seems to cause I guess a change may be warranted. Not my decision though (not even my team/department).

    Excuse me if I have to leave some mystery to it, but licensing stuff is always a bit of a sensitive area for companies (or employees) to disclose information about.

    I can't kill a fly without a pang of guilt, so you've got to trust me on this one I guess :)
     
  15. ratwing

    ratwing Guest

    Dante Alighieri:"Abandon hope all ye who enter here."

    Good enough for me,having no horse in this race.

    rat.

    (some yanks read a little,even them books as taint got no pictures.)

    No cute aside,this is for me explanation enough.
    Avira (for selfish reasons alone) remains my choice,should I use real time AV.

    Who said Germans have no sense of humor??
     
    Last edited by a moderator: Apr 12, 2010
  16. marcuskng

    marcuskng AV Expert

    Joined:
    Feb 19, 2010
    Posts:
    74
    Mystery III: DNS - Dark Nefarious Secret

    The net. Millions of users trying to connect to the same URL. Millions of connections on your poor little single server with a fixed IP. Distributed Denial of Service. Or just our 150 million free-version users trying to connect and fetch two petabytes of updates in 3 days?

    The magic word here is CDN: Content Delivery Network.
    http://en.wikipedia.org/wiki/Content_Delivery_Network

    If a service exceeds a certain size, you need many servers. Dozens if not hundreds. Now you can place these all in a nice and shiny datacenter in Tettnang, so everyone in the world will have to get routed to our little town here, OR you try to be smart and do the global load balancing dance.

    Based on metrics like server load, geo-location of the user (can roughly be gotten from the IP info) the IP reported back to the user can be different.

    This is common practice and used by ANY major site you visit. Ever been to microsoft.com? Youtube? They do it. As do pretty much all other companies/sites/services which have more than a handful of visitors every day.

    There is of course the possibility to reply to a DNS request with multiple IP addresses, however that request is limited by RFC to a meager 512Bytes UDP packet and does only solve the case where one server is not available, and the next will be tried instead.

    The whole point of balancing is to try to give users a fast connection and keeping the service up in case of attacks like DDOS by not giving all of them the same IP.

    This has nothing to do with hijacking or overriding your ISPs DNS, it's how these things work.
    http://en.wikipedia.org/wiki/Load_balancing_%28computing%29
    http://en.wikipedia.org/wiki/Round_robin_DNS <- simple version
    http://en.wikipedia.org/wiki/Split-horizon_DNS


    It may be voodoo for some, but it's common/recommended practice for any net-bound IT operations.
     
    Last edited: Apr 12, 2010
  17. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    @Marcus Matten and/or Stefan Kurtzhals

    Hi, i found it hard to believe anything dodgy was happening, and it's good to see you responding, if a little late. If you had replied earlier, both here and/or Especially in the Avira forums, that would have saved a Lot of needless speculation, and harm done in the interim to your product and company. In any such future incident/s i think it would be wise to Very publically, jump straight in with the facts, before it escalates into fairytale land.

    Making the info available quickly on a prominent Sticky on your forum would benefit everybody. If in the past you havn't monitored the forums as keenly, then from now on it might be a good idea to do so. And/or, as i know your busy, advise the forum moderators to contact you directly, if ever something of this nature arises again. Then you can react more immediately.

    I hear you about the DNS.

    I have a couple of points though i'd like you to address please.


    Re - Google Analytics

    eckzahn

    http://forum.avira.com/wbb/index.php?page=Thread&postID=940279#post940279

    So no ALL data profiling/collection, and no payments it seems ?


    Re China communications

    What about those reported outgoings by eckzahn to CHINA on 221.192.199.49 or the supposed data contained within ?


    Re - HKCR\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}

    Michael_Mann

    http://forum.avira.com/wbb/index.php?page=Thread&threadID=110918&226e7cca

    When Mele20 deleted this key, it didn't seem to affect "functionality" whatsoever ? Admittedly she wasn't connected to the internet, but that isn't "whole functionality"

    "whole functionality" doesn't appear to be affected after all ?
     
  18. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,137
    This should put everything to rest, feel really sorry for the fanboyz of other AVs who were having a real good time on this thread, well I guess its time to accept it all and go try and find some other FUD to spread. ;)
     
  19. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Hmmm, OK.

    1/ The lazy factor. Yeah, GA is convenient, practically no work on your part required. But then - one could imagine similar stats could be gathered by the mirrors which distribute definitions. Well, in fact, they'd be more accurate, because people can't really blacklist those mirrors on their FW, hosts file etc if they want the definition updates. They routinely do blacklist Google Analytics there, since they've got enough of it, plus it slows browsing for them or whatnot. More seriously, guess where these statistics go in China, hmmm... to Avira? Nah, not really.

    2/ Legal crap (yeah, boring but so is life today) -Your EULA does not mention a single word about this. In fact, it doesn't mention a single word about the obnoxious ads in the free version at all.

    3/ Costs/benefit analysis - I assume you're well aware of the vastly negative feelings and feedback wrt your advertising tactics. Seriously, c'mon - how many people will pay to get rid of this obnoxious huge popup when there are free excellent quality alternatives w/ no advertising at all (such as MSE) or with decent advertising where the developers have not lost their sense of proportion and common sense (Avast).

    Yeah, the registry keys stands out there like a pink elephant in the middle of the Times Square. So, whoever picked that location should do something more sensible next time. Well, that was just a side note, that brings me to the more important points, which are common factor behind both the GA phone-home and registry key stuff here:

    4/ PR: The Avira forums staff is ridiculous - to put it mildly; the boilerplate and completely useless answers there wrt these questions only make people furious, and it's taken years to get someone provide an on-topic one which wouldn't be complete BS. Which brings me to the next point:

    5/ Non-effective communication: For heaven's sake, go drop the idiotic (sorry, no other word for that) "antispam" policy on your forums. Go look there if you haven't recently, see the amount of duplicate threads, see the amount of replies to a thread scattered in multiple other threads. You had an incidident couple of years ago... yeah, so what. I however suspect strongly that the policy serves not so much against spam like literally to

    a/ prevent people from participating and voicing their negative feedback to the poor level of support provided by those forums. Seriously, "Hello, $foo doesn't work, please help" followed by boilerplate "HTJ log please" - you can do better than that.

    b/ hide negative feedback when **** did hit the fan badly despite the "antispam". Yeah, I do mean the "hidden" avast.eu redirect thread among others now.

    Getting long, will continue later in separate post perhaps.
     
  20. marcuskng

    marcuskng AV Expert

    Joined:
    Feb 19, 2010
    Posts:
    74
    Mystery IV: Chinese Hackers and Avira

    I don't get the mystery to be honest...

    We've been having millions of chinese users before, we'll have more in the future. I am not quite getting the point of what that has to do with chinese hackers apart from us trying to protect some more chinese users as well.

    A few years ago the same was said about folks from Russia. Remeber when the Russian Business Network was all the craze and daily hype? Now it's "Chinese Hackers".

    To us it's all the same to be honest. Personally, we do not fight "the chinese hackers", or "the russian hackers", or the "german hackers" or the "nigerian scammers" or the "US spam-kings".

    Our daily job is to protect people from malware/hacking in general. A sample knows no borders or nations.

    We are techs, we find technical solutions.

    The FBI in the US, BKA in Germany or maybe the Guoanbu(?) in China or some other government agency are responsible to enforce whatever policy they are told to enforce (be it good or bad).

    Politicians find political solutions (at least that's what citizens elect and pay them for i guess).

    And i'm neither a politician nor a spook with shades.
     
  21. marcuskng

    marcuskng AV Expert

    Joined:
    Feb 19, 2010
    Posts:
    74
    Note that this is a personal statement, and does not necessarily mean that the company as an entity has the same opinion view or stance.

    Some general comments:

    While some people (like me and Stefan) who know most of the technical details about the products inner workings could probably spend our time in forums answering to a thousand queries in forums (which if unreplied by us is taken as a personal insult or indication of guilt it seems, even if it's on a weekend when some of us a trying to get their head clear with family and friends), we rather spend our time on doing our job, which is writing code for the engine or other parts of the software.

    My personal reasons for staying out of most discussions like this is that:
    a) i don't have the time to reply to each and everyone out there who has a question
    b) i don't read every thread in every forum in the universe, not even close to every thread in our forum
    c) if I give an answer I somehow always get elected to be "responsible" to either how things got broken, to fix things, how things should be done in the future, or get targeted with accusations. While we're a comparably small company, it's not like we're the "decision makers" or head honchos or whatever, in corporate world such things are not done by single persons.
    d) to explain thoroughly I'd have to give out potentially classified data, so asking permission first would be required to give a satisfying answer.
    e) an endless stream of more questions ensues because most enthusiasts are incredibly inquisitive, and will be pissed if you do not provide an answer to every question asked.
    f) i have no interest in fame, fortune, glory or being in the spotlight because of how enormously cool I am (Yes, that was a joke)
    g) i'm trying to keep all this out of my private life which is hard enough even without forums on the net, with such a huge userbase in germany

    I'm not sure about you guys, but if someone accuses me of doing evil when all I'm personally trying to do is to make the world a bit of a safer place to live in, that hurts. It really does. Maybe in that way I'm not a "professional to the end", but I guess it is what defines me as a human being, and I'm proud of that in a way.

    And I can live with the heat in dosages that I personally pick for myself.

    It's like you see some girl dropped a coin, want to pick it up for her and hand it back, and as thanks you get a nice dosage of pepper spray in the face for allegedly trying to check for the existence of her undies.

    And damn me for being honest, that's what i felt last night when I went to bed after reading all the speculations in here, idiotically checking wilders on my weekend.

    I just ask you once to imagine, you have 150million folks using your product. Then imagine every week 1% of these has a question. And, stupidly you've shown your head in some forums or *gasp* left your mail address out there.

    Most of the folks in our forums are helpers in their free time. Not paid or hired or anything. If we have 150 million paid customers, we can probably hire enough staff to deal with all the requests on our own. If we happen to speak their language :) They are getting some additional info sometimes, but they are not getting classified information either, so I have to defend them a bit here. Other than that, they're not much different from you folks here, enthusiasts with the will to spend a considerable amount of their free time to help other users.

    I just wonder what the future will bring in regard of trust, if we think about heavily using cloud tech (which inherently is related to privacy concerns).

    If you do not trust your security vendor (be it us or anyone else), I'm not sure what to tell you.

    We're in your kernel, eating your cookies. Technically speaking we could do pretty much everything without you _ever_ noticing.

    In the end, it's all down to the question of whether you trust your vendor or not. No explanation of technical details will ever change that, and much of the detail stuff is what gives advantages over the competition or the baddies, and as such we're not exactly throwing around with it.

    In the end, IMHO, that'd be both a disservice to us and our users.

    Now I'm back to adding detection for that stupid new variant of Sality.
     
    Last edited: Apr 12, 2010
  22. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Well... seeing the number of "Avira 10 does not update" threads on your forum, whatever you are doing does NOT work well... it doesn't work at all for some people. Also, your DNS records are kinda broken wrt avira.com, see the issues w/ ns5.avira-ns.net nameserver here. More importantly, your DNS zones are completely broken wrt the new perspeak.avira-update.com zone which your hardwired into the update client - that simply doesn't resolve at all, checked multiple times yesterday and clearly to be seen in numerous threads in the forums.

    Well, this is simply false. UDP works well beyond the 512B, and 4096B is handled by 70%+ of network equipment out there IIRC, that was at least a conclusion of a research conducted wrt DNSSEC implementation recently. If it doesn't work, then there's TCP fallback for that, which is commonly used by almost every DNS server out there.

    There are notorious complaints about slow updates even despite all the CDN/DNS magic etc. you've described. Also, the IPv6 thing you've done back in Oct-Nov last year or so was a nice WTH. I see the AAAA records are gone now, at least for me.
     
  23. marcuskng

    marcuskng AV Expert

    Joined:
    Feb 19, 2010
    Posts:
    74
    These are the 'overload' servers, which will only get activated when needed for large updates.

    You believe working for 70% and breaking for 30% by definition is good? TCP fallback does _not_ work for everyone. Some of the odd occurences of update failures were due to that fact, when we had a record that was a few bytes too long early this year. Some home routers do not support it.

    http://www.ietf.org/rfc/rfc1035.txt
    -> "UDP messages 512 octets or less"

    The CDN is still in its early stages, but will be improved. In the last year we've more than tripled the amount of servers. Also note that we've recently acquired a company (CleanPort) whose data-center experience will certainly have a positive effect here too. I'm not aware of the plans at the moment, but I'll be just as happy as you are if this gets resolved once and for all.
     
  24. marcuskng

    marcuskng AV Expert

    Joined:
    Feb 19, 2010
    Posts:
    74
    Btw the weirdest cause of update failure we've had was some ISPs applying a hotfix to CISCO routers that blocked all executables containing a sequence of 3 specific characters from being downloaded.

    These characters were: "cmd"

    Cause of failures isn't just "slow servers". Right now the servers are pretty bored for example, but I am sure some people will have problems for one reason or the other. Be it firewalls, broken LSP stacks, driver issues, b0rked hosts, malware (hopefully very very few :ninja: ), other security software, ISPs that are acting out of the ordinary....
     
  25. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Well, but the client does fall back to those NOW, no matter what. And it fails to resolve, b/c there's nothing in DNS for them. Kinda bad, don't you think?

    Well, then those routers which are unable to do even a simple TCP fallback need to get fixed or replaced, they are broken. That's seriously not something that can be worked around in SW like this. And that will have to happen anyway for both IPv6 and DNSSEC. Meanwhile, I don't see what's preventing you from distributing a basic list of update servers IP addresses in a file like quite a few other vendors do, and use that as fallback at minimum. Instead of falling back to non-existant DNS zones as it is now. Also, this seems quite obviously beneficial wrt all those computers w/ their hosts files hijacked so that it resolves bogus IP addresses for well-known security vendor sites.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.