jdessoliers

Corrupted updates, corrupted black.lst


Greetings,

 

I have a very angry customer. He is the Director of a very powerful company in Guatemala and he is very influential with all the Bank directors of the country. Unfortunately, the only computer affected by the problem was his own laptop.

 

On May 15th, for a reason that is still unclear, when he tried to update his Kaspersky Totalspace Workstation Antivirus through the Administration server, the actualization he received was corrupted, and in particular the "black.lst" file, which contains all the blacklisted licenses of the product.

This corruption deactivated most of the antivirus modules.

 

The technical support of this company tried to push the update through the admin kit, without results. They called me urgently. When I got to the customer's office, I tried to update KAV through the admin kit, and it worked. All the AV modules started.

 

The customer noted that his laptop was without any protection for 3 hours. Because of the importance and the confidentiality of the files contained in his laptop, he is very angry.

 

How could this update have been so harmful? As you will see in the log I've attached to this thread, there was an attempt to "Rollback". But this attempt failed. What could have caused the Rollback to fail?

 

According to what I have read on the Kaspersky forums and in the official manual, several things could have caused the corruption of the "black.lst" file and/or the deactivation of the modules:

 

- When updates are received, there is a comparison between the checksum of the update and the checksum sent by the update source. If they differ, the actualization is considered corrupted. In this case, the antivirus should roll back to the last update without affecting the AV stability.

 

- The license file of my customer could have been made public by one of his employees, and Kaspersky could have blacklisted the file. However, in this case, this theory is discarded by the fact that the next update solved the problem.

 

- Changing the OS Time/Date could affect the Antivirus, because it could be recognized as an attempt to cheat on the license lifetime. And according to what I have read, this could affect the integrity of the black.lst file.

 

What are the other possibilities that may explain the problem? What could have been done to prevent it?

 

Beforehand, thanks

log_event_resumido.txt
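
The verify-then-roll-back behaviour described in the first bullet of the post above, as an added example that is not part of the original thread and is not Kaspersky's updater code: the download is checked against a checksum manifest in a staging folder, and the previous set is kept so that a failed apply can be restored. The folder layout, the manifest format and the function names are assumptions made for illustration.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def verified(folder: Path, manifest: dict) -> bool:
    """True only if every file named in the manifest exists and matches its digest."""
    return all((folder / n).is_file() and sha256(folder / n) == d
               for n, d in manifest.items())


def apply_update(staged: Path, live: Path, manifest: dict) -> str:
    # Hypothetical updater step: check the download in staging first,
    # so a bad set never reaches the live folder.
    if not verified(staged, manifest):
        return "rejected"
    backup = live.with_name(live.name + ".prev")
    shutil.rmtree(backup, ignore_errors=True)
    os.rename(live, backup)                  # keep the last known-good set
    try:
        shutil.copytree(staged, live)
        if not verified(live, manifest):     # re-check what actually landed on disk
            raise OSError("live copy does not match manifest")
    except OSError:
        shutil.rmtree(live, ignore_errors=True)
        os.rename(backup, live)              # rollback: restore the previous set
        return "rolled_back"
    return "applied"


def demo() -> list:
    """Constructed sample: one truncated and one intact download of black.lst."""
    root = Path(tempfile.mkdtemp())
    live, bad, good = root / "bases", root / "bad", root / "good"
    for d in (live, bad, good):
        d.mkdir()
    (live / "black.lst").write_bytes(b"old list")
    (good / "black.lst").write_bytes(b"new list")
    (bad / "black.lst").write_bytes(b"new li")   # truncated in transit
    manifest = {"black.lst": hashlib.sha256(b"new list").hexdigest()}
    out = [apply_update(bad, live, manifest), (live / "black.lst").read_bytes(),
           apply_update(good, live, manifest), (live / "black.lst").read_bytes()]
    shutil.rmtree(root)
    return out
```

A plain checksum only catches accidental corruption; detecting a tampered update additionally requires that the manifest itself be authenticated, for example with a signature.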


Hi,

Try looking here:

 

http://support.kaspersky.com/faq/?qid=193239335

 

Maybe this will help.

 

Regards,

lolipok

 

 


Thanks lolipok for the reply,

 

Unfortunately, I can't show this knowledge base to this director. This article was made in 11/2007 and shouldn't apply in 05/2008.

 

Moreover, this article does not explain why this laptop was the only computer that was affected. If the update from KL Web Servers had failed, all the 500 computers of the company would have got their corrupted update from the admin kit, and would have got their modules deactivated.

 

Any other ideas about what may have occurred?

 

 
