AVG update set to fix things?

I’ve not had this confirmed from any of my contacts at AVG via the Google Group I belong to, but this post on the Australian Whirlpool Broadband Forums, suggests 9th July might bring the release we’ve been waiting for.

I’ve also found Lloyd Borrett posting the same info here.

If I hear any further confirmation from AVG, I’ll let you know, until then we’ll see what happens on the 9th.  Interestingly Lloyd doesn’t see to know what day it is, either that or my calendar is wrong –

In working with the web master community, AVG has responded immediately and on Tuesday, July 9th, AVG will issue a product modification to address the spikes that a few individuals have seen with their web traffic.

Tuesday? I make it Wednesday, ah well, we might see something Tuesday or Wednesday then 😛

Nice use of “a few individuals” there Lloyd, I wouldn’t class it as a few myself.

Now confirmed by Pat Bitton at AVG, see comment below.

add to del.icio.us :: Bookmark Post in Technorati :: Add to Blinkslist :: add to furl :: Digg it :: add to ma.gnolia :: Stumble It! :: add to simpy :: seed the vine :: :: :: TailRank :: post to facebook :: Bookmark on Google :: Add to Netscape :: Share on Yahoo :: Add this to Live

Advertisements

AVG LinkScanner Updates User Agent

The Register are running a further follow up article “AVG disguises fake traffic as IE6“, which states that AVG are now using a “new” user agent for the paid version of AVG’s LinkScanner.

This has been confirmed by Roger Thompson in the AVG Webscanning Google Group, to which I’m a member.  When asked if it was true Roger said –

..Yes, it’s true, but it’s not quite what it seems. It was a planned
service release that was already in the works when we found out about
the issue, and fixed some other critical issues at the same time.

It changes the User Agent string to SV1, but it leaves some of the
other request headers so that they’re different enough that you can
still parse them out of stats if you want to..

I personally don’t really see this as a “new” user agent, as I’m already filtering my logs for this one.  From what I’ve read, this is the original agent used by LinkScanner before they were purchased by AVG, so it’s already mentioned in my initial AVG log spam post.

That aside, it’s still not a great move from AVG at this point.  They are supposed to be working with the community (myself included) to resolve this from a webmasters point of view, switching (well mixing in another) user agent at this point is a little silly.

At this point I need to credit Michael Ducy who tipped me off this change yesterday, he however claims it’s affecting the free version also –

AVG changed the user agent with the latest release. They now use “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)”. I confirmed this by downloading and installing AVG free this morning and using wireshark to sniff the traffic.

The saga continues..

add to del.icio.us :: Bookmark Post in Technorati :: Add to Blinkslist :: add to furl :: Digg it :: add to ma.gnolia :: Stumble It! :: add to simpy :: seed the vine :: :: :: TailRank :: post to facebook :: Bookmark on Google :: Add to Netscape :: Share on Yahoo :: Add this to Live

Posted in Avg, Spam, Technology. Tags: , , , , . 1 Comment »

Invited to join closed AVG discussion group

Over the weekend, I had an email from Karel Obluk at AVG inviting me to a Google Group they have set-up for discussions around the AVG logfile spam issue.

..I would like to invite you to participate in a group dedicated to discussion
about AVG LinkScanner technology, its advantages as well as potential impact
on web sites, the nature of recent web threats and ways of protecting both
users and web masters. Your input and feedback will be highly appreciated.
The group is closed and by invitation only..

I have accepted the invite but unfortunately now have to be re-approved as I used a different email address (my Google account).

Hopefully we’re getting somewhere on this issue.

add to del.icio.us :: Bookmark Post in Technorati :: Add to Blinkslist :: add to furl :: Digg it :: add to ma.gnolia :: Stumble It! :: add to simpy :: seed the vine :: :: :: TailRank :: post to facebook :: Bookmark on Google :: Add to Netscape :: Share on Yahoo :: Add this to Live

My name in lights

… well, not quite.

A week has passed since I email The Register about the AVG logfile spam problems, but, after lots of emails between myself and their Internet Editor, they’re now running the story.

I’m a little annoyed that they don’t acknowledge that I brought this to their attention, but ah well. All I really wanted to do was let the community know that this happening and see if together we can sort this.

I’m really pleased to see that an employee from AVG has stepped up within the comments of the article on El Reg and wants to work with us (webmasters/site owners) to see if we can improve the situation. I’ve already emailed them and await a response.

I’ll keep you posted.

add to del.icio.us :: Bookmark Post in Technorati :: Add to Blinkslist :: add to furl :: Digg it :: add to ma.gnolia :: Stumble It! :: add to simpy :: seed the vine :: :: :: TailRank :: post to facebook :: Bookmark on Google :: Add to Netscape :: Share on Yahoo :: Add this to Live

More AVG & LinkScanner Information

I’m still testing my LogParser fix for AVG log spam and it appears to do a pretty good job. It’s scarey how many visits are being removed from our stats once this crap is cleared out though. I’ve seen one clients stats for a recent day, drop from 14K to 8K so it really is a serious problem, especially if you aren’t even aware it’s happening.

For more information on the user agents used and some background on other similar AV tools, see this LinkScanner, AVG, TrendMicro, 1813 and SV1 post at WebmasterWorld.

add to del.icio.us :: Bookmark Post in Technorati :: Add to Blinkslist :: add to furl :: Digg it :: add to ma.gnolia :: Stumble It! :: add to simpy :: seed the vine :: :: :: TailRank :: post to facebook :: Bookmark on Google :: Add to Netscape :: Share on Yahoo :: Add this to Live

LogParser To The Rescue

Warning: This doesn’t seem to work with very large IIS logfiles, I tried with a 750mb file which didn’t error but was unreadable with a disk full error. My mistake, it does work, it’s TextPad that can’t handle it.

Microsoft LogParser may be the answer to our AVG logfile spam woes, I’m been fiddling with it and have come up with a quite simple way pre-processing the logs with logparser to remove the offending spam. You can put the query inline within the logparser commandline, but it’s easier to stick it in a file once it gets a bit longer. So, I have this in my file

select * into c:\logs\ex%log%out.log
from c:\logs\ex%log%.log
where not (cs(User-Agent)=’Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;1813)
or cs(User-Agent)=’Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1)’
and cs(Cookie) is null
and cs(Referer) is null)

Which you run with

C:\Program Files\Log Parser 2.2>LogParser -i:iisw3c -o:w3c file:c:\logs\avgspam.
sql?log=080601

Which yields something like

Statistics:
———–
Elements processed: 209607
Elements output: 151434
Execution time: 8.47 seconds

This shows that logparser has removed ~58K rows from our log and created a new log that we can feed to our stats program.

I’ve tested this with a couple of logs from different clients now and it seems to to work.

Let me know if you have improvements or have come up with a different work around for this.

AVG better not start using more UserAgent strings though as this could get very messy.

If you’re new to logparser (as I was), this guide has some good (IIS centric) examples – Analysing IIS logs with LogParser

Update: I’ve now worked out how to use logparser with Awstats to filter out AVG spam. If you’re using Awstats this is a very quick fix.

add to del.icio.us :: Bookmark Post in Technorati :: Add to Blinkslist :: add to furl :: Digg it :: add to ma.gnolia :: Stumble It! :: add to simpy :: seed the vine :: :: :: TailRank :: post to facebook :: Bookmark on Google :: Add to Netscape :: Share on Yahoo :: Add this to Live

AVG Destroys Web Analytics

I had a call from a client yesterday who was concerned that their web stats had taken a sharp increase over the weekend. An increase shouldn’t normally cause concern but the client is (quite rightly) very skeptical about such increases. I said I’d investigate the source of the extra traffic and hopefully put his mind at rest.

A quick look at the Awstats reports is normally enough to highlight an issue if one exists, this is usually a new spider or some kind of strange spidering activity, in this case it wasn’t. I couldn’t see anything that looked out of the ordinary, this was an increase in visits with a reasonably sensible increase in page views etc. What next, I thought. “Is the traffic from Google?” The site in question normally receives about 75% of it’s traffic from Google, a quick tot up of the figures showed this was looking more in the region of 30% for this month. OK, so it’s an increase in direct traffic, a massive increase in fact, time to delve in to the log files by hand!

I copied across the previous days log file to my laptop and dropped it in to Textpad (I’m always amazed how well it copes with large text files, nice one textpad!) I started to look through the file and it looked reasonably normal, then I spotted a block of requests, only half a dozen or so, for the same file one after another. The thing that made this particularly odd, was that the file being requested was a tracking page used within the site to record data back to the SQL server. I continued to sift through the file and noticed the same block several more times, each time however, from a different IP address, completely different, not even the same range. Could this be a DDoS, I thought, possibly, although we’ve never seen one before. I tried to look for some commonality between the blocks and noticed they all had no referrer information and all seemed to use the same (slightly strange looking) user agent (UA). The user agent in question was

Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;1813)

I googled this and spotted a Webmaster World entry entitled AVG Toolbar Glitch May Be Causing Visitor Loss, sounds interesting I thought. To be honest, it was the only link that wasn’t to somebody’s stats page! At least I’m not alone on this one, I thought.

The forum discussion on Webmaster World described exactly what I was seeing, with many webmasters seeing it. Unfortunately, this isn’t down to a rogue spider, hack attempt, DDoS, no, it’s the latest version of AVG anti-virus.

Grisoft (the people behind AVG) purchased LinkScanner back in December 2007, one of it’s features being

LinkScanner automatically analyzes results returned by Google and other search engines and places a check mark next to sites believed to be safe.

In fact, LinkScanner analyses results from search engines (not just Google) and is browser independent. This may sound like a good idea from a security point of view, however, from a webmaster/website owner point of view, this is not good at all.

If your site appears well in the search engines, as everyone strives to do, your website is or is going to be hugely affected by this. Essentially this means, that everytime your site appears in a users results, regardless of whether they click on it, your website logfiles and thefore your statistics will show that person as a real visitor coming to your site. Now, because the IP address is the users IP address, we can’t filter on that, at first look it would appear we can filter on this useragent, unfortunately I spotted another one

Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1)

This one however, is even worst. This time it’s a legitimate user agent which means you can’t filter it out or rewrite it to another page on your site without the risk of blocking or harming real visitors. The first user agent is different, due to lack of a space (or plus) between the last semi-colon and the 1813, it doesn’t follow the standard pattern used by Microsoft.

So, we get to crux of the problem, AVG has destroyed web analytics for people who use a logfile analysis tool. Not only have they done this, they are also wasting our bandwidth and our disk space on servers!

Can we filter it out of our logs? Perhaps. They do seem to follow a pattern.

  • A request for the result in the SERP (often missing the trailing slash)
  • One or more requests for associated JavaScript files
  • A subsequent request for the root of the site
  • One or more further requests for associated JavaScript files

This is the pattern, it also serves as a prefetching routine which may speed up your eventual click on a result, if you do, that is.

I’m no Perl expert (.net is my bag), but I’m pretty sure a Perl guru could knock up a quick log processing script that parses your logs (IIS and Apache versions would differ, I guess) and removes this spam. It is spam at the end of the day, we didn’t ask for it and it’s wasting our resources dealing with it.

Any takers?

I’ve now disbaled the linkscanner component from my machine at home and am encouraging that friends do the same. To be honest I’m considering ditching it completely and using something else. I used to recommend AVG to everyone, I can’t do that anymore.

UPDATE: I have a possible LogParser solution, let me know if it helps.

Note: If you’re not seeing the block of requests for a single file in your logs but think you’re seeing this problem, I’ll explain why we were/are seeing that. Essentially we include a link to an ASP page as the source of a JavaScript include, it sounds a bit dodgy but it does the job. I think linkscanner is expecting a header or similar from this request which it doesn’t receive as it’s not really returning the file it thinks it is. I suspect that it’s therefore requesting the page again and again until it gives up. I intend to get rid of this tracker ASAP and implement it in a more elegant way!

add to del.icio.us :: Bookmark Post in Technorati :: Add to Blinkslist :: add to furl :: Digg it :: add to ma.gnolia :: Stumble It! :: add to simpy :: seed the vine :: :: :: TailRank :: post to facebook :: Bookmark on Google :: Add to Netscape :: Share on Yahoo :: Add this to Live