# Justin Mason: 27 Jun 2008
that's annoying. 4.7% of traffic to taint.org is now coming from this crap.

I suggest adding a query string to the redirection-target URL, like "?LinkScannerSucks"... make your feelings clear in the referrer.
# Pádraig Brady: 27 Jun 2008
Good suggestion :)
Done.
# robert: 28 Jun 2008
Thanks Padraig,

I've been looking for something to deal with this for the last six weeks when I first noticed it. Sadly my regex skills are lacking but once again I find myself in your debt.

It works a treat.
# mike: 28 Jun 2008
Good stuff! Will put it live ASAP.
# ChuckMcB: 02 Jul 2008
Cheers, trying it out myself as well.
# Mathew: 03 Jul 2008
You could also have blocked all IE users and put one of those nice messages to tell them their browser isn't welcome. (smilie)
# Pádraig Brady: 03 Jul 2008
@Mathew I've been tempted many times :)

Currently I degrade functionality gracefully for IE 6.0 users,
rather than trying to hack full support for them into my site.
# Sd: 04 Jul 2008

Why waste CPU on two checks and fuzzy match? Optimize optimize!

Rewritecond %{HTTP_USER_AGENT} "^Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;(?: SV1|1813)\)"

# Pádraig Brady: 04 Jul 2008
@Sd Good point.

I wasn't sure of the flavour of regular expressions provided by mod_rewrite. Thanks for clarifying.
Note we don't want to anchor Mozilla to the start, as some versions of linkscanner also append 'User-Agent: '

Also one has to be wary of over complicating regular expressions, when splitting them up can simplify things a lot.

I've done a quick test on the following which seems to work, but I'm not sure it's better:

Rewritecond %{HTTP_USER_AGENT} "^(?:User-Agent: )?Mozilla/4.0 \(compatible; MSIE 6.0; Windows NT 5.1;(?: SV1|1813)\)$"

I'll test some more,
thanks.
# Martin: 05 Jul 2008
Thanks for the .htaccess redirect code.
However, I found it wasn't working on one of my webhosts until I changed the first two "Rewritecond" instances to "RewriteCond".
# Pádraig Brady: 05 Jul 2008
@Martin,
I thought they were case insensitive and they are for me
on apache 2.0.52 and 2.2.6 on linux at least.

Fixed up now, thanks.
# Dave P: 05 Jul 2008
There's an 'official' comment on
http://robert.accettura.com/blog/2008/07/03/avg-wastes-bandwidth/
that AVG have now discontinued this practice. I've seen no hits on my website since 21:00 yesterday (a couple of hours after I installed your redirect rules - ho hum...)
# Pádraig Brady: 05 Jul 2008
@Dave P, thanks for that info!
I'm still seeing the link scanner traffic to my site BTW.

They said there that they're rolling out an update
on July 9th to stop scanning all search results, but
will still scan results as users click on them.

The good news is that we've made them take notice.
Well done everyone!
# Martin: 06 Jul 2008
@Pádraig: FYI, the webhost that didn't like the differing case of "Rewritecond" is running apache 1.3.41, but all the sites I have that run apache 2.x were happy with either "Rewritecond" or "RewriteCond".
# Lloyd Borrett: 07 Jul 2008
AVG has already responded to resolve this issue. The full response can be seen at http://www.avg.com.au/index.cfm?section=news&feature=104

An updated version of AVG Anti-Virus Free Edition 8.0 is already available. The Search-Shield component of LinkScanner has been modified to only notify users of malicious sites. The equivalent modification to the the AVG 8.0 commercial products will be rolled out on 9th July 2008.

Once the updated version has been rolled out to all AVG 8.0 users the issue will be resolved.

As of this date, Search-Shield will no longer scan each search result online for new exploits, which was causing the spikes that web masters addressed with us.

However, it is important to note that AVG still offers full protection against potential exploits through the LinkScanner Active Surf-Shield component of our product, which checks every page for malicious content as it is visited but before it is opened.

We’d like to thank the web community for bringing these challenges to our attention, as building community trust and protecting all of our users is critical to us.

Best Regards, Lloyd Borrett
Marketing Manager, AVG (AU/NZ)
# Thomas: 07 Jul 2008
I noticed from my logs that one of the User-Agents (MSIE 6.0; Windows NT 5.1;1813) has already virtually disappeared, the other is hopefully to follow soon. So I reckon I'll wait another week or two before I apply some blocking (it definitely has caused a significant increase of useless traffic for some of my sites as well (about 30%-40% over the last 6 months (and I am literally paying for every MB used)).

I am just wondering anyway what the point of integrating such a blanket link scanner technology into an antivirus program is. The latter should detect any malware anyway when it is about to be opened (I am using Avast for instance, which includes a Web Shield as well, but doesn't use any link scanner).
Or was this all just a publicity stunt by AVG?

Thomas
# A2010: 01 Mar 2010
While this is now *ancient* news it does help explain why one of my friend's "older" computers came to a crawl when he upgraded from AVG7PRO to AVG8PRO. I had to disable the AVG Shield components to get anything resembling reasonable network speed. My friend (at my insist) reported this to AVG Tech Support and they gave the expected "not our fault, must be a conflict with something installed on your system" line. Now at least I can be reasonably sure I know what the cause was.
Name:
Website:
comments:
(no HTML)
31+9