Thread Missing BLB Files
Tue, Oct 30 2007 5:39 PM

Tim Young [Elevate Software]

Elevate Software, Inc.

Email timyoung@elevatesoft.com

We have finally received a valuable lead today in the mystery of the missing
.BLB files.  Apparently a Chinese organization is using DBISAM to create an
adware application called pprich:

http://www.symantec.com/security_response/writeup.jsp?docid=2006-091415-2444-99

Because it ships with an empty .BLB file, certain anti-spyware software has
added the empty .BLB byte signature to its spyware database, and proceeds to
remove any .BLB file that fits this scenario (any empty DBISAM .BLB).
Currently, we are aware of AOL's anti-spyware software removing .BLB files,
but are seeing if any others are doing so also.  We suspect that Time Warner
may also be using the same software, but we're not positive about this yet.

As to a remedy, we are having our lawyer contact AOL in order to get a
technical contact that we can pursue this with, mainly because we can't find
any specific contact information for AOL anywhere.  I will let everyone know
what we find out with this route.  Needless to say, this is a major no-no on
the part of the anti-spyware software and is tantamount to removing all
empty Microsoft Excel .xls files just because they fit a certain byte
signature.  We're not really sure why they aren't scanning the files to see
if they are actual executable files, or why they aren't just removing the
empty .BLB files with the same name as the adware, but the best we can
surmise at this point is that they simply weren't particularly thorough.

The only other remedies are:

1) Changing the .blb file extension to something else in your application.
2) Removing the anti-spyware software so that it stops removing the .BLB
files.

I will let everyone know how things progress on this front.  In the
meantime, if you do experience this issue, please let us know so that we can
figure out which anti-spyware software is responsible.

--
Tim Young
Elevate Software
www.elevatesoft.com

Wed, Oct 31 2007 3:37 AM

Markku Nevalainen
Tim Young [Elevate Software] wrote:
>
> added the empty .BLB byte signature to its spyware database, and proceeds to
> remove any .BLB file that fits this scenario (any empty DBISAM .BLB).

I wonder if there would be some simple hack that would prevent the BLB Blob
file from ever being empty.

For instance in AfterDelete event write some extra check:

 If MyTable.Blobfield.IsNull
  then MyTable.Blobfield.AsString :='Dummy';

(Sorry about the clumsy example, I usually use TStreams to store data to
Blobs)

> 1) Changing the .blb file extension to something else in your application.

For any developers using versions prior to 4.0, this possibility probably
is out?

> 2) Removing the anti-spyware software so that it stops removing the .BLB
> files.

I have not yet seen this happen. Perhaps the clients have just been
lucky and always have had at least something stored in their BLB files.

Markku Nevalainen
Wed, Oct 31 2007 8:20 AM

"Jan Derk"
Tim Young [Elevate Software] wrote:

> Currently, we are aware of AOL's
> anti-spyware software removing .BLB files, but are seeing if any
> others are doing so also.

I sincerely start to think that some anti-virus packages are worse than
viruses. If a virus would have done the exact same thing (deleting
important files and breaking many applications), the anti-virus
industry would have released many press releases and the (internet)
media would be all over it.

My first question I ask these days for customers with strange problems
is not if they have viruses, but if they have Norton or McAfee
installed. I guess we can add AOL to that list.

Jan Derk
Wed, Oct 31 2007 10:14 AM

Eryk Bottomley
Markku

> I wonder if there would be some simple hack that would prevent the BLB Blob
> file from ever being empty.
>
> For instance in AfterDelete event write some extra check:
>
>   If MyTable.Blobfield.IsNull
>    then MyTable.Blobfield.AsString :='Dummy';


That would break the logic for anyone who tests for 'RecordCount=0' or
similar in their application. For example, it would turn:

while RecordCount > 0 do
  Delete;

...into an infinite loop. A 'fix' like that would be much, much nastier
than the original problem IMO.


> For any developers using versions prior to 4.0, this possibility probably
> is out?


Not if you have the source code. It only requires changing one constant.

Eryk
Wed, Oct 31 2007 11:59 AM

Rolf Frei

eicom GmbH

Unbelievable!!! AV and AntiSpyware gets more and more to malware itself.

Does this only affect DBISAM 4 "empty" BLB files or V3 too? Do you know
already which other products than AOL do this?

Regards
Rolf

Wed, Oct 31 2007 12:44 PM

Tim Young [Elevate Software]

Elevate Software, Inc.

Email timyoung@elevatesoft.com

Markku,

<< I wonder if there would be some simple hack that would prevent the BLB Blob
file from ever being empty. >>

Sure, that will work also.  Any time the .BLB is increased from the empty
512-byte header to something else, it will fix the problem.

<< For any developers using versions prior to 4.0, this possibility probably is
out? >>

It's not out, but it is immensely more difficult to do.

<< I have not yet seen this happen. Perhaps the clients have just been
lucky and always have had at least something stored in their BLB files. >>

So far I can only track it down to AOL anti-spyware, which is weird because
they supposedly use a slightly-customized version of McAfee Internet
Security Suite.

--
Tim Young
Elevate Software
www.elevatesoft.com
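
Added example, not part of the original thread and not Elevate Software's code: a Python audit that compares two snapshots of a data directory to report .BLB files that have disappeared and those still sitting at the empty 512-byte size mentioned above. It assumes the default `.blb` extension; the function names and the sample files in `demo()` are constructed for illustration.

```python
import os
import tempfile

EMPTY_BLB_SIZE = 512   # empty DBISAM 4 .BLB header size, as stated in the thread
BLB_EXT = ".blb"       # assumption: default extension, change if the app renamed it


def snapshot(data_dir):
    """Return {lowercased .BLB file name: size in bytes} for one directory."""
    sizes = {}
    for entry in os.scandir(data_dir):
        if entry.is_file() and entry.name.lower().endswith(BLB_EXT):
            sizes[entry.name.lower()] = entry.stat().st_size
    return sizes


def audit(baseline, current):
    """Compare an earlier snapshot with the current one.

    missing : in the baseline but gone now
    suspect : missing files that were header-only when last seen, which is
              the pattern the thread attributes to the anti-spyware signature
    at_risk : still present but exactly header-sized ("empty")
    """
    missing = sorted(n for n in baseline if n not in current)
    suspect = [n for n in missing if baseline[n] == EMPTY_BLB_SIZE]
    at_risk = sorted(n for n, s in current.items() if s == EMPTY_BLB_SIZE)
    return {"missing": missing, "suspect": suspect, "at_risk": at_risk}


def demo():
    """Run the audit on constructed sample files in a temporary directory."""
    samples = (("customer.blb", 512), ("orders.blb", 512), ("notes.blb", 2048))
    with tempfile.TemporaryDirectory() as d:
        for name, size in samples:
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"\0" * size)          # placeholder bytes, not a real header
        baseline = snapshot(d)
        os.remove(os.path.join(d, "orders.blb"))  # simulate removal by a scanner
        return audit(baseline, snapshot(d))


if __name__ == "__main__":
    print(demo())
```

Saving the baseline snapshot at install time and re-running the audit at application start gives a support team the file name and last-known size to report when a .BLB goes missing.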

Wed, Oct 31 2007 12:47 PM

Tim Young [Elevate Software]

Elevate Software, Inc.

Email timyoung@elevatesoft.com

Rolf,

<< Unbelievable!!! AV and AntiSpyware gets more and more to malware itself.
>>

Yes.  Removing virus and adware/malware .EXE/.DLL files is one thing.
Removing random data files is another.

<< Does this only affect DBISAM 4 "empty" BLB files or V3 too? >>

Sorry, I should have mentioned that.  It only affects DBISAM 4 .BLB files,
as far as I know.

<< Do you know already which other products than AOL do this? >>

I've tested Symantec's virus scanning, and they don't report the .BLB files
as being part of a virus, etc.  I'm getting McAfee now to try it out.  I
swore that I would never give those people any money, but sometimes I guess
I need to bite the bullet and do it anyways. :)

--
Tim Young
Elevate Software
www.elevatesoft.com

Wed, Oct 31 2007 12:49 PM

Tim Young [Elevate Software]

Elevate Software, Inc.

Email timyoung@elevatesoft.com

Eryk,

<< That would break the logic for anyone who tests for 'RecordCount=0' or
similar in their application.  >>

Yes, it would.  However, if you add a record with BLOB data and then delete
it, you will change the .BLB file size with some extra empty space without
changing the RecordCount logic.

--
Tim Young
Elevate Software
www.elevatesoft.com

Wed, Oct 31 2007 12:55 PM

Tim Young [Elevate Software]

Elevate Software, Inc.

Email timyoung@elevatesoft.com

Jan,

<< I sincerely start to think that some anti-virus packages are worse than
viruses. If a virus would have done the exact same thing (deleting
important files and breaking many applications), the anti-virus industry
would have released many press releases and the (internet) media would be
all over it. >>

Yes, that's the unfortunate sad state of affairs that we've come to.  I
don't know why they even bother with spyware signatures and definitions -
the nastier ones hook themselves into the WinLogon process and other
internals in order to avoid being subject to removal through any other
method than the Repair/Recovery Console.

--
Tim Young
Elevate Software
www.elevatesoft.com

Wed, Oct 31 2007 3:40 PM

"Rita"
Give me some money and I will tell you the fix ;)
Rita

"Tim Young [Elevate Software]" <timyoung@elevatesoft.com> wrote in message
news:8F9E4DB1-9D26-4CB0-BC6C-0AE165AFDE75@news.elevatesoft.com...
> Rolf,
>
> << Unbelievable!!! AV and AntiSpyware gets more and more to malware
> itself.
> >>
>
> Yes.  Removing virus and adware/malware .EXE/.DLL files is one thing.
> Removing random data files is another.
>
> << Does this only affect DBISAM 4 "empty" BLB files or V3 too? >>
>
> Sorry, I should have mentioned that.  It only affects DBISAM 4 .BLB files,
> as far as I know.
>
> << Do you know already which other products than AOL do this? >>
>
> I've tested Symantec's virus scanning, and they don't report the .BLB
> files as being part of a virus, etc.  I'm getting McAfee now to try it out.
> I swore that I would never give those people any money, but sometimes I
> guess I need to bite the bullet and do it anyways. :)
>
> --
> Tim Young
> Elevate Software
> www.elevatesoft.com
>
