Anecdata: Kaspersky may silently corrupt SQLite files
(1) By anonymous on 2022-09-23 10:30:34
I've recently read a complaint elsewhere from a person whose Firefox kept “forgetting” some of its settings for no reason at all on an overall perfectly stable computer system. That person used Kaspersky antivirus, and that seemed to me more than a coincidence because of its peculiar (though reasonable) attention to browser configuration, which includes SQLite databases.
A couple of years ago, at my previous job, we had a third-party business application of sorts (though pretty solid) that used SQLite (probably some version that was twice as old, as it had not been actively developed for quite some time), just a regular file database on a local drive that was automatically copied to a timestamped backup location on each start. At some point, users noticed that data — orders they had handled in the last couple of hours — simply disappeared from the program without any crashes or errors. If I recall correctly, it happened more than once. As others had little ability to study and debug the problem, I could only advise restarting the program on each shift, and also on big manual changes, and checking that the general picture is sane once in a while. Additionally, I excluded both the application process and its data directory from Kaspersky antivirus monitoring, as I'd already seen updates that rendered the whole system unusable until its uninstallation, and heard about it silently deadlocking I/O for some programs. That exclusion seemed to fix the problem with our application.
So probably there is some scripted format parser or real-time SQL query checking that clashes with some signature checks inside the antivirus when the stars misalign, or it causes some stale memory pages from hours ago to overwrite the data on disk, or the behind-the-scenes locking and unlocking of the data it handles on-the-fly inside the kernel is somehow broken. Sure, the idea that antivirus causes problems is pretty obvious, and not much can be done in case of broken system layer code, but this specific combination of brands and the puzzling user experience of silent rollback without any notifications or errors doesn't seem to be reported.
(2) By Rishikeshan (rishikeshan) on 2022-09-27 11:53:36 in reply to 1
It's good to know this, not even databases are safe with Anti-Virus! I think they were trying to erase potentially malicious links in the 'history' file by a naive string matching algorithm. I have stopped using AV software for my PCs a long time ago and none of our PCs have one these days as they do interfere _a lot_ in our work, with unpredictable side-effects. Windows Defender (or whatever its successor is) was much more decent, if I recall correctly. YMMV, though. Regards, Rishikeshan. oss <at> rishikeshan <dot> com.
(3) By Donal Fellows (dkfellows) on 2022-09-28 12:33:02 in reply to 1
Many anti-virus systems are well-documented as breaking filesystem semantics in various ways. I view this as a bug in those AV systems. If they're making the system calls lie to SQLite, it's little wonder that SQLite's finding strange things happening under its feet.
However, there probably isn't anything that SQLite can do about it. Disabling the sabotaging AV is truly outside its scope.
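A check for the symptom described in this thread (recent rows vanishing with no error), as an added example that is not part of any post or of SQLite itself: it records the file change counter from the database header and a table's highest rowid, and flags either one going backwards. It assumes the default rollback-journal mode (in WAL mode the counter might not change on every transaction) and an insert-only table; the `orders` table, file names and the file copy that stands in for the reversion are constructed.

```python
import os, shutil, sqlite3, struct, tempfile

def change_counter(path):
    # SQLite header: 4-byte big-endian file change counter at offset 24.
    with open(path, "rb") as f:
        header = f.read(100)
    if len(header) < 100 or not header.startswith(b"SQLite format 3\x00"):
        raise ValueError("not a SQLite 3 database file: %s" % path)
    return struct.unpack(">I", header[24:28])[0]

def snapshot(path, table):
    # `table` is an operator-supplied, trusted name (assumption), never user input.
    con = sqlite3.connect(path)
    try:
        row = con.execute('SELECT max(rowid) FROM "%s"' % table).fetchone()
    finally:
        con.close()
    return {"counter": change_counter(path), "max_rowid": row[0] or 0}

def compare(prev, cur):
    # Either value going backwards means the file now holds an older state.
    findings = []
    if cur["counter"] < prev["counter"]:
        findings.append("change_counter_decreased")
    if cur["max_rowid"] < prev["max_rowid"]:
        findings.append("max_rowid_decreased")
    return findings

def demo():
    # Constructed data: a scratch database; a file copy stands in for the reversion.
    workdir = tempfile.mkdtemp()
    try:
        live, old = os.path.join(workdir, "orders.db"), os.path.join(workdir, "old.db")
        con = sqlite3.connect(live, isolation_level=None)  # autocommit per statement
        con.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, item TEXT)")
        con.execute("INSERT INTO orders (item) VALUES ('first')")
        con.close()
        shutil.copyfile(live, old)         # state at program start
        con = sqlite3.connect(live, isolation_level=None)
        con.execute("INSERT INTO orders (item) VALUES ('second')")
        con.close()
        before = snapshot(live, "orders")  # recorded after the shift's work
        shutil.copyfile(old, live)         # file reverts to the older state
        return compare(before, before), compare(before, snapshot(live, "orders"))
    finally:
        shutil.rmtree(workdir)

if __name__ == "__main__":
    print(demo())
```

Store each snapshot outside the monitored data directory so that a reverted database file cannot take the recorded baseline back with it.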