Are you in Royal company?

Posted by Peter Labrow on 13 March 2009

Just when website owners thought that they had enough to think about, it turns out that some versions of Kaspersky, one of the leading Internet security suites, may be stopping users from seeing their graphics.

Last week, I took my MacBook Pro to show my brother a new site that we’d developed, which was just about to go live. He liked the site, and being more than a little interested in HTML, went back to have another look at it on his own PC.

And that’s when the fun began.

I got a call from him, where he asked: “where are the images that were at the top of the page?” I looked at the site on my machine. “They’re there,“ I told him. He sent me a screenshot to prove that – for him at least – they were not. The path to the image was correct if you looked in the HTML, but the file was being served up as a tiny one-pixel image, which replaced my rather splendid images.

After quite a bit of head-scratching, hunting and logical elimination, we found that the images were being blocked by Kaspersky’s Internet Security Suite. A little digging into Kaspersky’s configuration files showed that it was pre-configured to block any images that were stored in a folder containing the word ‘banners’ or with ‘banner’ as part of the file name.

Now, the developers at Kaspersky might think that this makes sense – that the only thing someone is going to put in a folder called banners (or containing the word) would be naughty, naughty banner ads that the user doesn’t want to see. But this is poor thinking.

The term banner has been used for many, many years before the Web came into existence – by designers, printers and publishers especially – to describe the ‘big graphic at the top of the page’. It’s a legitimate term, and, as such, is used legitimately in many websites around the world as a place where (you guessed it) ‘big images for the top of the page’ are kept.

If you don’t believe me, here’s a good example. The Royal Family launched their new website this month. Guess what? The images at the top don’t display if the user is running certain versions of Kaspersky’s Internet Suite. Most users will never know that something is missing – they’ll just see an ugly-looking gap on the Web page. Many won’t know how to turn this feature off, and will never see the site as the designer intended.

 

The Royal Family’s website as some Kaspersky’s users see it (March 2009)

 

The Royal Family’s website as rest of world + dog sees it (March 2009)

 

Whose fault is this? I would lay the blame at Kaspersky’s door. An image stored in a place containing the word ‘banner’ is not a banner ad. Blocking such images, without being certain that it is a banner ad, is reducing the experience of the Internet significantly for customers and compromising the message delivered by website owners. Like perhaps you, me, and even the Royal Family.

Currently, website developers should test sites in all major browsers. Fine, that’s part of the job. But it’s not commercially possible to test sites in every security tool too, nor is it reasonable to expect that this would be done.

Not only does it block lots of legitimate content, the most nefarious of website owners will soon clock on to Kaspersky’s foibles and simply put ads in folders called ‘bernard’ or some such. So the real baddies will easily skate over Kaspersky’s somewhat shallow moat while legitimate content is blocked.

So, not good news for many website owners. But look on the bright side, at least you are in Royal company.

I for one, though, am not amused.

Update: 13 March 2009

I reported this to both the Webmaster of the Royal Family’s website and to Kaspersky. Absolute top marks to Kaspersky for getting back to me in person, within a couple of hours. Totally amazing response, really fast, I’m not sure I would have got the same response from some other anti-virus companies. Top marks, Kaspersky.

Kaspersky tells me that this only affects some of the builds of its product and that an update is already available to sort it. I’m currently in the process of testing that out.

Update 2: 13 March 2009

I can’t tell you how impressed I am with the response from Kaspersky. Not only were they rapid, but they also gave me a one-year licence so I could test the Royal Family’s site in the current version of their suite, plus my sites too.

I’m very pleased to say that in the current version of Kaspersky, the problem has gone. An update is also available for older versions - however, users have to specifically download it, it isn’t pushed out automatically. The good news is that Kaspersky tell me that this is now flagged with the product developers in Moscow, to see if a way can be found to push out the update. What’s more, within ten minutes of being told that this was being escalated, I got an e-mail from the developer in Moscow, asking for more information.

I have to say, despite my caustic comments (and I stand by the ones related to the thinking behind this) that Kaspersky has been really superb. Very responsive indeed. I hope this gets sorted soon, so that we poor website designers don’t have to go back and check all of our websites!

Big thanks to Darrel (and everyone else) at Kaspersky.

Update 3: 13 March 2009

I spoke too soon. It turns out that the only reason that banner images aren’t blocked is that the update simply turns the ad-blocking feature off as a default! Once you turn it back on again, the problem re-occurs. This is very disappointing. Call me cynical, but it looks like Kaspersky has recognised the problem but implemented a quick fix that actually isn’t a fix at all. My previous respect for how they responded to this has evaporated. The ad blocking feature still blocks legitimate content.

Update 4: 17 March 2009

I’ve now exchanged several e-mails with Kaspersky which differ in tone and content. By and large I would say that they accept this is a problem, but have no understanding as to the scope or scale of the problem. Their initial stance was that it is entirely reasonable to block images with the word ‘banner’ in the file name or path, since they feel that it is likely that this will be an ad. I have pointed out the flaw in this logic.

Here’s the part of an e-mail I sent to Kaspersky:

Your assertion that the software is only likely to block occasional sites is one that shows a lack of understanding of website design and page structure – please, I mean no offence by that. A ‘banner’ is NOT an advertisement. The term ‘banner’ has been around for longer than ‘banner ads’ and is still a key, common piece of design terminology that refers to something which is (generally) graphical and is (generally) at the top of a page. This can be a web page or a printed page. Banner ads are so called because they (generally) take the banner position. The term banner is by no means exclusive to banner ads.

Most web designers (and printed page designers) break their pages down in to zones, and common terms are used to describe these: sidebar, menu, footer, header, main content, AND BANNER. It DOES NOT mean banner ad, though it can, of course.

But to block content simply because it is called banner shows very shallow thinking, I’m sorry to say. For two reasons:

• Much content called ‘banner’ is not an advertisement
• Many banner advertisements do not use the word banner in them

Therefore, bearing in mind my explanation about terminology above, your software stands a very good chance of blocking legitimate content, and of allowing actual banner ads to not be suppressed.

Kaskersky has acknowledged that simply turning off the ad-blocking feature is not a solution, since users have to know that they need to turn it off and, in any case, they may not want to turn it off because they rely on it to block other content. The people in the UK tell me that they are awaiting a response from Moscow.

Update 5: 18 March 2009

I’ve now spent two days – for which I won’t get paid – testing my websites and fixing them so that Kaspersky doesn’t block the content.

Kaspersky’s teams in the UK continue to be helpful and friendly, but there’s a real lack of recognition as to the scope of the problem. Kaspersky’s head of development is suggesting adding the Royal site to a white list and any other sites that have the same problem. I despair!

To illustrate how far-reaching this problem is, here are just a few more legitimate sites with blocked content:

This site has the whole page blocked, and it’s just a tutorial on drawing something that looks like a scrolled banner. This site again has the whole page blocked the whole page, and it’s a company trying to sell signs (ie banners). On this site, Kaspersky blocks many of the images, they are trying to sell outdoor advertising. On this site the main image in the middle is missing, which happens to be a picture of an award-winning website.

I could do this all day – it took me only five minutes to find these! Kaspersky doesn’t seem willing to recognise the wider problem here, and doubts that many sites are affected, yet it takes very little effort to build up a pretty substantial list.

For example, a quick Google for ‘banner.jpg’ brings up 9,050,000 results – very few of them banner ads, nearly all legitimate content. And that’s not counting variations on the word banner such as banner1.jpg’ (35,700), banner2.jpg (37,100), banner-1.jpg (788,000), main-banner.jpg (15,400) – and so on. The possibilities are nearly endless. Again, many of these are not ads. Yet pretty much all of them will be blocked by Kaspersky.

By blacklisting the word banner, Kaspersky is blocking images, movies, entire pages and possibly even entire sites. It’s like blocking all sites with Middlesex in the URL because it contains the word sex – hardly sound thinking.

It took little old me two days to test my sites and put in place fixes. That’s lost revenue, from just one small Web design company. Why should I have had to absorb that cost? Imagine multiplying that cost over the kind of numbers highlighted above. Personally I think Kaspersky should really take notice – if entire businesses are being blocked, or products being prevented from being displayed and sold, then surely this is a class action suit waiting to happen?

 

Comments

1 comment · add a comment · this blog is moderated

Labrow Marketing takes no responsibility for any comments below, as these do not necessarily represent our views.

On 25 June 2009, gavjof said:

Thank you very much for documenting this on your blog. As a website publisher I was confused as to why certain images were *missing* from my site. I had also thought that flash needed to be reinstalled as certain news sites had spaces where advertising banners were. Common sense reminded me that I'd just recently replaced AVG with Kaspersky suite. Took a few google searches but eventually found your blog :) Thanks again