  Stem Bolt Premium join:2002-11-08 Cleveland, OH
| McAfee false-positive glitch fells PCs worldwide
»www.theregister.co.uk/2009/07/03···_glitch/
quote: IT admins across the globe are letting out a collective groan after servers and PCs running McAfee VirusScan attacked core system files, in some cases causing the machines to display the dreaded blue screen of death.
Details are still coming in, but forums here and here show that it's affecting McAfee customers in Germany, Italy, and elsewhere. A UK-based Reg reader, who asked to remain anonymous because he was not authorized by his employer to speak to the press, said the glitch simultaneously leveled half of a customer's 140 machines after they updated the latest virus signature file.
"Literally half of the machines were down with this McAfee anti-virus message IDing valid programs as having this trojan," the IT consultant said. "Literally half the office switched off their PCs and were just twiddling their thumbs."
When the consultant returned to his office he was relieved that his own laptop, which also uses VirusScan, was working normally. Then, suddenly, when it installed the latest McAfee DAT file, his computer was also smitten. The anti-virus program identified winvnc.exe and several other legitimate files as malware and attempted to quarantine them. With several core system files out of commission, the machine was rendered an expensive paperweight.
A McAfee representative in the US didn't immediately respond to phone calls seeking comment. Friday is a holiday for many US employees in observance of Saturday's Independence Day.
Based on anecdotes, the glitch appears to be caused when older VirusScan engines install DAT 5664, which McAfee seems to have pushed out in the past 24 hours. Affected systems then begin identifying a wide variety of legitimate - and frequently crucial - system files as malware. Files belonging to Microsoft Internet Explorer, drivers for Compaq computers, and even the McAfee-associated McScript.exe were being identified as a trojan called PWS!hv.aq, according to the posts and interviews.
We're still trying to determine how widespread this false-positive glitch is being felt and whether people have found any reliable fixes.
-- Norton 2010 BETA + Online Armor Free + Router/SPI |
|
  DataDoc My avatar looks like me, if I was 2D. Premium join:2000-05-14 Greenville, NC | And how would a regular user recover from this? |
|
  Dude111 An Awesome Dude Premium join:2003-08-04 USA | reply to Stem Bolt A system restore might be the only way..... |
|
  La Luna Surviving Ashraful Premium join:2001-07-12 Warwick, NY clubs:
| said by Dude111: A system restore might be the only way.....
The machines are supposedly unbootable. |
|
  nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
| reply to Stem Bolt Interesting.
I just checked my laptop. It is using DAT 5664. However, nothing untoward has happened. I wonder under what circumstances the problem shows up.
I am reminded of an earlier thread: »McAfee Virus update leaves PCs unbootable
-- AT&T dsl; Speedstream 5100b modem; openSuSE 11.0; firefox 3.0.11 |
|
  La Luna Surviving Ashraful Premium join:2001-07-12 Warwick, NY clubs: | ....the glitch appears to be caused when older VirusScan engines install DAT 5664...
Maybe that has something to do with who is affected, the VirusScan engine version? |
|
  nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
| Yes, but I'm not sure what that means. Periodically, McAfee installs an updated engine, and newer DAT files won't run on the older engine. Did some cross check go wrong? Or does "engine" mean something different from what McAfee calls its engine? -- AT&T dsl; Speedstream 5100b modem; openSuSE 11.0; firefox 3.0.11 |
|
 SUMware Premium join:2002-05-21
| reply to Stem Bolt From today's McAfee forums: »forums.mcafeehelp.com/showthread···1&page=3
We have had it confirmed by McAfee support that this problem is due to the old engine and that the only solution is to upgrade. There will be no further assistance in doing this (or fixing the issue) provided by McAfee.
It only affects VSE8.0i with Engine 5100.
VSE8.0i with 5200 Engine or above seems to work properly.
VSE8.5i and 8.7i are not affected.
...this is a false positive due to engine 5100 obsolescence. 5100 is not supported anymore since January 2008, it is very likely that this engine is not able to interpret correctly the latest DATs (5664 in this case). |
|
  Cabal Premium join:2007-01-21 Boston, MA | reply to Stem Bolt Doesn't this happen every year? I can't believe anyone would risk their infrastructure on McAfee. |
|
  Fireblade
join:2008-08-27 St Catharines, ON
| reply to Stem Bolt When I worked at a banking institution, we had over 3,000 computers and servers running with McAfee Anti-Virus - it's actually very good believe it or not, well the corporate version anyways.
Everything is tested via a sandbox SUS interface rigorously before releasing it to the full domain. This wouldn't get by. -- I love fish sticks. I love putting fish sticks in my mouth. |
|
  Ray422 Premium join:2002-03-04 Adger, AL clubs:  | Ok, so you run McAfee anti-virus software to protect your pc, and it destroys your Pc. How very interesting 
Real dam kool !!! |
|
  Shriyash Sungazer Premium join:2005-02-23 PuNe, InDiA | reply to Stem Bolt The very word Mcafee makes me cringe. |
|
 Tuulilapsi Kenosis
join:2002-07-29 Finland
| reply to DataDoc
said by DataDoc: And how would a regular user recover from this?
Restoring backups, I'd say. Reinstalling, or repairing Windows if that is what it takes.
However, I can't help being amused by this incident. Apparently folks will now need anti-anti-virus software to protect them from dangerous anti-virus software. You have to wonder how many people were just damaged more by their anti-virus than they've ever been damaged by actual malware. -- Want security? Run as limited user. |
|
  cork1958 Cork
join:2000-02-26 Fruitport, MI
| reply to Shriyash
said by Shriyash: The very word Mcafee makes me cringe.
Man, do I hear you there!!
The word Norton has about the same effect on me also. -- The Firefox alternative. »www.mozilla.org/projects/seamonkey/ |
|
 Mele20 Premium join:2001-06-05 Hilo, HI
| reply to Stem Bolt "this is a false positive due to engine 5100 obsolescence. 5100 is not supported anymore since January 2008".
My question is why didn't these businesses upgrade to a supported engine? I mean it is not like engine 5100 went unsupported a month ago...it has been over a year and one-half since that engine was supported. In fact, I was a beta tester for McAfee and tested VSE8.0i with the engine 5100 and that was several years ago. McAfee corporate is a good AV. It is nothing like the crap they make for home users. -- "The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason |
|
  mers2 Premium,MVM join:2004-03-20 USA clubs:
| It appears they have been getting database updates - so why go to the expense of upgrading, especially in an economic downturn? I have to say McAfee has shot themselves in the foot by refusing to fix this. They would have been better off to cut off database updates to this engine. If I were a business IT manager the last thing I would do would be to upgrade McAfee after it had trashed my network. I'd be looking for another anti-virus. -- "The best proof there is intelligent life in outer space is the fact it hasn't come here." Arthur C. Clark 1917-2008 Team Discovery
|
|
  dandelion Premium,MVM join:2003-04-29 Germantown, TN clubs:
| reply to Stem Bolt McAfee I assume doesn't care if the "old" engine wreaks havoc possibly reasoning that businesses should have upgraded. However in this market where things are tight, I can see them deciding not to as long as they continue to get updated. Wouldn't it have been a better business practice to send a warning that new data is likely to cause severe crashes etc. if the program is not updated? IMO in the long run, McAfee probably not only lost these businesses but others that heard about it. -- Spare computer cycles can help find answers Find A Cure!
|
|
 SUMware Premium join:2002-05-21
| reply to Stem Bolt
said by dandelion: Wouldn't it have been a better business practice to send a warning that new data is likely to cause severe crashes etc. if the program is not updated?
5100 McAfee Anti-Virus Engine End Of Life (EoL) Product Management Statement 08-03-2007 -
said by McAfee: After 1st February 2008 the 5100 McAfee Anti-Virus Engine will no longer be supported. In order to continue to receive support on McAfee Anti-Virus products users will need to upgrade to the 5200 version of the McAfee Anti-Virus Engine before this date.
From 1st February 2008 onwards there will be no further Anti-Virus definition files (DAT file) quality testing with the 5100 McAfee Anti-Virus Engine. Also, new detections and cleaning by the DAT files will be written with focus on the new enhanced capabilities of the 5200 McAfee Anti-Virus Engine where appropriate.
|
|
  dandelion Premium,MVM join:2003-04-29 Germantown, TN clubs:
| I am assuming possibly someone in the security field may interpret this that at the very least their machines would be open to new malware cropping up even hoping if the update is delayed at least the machines are still partially protected, yet the likelihood of that versus the entire machine crashing wouldn't be thought likely IMO. At least I wouldn't have interpreted that quote that way.  |
|
  nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
| reply to Cabal I am not seeing this as a McAfee problem. It looks more like a user problem.
We use McAfee at work. It is site licensed. We are allowed encouraged to install on home machines that are used for work related projects (covered by the site license). When we download the software, we have to agree to the conditions before the download starts. And one of the conditions is that we may use the software for only one year, and must uninstall it after then (presumably to install a newer version).
It seems to have been more than 2 years, perhaps more than 3 years, since the offered version was 8.5. So anybody still using 8.0 was not living up to their responsibilities. And we were notified last year by our IT folk, that if we were still running 8.0 or earlier, then it is no longer supported and we should remove it and install the newer version.
It seems to me that McAfee has been getting the word out. It isn't their fault if people were not listening.
My own opinion of McAfee is that it is too bloated. But I use it because it is free for me (the home version provided by ISP, the enterprise version from work). And I mainly use unix anyway, where the bloat in windows software won't be affecting me. -- AT&T dsl; Speedstream 5100b modem; openSuSE 11.0; firefox 3.0.11 |
|