bit-tech.net

McAfee update kills Windows


Users of McAfee's anti-virus products have been given a nasty shock: a false-positive reading that kills Windows.

A bad virus definition update has left a number of McAfee customers worldwide with systems that will no longer run.

First spotted by the guys over at Gizmodo following a surge of comments on micro-blogging service Twitter, and later confirmed by Engadget and The Register, the issue stems from a false positive contained within the 5958 virus definitions and triggered on machines running Windows XP Service Pack 3.

Users who received the faulty update - initially released yesterday at 1400 and then quickly removed from the update servers - will have found that the rather important Windows service svchost.exe was categorised as a virus. If the default option to quarantine the file is selected - or if the software is configured to do so automatically - the system will crash.

Describing the issue as causing "moderate to significant performance issues" on affected systems, McAfee has posted instructions on both removing the faulty virus definition and on repairing a damaged Windows install.

This is hardly the first time a signature-based anti-virus has gone haywire and caused havoc on the very PCs it was designed to protect, of course. Just last month BitDefender Antivirus crashed 64-bit Windows systems due to a similar faulty signature update, and back in January Kaspersky Anti-Virus ended up blocking Google AdSense by mistake. Unfortunately, such issues are a by-product of the complex balancing act signature-based detection systems must perform: too permissive and you'll miss new and modified viruses; too strict and you'll falsely classify legitimate files as malware.

Do you think the time has come to solve the virus problem a different way, or are these false positive issues just something modern computer users need to expect from time to time? Share your thoughts over in the forums.

46 Comments

Fizzban 22nd April 2010, 10:48 Quote
Maybe they need to input a list of files that the scanner is not to touch.

To be honest though this shouldn't have been much of an issue, as virus scanners usually give you the option of not having it perform any action on a potential virus until you give the say so. If you haven't selected that option, then more fool you. Mine always flags up cracks but it won't touch them unless I say otherwise.
Unknownsock 22nd April 2010, 11:05 Quote
Simple solution.
I don't use firewalls nor anti-viruses.

Never had a problem.
cjoyce1980 22nd April 2010, 11:16 Quote
Quote:
Originally Posted by Unknownsock
Simple solution.
I don't use firewalls nor anti-viruses.

Never had a problem.

a mac user by any chance?? :)
BentAnat 22nd April 2010, 11:20 Quote
Our techs had quite a bit of fun with this this morning... add Restrictions on the machines that make it virtually impossible to boot into safe mode, as well as encrypted hard drives, and you're set for a bit of fun.
deathtaker27 22nd April 2010, 11:26 Quote
College didn't roll out the update (damn), and it's always horrible to try to get past these systems when you're at work/college, as the restrictions stop everything :(
Hustler 22nd April 2010, 11:28 Quote
Quote:
Originally Posted by Unknownsock
Simple solution.
I don't use firewalls nor anti-viruses.

Never had a problem.

Me neither......

Just out of curiosity I installed AVG the other week and did a full scan, 700GB's worth, and it came up totally clear, and that's after 'going commando' for the last 14 months of daily use...

I promptly uninstalled AVG....

The best anti-virus you can get is common sense......and it's free.
aussiebear 22nd April 2010, 11:29 Quote
A better approach: Apply practices from Unix/Linux world.

(1) Buy the version of Windows with "Software Restriction Policy". (Usually named "Professional" or "Business" editions). Set it to "Disallow". This will only allow executables to run in "Program Files" and "Windows" directories. You can add more rules to suit your needs.

(2) Only use Administrator when installing/updating/fixing issues. (Password this account.)

(3) Always use Limited/Standard User for day-to-day use. (Password this account as well)...Combining with (1) will cause a Catch-22 for malware. => Where I can run; I cannot save. Where I can save; I cannot run.

(4) Always scrutinize every application/executable BEFORE you install. (Buy legit commercial, check user reviews of freeware, only get software from developer's website, etc.)

(5) Always stay up-to-date. Including third-party software like Java, Flash, Adobe Reader, etc.

(6) Familiarise yourself with the various social engineering tricks.
(A malware's most vulnerable point is getting the user to execute code. If that isn't allowed to happen; infection cannot occur!)

In the last 2 years of applying this approach; No infections. No malware. No BS applications running in the background...The only thing I worry about is hardware failure. (This is typically overcome by selecting quality parts.)
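aussiebear's steps (1) and (3), as an added Python model of the policy they produce together (example code added here, not bit-tech's, aussiebear's or Microsoft's; SRP itself is configured through Group Policy, not by a script like this). The directory lists and the standard user's writable locations are constructed for the model. It also carries the caveat a practitioner would add to "you can add more rules to suit your needs": because SRP lets the most specific matching path rule win, any user-writable folder beneath an allowed path needs its own Disallowed rule, or files saved there inherit the parent's Unrestricted rule.

```python
from dataclasses import dataclass
from typing import List

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"

@dataclass(frozen=True)
class PathRule:
    prefix: str   # directory prefix, compared case-insensitively like Windows paths
    level: str

# Model of step (1): default level Disallowed plus path rules that re-enable
# the two OS-managed directories. Constructed for the example.
DEFAULT_LEVEL = DISALLOWED
PATH_RULES: List[PathRule] = [
    PathRule(r"C:\WINDOWS", UNRESTRICTED),
    PathRule(r"C:\Program Files", UNRESTRICTED),
    # Practitioner's caveat: a directory under C:\WINDOWS that standard users can
    # write to must get its own Disallowed rule (modelled here on C:\WINDOWS\Temp,
    # an assumption about which folders are user-writable on a given build).
    PathRule(r"C:\WINDOWS\Temp", DISALLOWED),
]

# Model of step (3): where a Limited/Standard user may save files. Constructed;
# real ACLs vary by build and configuration.
USER_WRITABLE: List[str] = [r"C:\Documents and Settings\alice", r"C:\WINDOWS\Temp"]

def _norm(path: str) -> str:
    return path.lower().rstrip("\\")

def _under(path: str, prefix: str) -> bool:
    """True if path is prefix itself or lies anywhere beneath it."""
    path, prefix = _norm(path), _norm(prefix)
    return path == prefix or path.startswith(prefix + "\\")

def execution_level(path: str, rules: List[PathRule] = PATH_RULES,
                    default: str = DEFAULT_LEVEL) -> str:
    """SRP path-rule semantics: the most specific (longest) matching rule wins;
    with no matching rule the default level applies."""
    matches = [r for r in rules if _under(path, r.prefix)]
    if not matches:
        return default
    return max(matches, key=lambda r: len(_norm(r.prefix))).level

def standard_user_can_write(path: str, writable: List[str] = USER_WRITABLE) -> bool:
    return any(_under(path, w) for w in writable)

def malware_can_run_from(path: str) -> bool:
    """aussiebear's Catch-22: to infect, code must be both saveable by the user
    and allowed to execute from where it was saved."""
    return standard_user_can_write(path) and execution_level(path) == UNRESTRICTED
```

Run `execution_level` on the same path with `rules=PATH_RULES[:2]` to see the gap the third rule closes: without it, a file a user saves under the Temp folder would execute under the parent's Unrestricted rule.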
Showerhead 22nd April 2010, 11:35 Quote
Do they never even do any QA before releasing an update? Thought this one would have been fairly obvious to catch.
Brooxy 22nd April 2010, 11:37 Quote
Heard about this this morning as we use McAfee at work - thankfully they stopped the updates before they got across the whole network...

Even so, I thought the point of AV software was to keep your system running
aussiebear 22nd April 2010, 11:47 Quote
Quote:
Originally Posted by Showerhead
Do they never even do any QA before releasing an update? Thought this one would have been fairly obvious to catch.

Every AV solution in the last 5 years have caused "friendly fire" incidents such as this. This is why I don't trust AV solutions.

They are a danger to the computer user; and malware writers can easily bypass them by simply re-packaging existing malware...Re-craft existing malware to exploit new holes. (Saves you time...And adds more work for AV companies).

The AV approach to security is the reason why we still have crap floating on the web.

When more people apply what I've suggested, Windows infection numbers will fall.

(Granted, it'll put a number of people out of work; but that's just tough titties! Serves them right for being part of a dodgy industry!)
eddtox 22nd April 2010, 11:52 Quote
Quote:
Originally Posted by Article
"moderate to significant performance issues"

I would say not being able to boot your system is fairly severe. Surely you should be able to seek compensation from McAfee over this?
aron311 22nd April 2010, 11:55 Quote
Quote:
Originally Posted by Hustler
Me neither......

Just out of curiosity I installed AVG the other week and did a full scan, 700GB's worth, and it came up totally clear, and that's after 'going commando' for the last 14 months of daily use...

I promptly uninstalled AVG....

The best anti-virus you can get is common sense......and it's free.

Hustler you do realise AVG wouldn't find anything even IF your computer is riddled with viruses? It's a piece of crap..

Microsoft Security Essentials is worth a go as it's free, Malware Bytes Anti-Malware is also good..
perplekks45 22nd April 2010, 12:38 Quote
We just went from McAfee to MS SE here at work and I wish we hadn't. We had 3 infections in 5 months, switched to SE and since then 12 infections in 1 month.

Thank you very much, MS. As much as I hate McAfee for being the resource killer it is, at least it found the malicious software!
TWeaK 22nd April 2010, 12:52 Quote
The University of Sheffield got hit hard by this, pretty much all of the uni PCs are on XP SP3 and were shut down. I think they're still working on getting a lot of the staff computers running again.

Surely this all could've been avoided if people didn't download the update as soon as it was released? A 6 hour wait probably could've saved a lot of people a lot of trouble.
cybergenics 22nd April 2010, 13:06 Quote
Quote:
Originally Posted by aron311
Hustler you do realise AVG wouldn't find anything even IF your computer is riddled with viruses? It's a piece of crap..

Microsoft Security Essentials is worth a go as it's free, Malware Bytes Anti-Malware is also good..

Seen numerous PCs of friends using AVG free and paid, Avast, Avira, all riddled with malware and viruses, and all the aforementioned programs did (as you say) F all. I am not sure if the people in question wilfully let programmes like 'Anti Virus XP' take over their PC by clicking the boxes it pops up, but then these AV progs should block it.

As we know, best AV prog is called being Savvy.
tripwired 22nd April 2010, 13:08 Quote
Quote:
Originally Posted by TWeaK
Surely this all could've been avoided if people didn't download the update as soon as it was released? A 6 hour wait probably could've saved a lot of people a lot of trouble.

True, although it increases workload for IT departments - especially difficult for companies without the resources to dedicate to a lab to test updates before rolling out to the live environment.
Hustler 22nd April 2010, 13:48 Quote
Quote:
Originally Posted by aron311

Hustler you do realise AVG wouldn't find anything even IF your computer is riddled with viruses? It's a piece of crap..

Microsoft Security Essentials is worth a go as it's free, Malware Bytes Anti-Malware is also good..

yeah...yeah...yeah.....heard it all before, fact is no matter what anti-virus product I could have used, someone like you would always pop up to say it's 'a piece of crap'........use this or use that...
Zurechial 22nd April 2010, 13:54 Quote
Common sense keeps you pretty safe and ClamWin (windows port of ClamAV for Linux) helps out when common sense fails.

McAfee & Norton are as bad as or worse than the majority of viruses and have been for almost 20 years now.
Bauul 22nd April 2010, 14:16 Quote
Quote:
Originally Posted by perplekks45
We just went from McAfee to MS SE here at work and I wish we hadn't. We had 3 infections in 5 months, switched to SE and since then 12 infections in 1 month.

Thank you very much, MS. As much as I hate McAfee for being the resource killer it is, at least it found the malicious software!

You know MS SE is explicitly designed to work with a home user? In fact the licence agreement forbids you from using it for work.

In other words, you really don't have a leg to stand on complaining.
Hustler 22nd April 2010, 14:18 Quote
Quote:
Originally Posted by Bauul


You know MS SE is explicitly designed to work with a home user? In fact the licence agreement forbids you from using it for work.

In other words, you really don't have a leg to stand on complaining.

Doesn't change the fact the product didn't work though does it.....
proxess 22nd April 2010, 15:21 Quote
*nix ftw. *BSD ftw. Book ftw.
TWeaK 22nd April 2010, 15:59 Quote
Quote:
Originally Posted by tripwired
True, although it increases workload for IT departments - especially difficult for companies without the resources to dedicate to a lab to test updates before rolling out to the live environment.

Well I meant more to just let the update test itself in the wild, then hope that the AV company will remove it in a timely matter. Either way, we've had an email from the university now in which they said they perform their updates at 5pm, so they didn't get the update from McAfee as soon as it was released anyway.

Really though, and I know it's been said before, the AV companies should be more on the ball with this. There should be some legal responsibility put upon them to ensure proper testing across all OSes they list as compatible. I bet McAfee don't even bother testing on XP anymore, even though the majority of their corporate users run it.
proxess 22nd April 2010, 16:08 Quote
Funny how some are trying to make others pay for natural disasters (Iceland) but no one's attempting to make AV companies pay for these things.
Denis_iii 22nd April 2010, 18:12 Quote
We had such fun with this last night and today :) lmao, the financial traders and hedge fund managers were tweaking!
It's easy to fix if you have a USB thumbdrive and an unaffected PC to get the svchost file from, or if you're lucky you can just restore it from quarantine, but that was only possible on 10% of the 200+ PCs we had to fix.
truckmeister 22nd April 2010, 20:22 Quote
McAfee sucks. If they don't sort out my AV problems then they can forget any future custom from me. My internet security crashed and every attempt that I have made to get them to rectify the fault has left me dealing with muppets. I have emailed them telling them to phone me to sort the problem out, either that or they can refund my purchase costs. Why should I pay for something that doesn't work?
eternum 22nd April 2010, 20:27 Quote
svchost.exe? seriously??? Just about any home computer hobbyist that uses windows could tell you that it's a required file. And these half-wits who are supposed to be guarding your computer's security and should have a fairly intimate knowledge of how windows works weren't aware of this? Seriously??? Just wow... I feel sorry for all the IT personnel who had to deal with this kind of malign stupidity.
RichCreedy 22nd April 2010, 21:10 Quote
svchost.exe is also a file that is targeted by virus writers, hence the need to scan it. False positives will always happen from time to time, as there are too many PCs which aren't updated, so will have an older version of a file that might not have been tested by the AV writer.
RichCreedy 22nd April 2010, 21:23 Quote
I have seen machines with Norton and McAfee get infected with all sorts. AVG does what it's meant to, just like the rest of them, but they all rely on people keeping up to date, and as someone else said, be aware of what you're clicking on.
gnutonian 22nd April 2010, 22:05 Quote
Quote:
Originally Posted by aussiebear
A better approach: Apply practices from Unix/Linux world.

(1) Buy the version of Windows with "Software Restriction Policy". (Usually named "Professional" or "Business" editions). Set it to "Disallow". This will only allow executables to run in "Program Files" and "Windows" directories. You can add more rules to suit your needs.

(2) Only use Administrator when installing/updating/fixing issues. (Password this account.)

(3) Always use Limited/Standard User for day-to-day use. (Password this account as well)...Combining with (1) will cause a Catch-22 for malware. => Where I can run; I cannot save. Where I can save; I cannot run.

(4) Always scrutinize every application/executable BEFORE you install. (Buy legit commercial, check user reviews of freeware, only get software from developer's website, etc.)

(5) Always stay up-to-date. Including third-party software like Java, Flash, Adobe Reader, etc.

(6) Familiarise yourself with the various social engineering tricks.
(A malware's most vulnerable point is getting the user to execute code. If that isn't allowed to happen; infection cannot occur!)

In the last 2 years of applying this approach; No infections. No malware. No BS applications running in the background...The only thing I worry about is hardware failure. (This is typically overcome by selecting quality parts.)
Unfortunately, that is way too much work for the "the blue E is the internet"/"I deleted the internet from my desktop, what do I do?" crowd. People like that seem to be completely incapable of exercising any kind of common sense when it comes to computers/internet.

Hence, no doubt, the Internet Explorer 8 commercial I saw the other day, along the lines of "I received an e-mail from my mother. I clicked the link and IE8 informed me that the website wasn't the real website of my bank. I closed the window, and there, I'm safe."

I guess complacency and blindly trusting the company who made the software has become the norm. I'm really glad I don't work in IT support!
perplekks45 22nd April 2010, 22:20 Quote
Well, technically we switched to Forefront which, as far as I know, is the company client from MS.
Still sucks IMHO.
aron311 23rd April 2010, 00:05 Quote
Quote:
Originally Posted by Hustler
Quote:
Originally Posted by aron311

Hustler you do realise AVG wouldn't find anything even IF your computer is riddled with viruses? It's a piece of crap..

Microsoft Security Essentials is worth a go as it's free, Malware Bytes Anti-Malware is also good..

yeah...yeah...yeah.....heard it all before, fact is no matter what anti-virus product I could have used, someone like you would always pop up to say it's 'a piece of crap'........use this or use that...

I use them because they work, I fix computers every single day and those are the products that remove the viruses..

Take almost any computer with AVG and install any of the main paid antiviruses and I'll damn near guarantee you that something will be there, most people are just not aware of what's good and what's bad on the web.
RichCreedy 23rd April 2010, 01:20 Quote
The real problem with AVG is that "my mate told me to use AVG cos it's free", they don't update it manually, and the free one doesn't update itself as regularly as the paid-for version.

also the free one doesn't offer the same level of protection as the paid for version

tie that with, the fake av products telling the end user that they have 300 infections, click here to fix your unbroken computer and it doesn't matter what antivirus you have, you clicked to allow it and hey presto av product bypassed
Denis_iii 23rd April 2010, 15:00 Quote
I'm using Microsoft Security Essentials since it was released in the UK and have never looked back.
I drop in a SAS, MBAM, Spyware Doctor and Spybot scan every now and then, which have always been clean.

I steer clear from AVG as it drastically slows down the PC, plus I have come across several issues with it, some of which caused BBC and CCN webpages not to load in one instance.
V3ctor 23rd April 2010, 18:06 Quote
This is why Apple doesn't like AV :D
eternum 24th April 2010, 01:34 Quote
Quote:
Originally Posted by RichCreedy
svchost.exe is also a file that is targeted by virus writers, hence the need to scan it. False positives will always happen from time to time, as there are too many PCs which aren't updated, so will have an older version of a file that might not have been tested by the AV writer.

Naturally - but scanning it is one thing, prompting to quarantine it as this update did is immeasurably stupid. There are quite a few necessary windows files that are targeted by virus writers and it's nothing new. But given the scope of the effects, this wasn't a simple oversight with a minor system file; it was gross negligence with regards to a lynchpin system file. If a particular quarantine could result in the system not being able to function (i.e. a file that was required for windows to operate), then the AV program needs to tell the user so - AND prompt the user to create a restore point before applying the quarantine.

I can see the occasional false positive on a relatively obscure file, but there is no worthwhile excuse I can see for this particular screw-up.
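The sequence the article describes (signature hit on svchost.exe, quarantine, unbootable system), Fizzban's suggestion of a list of files the scanner is not to touch, and eternum's point that a quarantine which would break Windows must be surfaced to the user rather than applied, as an added Python model (example code written for this page, not from bit-tech, McAfee or any AV product). The signature patterns, the svchost.exe stand-in bytes and the critical-file catalog are all constructed here. The one design point it shows is that a detection on a catalogued critical file is checked against that file's known-good hash before any action is chosen, and the file is never auto-quarantined in either case.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed toy signature set (a stand-in for a definition update). The second
# pattern is deliberately overbroad so that it also matches the clean svchost
# sample below, which models a false positive of the kind the article describes.
SIGNATURES: Dict[str, bytes] = {
    "Toy/Dropper": b"\x90\x90\xcc\xcc",
    "Toy/Overbroad": b"Service Host",
}

# Constructed stand-in for a clean svchost.exe. In a real catalog the hashes
# would come from the vendor's own clean installs of every supported OS build;
# here the hash is computed from the sample so the example runs offline.
CLEAN_SVCHOST = b"MZ...Generic Service Host Process...constructed sample..."
CRITICAL_FILES: Dict[str, str] = {
    r"C:\WINDOWS\system32\svchost.exe": hashlib.sha256(CLEAN_SVCHOST).hexdigest(),
}

@dataclass
class Verdict:
    path: str
    signature: Optional[str]   # None when nothing matched
    action: str                # "none" | "quarantine" | "report_only"
    reason: str

def scan(data: bytes) -> Optional[str]:
    """Return the first signature whose pattern occurs in data, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None

def decide(path: str, data: bytes) -> Verdict:
    """Turn a scan result into an action, refusing to quarantine critical files."""
    hit = scan(data)
    if hit is None:
        return Verdict(path, None, "none", "no signature matched")
    known_good = CRITICAL_FILES.get(path)
    if known_good is None:
        # Ordinary file: the product's usual default action applies.
        return Verdict(path, hit, "quarantine", "detection on a non-critical file")
    if hashlib.sha256(data).hexdigest() == known_good:
        # Byte-for-byte the catalogued clean copy: the signature, not the file,
        # is wrong. Leave the file alone and flag the signature to the vendor.
        return Verdict(path, hit, "report_only",
                       "matches known-good hash: signature false positive, do not touch")
    # The critical file differs from the catalogued copy (an older unpatched
    # build the vendor never tested, or genuine tampering). Removing it would
    # leave the machine unbootable, so surface it for manual review and offer a
    # repair from trusted install media instead of deleting it.
    return Verdict(path, hit, "report_only",
                   "critical file differs from catalog: manual review, never auto-quarantine")
```

The catalog answers RichCreedy's objection that svchost.exe must still be scanned because it is a real target: the file is scanned exactly as before, and only the action taken on a hit changes.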
Star*Dagger 24th April 2010, 08:26 Quote
If you are still running XP you deserve this!
Crazyglue 24th April 2010, 16:45 Quote
Honestly, if you are using McAfee virus protection still, you deserve to not have a working computer.

ESET Nod32 is probably the best virus software in the world, I highly recommend it.
Shagbag 25th April 2010, 07:44 Quote
Security is a process, not a product.
dyzophoria 25th April 2010, 08:18 Quote
Same, I suggest you stay away from McAfee, and for work switching from McAfee to MS? You need better IT personnel imo if that's the case, no offence.

And all these companies were against MS locking down the original 64-bit core from virus companies, lol, the irony.
RichCreedy 25th April 2010, 12:55 Quote
Quote:
Originally Posted by eternum

Naturally - but scanning it is one thing, prompting to quarantine it as this update did is immeasurably stupid. There are quite a few necessary windows files that are targeted by virus writers and it's nothing new. But given the scope of the effects, this wasn't a simple oversight with a minor system file; it was gross negligence with regards to a lynchpin system file. If a particular quarantine could result in the system not being able to function (i.e. a file that was required for windows to operate), then the AV program needs to tell the user so - AND prompt the user to create a restore point before applying the quarantine.

I can see the occasional false positive on a relatively obscure file, but there is no worthwhile excuse I can see for this particular screw-up.

Or if it is a system file thats needs to be sorted, at least give the user the option to reinstall file, from windows update, maybe?
MSHunter 25th April 2010, 21:18 Quote
Get Linux....
Mandriva, Fedora, Ubuntu etc.
and don't log in as SuperUser.
Done.

(free OS, No viruses, no problems)
And best for businesses because you can't install all the online gambling software that workers get caught with in the US.
MarkW7 25th April 2010, 21:48 Quote
Using Linux is now Win :D

I've never liked McAfee.
1ad7 26th April 2010, 01:24 Quote
Ok, I have a simple question. Why didn't McAfee test the definitions on a Windows XP SP3 machine prior to releasing it to the public? Had they tested it, which would take 5 min max with 1 guy, they would have caught this. Seems simple to stop these system-destroying updates, at least when it comes to Windows.
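1ad7's question (would a test run against an XP SP3 machine have caught this?) and TWeaK's earlier suggestion of waiting a few hours before taking a fresh update, as added Python (example code written for this page, not McAfee's release process or anything from bit-tech). The candidate signature sets, the per-OS clean baselines and the malware corpus are constructed. The vendor-side gate refuses to publish a set that hits any file in a clean baseline or that stops detecting a sample it previously caught; the client-side policy installs only sets that have been public for a minimum age and have not been recalled.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

Signatures = Dict[str, bytes]

# Constructed clean baselines, one per OS build the vendor lists as supported.
# A real gate would scan full images of each build, not a handful of files.
CLEAN_BASELINES: Dict[str, Dict[str, bytes]] = {
    "Windows XP SP3": {
        r"C:\WINDOWS\system32\svchost.exe": b"MZ..XP-SP3..Generic Service Host..",
        r"C:\WINDOWS\explorer.exe":         b"MZ..XP-SP3..Windows Explorer..",
    },
    "Windows 7 x64": {
        r"C:\Windows\System32\svchost.exe": b"MZ..Win7..Host Process for Windows Services..",
    },
}

# Constructed malware corpus: every sample here must still be detected.
MALWARE_CORPUS: Dict[str, bytes] = {
    "sample-001": b"junk\x90\x90\xcc\xccjunk",
    "sample-002": b"..EVIL_PAYLOAD_MARKER..",
}

@dataclass
class GateReport:
    false_positives: List[Tuple[str, str, str]] = field(default_factory=list)  # (baseline, path, signature)
    missed_samples: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.false_positives and not self.missed_samples

def scan(data: bytes, signatures: Signatures) -> List[str]:
    """Names of all signatures whose pattern occurs in data."""
    return [name for name, pattern in signatures.items() if pattern in data]

def gate(candidate: Signatures,
         baselines: Dict[str, Dict[str, bytes]] = CLEAN_BASELINES,
         malware: Dict[str, bytes] = MALWARE_CORPUS) -> GateReport:
    """Pre-release regression check: zero hits on clean baselines and full
    coverage of the malware corpus, otherwise the set is not published."""
    report = GateReport()
    for baseline, files in baselines.items():
        for path, data in files.items():
            for sig in scan(data, candidate):
                report.false_positives.append((baseline, path, sig))
    for sample, data in malware.items():
        if not scan(data, candidate):
            report.missed_samples.append(sample)
    return report

def release_decision(candidate: Signatures) -> str:
    return "publish" if gate(candidate).ok else "block"

def should_install(version: int, released_at: datetime, now: datetime,
                   recalled: Set[int], min_age: timedelta = timedelta(hours=6)) -> bool:
    """Client side: take a definition set only once it has survived min_age in
    the wild without being pulled by the vendor (TWeaK's 6-hour wait)."""
    if version in recalled:
        return False
    return now - released_at >= min_age

# Constructed candidate sets for a demonstration run: GOOD_SET passes the gate,
# BAD_SET adds an overbroad pattern that hits only the XP SP3 baseline.
GOOD_SET: Signatures = {"Toy/Dropper": b"\x90\x90\xcc\xcc", "Toy/Marker": b"EVIL_PAYLOAD_MARKER"}
BAD_SET: Signatures = dict(GOOD_SET, **{"Toy/Overbroad": b"Service Host"})
```

The baselines are keyed by OS build on purpose: BAD_SET is clean against the Windows 7 baseline and fails only on XP SP3, which is why a gate that tests every build the vendor claims to support, rather than the newest one, is the check 1ad7 is asking for.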
supermonkey 26th April 2010, 04:08 Quote
Quote:
Originally Posted by MSHunter
Get Linux....
Mandriva, Fedora, Ubuntu etc.
and don't log in as SuperUser.
Done.

(free OS, No viruses, no problems)
And best for businesses because you can't install all the online gambling software that workers get caught with in the US.
Sure, one of the Linux flavors might be best for business because it's free and has no problems - for a given value of "free" and a given value of "no problems."

I tried Ubuntu a while back. There are some software titles and certain hardware devices I use on a near daily basis at work, and often away from the office when I'm working from home. These titles won't run on Linux. It was fun messing about with Ubuntu, but since I'm not savvy with Linux I found it very time consuming to find and install all the programs I normally use (or free/Linux-friendly alternatives of those programs). The Ubuntu forums are loaded with requests from people trying to get this piece of hardware functioning, or that program installed and [i]completely[/i] functional. A good AV solution is sometimes the least of their problems.

After reading so many IT geeks bemoaning working the help desk because users can't figure out their Windows boxes, I'd hate to see the comments when they have to take over all the help calls coming in when the secretary can't figure out the sudo command.

Sorry, but pithy comments such as "use X and you'll be problem free" don't take into consideration that the majority of computer users rely on AV programs much in the same way that they rely on nanny-state governments. They need the computer to take as much control, but not appear as though it's taking over (Windows Vista User Account Control, anyone?). When a person relies on an AV program to filter out all the spam while he surfs for prOn, he's trusting that the company makes every effort to release a quality product. Sometimes, sh*t happens, and you end up electing an idiot warmonger clicking the wrong link, or the update crashes your machine.

Yeah, it would be nice if software companies would only release programs that worked 100% of the time. I also want my washing machine to run forever.
Shagbag 26th April 2010, 05:58 Quote
Secretaries shouldn't have access to the sudo command. That's the whole point. Windows is rubbish at event logging so it's little wonder the Help Desk gets frustrated when users can't explain what they did.

As to vendors not providing Linux versions of their software: this will change over time, but you can always get your IT dept to run it on WINE or virtualise it.
eddtox 26th April 2010, 11:36 Quote
I'm 21. At each of the last 3 companies I worked for (as a CAD technician) I was the most tech-savvy person there. I love the idea(ls) of linux and I've tried it quite a few times.

However, each time I found that everything took me so much longer to do, because it wasn't windows. Almost every task I wanted to perform had to be preceded by an often lengthy learning process, during which I discovered various ways in which linux is different from windows.

Now, I'm not necessarily saying that's a bad thing, but it is a huge factor. For most people, switching their production machines to Linux would be disastrous. It is also worth bearing in mind that many small companies do not have a dedicated IT department to set things up and teach people how to do the things they need to get done. It's easy to say "Just switch to Linux", but for most people that is even more work than putting up with McAfee ruining their PCs.

For the record, I continue to tinker with linux, and I hope the day will soon come when I am competent enough to be able to run it as a primary OS on my machines.