Stem Bolt Premium join:2002-11-08 Cleveland, OH
McAfee false-positive glitch fells PCs worldwide
»www.theregister.co.uk/2009/07/03···_glitch/
quote:
IT admins across the globe are letting out a collective groan after servers and PCs running McAfee VirusScan attacked core system files, in some cases causing the machines to display the dreaded blue screen of death.
Details are still coming in, but forums here and here show that it's affecting McAfee customers in Germany, Italy, and elsewhere. A UK-based Reg reader, who asked to remain anonymous because he was not authorized by his employer to speak to the press, said the glitch simultaneously leveled half of a customer's 140 machines after they updated the latest virus signature file.
"Literally half of the machines were down with this McAfee anti-virus message IDing valid programs as having this trojan," the IT consultant said. "Literally half the office switched off their PCs and were just twiddling their thumbs."
When the consultant returned to his office he was relieved that his own laptop, which also uses VirusScan, was working normally. Then, suddenly, when it installed the latest McAfee DAT file, his computer was also smitten. The anti-virus program identified winvnc.exe and several other legitimate files as malware and attempted to quarantine them. With several core system files out of commission, the machine was rendered an expensive paperweight.
A McAfee representative in the US didn't immediately respond to phone calls seeking comment. Friday is a holiday for many US employees in observance of Saturday's Independence Day.
Based on anecdotes, the glitch appears to be caused when older VirusScan engines install DAT 5664, which McAfee seems to have pushed out in the past 24 hours. Affected systems then begin identifying a wide variety of legitimate - and frequently crucial - system files as malware. Files belonging to Microsoft Internet Explorer, drivers for Compaq computers, and even the McAfee-associated McScript.exe were being identified as a trojan called PWS!hv.aq, according to the posts and interviews.
We're still trying to determine how widespread this false-positive glitch is being felt and whether people have found any reliable fixes.
-- Norton 2010 BETA + Online Armor Free + Router/SPI

DataDoc My avatar looks like me, if I was 2D. Premium join:2000-05-14 Greenville, NC
Re: McAfee false-positive glitch fells PCs worldwide
And how would a regular user recover from this?

Tuulilapsi Kenosis join:2002-07-29 Finland
Re: McAfee false-positive glitch fells PCs worldwide
said by DataDoc: And how would a regular user recover from this?
Restoring backups, I'd say. Reinstalling, or repairing Windows if that is what it takes.
However, I can't help being amused by this incident. Apparently folks will now need anti-anti-virus software to protect them from dangerous anti-virus software. You have to wonder how many people were just damaged more by their anti-virus than they've ever been damaged by actual malware.
-- Want security? Run as limited user.

Dude111 An Awesome Dude Premium join:2003-08-04 USA
A system restore might be the only way.....

La Luna Surviving Ashraful Premium join:2001-07-12 Warwick, NY
Re: McAfee false-positive glitch fells PCs worldwide
....the glitch appears to be caused when older VirusScan engines install DAT 5664...
Maybe that has something to do with who is affected, the VirusScan engine version?

nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
Re: McAfee false-positive glitch fells PCs worldwide
Yes, but I'm not sure what that means. Periodically, McAfee installs an updated engine, and newer DAT files won't run on the older engine. Did some cross check go wrong? Or does "engine" mean something different from what McAfee calls its engine?
-- AT&T dsl; Speedstream 5100b modem; openSuSE 11.0; firefox 3.0.11

SUMware Premium join:2002-05-21
From today's McAfee forums: »forums.mcafeehelp.com/showthread···1&page=3
We have had it confirmed by McAfee support that this problem is due to the old engine and that the only solution is to upgrade. There will be no further assistance in doing this (or fixing the issue) provided by McAfee.
It only affects VSE8.0i with Engine 5100.
VSE8.0i with 5200 Engine or above seems to work properly.
VSE8.5i and 8.7i are not affected.
...this is a false positive due to engine 5100 obsolescence. 5100 is not supported anymore since January 2008, it is very likely that this engine is not able to interpret correctly the latest DATs (5664 in this case).

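An added example, not part of any post in this thread and not McAfee code: a pre-deployment gate that a central management server could apply before pushing a DAT, using the support facts quoted above (engine 5100 unsupported from 1 February 2008, engine 5200 or above working). The inventory layout, hostnames and function names are assumptions made for illustration.

```python
import csv
import io
from datetime import date

# From the EoL statement quoted in the thread: DATs are no longer tested
# against engine 5100 from 2008-02-01 onwards.
ENGINE_EOL = {5100: date(2008, 2, 1)}

# Constructed sample inventory (hostnames and CSV layout are assumptions).
SAMPLE_INVENTORY = """host,product,engine
ws-001,VSE 8.0i,5100
ws-002,VSE 8.0i,5200
ws-003,VSE 8.5i,5200
ws-004,VSE 8.0i,
"""

def engine_supported(engine, today):
    """True if the vendor still tests DATs against this engine on `today`."""
    eol = ENGINE_EOL.get(engine)
    if eol is not None:
        return today < eol
    # Assumption: an engine older than a retired one is retired too.
    return engine > max(ENGINE_EOL)

def plan_dat_push(inventory_csv, dat_version, today):
    """Split endpoints into hosts that may get the DAT and hosts held back."""
    push, hold = [], []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        host = row["host"]
        raw = (row["engine"] or "").strip()
        if not raw.isdigit():
            # Fail closed: never push to an endpoint whose engine is unknown.
            hold.append((host, "engine version unknown"))
        elif not engine_supported(int(raw), today):
            hold.append((host, f"engine {raw} unsupported; DAT {dat_version} "
                               "is untested on it, upgrade the engine first"))
        else:
            push.append(host)
    return push, hold

if __name__ == "__main__":
    ok, held = plan_dat_push(SAMPLE_INVENTORY, 5664, date(2009, 7, 3))
    print("push to:", ok)
    for host, reason in held:
        print("hold:", host, "-", reason)
```

Held-back hosts keep their last tested DAT until the engine is upgraded, which trades some detection coverage for not running an untested engine and DAT combination.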
Cabal Premium join:2007-01-21 Boston, MA
Doesn't this happen every year? I can't believe anyone would risk their infrastructure on McAfee.

nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
Re: McAfee false-positive glitch fells PCs worldwide
I am not seeing this as a McAfee problem. It looks more like a user problem.
We use McAfee at work. It is site licensed. We are allowed encouraged to install on home machines that are used for work related projects (covered by the site license). When we download the software, we have to agree to the conditions before the download starts. And one of the conditions is that we may use the software for only one year, and must uninstall it after then (presumably to install a newer version).
It seems to have been more than 2 years, perhaps more than 3 years, since the offered version was 8.5. So anybody still using 8.0 was not living up to their responsibilities. And we were notified last year by our IT folk, that if we were still running 8.0 or earlier, then it is no longer supported and we should remove it and install the newer version.
It seems to me that McAfee has been getting the word out. It isn't their fault if people were not listening.
My own opinion of McAfee is that it is too bloated. But I use it because it is free for me (the home version provided by ISP, the enterprise version from work). And I mainly use unix anyway, where the bloat in windows software won't be affecting me.
-- AT&T dsl; Speedstream 5100b modem; openSuSE 11.0; firefox 3.0.11

Shriyash Sungazer Premium join:2005-02-23 PuNe, InDiA
The very word McAfee makes me cringe.

Mele20 Premium join:2001-06-05 Hilo, HI
"this is a false positive due to engine 5100 obsolescence. 5100 is not supported anymore since January 2008".
My question is why didn't these businesses upgrade to a supported engine? I mean it is not like engine 5100 went unsupported a month ago...it has been over a year and one-half since that engine was supported. In fact, I was a beta tester for McAfee and tested VSE8.0i with the engine 5100 and that was several years ago. McAfee corporate is a good AV. It is nothing like the crap they make for home users.
-- "The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason

mers2 Premium,MVM join:2004-03-20 USA
Re: McAfee false-positive glitch fells PCs worldwide
It appears they have been getting database updates - so why go to the expense of upgrading, especially in an economic downturn? I have to say McAfee has shot themselves in the foot by refusing to fix this. They would have been better off to cut off database updates to this engine. If I were a business IT manager the last thing I would do would be to upgrade McAfee after it had trashed my network. I'd be looking for another anti-virus.
-- "The best proof there is intelligent life in outer space is the fact it hasn't come here." Arthur C. Clark 1917-2008 Team Discovery

SUMware Premium join:2002-05-21
said by dandelion: Wouldn't it have been a better business practice to send a warning that new data is likely to cause severe crashes etc. if the program is not updated?
5100 McAfee Anti-Virus Engine End Of Life (EoL) Product Management Statement 08-03-2007 - said by McAfee: After 1st February 2008 the 5100 McAfee Anti-Virus Engine will no longer be supported. In order to continue to receive support on McAfee Anti-Virus products users will need to upgrade to the 5200 version of the McAfee Anti-Virus Engine before this date.
From 1st February 2008 onwards there will be no further Anti-Virus definition files (DAT file) quality testing with the 5100 McAfee Anti-Virus Engine. Also, new detections and cleaning by the DAT files will be written with focus on the new enhanced capabilities of the 5200 McAfee Anti-Virus Engine where appropriate.

SUMware Premium join:2002-05-21
Re: McAfee false-positive glitch fells PCs worldwide
said by dandelion: I am assuming... I wouldn't have interpreted that quote that way.
I am assuming that McAfee provided users with additional information and warnings. I am assuming that when a product goes 100% unsupported no one can predict how it will perform or interact on a system into the future. At that point users are 100% on their own and potentially at risk for all kinds of unpleasantness. Just common sense.

Mele20 Premium join:2001-06-05 Hilo, HI
said by dandelion: I am assuming possibly someone in the security field may interpret this that at the very least their machines would be open to new malware cropping up even hoping if the update is delayed at least the machines are still partially protected, yet the likelihood of that versus the entire machine crashing wouldn't be thought likely IMO. At least I wouldn't have interpreted that quote that way.
Symantec does the same and the same position is taken for home users. The message from McAfee is clear. "You wanna risk big fuckups stick with the old engine as we ain't gonna test the DAT files after February 1, 2008 on the 5100 engine."
I don't buy for one second that IT for those businesses was not aware of how this works with both Symantec and McAfee. They took a calculated risk and they lost big time. That is not McAfee's fault.
-- "The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason

Oleg Bellsouth Fastaccess Premium join:2003-12-08 Birmingham, AL
Not surprised at all.

Cudni La Merma - Vigilado Premium,MVM join:2003-12-20 Someshire
Re: McAfee false-positive glitch fells PCs worldwide
said by mers2: At least with Symantec, you can no longer get updates without going to a lot of trouble when their product goes unsupported.
You can simply download and update manually 8.1 with all the risks that might bring
Cudni
-- "what we know we know the same, what we don't know, we don't know it differently." Help yourself so God can help you. Microsoft MVP, 2006 - 2009

mers2 Premium,MVM join:2004-03-20 USA
Re: McAfee false-positive glitch fells PCs worldwide
said by Cudni: said by mers2: At least with Symantec, you can no longer get updates without going to a lot of trouble when their product goes unsupported. You can simply download and update manually 8.1 with all the risks that might bring Cudni
That's what I meant by going to a lot of trouble. McAfee would have been better off to have that as the model for non supported versions, than allow it to continue auto-updating. That is a recipe for disaster and bad press - which is what they got.
Edited to add: What most people are going to remember is that a McAfee update made a lot of computers unusable.
-- "The best proof there is intelligent life in outer space is the fact it hasn't come here." Arthur C. Clark 1917-2008 Team Discovery

Cudni La Merma - Vigilado Premium,MVM join:2003-12-20 Someshire
Re: McAfee false-positive glitch fells PCs worldwide
said by mers2: That's what I meant by going to a lot of trouble. McAfee would have been better off to have that as the model for non supported versions, than allow it to continue auto-updating. That is a recipe for disaster and bad press - which is what they got.
It is not just McAfee to blame it is also the admins who allowed non supported software to break their network. Although they can always remind their bosses how they were refused the budget when they requested to update AV.
Cudni
-- "what we know we know the same, what we don't know, we don't know it differently." Help yourself so God can help you. Microsoft MVP, 2006 - 2009

mers2 Premium,MVM join:2004-03-20 USA
Re: McAfee false-positive glitch fells PCs worldwide
said by Cudni: said by mers2: That's what I meant by going to a lot of trouble. McAfee would have been better off to have that as the model for non supported versions, than allow it to continue auto-updating. That is a recipe for disaster and bad press - which is what they got. It is not just McAfee to blame it is also the admins who allowed non supported software to break their network. Although they can always remind their bosses how they were refused the budget when they requested to update AV. Cudni
Yup, but I feel sorry for IT admins in this economy - and it's been going down the tubes for a couple of years. It's really hard to talk the boss into upgrading when the current system works fine and the AV is updating. I'd wager, though, that the bosses will now demand a different brand AV 'cause they'll think it's McAfee's fault.
-- "The best proof there is intelligent life in outer space is the fact it hasn't come here." Arthur C. Clark 1917-2008 Team Discovery

dandelion Premium,MVM join:2003-04-29 Germantown, TN
Re: McAfee false-positive glitch fells PCs worldwide
said by mers2: said by Cudni: said by mers2: That's what I meant by going to a lot of trouble. McAfee would have been better off to have that as the model for non supported versions, than allow it to continue auto-updating. That is a recipe for disaster and bad press - which is what they got. It is not just McAfee to blame it is also the admins who allowed non supported software to break their network. Although they can always remind their bosses how they were refused the budget when they requested to update AV. Cudni Yup, but I feel sorry for IT admins in this economy - and it's been going down the tubes for a couple of years. It's really hard to talk the boss into upgrading when the current system works fine and the AV is updating. I'd wager, though, that the bosses will now demand a different brand AV 'cause they'll think it's McAfee's fault.
Looking at it in the "business" sense rather than security, I agree which was my point originally. As has been posted numerous times in this forum, it is amazing the number of people who wouldn't think security of their computer is all that important yet keep very sensitive data on it some businesses relying heavily on it.
-- Spare computer cycles can help find answers Find A Cure!

elnino join:2006-08-27 Akron, OH
said by mers2: At least with Symantec, you can no longer get updates without going to a lot of trouble when their product goes unsupported. McAfee should have engineered their products the same way if an update is going to crash systems/networks. I'm pretty sure they lost customers because of this - and the bad publicity doesn't help.
Actually, this is kinda what McAfee did already. The Auto-Update on 8.0i doesn't update to anything newer than Nov 30, 2008. But, if they're running a centralized management server for McAfee, it can manually FTP into McAfee and download the DAT updates and push them out to the end users.
If this company was paying maintenance/support costs to McAfee, upgrades to the software are free. Should have been no reason for them to be running an unsupported version of their software. Yeah, it "was working" for them, but in an unsupported fashion. They could have even pushed out a new version of the McAfee client from the management server