

hurleyp

join:2000-06-20
Ottawa, ON
·Rogers Hi-Speed

McAfee/NAI rolls bad pattern

SANS Internet Storm Center is reporting that "NAI/McAfee today (March 10) released pattern version 4716 only hours after 4715 had come out."

"Pattern 4715 triggered false positive virus alerts for "W95/CTX" on a number of files that are part of quite prominent third party products."

Full report at »isc.sans.org/diary.php?storyid=1179

Paul
--
"I reject your reality and substitute my own."


Portmonkey
scurvy
Premium
join:2004-04-09
Southern IL
Thank you very much for posting this info. I'm glad I decided to check here before allowing McAfee to start deleting or quarantining files.
--
Road to hell paved with unbought stuffed dogs. Hemingway


owlyn
Premium,MVM
join:2004-06-05
Newtown, PA

reply to hurleyp
Just this morning I woke up to find an alleged 37 files infected with the W95/CTX virus. Fortunately, I doubted the report and looked at the Virus Help on McAfee's web site, where it said that 4715 produces FPs and to get 4716.

But I am an experienced user, and work in I.T., so I was reasonably certain that the report was false. How about the 99% of the users who would have just quarantined the files? That's a BIG "my bad" for McAfee.


hurleyp

join:2000-06-20
Ottawa, ON
·Rogers Hi-Speed

reply to hurleyp
At least if you set McAfee to quarantine "infected" files, you can go about restoring them. Not an easy job, but much better than if they were deleted. I use NAV, and after I saw this report I checked my options and sure enough, NAV was set to delete infected files. I've changed that to quarantine just in case NAV starts going false-positive crazy!

Paul
--
"I reject your reality and substitute my own."

waynemr

join:2002-01-28
Madison, WI

reply to hurleyp
Well CRAP! I had 161 files falsely tagged and quarantined because of this fiasco! Now I've got to go back and restore each one by hand!!!!


GlassRail
Premium
join:2000-11-02
Retired
·AT&T Southwest

reply to hurleyp
Thanks for the heads up. I came home yesterday and found 48 files with W95/CTX. They were all main program files and I almost had a heart attack.

I finally restored them and everything worked fine, until I installed NOD32. My system froze up and wouldn't allow me into the safe mode. What a mess that was!
--
Frankly Speaking!


hurleyp

join:2000-06-20
Ottawa, ON
·Rogers Hi-Speed

reply to hurleyp
Here is a March 12 follow-up to this incident from SANS:

»isc.sans.org/diary.php?storyid=1184&rss

"Users who have moved detected files to quarantine should restore them to their original location. Windows users who have had files deleted should restore files from backup or use System Restore."

Gee, thanks.

Paul
--
"I reject your reality and substitute my own."

zteardrop

join:2005-12-20
Brooklyn, NY

reply to hurleyp
A lot of antivirus companies, in an effort to get definitions out first, are compromising on the quality of their definitions. We've seen that with NOD32, KAV, now McAfee. I agree that FPs do occur, but I think someone needs to keep score on how many times they occur for various companies.

ForeverZero

join:2005-01-11
Hollywood, FL
reply to hurleyp
Just got done cleaning up the mess this caused at my workplace.
Good way to start a Monday!

I think we got off pretty easy tho, the 4716 release happened before a lot happened to us, did have some servers affected tho.

-ForeverZero-


hurleyp

join:2000-06-20
Ottawa, ON
·Rogers Hi-Speed

reply to hurleyp
McAfee has created a cleanup tool to restore files incorrectly quarantined by the bad DAT update. Follow the link in the 13 Mar update at »vil.nai.com/vil/content/v_138884.htm
--
"I reject your reality and substitute my own."


lilhurricane
Crunchin' For Cures
Premium,Mod
join:2003-01-11
Purple Zone
·Comcast

1 edit
 
said by hurleyp:

McAfee has created a cleanup tool to restore files incorrectly quarantined by the bad DAT update. Follow the link in the 13 Mar update at »vil.nai.com/vil/content/v_138884.htm

Thank you for the link...that helps

Edit: Had added this morning to SCU news as well:
»McAfee Update Breaks Hundreds Of Apps
© 1999-2009 dslreports.com