Thursday, April 22, 2010

Bug causes McAfee AV to attack systems it was supposed to protect

It happens. It's happened before and it will happen again. It is, of course, more unusual when something like this happens to one of the bigger security firms, however, and hard to imagine a bigger mistake.

Wednesday morning, McAfee released an update to its antivirus definitions for corporate customers. Nothing unusual in that. What was unusual is that the update affected Windows XP SP3 (and unfortunately, a lot of companies are still on XP) and a vital file, svchost.exe. Consumers were not affected, but since the update, DAT update 5958, deleted the svchost.exe file, resulting in multiple reboots and loss of networking, you can bet a lot of IT administrators are looking into a new security vendor today.

The SANS Internet Storm Center described the SNAFU as follows:
McAfee's "DAT" file version 5958 is causing widespread problems with Windows XP SP3. The affected systems will enter a reboot loop and lose all network access. We have individual reports of other versions of Windows being affected as well. However, only particular configurations of these versions appear affected. The bad DAT file may infect individual workstations as well as workstations connected to a domain. The use of "ePolicyOrchestrator", which is used to update virus definitions across a network, appears to have led to a faster spread of the bad DAT file. The ePolicyOrchestrator is used to update "DAT" files throughout enterprises. It cannot be used to undo this bad signature because affected systems will lose network connectivity.
It is a source of great dismay for IT when they have to go around from system to system individually to fix things, and in this case, they had to. McAfee has since released an updated DAT file. Of course, if your networking is hosed, it will be difficult to get an updated DAT file.

Perhaps the only good news is that it was the corporate version of McAfee's security software that was most affected. As with most of these sorts of issues, one has to wonder why a little QA didn't find the issue before McAfee ended up attacking the PCs it was supposed to protect.
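The kind of QA gate that would have caught this is a staged rollout: scan a staging host with the candidate definitions first, and refuse to push them fleet-wide if any detection lands on an unmodified, known-good OS binary such as svchost.exe. The script below is an added illustration of that check and is not McAfee's, SANS's, or ePolicyOrchestrator's code; every path, file content, hash and signature name in it is constructed for the example.

```python
"""Pre-rollout gate for antivirus definition updates (added example, not
vendor code). A staging host is scanned with the candidate definitions; if
any detection lands on an unmodified, known-good OS binary, the update is
blocked before fleet-wide distribution. All paths, file contents, hashes
and signature names below are constructed."""
import hashlib
from typing import Dict, List, Tuple

Detection = Tuple[str, str]  # (file path reported by the scanner, signature name)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def norm_path(path: str) -> str:
    """Windows paths are case-insensitive; normalise before any lookup."""
    return path.replace("/", "\\").lower()


# Constructed stand-ins for the files on a staging host (path -> contents).
STAGING_FILES: Dict[str, bytes] = {
    r"C:\Windows\System32\svchost.exe": b"MZ constructed svchost stand-in",
    r"C:\Windows\System32\winlogon.exe": b"MZ constructed winlogon stand-in",
    r"C:\Users\tester\Downloads\sample.bin": b"constructed suspicious sample",
}

# Known-good hashes of binaries Windows cannot boot or network without.
# In practice these come from a golden image or vendor catalogue, never
# from the host being scanned; here they are derived from the constructed
# contents above so the example is self-contained.
PROTECTED_HASHES: Dict[str, str] = {
    norm_path(r"C:\Windows\System32\svchost.exe"): sha256_hex(b"MZ constructed svchost stand-in"),
    norm_path(r"C:\Windows\System32\winlogon.exe"): sha256_hex(b"MZ constructed winlogon stand-in"),
}


def classify_detections(detections: List[Detection], files: Dict[str, bytes],
                        protected: Dict[str, str]) -> Tuple[List[Detection], List[Detection]]:
    """Split scanner detections into (false_positives, needs_review).

    A detection on a protected path whose on-disk hash still equals the
    known-good hash is a false positive: the file is unchanged, so the new
    signature is matching legitimate OS code. A protected path whose hash
    differs is not dismissed, because the binary may genuinely have been
    replaced; it goes to review instead, as does anything unprotected."""
    files_by_path = {norm_path(p): data for p, data in files.items()}
    false_positives: List[Detection] = []
    needs_review: List[Detection] = []
    for path, signature in detections:
        key = norm_path(path)
        expected = protected.get(key)
        current = files_by_path.get(key)
        if expected is not None and current is not None and sha256_hex(current) == expected:
            false_positives.append((path, signature))
        else:
            needs_review.append((path, signature))
    return false_positives, needs_review


def rollout_decision(detections: List[Detection], files: Dict[str, bytes] = STAGING_FILES,
                     protected: Dict[str, str] = PROTECTED_HASHES) -> dict:
    """Gate: allow the fleet-wide push only if no protected, unmodified file is flagged."""
    fps, review = classify_detections(detections, files, protected)
    return {"allow": not fps, "false_positives": fps, "needs_review": review}


# Constructed scan report from a staging host running the candidate definitions.
CANDIDATE_REPORT: List[Detection] = [
    (r"C:\Users\tester\Downloads\sample.bin", "Example.Trojan.A"),
    (r"C:\WINDOWS\system32\svchost.exe", "Example.Trojan.A"),  # same signature hits a core binary
]

if __name__ == "__main__":
    decision = rollout_decision(CANDIDATE_REPORT)
    print("BLOCK" if not decision["allow"] else "ALLOW", decision)
```

The point of the hash comparison is that the gate does not simply whitelist paths: a protected binary that has actually been replaced still gets a genuine detection routed to review, while a hit on an unchanged copy is treated as proof that the signature itself is bad and the rollout is stopped before it can take down networking on every endpoint.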
