Wednesday morning, McAfee released an update to its antivirus definitions for corporate customers. Nothing unusual in that. What was unusual is that the update affected Windows XP SP3 (and unfortunately, a lot of companies are still on XP) and a vital file, svchost.exe. Consumers were not affected, but because the update, DAT update 5958, deleted the svchost.exe file, resulting in multiple reboots and loss of networking, you can bet a lot of IT administrators are looking into a new security vendor today.
The SANS Internet Storm Center described the SNAFU as follows:
McAfee's "DAT" file version 5958 is causing widespread problems with Windows XP SP3. The affected systems will enter a reboot loop and lose all network access. We have individual reports of other versions of Windows being affected as well. However, only particular configurations of these versions appear affected. The bad DAT file may infect individual workstations as well as workstations connected to a domain. The use of "ePolicyOrchestrator", which is used to update virus definitions across a network, appears to have led to a faster spread of the bad DAT file. The ePolicyOrchestrator is used to update "DAT" files throughout enterprises. It cannot be used to undo this bad signature because affected systems will lose network connectivity.
It is a source of great dismay for IT when they have to go around from system to system individually to fix things, and in this case, they had to. McAfee has since released an updated DAT file. Of course, if your networking is hosed, it will be difficult to get an updated DAT file.
Perhaps the only good news is that it was the corporate version of McAfee's security software that was most affected. As with most of these sorts of issues, one has to wonder why a little QA didn't find the issue before McAfee ended up attacking the PCs it was supposed to protect.