McAfee Anti-Virus Causes Widespread File Damage

AJ Mexico writes, "[Friday] McAfee released an anti-virus update that contained an anomaly in the DAT file that caused many important files to be deleted from affected systems. At my company, tens of thousands of files were deleted from dozens of servers and around 2000 user machines. Affected applications included MS Office, and products from IBM (Rational), GreenHills, MS Office, Ansys, Adobe, Autocad, Hyperion, Win MPM, MS Shared, MapInfo, Macromedia, MySQL, CA, Cold Fusion, ATI, FTP Voyager, Visual Studio, PTC, ADS, FEMAP, STAT, Rational.Apparently the DAT file targeted mostly, if not exclusively, DLLs and EXE files." An anonymous reader added, "Already, the SANS Internet Storm Center received a number of notes from distressed sysadmins reporting thousands of deleted or quarantined files. McAfee in response released advice to restore the files. Users who configured McAfee to delete files are left with using backups (we all got good backups... or?) or System restore."

Help!

[vjmurphy]

I need virus protection from my virus protection!

Re:Help!

[spellraiser]

Okay - but after you get that, are you still safe?

NO!

You're going to need some virus protection from your virus protection from your virus protection to be absolutely safe.

Thankfully, I am offering those at very reasonable prices. Buy one now and receive a free fragment from the Eiffel tower as a value-added gift.

Re:Help!

[xtracto]

What about a *nix firewall with antivirus software on it?

You only need that headless pentium 3 (even a pentium pro could make it!) that you are using to rest your feet ;-), plus you will be able to forget the burden of whatever "ANTI-*.* " software that wastes your precious resources.

Of course that is if you use Windows (for whatever reason, I also do it).

Re:Help!

[Mistshadow2k4]

A common misconception. First of all, some viruses/malware can download straight into your computer while you're just online (the infamous Blaster comes to mind). So obviously you need a firewall. And some programs that are tagged "clean" by some sites can contain trojans aanyway. The only solution against the latter besides antivirus would be to never buy or download any program that didn't come with Windows - and Windows comes with practically nothing as it is.

Re:Help!

Now I am going to come out with an Antivirus product that is pretty bare bones, but I am going to make available to you, for the low low price of $39.95, the anti-spyware/anti-anti-anti-anti-virus protection. Protects you from all viruses, and all other antivirus software on the market.

But wait...there's more. Act now and I'll throw in this set of Ronco steak knives!

Re:Help!

[Ucklak]

OK, then don't use Windows.

If you have to use Windows, use it in a non network environment in a VM setting.

Re:Help!

[Pharmboy]

Now I am going to come out with an Antivirus product that is pretty bare bones, but I am going to make available to you, for the low low price of $39.95, the anti-spyware/anti-anti-anti-anti-virus protection

Or install Linux for free.

Re:Help!

[Mistshadow2k4]

Exactly. If you don't want to install Windows, just use Knoppix and save your settings (including anything you download). It can make it's own directory on drive C to do that and it's directory is fully accessible under Windows.

Re:Help!

Their Linux product was also affected.
You would have noticed that, had you RTFA.

This trashed IT staff's weekend - not just Sunday, but Friday night, Saturday all day. It trashed Oracle database server and client binaries - so it also affected application servers and database servers.

Re:Help!

[hviezda14]

Better from us (good), than from them (bad viruses).

Re:Help!

[rikkards]

That's great but what if someone introduces a virus through other means i.e usb key, infected laptop, etc. Firewall won't help much internally

Re:Help!

[Pharmboy]

You would have noticed that, had you RTFA.

Um, I did RTFA, and I have been restoring systems all morning. Our Linux server, however, didn't need restoring, since we don't use any AV on any Linux systems. I am more than aware of exactly what it did, and when it did it, since I am busy cleaning up their mess.

Would love to chat more, but I'm kinda busy mopping up after this mess...

Re:Help!

[enjerth]

Affected applications included MS Office, and products from IBM (Rational), GreenHills, MS Office, Ansys, Adobe, Autocad, Hyperion, Win MPM, MS Shared, MapInfo, Macromedia, MySQL, CA, Cold Fusion, ATI, FTP Voyager, Visual Studio, PTC, ADS, FEMAP, STAT, Rational.

So was MS Office affected twice?

Re:Help!

[blincoln]

That's great but what if someone introduces a virus through other means i.e usb key, infected laptop, etc. Firewall won't help much internally

Exactly.

Every virus that's hit the company I work at while I've been there was brought in on a laptop by a contractor.

Re:Help!

In other news today, Finnish security company F-Secure's CEO Mr.Hiippoonnneneiinaronson declared that their security lab had discovered the McAfee Virus Update Worm. "This is a virulent system sttack that will delete essential files from systems all over the world, and we are rating it Highly Critical". F-Secure today released an update to their own Anti-Virus software (cost $1m) which successfully removes all McAfee products from the users system, and then establishes a credit-card account with F-Secure which will be randomly billed for anti-virus updates. "But really, this is a all-round winner of a deal for the end user", Hipperoonsensonenfart" declared.

Re:Help!

[KlomDark]

What, the only people at your company who have laptops are contractors? Tell us another one, punk-ass.

Re:Help!

[Rakishi]

I assume all the non-contractors have company approved (and tested) anti-virus software on their laptops.

Re:Help!

[gcranston]

Trace-buster-buster-buster.

Re:Help!

[operagost]

So, when do the needle snakes and gorillas come in?

Re:Help!

LOL...after 36 hours of frantically packaging fixs for deployment to thousands of pc's my favorite part of all this was the lame letter we got that attempted to apoligize. Somewhere in there it mentioned that they at least caught it in a 5 hour window...of course that 5 hours came at about the same time everyone went home for the weekend.

HOW ABOUT SPENDING AT LEAST 5 HOURS QAing YOUR FLIPPIN UPDATES FIRST

in about 2 weeks when most of the dust has settled my next package will remove Mcafee and install something else

Re:Help!

"Rational" too. I didn't realize ATI was an application, either.

Re:Help!

[Crunchie+Frog]

So what are you doing allowing them to connect non-company laptops to your network?

Re:Help!

[Master+of+Transhuman]

Just had a client who was installing his Mac and wanted me to hook him up to the Internet.

First thing he asked was, what did he need to be secure from the viruses?

I told him there ARE NO VIRUSES for Mac OSX. And damn little spyware - so little that no one has written an open source anti-spyware tool for the Mac, although there are one or two commercial products probably not worth buying.

I pointed him to ClamXav anyway, but told him that was just for protecting him from forwarding an email infected from a Windows machine to another Windows machine.

Re:Help!

Please explain.
You link how to build BSD Firewall, and and then link to a bsd workstation antivirus. How is that going to protect the corperate network??
As far as I understand, the antivirus will only scan files on the local machine, so unless you want to save all emails/www/bittorrent/ftp/etc/etc files on the firewall for scanning before the local machine gets it, your solution is pointless.

Re:Help!

[blincoln]

I assume all the non-contractors have company approved (and tested) anti-virus software on their laptops.

Exactly. Although I am a punk-ass.

Re:Help!

[Mycroft_VIII]

They do ship several apps with thier product, some they developed, some third party.

Mycroft

Re:Help!

[jtcm]

You're going to need some virus protection from your virus protection from your virus protection to be absolutely safe. Thankfully, I am offering those at very reasonable prices.

An old acquaintance of my mother has apparently made vast sums of money selling insurance to the insurance companies...

I think your business model may have merit.

Re:Help!

[enigma48]

This would only give you partial protection unless you have security software/gateway that could perform miracles. Your gateway is almost guaranteed to miss viruses/malware/trojans/etc in:

* Torrent downloads (unless the gateway downloaded it for you and didn't send it to your computer until it had finished, scanned it, and approved it)
* Any downloaded archive (it might catch a ZIP file you downloaded from a website, but a password protected one?)
* non-standard traffic (encrypted IM messages, etc)

You'd be partially protected though but for thorough protection the gateway would have to be all-seeing, understand all protocols, block (or hold?) password protected/encrypted info, read all file formats, catch multi-platform viruses/malware/trojans, etc.

Most companies with a strict IT policy that disallows the above could (and probably should) look into doing all protection on a firewall. Maybe incorporating a application-level router as well. Interesting idea.

Re:Help!

Well, that's what you get for using Windows. Stop running your company on Windows and you won't have this problem.

The Risk

[eldavojohn]

I think it's funny how on McAfee's site, they list the risk of the virus they are trying to identify:

Corporate User : Low
Home User : Low

Did they forget to include that the risk of installing McAfee Anti-Virus for any user : High?

Wait a minute, it is identifying some system files that Windows put on my machine! I guess the Mac & 'nix freaks are right, Windows really is a virus. I hope it's only a matter of time before my next virus definition assesses Internet Explorer & Windows Media Player as full blown Trojan viruses distributed as malware with my OS.

Re:The Risk

[Aspirator]

One of the commonly percieved risks of viruses is that
'they will delete your files'.

In one fell swoop it seems as though McAfee may have deleted more files
than all the viruses it has removed would have.

Re:The Risk

[dc29A]

Wait a minute, it is identifying some system files that Windows put on my machine! I guess the Mac & 'nix freaks are right, Windows really is a virus. I hope it's only a matter of time before my next virus definition assesses Internet Explorer & Windows Media Player as full blown Trojan viruses distributed as malware with my OS.

With common sense like not running Windows as root, ditching IE, ditching WMP and not blindly installing every software you find (even if it has flashing (OMG YUR PC IS SLOW GIGGLEHURTZ!!!oneone!!!) you don't need anti-malware on Windows.

Re:The Risk

[AndroidCat]

Don't worry, just install the new patched version of McAfee. I believe the internal name for this release is called Skynet.

Re:The Risk

[Dare+nMc]

>McAfee may have deleted more files
than all the viruses it has removed would have.

go figure, no big system admin has wanted automatic (witout testing) updates for some time, to their OS. I guess sys admins got lazy on testing virus scanner updates before rollouts.

I know I am not alone in turning off all runtime virus protection on my PC, because it has historically had more impact on system stabilty, and speed than most virii. (ok it seams the latest scanners on winXP may actually work...) Wouldn't save me from this problem, except my system scans only occur weekly, so may be luckly my weekly scan didn't occur (I do have nightly complete backups from backuppc.sourceforge.net ).

Re:The Risk

[fuyu-no-neko]

I guess the Mac & 'nix freaks are right, Windows really is a virus.

But aren't viruses meant to be small and efficient? O.o

Re:The Risk

[justthinkit]

Score one for AVG (http://free.grisoft.com/). Much as I liked McAfee (back in Win98 days), I stopped using it due to (1) huge memory footprint, (2) onerous yearly fees.

Re:The Risk

[The+Spoonman]

I know I am not alone in turning off all runtime virus protection on my PC, because it has historically had more impact on system stabilty, and speed than most virii

Nope, you're not alone. I don't typically run with AV enabled, and the last virus I had on any system was Jerusalem. :) (Before the literalli ask: I run semi-regular virus scans using one of the web-based scanners, that would be how I know for sure.)

Re:The Risk

[noone42]

One of the things that nobody's saying here is that the default behavior for McAfee is to move the files into a quarantine directory, not to delete them. The user would have to change the settings for that to happen. Admittedly, it's still messed up for the program to delete essential files, but I think it's good policy to quarantine first in case something like this happens.

That being said... On Saturday I went to do some work in Flash MX and got a message that it was missing a DLL file and I had to reinstall. No big deal, I must have botched something, so I reinstalled. While I was doing that, I went to get my bills together in Excel and got the message that Excel was no longer installed. My first reaction was that I had some kind of virus or trojan, so I ran a full system virus scan. It took me three hours of panic to realize that something like 40 .exe files and another 80 .dll files had been quarantined. VirusScan provides no way to restore quarantined files, so you have to pick through the scan log to find out where they originally lived and put them back yourself. I was wondering if this would come out in the news or if I just had a screwed up system. Thank god it's getting some press and McAfee had to fix it, I've been fighting my virus checker all weekend and it was getting pretty tiresome.

Re:The Risk

[stinky+wizzleteats]

I guess sys admins got lazy on testing virus scanner updates before rollouts.

That's very funny. When a ubervirus thrashes a couple of corporate networks to the tune of a billion dollars apiece, we hear "Stupid admins - the patch was available - they weren't keeping up". Now it's "They should have tested before rolling them out." (paraphrased)

It appears, therefore, that using a system that is subject to viruses and security vulnerabilities on the scale of Windows is inherently untenable. We can't even define logically consistent expectations for the administrators of such systems. Can we stop using them now?

Re:The Risk

[digital+photo]

More often than not, the choice to put AV software on systems wasn't a sysadmin choice, but a management/business choice. IE, cost reasons, CYA reasons, lower priority than say getting that next X million dollar project up and running, or some other reason which pre-empts AV stuff.

I don't use AV software on my systems at home, but that's a personal choice. Not due to laziness, but because other measures have been taken: strong firewalling, restricted software on desktops, strong desktop settings, regular backups, and sufficiently educating anyone who uses the computer of the dangers they can face, what online actions are risky, and to abide by the basic rules so as to avoid putting your data/computer at risk.

For half a decade, I've gone without AV software and have had all of my systems virii/adware/malware free. This isn't due to laziness, but diligence and preparation. This isn't due to OS fanatacism, but making a decision about what compromises to make between security and usability. I use WinXPpro, Linux, and MacOSX systems at home.

When people passively rely on external assistance, like AV software, something like this would eventually happen. People make mistakes. Companies make mistakes. And when you have a large install base, those mistakes can easily become big monstrous mistakes.

Right now, ALOT of sysadmins are probably sweating bullets getting systems back online. This isn't because they were lazy. This was because someone at another company screwed up and it impacted their infrastructure, which in turn impacts their business.

Make no mistake, people will get sued and lawyers will get involved. Think it was just the businesses and end users of the AV software that got screwed? What about the customers of the businesses? What about the home users who run their business off of their home computers? Yeah, there'll be some noise about this down the road, make no mistake.

*listens over the cube walls* I don't hear any cursing or screaming, so it hasn't happened here or the OS admins have done their homework over the weekend. In either case, this will be interesting to follow in the months to come.

Re:The Risk

[AnyoneEB]

Mac or *nix freak? I use Windows XP. My .sig is from personal experience. :)

Re:The Risk

[legirons]

"That's very funny. When a ubervirus thrashes a couple of corporate networks to the tune of a billion dollars apiece, we hear "Stupid admins - the patch was available - they weren't keeping up". Now it's "They should have tested before rolling them out." (paraphrased)"

Which neatly highlights the problem with this internet-connected "built to a budget" software that we're all using -- every time there's a patch, it reveals that we've all been running massive security risks for years, which the programmers only just discovered.

It's even worse with people who rely on adware scanners, or virus scanners -- they've allowed security threats right into their core systems, and are hoping that the latest virus list will somehow save them.

I know this is all because there's too much software for us to review individually, but we could at least trust someone more reliable (FreeBSD, Debian and GNU being the obvious choices) with all this "checking our software isn't going to do something really stupid", rather than a company whose interest is limited to selling you the software and letting you figure out what the problems with it are...

Re:The Risk

[riscthis]

Unless you're already running inside a Virtual Machine, of course ;)
http://it.slashdot.org/article.pl?sid=06/03/11/013 0221

Re:The Risk

That downplaying is simple spin/damage control.
Imagine the reaction of the stock price if the real news of the magnitude of the impact of this on platinum-level, enterprise customers was divulged.

Anyways, it just meant that thousands of IT people didn't get a weekend.
I lost 12 hours on Sunday - it could have been worse.

Re:The Risk

[ummit]

...a system that is subject to viruses and security vulnerabilities on the scale of Windows is inherently untenable.

Yup. Been that way for quite some time now.

Can we stop using them now?

Some of us can, but alas, most are still utterly addicted, and will put up with nonsense like this for quite a bit longer. "Thank you sir, may I have another!"

Re:The Risk

[Kuros_overkill]

very time there's a patch, it reveals that we've all been running massive security risks for years, which the programmers only just discovered.

No, that was back when Patches were few, and far between. These days they are just patching up security risks that were added 10 patches ago.

It is my belief that any system more than 5 years old, and has been patched on a regular basis, nolonger has any of the original security holes. Only the 2^N holes that have been added by the successive patches (Where N is the number of patches.)

Re:The Risk

[Dare+nMc]

> "Stupid admins - the patch was available - they weren't keeping up". Now it's "They should have tested before rolling them out."

I did say lazy didn't I :(
> That's very funny.
whats even funnier (to me): is that I am a system admin (small part of my job) for a dozen people. I got automatic updates of virus scan, and windows auto updates on for every PC but mine, guess I figure I'll hear of something bad before it hits my part (ok I do fit into the proud to be lazy crowd.)
> vulnerabilities on the scale of Windows
I am no defender of microsoft, but the biggest didn't update crowd taking heat was for months old (since patch) vulnerabilities being exploited (at msn.com also I recall.) I understand not taking the time to test every 2 weeks, but I did admit being lazy also.

I will add, in general I get very upset when I pay a premium for something that has big problems, but figure it was part of the fun when I am given something at little or no cost. probably why I run linux on the systems I know I'll get flack for problems with (probably not more stable than windows in my case, at least I got $2000 in our phone system for example instead of $30,000)
I do run http://www.clamwin.com/ at home despite having access to norton, and mcafee corporate versions easily borrowable from work. ( I have no moral qualms since I do work from home PC's also... )

Re:The Risk

[From+A+Far+Away+Land]

The good news is that I'll be able to easily identify the machines I've not yet upgraded to Grisoft AVG from McAfee. I'll get a call from the McAfee users asking, "Why isn't my Excel opening?"

Re:The Risk

[Mycroft_VIII]

I've stopped using McAfee and Norton for those reasons as well as the fact that this event was the only virus like thing they were not doing yet.
    I uninstalled the McAffee 90day freebe from my laptop and started having random re-boots. Some digging around showed one of thier processes STILL being loaded at boot.
    Delete it and everything seems fine now. The paranoid in me wanders if that wasn't designed to make you think maybe you'd caught a virus and needed to re-install and re-pay for thier crap again.
    My laptop hasn't been online except ONCE right after I bought it, and was thouroughtly checked out bye several different malware scanners right after with no problems found.

Mycroft

Re:The Risk

[Knitebane]

When people passively rely on external assistance, like AV software, something like this would eventually happen.

You are hereby appointed to the Federal Emergency Managment Agency, Gulf Coast Region.

Re:The Risk

Only back in the old days. These days, any idiot who can string together a few lines of Visual Basic can write themselves a virus... er, operating system... whatever.

Good thing...

Good thing Mcafee doesn't have liability, via contract, for this mess....

Re:Good thing...

[griffjon]

Mod parent up -- this is a Very Important issue -- we shell out huge bucks for OSes, A-V, firewalls, ad infinitum, with the marketspeek saying "This not only protects you from everything, it will butter your toast, too!" -- yet this is translated in legalese click-throughs as "We aren't liable if this product not only doesn't do what it is marketed to do, but for no apparent reason causes your network to melt. Oh, and it greases your goatse hole, too!"

It is what you might say, a problem.

who-can-you-trust?

[suso]

This is one of the major reasons I use open source software. Its hard to trust corporations who only tell you lies to preserve their public image.

Re:who-can-you-trust?

[dc29A]

This is one of the major reasons I use open source software. Its hard to trust corporations who only tell you lies to preserve their public image.

Do you really think Open Source AV can't fsck up your PC if there are bugs in it? And let's be honest, how many people actually look at the source of programs (updates) they install? I am a programmer, and I never looked the code of an Open Source program I installed for the sake of "Let's make sure this update won't fsck up my PC". I look at the code because I am curious to see how they do certain things, or I want to change some annoying aspect of it.

Re:who-can-you-trust?

[MankyD]

What on earth did they lie about? They screwed up and they're trying to tell you how to fix it. This is not a commercial vs. oss debate - sheesh!

Re:who-can-you-trust?

[MustardMan]

Quiet you, we'll have no reasonable thoughts in THIS house!

Closed source is teh $at4n... go linux, w00t!

Re:who-can-you-trust?

Anyone still using Mcafee deserves what they get. It's a horrible piece of crap software and the people still pushing this crap should be shot.

Re:who-can-you-trust?

> I am a programmer, and I never looked the code of an Open Source program I installed for the sake of "Let's make sure this update won't fsck up my PC".

Well damn. Maybe you should have.

Re:who-can-you-trust?

[Slashcrap]

Do you really think Open Source AV can't fsck up your PC if there are bugs in it?

Do you really think it's better to have your system trashed and pay for the privilege?

Re:who-can-you-trust?

[PitaBred]

If you're really using open source, you shouldn't need much by way of AV, except maybe a mail scanner, and it's domain of scanned files should stay away from the system. And at any rate, configure it so it doesn't auto-delete or even quarantine things things. Make sure it's ok to remove the vmlinuz or kernel.dll file personally.

Re:who-can-you-trust?

[freeweed]

let's be honest, how many people actually look at the source of programs (updates) they install? I am a programmer, and I never looked the code of an Open Source program I installed

The point of open source is not that you PERSONALLY can look at the source to find problems (although you can if you like).

The point is that thousands of other people can. And usually, no one's stopping them from reporting a problem if they do find one.

Admittedly, this leaves gaps (what if no one else looks?), but it works pretty damn well, for the most part.

Re:who-can-you-trust?

[penguinbrat]

Do you really think Open Source AV can't fsck up your PC if there are bugs in it?

Agreed - both can hoze your system up, BUT when it comes down to it, since neither comes with anykind of warranty and both usually have the same level of support (obtained differently ofcourse) - I would much rather know that I didnt waste X amount of dollars on something that didn't really do all that much different than the free stuff...

And let's be honest, how many people actually look at the source of programs (updates) they install?

Not a lot, but atleast the OSS community has it as a standard to have the change log readily availiable for anyone and everyone to grab and read if they so choose, and if you get the source directly from the author - there is usually a big page of all the changes before you get to the download link, so you will know in advance if the upgrade is worth it or not...

Re:who-can-you-trust?

[Ungrounded+Lightning]

What is this "Open Source A[nti]V[irus}" you're assuming?

The main approach of open source software to viruses is not to be susceptable to them in the first place.

Re:who-can-you-trust?

[gronofer]

The point of open source is not that you PERSONALLY can look at the source to find problems (although you can if you like).

In theory, yes. But since nobody PERSONALLY has to look at the source, hardly anybody will actually bother. Most just run the Windows binary installer, or "apt-get" and equivalents.

Re:who-can-you-trust?

If you're really using open source, you shouldn't need much by way of AV...

Tell me you don't really believe this. Because, if you do, I have some land and a wharehouse full of "state of the art" 286 computers to sell you.

Does this mean...

[__aaclcg7560]

That Microsoft Anti-Virus will be deleting McAfee from the system? And, to be on the safe side, also Norton?

Re:Does this mean...

[Stephen+Samuel]

Perhaps they were just trying to do a pre-emptive deletion of MS-AntiVirus and set the net too wide.
Oh well... At least it's a commercial package so, unlike Open Source, I have somebody I they can sue when something like this ......

WHAT???!!! EULA?? Yeah, but I didn' think... arrrrgh!

Re:Does this mean...

[rbochan]

...And, to be on the safe side, also Norton?

You'd hope that the sysadmin would be competent enough to do that.

Re:Does this mean...

[jacksonj04]

You may laugh, but the MS OneCare is actually a pretty damn good product, and subscription looks to be a lot cheaper than McAfee/Symantec as well.

Re:Does this mean...

[Omaze]

I read the headline, I came to the forum, and "EULA" is the first thing I searched for.

Re:Does this mean...

[identity0]

MS Antivirus salesman: What are you talking about, Comrade? Norton is our ally. We are at war with McAfee. We have always been at war with McAfee. We shall trium-

-Slashdot headline: Norton Deletes MS Windows-

-phantly avenge this betrayl! Down with Norton! Up with Big Ballmer!

hijackthis

Gotta love McAFee, they also delete hijackthis when I plug my USB key in.

Re:hijackthis

[maotx]

I've never had a problem with McAfee and hijackthis. Also, 4715 isn't even showing up in our records under the ePolicy Orchestrator. Everyone is either at 4716, or if they haven't connected, 4714.

Re:hijackthis

[narf]

Yes, I just noticed that. I'm curious if it's because I have no workstations running 4715 (I hope!), or if they've just made it a non-person.

April 1 Already?

[yup2000]

I seriously did a double take and had to check the calendar to make sure...

Well...

All I can say is 'wait 'til monday.'

I wouldn't be surprised if this fuckup is a fatal blow to McAfee.

Re:Well...

[MustardMan]

... by Anonymous Coward on Monday March 13, @09:07AM (#14906906)
All I can say is 'wait 'til monday.'

Heh, now that's funny.

Re:Well...

[Cal+Paterson]

Ever heard of timezones?

Re:Well...

[MustardMan]

Ever heard of humor? Just checking.

Holy Shiznit

IT men and women all over the world are shiznitting themselves this morning.

The McAfee developer who screwed this up will surely be fired. What about the QA people in McAfee, aren't they supposed to have seen this or were they just being paid to do nothing? Surely, they should be fired!

I smell a class-action lawsuit coming.

Re:Holy Shiznit

[visigoth]

wanna bet they didn't do comprehensive testing? Regression? Did McAfee lay off QA people lately because the cost of rigorous testing couldn't be justified in a nice, concise business case? Or was it just an "honest mistake" that led to this screwup, which, one hopes, won't be repeated any time soon (and, one further hopes, will remind McAfee that potentially dangerous software requires comprehensive and effective testing *always*, which certainly would have caught this particular bug.)

Am I missing something here

[His+name+cannot+be+s]

I've heard of a program, some sort of scanner that is supposed to stop rogue programs from attacking your computer, and deleting files.

Oh yeah, the AntiVirus program.

Whoops! Nice Try McAfee.

Doesn't this kinda breach some sort of Digital-Hippocratic-oath? "First,do no harm?"

Re:Am I missing something here

[Plaid+Phantom]

Well, that oath only applies for people who are actually trying to help people.

McAfee.. not.. Nod32... yes

McAfee is crap, pure and simple. Our ISP uses McAfee as a filter on mail and lets just say I am glad I am running NOD32 on my home machine as it catches on average 1 or 2 virus a month that slips past McAfee. Also we cannot run it on any of the machines that are running video editing as they cause the system all kinds of problems (cpu spikes, general instability).. junk... junk... junk...

Surprisingly, it didn't quarantine itself

[digitaldc]

If only McAfee had quarantined itself before this disaster, it would have worked perfectly!

Re:Surprisingly, it didn't quarantine itself

[btellier]

Actually, in their press release they have some of the filenames affected by the errant signature. Among them is:

- FrameworkService.exe

Which, if you take a look at your Task Manager, you will notice is:

  Directory of C:\Program Files\McAfee\Common Framework

09/27/2005 03:06 AM 102,463 FrameworkService.exe

Don't use anti-virus!

[$calar]

See, this is another reason why I don't use anti-virus. The truth is viruses don't magically propagate on the Internet, it takes a dummy to do something stupid. Just learn some common sense and avoid these awful programs.

Re:Don't use anti-virus!

[Aranth+Brainfire]

Yeah, but you can feel all superior and stuff if you have one that scans every day and can sincerely say that you have never ever gotten a virus onto your system.

Re:Don't use anti-virus!

[PFI_Optix]

I haven't had a virus on my XP system in four years, including during my dial-up days.

If you keep your system updated, use a firewall, and just generally understand how the typical virus/worm/trojan works, you're 99.9% protected. However, there's always the possibility that someone will get clever enough to get through that, so I use AVG just to be on the safe side.

Re:Don't use anti-virus!

[MankyD]

Actually... they do "magically propagate" when flaws are found in things like Windows SAMBA sharing or Apache's web server (or any server program that you run for that matter.)

Re:Don't use anti-virus!

[$calar]

I have never used anti-virus software and have never gotten a virus in my life. My main reason for not using anti-virus was because it hampered system performance. I really don't think it's that hard to avoid getting a virus, all you have to do is stay up to date with your operating system and don't open executable attachments (it would be even better if you just ignored emails that weren't from trusted sources). The only thing that bothers me are these zero day exploits that even anti-virus software can't stop.

Re:Don't use anti-virus!

[TubeSteak]

Wouldn't that make it a worm?

Worm = no user interaction
Virus = user interaction

Hence... virii don't "magically propagate"

Re:Don't use anti-virus!

[$calar]

Those are called worms, not viruses. Besides, anti-virus is only as good as the latest definitions. If you have auto updates enabled on whatever operating system you use, you should be fine. Additionally, a good firewall goes a long way against these types of exploits.

Re:Don't use anti-virus!

[MankyD]

Ok, true, a worm. That doesn't change the fact that an infection is possible and that av software works to quarantine it.

Re:Don't use anti-virus!

Well, yeah... "all" you have to do is that, plus cripple your web browser (or never use it), and then you can think you're safe.

If you don't run anti-virus software, then you don't know that you've never gotten a virus. Not all of them announce their presence.

Re:Don't use anti-virus!

[OrangeDoor]

This is no reason to NOT use anti-virus. You can have an anti-virus program that doesn't screw up your computer with updates. As previously mentioned AVG is one of them. But like a lot of other software there might be occasional bugs, but they shouldn't delete files. You don't have to go with a crappy product by McAfee or Symantec, besides free A/V software there is a lot of quality software you can pay for.

It's naive not to run anti-virus software. For people like me it's not about constant protection from my safe computer using habits. It's for that really tiny chance that something gets by. Not only is it important to have, it's also useless if not kept upto date. New virus attacks are designed to get on a system in the narrow window between virus release and A/V definition updates.

On a different note, another thing to be wary of when useing McAfee... losing internet access. On several occassions I've gone to clients and discovered that either a) McAfee firewall has decided to block Internet Explorer's access to the internet, or b) McAfee is broken and you can't change the firewall settings and manually removing it is the way to get the internet working again. Similar things happen with the Norton Internet Security package, though McAfee's, as hard as it is to believe, is worse.

Not only do these companies break their customers computers (which I get paid to fix as an independent PC Tech), they also provide crappy or non-existent phone "support." Apparently, nowhere in their manual does it say "Prior to rebooting, uninstall McAfee products."

Re:Don't use anti-virus!

[Tibor+the+Hun]

That's wonderful news sir. You've just won yourself an invitation to come to my place of work and train 200 40+ year olds to do the same.
Wow, that'll save us tons of cash!

Re:Don't use anti-virus!

Bah, he wasn't even claiming that any corporate users should follow his advice...

Re:Don't use anti-virus!

[rmadmin]

Just curious... if you don't have an antivirus scanner... how do you know that you've never had a virus before? There are viruses that are passive enough that even a skilled admin might not notice them. :)

Re:Don't use anti-virus!

[JazzCrazed]

Not to mention that you won't know whether or not your computer has a virus if you don't scan it with some sort of antivirus software.

Re:Don't use anti-virus!

[$calar]

I use Linux.

Re:Don't use anti-virus!

[xtracto]

If you keep your system updated, use a firewall, and just generally understand how the typical virus/worm/trojan works,

There was a time when antivirus software was *really* useful. When viruses where hidden in boot sectors and they used technologically saavy tactics to duplicate.

Nowadays the deffiniton of viruses are mostly worms and trojans. Worms are defeated by using a firewall (I have an openbsd firewall standalone pentium pro machine), trojans are defeated not opening those OMG_BRITNEY_TITTS.JPG.EXE files.

I still miss the good old day virsuses, I found cool when my computer said i was "Stoned", hehe, or when the freaking ball started bouncing trhough the screen... but I always find it fascinating the methods used by the viruses, I even once created a virus (the darn thing just beeped the buzzer when an infected file was launched... after some time I found my Win3.11 was unusable as it got infected =-S).

I started to lose respect of viruses when the so called Word Macro viruses started, from my point of view that was not a virus...

Re:Don't use anti-virus!

[BeanThere]

Sure, but he was implying that XP is easy to secure.

Re:Don't use anti-virus!

[rmadmin]

So you're blabbing about how easy it is to keep viruses off of your linux box, when the article is focused towards windows machines, which are not OMGEASY to keep viruses off of. Apples and oranges buddy.

Re:Don't use anti-virus!

[dogbowl]

I don't run virus protection and I've never had an 'infection'. To me, Mcafee and Norton are nothing more than snake oil.

(How do I know? I do occasionaly run spyware/virus scans, and other than the typical suspicious cookie file, never found anything.)

Re:Don't use anti-virus!

[PFI_Optix]

Apparently, it is.

I've used it at home for a little over four years and worked with it for three years as an administrator. I have NEVER had a virus on any XP system I was responsible for.

In fact, the only virus I've ever had a problem with was an infected Windows 2000 domain controller that was SUPPOSED to be managed by corporate IT. They hadn't updated it in well over a year and wouldn't let me touch it until it started crashing (and those geniuses had it as the exchange server as well...again, I couldn't change that).

In both cases, I didn't go to extreme measures to secure the systems. I used automatic updates, both a standalone firewall and Windows Firewall, and antivirus (AVG Free at home, Symantec Corporate at work). That, and I educated my users on what NOT to open from their e-mail.

A good way to teach your users not to open strange attachments is to give them a dummy one that will just let you know who opened the file. I arranged with management to do this one day...send out a trojan-like e-mail with a script that would write a file with the username in it to one of the network shares and see who opened it.

The next day I unplugged one of the network switches for fifteen minutes at the beginning of the day, told them it was because some people had opened "virus e-mails" (management knew the truth) and then plugged it back in. I talked to the people who had opened the "virus" e-mails and gave them an in-depth training session on why it's a bad thing to open every attachment you get on e-mail. From then on, they wouldn't touch anything that was even remotely suspicious.

Three years, nearly 100 users, and ZERO penetration on my systems. It's not rocket science.

Re:Don't use anti-virus!

[Mistshadow2k4]

If you've never used antivirus and aren't using it now, how do you know that you don't have a virus at this very moment? A good trojan doesn't screw with your computer, spyware slows it down (but not so much that you might notice if you don't have a lot of spyware), a virus may cause problems but often nothing that seems unusual with Windows....

Re:Don't use anti-virus!

[st1d]

You mean those "totally free" ones on that pop up on random sites you visit, and promise to do a thorough scan of your system, and all you have to do is click to accept their "license agreement"? :)

Re:Don't use anti-virus!

[st1d]

What, were you out of batteries for your cattle prod? :)

Re:Don't use anti-virus!

[dogbowl]

yes of course. You must have recieved the same time limited offers that I did.

You should see the exciting scientifically proven results I've had with Vicerex.

Re:Don't use anti-virus!

[mlewan]

Could you provide any support for your statement that McAfee and Symantec are crappy? Could you provide any examples of quality "free A/V software" and quality pay for software? Could you provide any information for why you think it is of better quality than McAfee and Symantec? Tests? Benchmarks? User surveys?

Re:Don't use anti-virus!

[BeanThere]

So you've demonstrated that XP can be secured in an environment with someone who is clued up. Well done, but you missed the point: XP is hard to secure for the man on the street, to whom it is marketed.

Re:Don't use anti-virus!

[PFI_Optix]

XP is hard to secure for the man on the street The problem isn't XP. You can't make an idiot-friendly OS that is secure*. The problem is in part the consumers, and in part documentation. The consumers don't want know how to do these things. They "just want it to work". If they treated their cars the same way they did their computers, they'd have to buy a new one every 25-30,000 miles because they never changed the oil. Any OS requires basic maintenance, just like a home or a car or anything that is that complex. New (and resold) PCs also have totally insufficient documentation. People aren't being informed on how to keep themselves safe on the internet. Computer manufacturers, OS developers, and ISPs should all do everyone a favor and distribute printed literature that explains the basics of internet security and how to protect yourself from internet crime. If enough people learned to protect themselves, eventually anyone who uses a computer without proper security will be looked at like someone who lets their car seize up because they never checked the oil: idiots. *: For those whose first thought was "APPLE!" I have experience with trying to introduce people to computers with both OSX and Windows. Windows has a much easier learning curve to the completely clueless.

Re:Don't use anti-virus!

[cswiger2005]

I don't want to blame McAfee or Symantec excessively, but you do realize that you are posting to a thread where an update to their products ended up breaking hundreds or thousands of machines.

As for freely available A/V software, try ClamAV at http://www.clamav.net/, or the associated ClamWin for Windows. The site has some studies and comparisons that people have done against other antivirus products. I think that ClamAV's scanner is somewhat slower than the big name AV products, but it seems to be more thorough about catching nested viruses (ie, a zip containing a rar containing a .exe or whatever).

Re:Don't use anti-virus!

[poopdeville]

Car manufactuers have actually gone through great pains to make cars tolerant of not having their oil changed for 50,000+ miles. You shouldn't actually try this, because damage to the engine will occur.

Re:Don't use anti-virus!

[mlewan]

"I don't want to blame McAfee or Symantec excessively, but you do realize that you are posting to a thread where an update to their products ended up breaking hundreds or thousands of machines."

One bad (ok, catastrophic) update is hardly a statistic proof that McAfee's product is crappy. For all we know any other AV provider could potentially have done the same thing. And we don't know why this happened with McAfee. It could very well be the old case of a disgruntled employee who released something as a bad joke, just before he left.

Thanks for the link to ClamAV, however.

Re:Don't use anti-virus!

[cswiger2005]

You're welcome for the link to ClamAV. It started as a tool for people running Unix mailservers to have a useful tool for scanning for Windows malware like viruses and worms, and has since evolved to also do a good job of identifying phishing scams and other email frame-based exploits. ClamAV isn't perfect-- no anti-virus software is, apropos-- but it's worthwhile and certainly the price is right.

I wouldn't go so far to describe McAfee or Symantec as "crappy", but their track record has encountered far more than just one bad update. There have been other fairly significant problems with various anti-virus software over the years which seem to crop up every six months or so, you can hunt down some amusing articles on the Register for example, if you don't want to research the tech articles and knowledge base items in MSDN:

Search Results 1-10 of 1,153 containing Norton AntiVirus problem (0.14 seconds):

http://support.microsoft.com/default.aspx?scid=kb% 3Ben-us%3B295824
http://support.microsoft.com/default.aspx?scid=kb; en-us;265824
http://support.microsoft.com/default.aspx?scid=kb; en-us;276504 ...etc, etc.

Re:Don't use anti-virus!

[Obi-w00t]

I think this strain of the comments has struck upon a problem with the IT industry as a whole. When I had to do work experience in the IT helpdesk of our local council I had to go around with someone who would try to fix user's problems. 99.9% of the time these computers were mid-range PCs running like a 286. Just completely filled with spy/ad/malware. No firewall, no malware scanner and most of the time no Anti-viurs. These people just did not know anything about computers.

Nortons AV did this to me once...

[craznar]

Scanned my Inbox file, and deleted it because there was a virus in it from before I installed Nortons AV.

However - like most AV software, you can put it straight back.

No biggy ..... however I turn off automatic scanning these days... just manually scan every so often.

Re:Nortons AV did this to me once...

We've had this happen with ppl using eudora, which stores all its mail in one file.

Re:Nortons AV did this to me once...

[Nimey]

Were you using Mozilla, Netscape 6.x/7.x, or Thunderbird? I've been told of that problem on the first two and experienced it on the latter -- even though that installation of T-bird 1.5 had the option to let antivirus scanners remove individual infected attachments.

Re:Nortons AV did this to me once...

[craznar]

I think it was 0.x of Thunderbird where x>=5

It was annoying, because I never install autoscanners, however a new laptop I had decided to have a Norton AV installed that wasn't removable - easily.

Re:Nortons AV did this to me once...

[HermanAB]

Yeah, McAffee did that to me once and I could not put the file back either. That was the last time I use McAffee...

HA!

[ramunas]

Seems I was right in my reasoning NOT to use antivirus software. My reason was that it's just a useless waste of system resources, now it seams not only that, but also a potential danger to the integrity of the system.

Re:HA!

What's your e-mail address again? I have this really cool pic of Anna Kournikova for you! ;)

Actually: ditto here, disabled antivirus programmes as they create the same amount of load that viruses/spyware etc. would do. In medicinal practice there is this rule of thumb that medication is not useful if the side-effects of using it are not improving the quality of life.

There's gotta be a way to blame this on Bush...

There's gotta be a way to blame this on Bush. Somehow he was responsible.

Re:There's gotta be a way to blame this on Bush...

[PFI_Optix]

He'd been drinking, and there was this bird...

Re:There's gotta be a way to blame this on Bush...

[99BottlesOfBeerInMyF]

There's gotta be a way to blame this on Bush. Somehow he was responsible.

No problem. Bush was elected, then suddenly all the anti-trust remedies against MS were gutted. MS was not broken up into several competing companies and thus had no motivation to create a better product to compete against the other "baby-MS's." Since they had no such motivation they did not release a new version of their OS that was fairly secure by default and they did not sell it at a competitively low price. As a result more companies and individuals had to buy anti-virus add ons and were thus burned by this malfunction. See, that wasn't too hard.

Re:There's gotta be a way to blame this on Bush...

Dear God there are some humorless people with mod points.

I guess I'm going to have to label these posts with "DISCLAIMER: in the event that you have mod points but are lacking in the humor department, this post is indeed a joke."

They asked for it

[voice_of_all_reason]

There's one action that is responsible for almost all computer-related problems -- crashes, virii, corruption -- and that's blindly running code without checking it out first (either yourself if you have the know-how, or waiting for others who do to test it out first).

Re:They asked for it

[assassinator42]

Who asked for it? McAfee? They're the ones that should test the update files they're putting out. Same with other A/V companies. However, it doesn't seem like they do. Now I'm a bit worried, because eTrust apparently doesn't test their updates either. As they put out an update a while ago that disabled the virus protection.

Ouch....

[Araxen]

McAfee doesn't have the greatest rep as it is but this might be the last straw for them.

Re:Ouch....

I guess the execs were too busy embezzling funds to notice that one their Eastern Block coders decided to work on the DAT update instead of writing a new virus.

Not surprised

[QuantumPion]

This is a major problem with anti-virus software. Because of their blacklist model, they have to release definitions and updates very frequently. They have to release these updates as quickly as possible as well, or else their subscribers will be infected with these viruses before they get the updates. In addition, their software is very bloated and complicated, needing to be able to defend against a huge variety of attacks, both immidiate and obsolete. This results in a very error-likely situation. What the network security companies need to work on is an innovative way to effectively protect corporate and home networks without having to use dangerous bloatware.

Re:Not surprised

[MartijnL]

Well, Cisco's CSA (http://www.cisco.com/en/US/products/sw/secursw/ps 5057/index.html) does the exact opposite: you tell it what is allowed to run and it blocks everything else. It also runs a signature analysis so when something that you hadn't configured yet tries to perform an attack it alerts the user. It can become quite a task however to properly configure and you still need user awareness to keep them from clicking "YES" everytime like they do with every other popup they face (the other option is that you manage everything but then you will get flooded with support calls).

Re:Not surprised

[Monkelectric]

No ... McAfee is just irresponsible. Try another program like Panda or Trend or Avast. I personally think Panda is the best at catching viruses -- but its software is a bit buggy. Trend is a solid performer, and Avast seems to do an ok job but it screws up Visual Studio so I dont use it personally, but I recommend the free version to friends.

Re:Not surprised

[Billosaur]

It can become quite a task however to properly configure and you still need user awareness to keep them from clicking "YES" everytime like they do with every other popup they face (the other option is that you manage everything but then you will get flooded with support calls).

This would seem to be a good place for the addition of some low-level AI, to learn usage and traffic patterns and be able to anticipate such things. It might even be made smart enough to detect suspicious or erroneous processes/traffic and alert the sys admin so action could be taken. It would then "learn" from the response and be able to become more autonomous as time passed.

Re:Not surprised

[WebbedPete]

Because of their blacklist model, they have to release definitions and updates very frequently. They have to release these updates as quickly as possible as well, or else their subscribers will be infected with these viruses before they get the updates.

McAfee uses both heuristics and (blacklist) signatures. Heuristics find about 40% of viruses, IIRC. But that's not good enough. So, what do you suggest?

...their software is very bloated and complicated, needing to be able to defend against a huge variety of attacks, both immidiate[sic] and obsolete.

What basis is there for saying it requires bloated, complex software to protect against a variety of attacks, or that McAfee's tools are bloatware? Unless you've seen the code, I think we can't say. I use their tools, and the footprint is pretty tiny! (Total size of all of their DLL/EXE loaded right now: 2.5MB)

This results in a very error-likely situation.

To me, the fact that there are "a huge variety of attacks, both immidiate and obsolete" is what results in an error-likely situation. Let's face it, connected, up-to-date computing is dangerous.

My SMTP server allows ~4 emails per hour through its front door. It rejects (without even looking at message body!) about 2 per second. And that's with very conservative rules designed to avoid false-rejections of all kinds. When 99.9+ percent of all messages are bogus, and when many (most?) web pages include dynamic content (advertising and more) from outside sources, it's no wonder we see ever-more prevalent widespread failures.

Re:Not surprised

If they designed a product that actually worked they wouldn't be able to hammer their customers for a yearly subscription to update it.

Re:Not surprised

[morganix]

You mean like Trusted Computing (TM)?

I'd take norton over TC anyday, and sadly I'd take my chances with the viruses over Norton. However, there are some good antivirus products out there that are not overly complicated or bloated (such as NOD32).

Re:Not surprised

[j-cloth]

This really got an "Interesting"? This site really needs a -1 Missinformed. The current McAfee scan engine, 4400, has been out without an update since November 2004. That is the software that does the work. Repeat after me: You are not updating the software. What you are subscribing to are the DATs. These files are not executables. They contain the information on the files that should be detected. You want these to be refreshed often because new viruses/trojans and now malware come out even more often. can't believe I just wasted 2 minutes replying to an AC

Re:Not surprised

[MartijnL]

Well, that actually is what it does (analyse on through some form of logic and reporting anomalies to either or both end-user and sysadmin. The issue is that you first have to set up the base security profile for your environment. The usual steps being that you leave the application in "learning" mode over x period of time and then translating all the traffic caught by CSA into the baseline. This gets harder in environments where you restrict user access to the system (example: a section of the population who are only power-user and not local admin) and/or where the user awareness on security is low (the majority of businesses I'm guessing and certainly where I work). This either means an extra effort in the implementation period and/or extra management effort because you get an exponential rise in reports into the policy management system. So every advantage has it's own disadvantages.

Re:Not surprised

[ummit]

What the network security companies need to work on is an innovative way to effectively protect corporate and home networks without having to use dangerous bloatware.

Here's an innovative idea: how about... not running untrustworthy code off the network! Not block it, not scan it, not check its digital signature to see if it's "trusted"; just: don't have any way of running it at all. If there's an executable attachment in an email message and you click on it: nothing happens. If there's an executable file in a zip archive in an email message and you click on it: nothing happens. If a web page contains code instead of data: nothing happens.

If Microsoft had done this years ago, the virus problem wouldn't exist today. If Microsoft could see its way clear to do this today, the virus problem would start diminishing tomorrow. But no, we have to give the virus writers carte blanche to have their code executed at the drop of a hat, while we run around trying to block it or cleaning up after it. (It reminds me of the way Wikipedia gives anonymous users carte blanche to vandalize articles, while an army of volunteers runs around reverting.)

Re:Not surprised

[ummit]

To me, the fact that there are "a huge variety of attacks, both immidiate and obsolete" is what results in an error-likely situation. Let's face it, connected, up-to-date computing is dangerous.

But it doesn't have to be that way. Connected computing is not inherently dangerous. It's only inherently dangerous if you (or the author of your operating system) have gone out of your way to open doors to attackers.

The root cause of that "huge variety of attacks" is not that there's some huge army of sophisticated miscreants creating them. The root cause is that Microsoft Windows has always had such a crashingly mediocre security architecture.

Re:Not surprised

[WebbedPete]

The root cause is that Microsoft Windows has always had such a crashingly mediocre security architecture.

No argument about the mediocre security architecture. ;)

The hard part is: there is no comparably popular, attackable, commercially viable computing product anywhere. So it's hard to know what the "root cause" really is.

Why did I pick those attributes? Because I sense those are important for hacker-publicity:

Popular: gives widespread visibility

Attackable: embedded firmware in an iPod isn't particularly susceptible to interruption ;)

Commercially viable: economic viability brings extended investment in publicity, and get-me-where-it-hurts pain.

The latter attribute may not be necessary for my perspective...Linux is popular to some extent, but there's no comparison for this discussion: Linux PLUS Apple together have yet to hit five percent of installed desktops (http://news.com.com/Desktop+Linux+a+vehicle+for+p irating+Windows/2100-1016_3-5388863.html). Just as legitimate developers tend to aim at the 95% solution, so too with crackers.

Thus, I suggest hackers can gain notoriety going after any ubiquitous software product. And they do.

For what it's worth

[shoptroll]

My computer started rebooting randomly a week or so ago, and is something I've been trying to combat for a while. It would do it when idling or when I was in the middle of websurfing.

I find it interesting that once I disable Mcafee's on-access scanner the system stabilized itself and has been running without a problem for about a week now (I had seen it reboot about 3 times in one day).

Seeing this article makes me more suspicious of the scanner now.

Re:For what it's worth

[Stephen+Samuel]

You might want to scan your hard drive for bad blocks.

Re:For what it's worth

[ehud42]

Double check your CPU fans, heatsinks, etc. I had a customer bring their system in because they were absolutely convinced they had a virus. The PC would reboot every time they ran a virus scan. They even managed to find a virus definition online that described their virus.

Turns out the CPU fan was not connected properly, and the strain of performing a virus scan was enough to cause the system to overheat and the BIOS restarted the machine.

Re:For what it's worth

[shoptroll]

That was my first guess... Seagate's SeaTools found nothing, same with CHKDSK in Windows Recovery console

Puzzling.

Re:For what it's worth

[shoptroll]

I've been thinking about thermal issues but I've checked the internal monitoring software and everything looks normal. Also, I haven't been seeing reboots when playing games like UT2004 which will push my rig towards the limit.

I'm gonna re-enable the on-access scanning at the end of the week and see if the problem re-appears.

Re:For what it's worth

[High+Hat]

Have you tried running memtest86?

This honestly sounds like a corrupt memory problem.

Other possibility is that you've hard-set the windows swapfile limit...

Re:For what it's worth

[shoptroll]

Memtest86 was run a month or so back, no problem found.

Swapfile limit is currently set to 3 gb on one drive, 3gb on another drive. 1 gb of RAM. I'm pretty sure this shouldn't be a problem based on everything I've read about the Windows swap file

Re:For what it's worth

I had this same problem back a couple of years ago and I found that the problem was a set of bad capacitors on my motherboard. I'm sure that there are a number of possible causes, but I'd take a quick look at your hardware. In my case I could see that the caps were burst. In your case it could be a hard-drive going bad.
BTW,UT2004 may not stress the drive as much as a virus scan.
I'd suggest doing a defrag or block scan of the drive to really test it.

Re:For what it's worth

It's not ram. I say it's McAfee. From research I've done, 40% of the time, McAfee is too slow in releasing an update to their definitions. What that means is, by the time you get an update to your virus definitions, 40% of the time, you've already been exposed. Now, if virus protection is there to PREVENT an infection, then you can say that McAfee completely fails at this. Anyways, that's why I use Nod32. Yes, you probably haven't heard of it... that still doesn't stop them from having the best antivirus software that nobody's ever heard of.

Re:For what it's worth

[shoptroll]

Defrag last week. No problems. Caps could be an issue. But the system is less than a year old, so unless I've got a lemon or a power surge I wasn't aware of I can't think of why caps could be the culprit. Won't hurt to take a look though.

Re:For what it's worth

[LordKronos]

Could also be a failing power supply.

Re:For what it's worth

[dkone]

Get AVG, it is free, small and stable. Norton and McAfee are both bloatware

Re:For what it's worth

[Maniacal]

If you are running 2000 or XP you may be bluescreening and your PC is set to automatically reboot (which is the default). In XP right-click on "My Computer" and select "Properties". Click on "Advanced" tab. Under Startup and Recovery click on "Settings". Under System Failure clear the checkbox next to "Automatically Restart".

If you are running 2000 you'll have to find it yourself. It is somewhere under Properties for My Computer.

Most of the time when a 2000 or XP machine is just rebooting itself I find that the issue is that it's bluescreening and rebooting itself. Hope this helps.

Re:For what it's worth

[rcw-work]

My computer started rebooting randomly a week or so ago

See the other post on rebooting being the blue screen of death.

I've seen a Windows XP system do this with a dying hard disk. By the time I got to it, even though Windows couldn't find any problem with the disk, it wasn't able to be fully backed up (all of C: and System State) with ntbackup - it'd blue-screen every time at the same point.

No problems since replacing the hard drive (which, granted, necessitated a fresh Windows XP installation). The failing hard drive, if you're curious, was a Western Digital 120GB IDE drive. In my case it was likely Google Desktop's reindexer, not a virus scanner, that was causing the disk activity that triggered the crash.

Re:For what it's worth

[incabulos]

My experience with windows swapping ( not recent, but circa NT4 & Win2k ) is that as well as slowing down the system significantly, it also contributes to instability. Why this is I dont know, I have never seen any other OS be lock-up and crash-prone when they use swap heavily, but it seems to be a certainty under windows.

Monitor your physmem and swap usages if you can and see if there is a correlation. Or if you cant do this, try and get some extra RAM from somewhere ( modules that you know are 100% fault free ), run with it for a while, and see if it makes a difference.

Re:For what it's worth

[shoptroll]

1 GB Crucial RAM. System has never hit 1 GB usage ever to my knowledge.

Re:For what it's worth

[shoptroll]

Did that a long while ago which was helpful in diagnosing some driver issues... The joys of the 8x series of Nvidia drivers mixed with a Geforce 6600GT. Along with some fairly unstable beta drivers from Creative at the time.

Trust me, I've been around when this thing has rebooted. I've seen it pull a reboot when closing Firefox and once when I clicked a link. No warning, no BSOD, just flat out reboot.

Re:For what it's worth

[shoptroll]

All hard drive diagnostics I've thrown at this haven't given any problems. Both hard drives are Seagate PATA drives, so I can use their SeaTools to run some hardware level diagnostics. No problems detected by them. The only thing windows has ever reported is some minor problems with the NTFS records on occasion, but I believe thats from the crashing and stuff.

For anyone keeping score here's a dump of the hardware in my system:

AMD Ahtlon64 3500+, Gigabyte GeForce 6600GT, Epox 9NPA+SLi, 1 gb PC3200 Crucial RAM, Sound Blaster Audigy 2 ZS, SeaGate ST380021A (80 GB), SeaGate ST3200822A (200 GB), Windows XP SP2 (All latest updates)

At last !

[alexhs]

At last a good AV software removing those virii-ridden bloatware from your computer :)

Why are people complaining ?

Second time in a month

[Malc]

This is the second time in a month, although much worse than the last one. On the 23rd Feb, my mum asked me about an issue where McAfee had just cleaned Firefox of a trojan: Exploit-MS06-006.gen. Turns out that it was a false-positive and it had needlessly truncated some files.

Short this stock?

[cyberwave]

The Market opens in 13 minutes. Should I short McAfee's stock? ...or is it just going to start trading at a shitty price?

Problems with McAfee

[NetDanzr]

This is not the first problem with McAfee I've had this year. A few weeks ago, something started eating my system resources, pushing total CPU usage to 100%. Through trial and error I found that it was the McAfee virus scan. I found others with the same problem, which convinced me that for a change, the problem was not with the user. I ended up uninstalling McAfee and switching to AVG. Just in time, as I can see...

GAHHH!

WOW lucky me. I uninstalled this AV just 2 weeks ago and switched to the free AVG!

Re:GAHHH!

[tombeard]

Why are you posting anonymously? If you managed a successfull uninstall w/o their help you deserve the recoginition. Absolute piece of viral crap.

Deletes text files too

[psm321]

I had a TEXT file deleted by McAfee just a few days ago. The "virus" that it identified was a different one from the one in this article too. Unfortunately, in the version of VirusScan I have (came with Dell computer) there's practically no configurable options, so I have no way to set it to quarantine instead of delete.

Re:Deletes text files too

If you were smart, you'd just get a different AV prog but then you did get a Dell.

Prompt

[_Shorty-dammit]

Exactly why you set that kind of software to prompt you for the action, if any, you'd like it to take. Get what you deserve.

Re:Prompt

[srw]

That might be fine for the more computer literate user, but... giving a clueless user the option to clean, delete, quarantine, or ignore is a recipe for disaster. Trust me. Yes, from experience.

Who gives them the right?

Who gives them the right?

You do!

Compensation?

Great. So THATS why I've been spending all morning fixing Dreamweaver and Microsoft Office. And to think I actually didn't believe the first user that said "... it worked on Friday and I haven't done anything to it".

Now, how do I go about getting compensation from McAfee? A hughe bundle of Sys Admins getting together mayhap?

McAfee Zen

[Woy]

You use McAfee in this day and age, you deserve what you get.

Fond memories from the 90's won't bring your files back.

Re:McAfee Zen

[st1d]

Fond memories? I remember testing McAfee on systems in the early 90's, and having it find all sorts of virus...at least "user created" ones. McAfee has a long reputation of being a little too vigorous in their desire to find the most viruses of any anti-virus product. If it happens to delete important stuff, hey, that's the price you pay for ensuring your computer's not infected!

Even so, from the description at least, this would appear to be one of their worst screw ups. That said, it's too bad MS has produced a culture of lazy admins. Something like this should only be an issue for home users, who might not know better. Any company that suffers from this should review their staff's qualifications and make appropriate adjustments. Unfortunately, companies are so used to software problems they've come to accept things like this and regular reboots almost as if the problem is in the hardware.

Ticks me off, because the folks that will lose their data will see the incompetent admin as a hero, because he'll make himself busy getting system backups restored. They'll lose a day (or more) of data, and be thankful the admin "was on top of things" because he made backups. Meanwhile, better admins will spend the day listening to their boss ask, "shouldn't you be doing some work or something?" Arrgh! :)

Re:McAfee Zen

[Woy]

I mentioned "fond memories" as in "it seemed somewhat better than it is now". If that's because my standards were lower, i knew less alternatives or because the product was actually better, i dunno. McAfee, much like Norton/Symantec, are examples of old-timers who couldn't avoid fucking up their product lines and from a technical point of view have been circling the drain for years, kept alive by existing contracts, marketing and "fond memories".

And I couldn't agree more on your "misunderstood admin" remark. I sysadmin for a customer with 120 workstations loaded with 2d/3d image programs (its an art school). Before i arrived, the sysadmins in charge had no automation in place whatsoever. Each problem was handled by manually installing and updating windows, followed by the individual installation of each program. This complex setup was often left unfinished and problems would drag on. Lets just say i arrived to a 50% workstation availability situation. I started by building a complete install for each of 5 hardware configurations, to make disk images and copy it over all similar computers. I was harassed to no end because i wasn't "installing the students computers" and was instead locked in an office "doing nothing". After a week of that, and another week of loading images, they now have a situation of 95% workstation availability for one _fifth_ of their previous costs.

Their response? They told the janitor to check if i actually show up to work on the contractually assigned days, because they don't see me "working on the student's computers".

Re:McAfee Zen

[st1d]

Yep, that's annoying. I got to learn the lesson at my first "real" job, working for a small computer shop. We provided systems and support to EDS, as did one of our competitors. They were there every few days "working", while we went in once a month (as per our contract) to make sure things were kosher. At one point, our competitor was trying to cut them a "good deal" for our contract, and questions arose as to why we weren't maintaining the systems "as well as" our competitor.

I learned two important lessons from that situation. One, even if everything's running well, a box of donuts and a few minutes of chit-chat are just as important as (if not more so) than "work". Two, accountants that don't lose data are really reluctant to approve a contract that might affect that situation. :)

Re:McAfee Zen

[Lehk228]

periodically 'down' non critcal things and go fix them. in 2+ printer lab knock one offline right as you go for lunch and come to the rescue by "fixing" it during your lunch (eat lunch then turn it back on)

/BOFH

Saw it coming (sort of)

[martyb]

Just last week, in response to: The Trouble With Software Upgrades I posted a question asking what do you do to protect yourself from automatic updates that go bad... but I got no responses. In light of the current situation, I'd really appreciate hearing some responses, here.

Re:Saw it coming (sort of)

I just find it funny no one has yet to respond.

Re:Saw it coming (sort of)

[tomstdenis]

Rollback the OS.

First, don't have your homedir on your workstation. Then, don't do auto-updates on the file servers.

Then, for your workstations create images of the disks. Don't let users perform upgrades unless they assume the responsibility for the box. Next, test the update on a limited subset of boxes. If it works then roll it out. If by chance you screwed up rollback to images that are stable and perform the safer updates.

Generally this is trivial with a proper OS distribution like freebsd, openbsd, Gentoo, etc.

Tom

Re:Saw it coming (sort of)

[simong]

I don't think there really is a way apart from having verifiable restorable backups of every system prior to patching. I was having a conversation along these lines this morning and the agreed solution was to have an identical test platform and install on that first, allow it to run long enough for any problems to arise and only then implement on a production system. That's the ultra-conservative approach but many years in financial services have shown that that's the only way of being certain.

Re:Saw it coming (sort of)

[xtracto]

what do you do to protect yourself from automatic updates that go bad...

Doh! Turn of automatic updates.

Hehe, kidding aside, seriously that is what I do. I do not do auto upgrades because I find it a bit disturbing that any of my systems installs something else which I have not seen what is it. Granted, sometimes I do not read the Microsoft KB12312412412 patches information but at least I just patch what I believe is worth patching.

However in a big network it may not be trivial to update manually. Although maybe sysadmins should have a script that allow them to distribute and apply the patches after they have reviewed them. If that is not possible then as somebody else wrote, System Restore is your friend or even DAT tapes!

ps. with your PIN number in your ATM Machine :-)!

Re:Saw it coming (sort of)

[st1d]

Auto updates for antivirus software, as others have said, is just asking, no begging, for trouble, because of the risk of false positives. That aside, auto update functions seem wrong on a fundamental level, for a couple reasons.

1) They encourage laziness, forgetfulness, and indifference. You install the program, and it does the rest, and when you actually need to use it manually, you have to learn (relearn) how to do so, typically at the most inconvienient time. For example, how many users/admins can use their antivirus software from the command lineon a normal day, much less when their system is working against them? Also, is testing and a staggered rollout that much freakin' effort?!!

2) Auto update, at least to me, is just another backdoor for anything, be it an attacker or virus, to use to compromise your system/network. 'Nuff said.

Re:Saw it coming (sort of)

[penguinbrat]

Not trying to start a flame war here, but in all honesty this is one of the major reasons I try to use Linux exclusively. I mean, for example, I have a some what high end entertainment system - what ever peice I choose to spend $500+ on - I EXPECT it to work seemlessly with the amp and TV, AND I expect it to work for a few years atleast, if it doesnt I get pissed and will never buy that brand again (Dennon is at the top of my list now).

The same goes for computers the way I look at it, I can either spends hundreds and thousands on software (I'm into graphic/3D design), or get everything for free and try to make do. The difference is that if Im going to spend all that money - it better damn well work and NOT make things worse, especially when I can get the functional equivalent for FREE!!!!

The ironic thing is that the free stuff is a hell of alot more stable, whether this is due to the architecture of the OS or how alot of comercial software these days seem to be released as beta and updated later, cant say - all I know is my shit works. But to answer you original question, I have an extra "project" drive aside from the file server - I store all my working projects and important stuff on it, so if I have to reinstall due to a bad update, or overall crash - that drive doesnt get formated, although I do admit that in this situation it wouldnt have mattered =(

To me it all boils down to the warranty/gaurantee with ANY product. Why would anyone pay $$$ for something when it can totaly hoze up their world and with NO compensation? From what I can tell, you get all the same exact stuff (warranty,support,updates,etc..) with the free stuff as you do with the comercial stuff - they are just obtained in completely different and un-related ways; essentially - the comercial software had better damn well do something I really need and that I can't come close to doing with the free stuff, which fortunately I haven't seen alot of.

Re:Saw it coming (sort of)

[Shadowland]

> That's the ultra-conservative approach but many
> years in financial services have shown that that's
> the only way of being certain.

Obligatory Aliens reference:
Actually, taking off and nuking it from orbit is the only way to be certain.

Re:Saw it coming (sort of)

[apoc.famine]

I only manually update...on friday nights, so I have the weekend to fix anything that breaks...

McAfee's response

[gEvil+(beta)]

Ummm...Whoops?

Good catch

[blueZ3]

I dunno about the rest of that stuff, but the Adobe update manager is a virus in my opinion.

It seems to have "infected" all of Adobe's recent product install CDs. Once it "infects" your computer it displays a popup whenever you open an Adobe app. As far as I can tell, there's no way to shut this off in the latest versions. So I've paid $x00 dollars for Acrobat, and it comes with a virus.

Re:Good catch

[Thaelon]

I mostly only use Adobe Acrobat Reader and I've noticed a trend in it to get more and more bloated, and less and less user friendly as the version numbers get higher. It now takes longer to load, annoys me more by asking me to "upgrade" constantly, it wants to install yahoo toolbar with itself, it adds a freaking add banner to itself mostly directing you to yahoo crap.

Acrobat reader really is tending more toward malware program that just happens to be able to read pdf files. I wish the people who decide to make their products step way outside the sane scope of the product would knock it off. Every time they do it I jump ship or "upgrade" to an older version.

The good thing is it's really easy to put a stop to it: http://www.oldversion.com/

I am now happily using 5.0. I think it's the last streamlined non-annoying version. You can actually turn off update checking. (Amazing!) I consider any program that prohibits me from turning off its automatic updates to have a terminal illness. Meaning I will replace it soon with a program that behaves itself.

To get back off the tangent, I could rant about virus scanners all day. About how futile they are and how little they benefit you and - I guess in this case - how much they can actually hurt you, but I've done it before, however, McAfee has a bigger PR department than I do so it's pretty futile.

Speak with your money. Quit buying virus scanners.

Re:Good catch

[Tweekster]

I found in acrobat you can shut it off. It is sooo much nicer now that it doesnt constantly want to install photo album updates (which i dont even use and dont know how it got installed) and other bullshit... check the preferences. why cant someone port Evince to windows.

Re:Good catch

[john83]

It seems to have "infected" all of Adobe's recent product install CDs. Once it "infects" your computer it displays a popup whenever you open an Adobe app.

I prefer to just let my firewall treat it as a career criminal, and hey presto - no more updates.

Re:Good catch

[Lehk228]

try foxit reader. sometimes it doesn't draw as quickly as acrobat reader but it also doesn't lock your system while it downloads and draws PDF's

Re:Good catch

[SillyKing]

I have removed Adobe Acrobat reader from my systems. In it's place, I use Foxit Reader (http://www.foxitsoftware.com/pdf/rd_intro.php) for reading PDF files. It's a lot faster to load, and I have yet to come across a PDF it can't read.

For creating PDF files, I use PDFCreator (http://sourceforge.net/projects/pdfcreator). It works like Adobe Distiller used to, you create your PDF files by printing to PDFCreator.

Re:Good catch

[Wiz]

You can use this piece of Adobe software:

http://www.adobe.com/support/downloads/detail.jsp? ftpID=2709

To create custom MSTs for Acrobat, which you can use to disable all of the annoying crap. Well, apart from the Yahoo search! I suggest also http://www.appdeploy.com/ can be useful for finding ways to disable stuff in installers.

We lucked out

[PinternetGroper]

Our main system here downloads the DAT updates at 2 AM every day. As of Friday morning, it had downloaded the 4714 files, then downloaded the 4716's on Saturday morning, completely missing the 4715's. It appears we missed a bullet. Good luck to all the sysadmin's out there working on cleaning this up!

Same as with safety belts

[Opportunist]

Every once in a blue moon, some poor person dies because he or she didn't get out of the burning car because of the belt. Then someone will stand up and say "See? I don't use them and if they didn't, they'd live as well. I drive carefully, I don't get into accidents, so I don't need them!"

The problem is, you never know. It's not only foolishness that gets a trojan onto your system. They come with presumably legit software, even from reputable companies. An infected driver CD is all it takes. Shareware CDs or other CDs slapped on magazines, do you think they have a lot of time to make just perfectly sure the programs are clean? A lot of shareware comes bundled with adware, do you read all those EULAs? And do you think they tell the full truth? Can you read through the legalese?

I won't get into system bugs and other exploits.

So yes, you don't really need safety belts. But it sure feels a bit more secure with them.

Re:Same as with safety belts

[cdn-programmer]

Suppose you were driving on an ice road - would you wear a seat belt? I wouldn't! I don't care how safe they say it is there is no way I'll wear a seat belt when driving on ice.

Similarly I am cautious enough that rather than waste my time with anti-virus software - which can only be retroactive - I simply avoid the hasle and use linux.

Computers are so cheap these days that pretty much anyone who uses windows to surf the net is IMHO pretty much an idjot. I routinely instruct the consultants and professionals I hire that they are not to put any of my files on a windows machine that is connected to the net. Of course - I know some ignore me - and I have had confidential technical drawings worth $1000's of bux published on the net! Its pretty bad when the people you hire figure they should charge the client and then give away the clients work... but like I said - a large percentage of people are totally clueless.

I just found the whole issue pretty funny! To be honest I don't even feel sorry for them. Maybe this will cause a few to wake up and smell the coffee eh?

Re:Same as with safety belts

[Stavr0]

Every once in a blue moon, some poor person dies because he or she didn't get out of the burning car because of the belt. Then someone will stand up and say "See? I don't use them and if they didn't, they'd live as well. I drive carefully, I don't get into accidents, so I don't need them!"

No. No no no. This would be similar to say, an airbag deploying (i.e. exploding in your face) when you turn on the radio.

• A security system activates erroneously, there is no real threat present (turn on the radio).
• The activation of the security system results in real damage (to your face).
• The aftermath of the activation will cost a lot of time/money to recover (airbags are expensive to replace).

Compare:

• A security system activates erroneously, there is no real threat present (inocuous files classified as virus/trojan)
• The activation of the security system results in real damage (the files are deleted).
• The aftermath of the activation will cost a lot of time/money to recover (recover/reinstall will waste several hours of your time).

Re:Same as with safety belts

[Ender+Ryan]

Suppose you were driving on an ice road - would you wear a seat belt? I wouldn't! I don't care how safe they say it is there is no way I'll wear a seat belt when driving on ice.

Huh?

Re:Same as with safety belts

Incompetance at its height - in the moderation dept as well!

Re:Same as with safety belts

[pilkul]

The difference is that a seatbeat doesn't harm you, but antivirus software does. As incidents like this clearly show, antivirus software is practically a virus itself. It slows down your computer, it pesters you with popups ("Update to the newest definitions!"), and on rare occasions it deletes your files. It also potentially opens new backdoors on your network: a year or so ago, the Witty worm spread on top of a security flaw in a security program.

Frankly, I'd rather run the risk of being infected by a "real" virus occasionally (the vast majority of which do not delete your files), which I will then have to clean up, than intentionally install a McAfee/Norton-branded virus on my system and run it on a permanent basis.

Re:Same as with safety belts

[locofungus]

Every once in a blue moon, some poor person dies because he or she didn't get out of the burning car because of the belt. Then someone will stand up and say "See? I don't use them and if they didn't, they'd live as well. I drive carefully, I don't get into accidents, so I don't need them!"


However, if wearing a seat belt (using AV) makes you drive less carefully (run arbitrary untrusted executables) then you may not gain anything.

In the UK front seat belts were made compulsory IIRC in 1983. At the same time evidential breath testing was introduced. If you remove the estimated lives saved by having fewer drunk drivers then it appears that front seatbelts killed something like 200 extra people in 1984. Fewer car drivers did die but this was offset by increased cyclist and pedestrian deaths.

Single vehicle loss of control fatalities remains stubbornly at about 20% of all driving fatalities in the UK over multiple decades despite improvements in tyres, brakes and things like SIPS and airbags.

Likewise we hear that users in a corporate environment are more likely to "just run stuff" because the company IT infrastructure will protect them from their actions.

Tim.

Re:Same as with safety belts

[st1d]

Well, here's two perspectives on the OT safety belt issue. First, my uncle was killed wearing a seatbelt back in the early 70's, as the belt held him tight enough to let only his head slip partway out of the rolling 1970 LTD.

Second, this past holiday season, I was running late to work in the morning, and though I had the belt on, I didn't give it a good tug before I left the house. About a 1/4 mile down the road, I hit a patch of ice, overcorrected, hit a large bump at the side of the road, and got ejected. The belt held me just enough that I landed in a crouched position, on my feet.

Then the truck slid over me, pushed me onto the ground completely, and in slow motion, continued on it's way, driving over me with the rear wheel and breaking my pelvis in several places. Two weeks in the hospital, and another month in a wheelchair (much better now, though), and I'm still not sure if the seatbelt helped or hurt me. Had it held, I would have been in the truck when it fell on it's side, and maybe been "hung" out the window like my uncle was. Had I not had it on, I might have been thrown completely free of the truck (into trees or the fence at the side of the road). Anything else, and I'd probably be typing this with a straw in my lips.

So my suggestion is to wear the seatbelt, but make sure it's not latched good! :)

Re:Same as with safety belts

[IcePop456]

The problem with your argument is that the analogy doesn't hold. There are no side effects to wearing the seat belt on daily basis. It was designed, verified (i hope) and installed. It doesn't change and it does not update. Can it break? Sure, but that's that a completely different situation. Can it jam after an accident? Sure. This is why seat belt laws are stupid. Let people evaluate the situation and do what they want. However, if a body flies into my car, expect a lawsuit. You only have the right to kill yourself (in my opinion).

I will never use anit-virus software because it messes with your computer. The performance suffers, it has access to items that can break the machine (obvious example is the main topic). The cost-benefit does not work out for me. A seatbelt does not alter the performance of the vehicle.

I have not used any AV software, ever! I've never had a virus and the last I checked, no spyware either. I treat my computer with care. I don't install random things, I have a pop-up blocker, and I don't open attachments. I have a firewall and I keep windows updated with security patches and I try not to visit questionable websites.

Re:Same as with safety belts

[Fish+(David+Trout)]

Look at it this way:

I trust my own driving skills.

It's the OTHER arseholes out there on the road who I have to share the road with that I DON'T trust.

If you get into your automobile and put on your safety belt and DON'T get into an accident then you've wasted maybe 3 seconds of your life.

But if you get into your automobile and DON'T put on your safety belt and DO get into an accident (due to one or more of the aforementioned arseholes) then you could have wasted your entire life.

Therefore, if you value your life -- as well as the lives of your passengers -- the only prudent choice is to always, ALWAYS wear your safety belt.

Always.

Where should users turn?

[babbling]

When the virus scanners act like viruses, what should users do? This isn't the first time a virus scanner has screwed up, and it probably won't be the last time, either.

Furthermore, a lot of virus scanners have an option to "auto-update". Imagine if an entire company had this option turned on.

Virus scanners have always been a bad solution to the problem of viruses. They don't fix the problem at its root. Instead of ensuring their operating system has no known security holes, users now rely on virus scanners to just catch everything that comes through. Any determined attacker could still just craft a custom virus to attack any host they desire. Since the virus scanner companies wouldn't have come across that particular virus, it wouldn't get picked up.

Would you fix the holes in a boat with sticky tape instead of checking that the boat doesn't have holes before you put it in the water?

Re:Where should users turn?

[hackstraw]

Would you fix the holes in a boat with sticky tape instead of checking that the boat doesn't have holes before you put it in the water?

Would you buy a boat that you know has holes in it, and put it in the water anyway?

Forgive my lack of sympathy for the uninformed, but there are computer systems that are not fundamentally broken and need "anti-virus" tape to fix the holes before putting the computer "in the water".

Re:Where should users turn?

[Cunjo]

I, personally, use anti-virus applications as a back-up measure in the event that something does go wrong, and a new hole in my computer's security is discovered and exploited. Needless to say, my first priority has always been to eliminate the holes to begin with - much better to save the trouble of cleaning up the mess later. Unfortunately, microsoft Windows is so full of holes to begtin with, that even with the most rigorous of patching, you can never be sure that something won't go wrong - that's where a good virus scanner comes in.

McAfee is not a 'good' virus scanner.

Where your security is concerned, using anything with a less then flawless track record is asking for trouble. People who put their faith in McAfee deserved what they got.

Of course, this doesn't change the fact that people need to be more aware of how even the most reliable programs can go sour - there is no substitute for backing up your data, and those who do not back up their data typically learn that the hard way. Some of them don't learn at all.

I, personally, keep redundant back ups of all of my most important data, and also store the primary copy of all my documents and installers on a seperate drive that my Anti-Viris scanner (Avast!) is instructed to not scan. This way, if the system goes down, I don't lose any data, and more than likely will be able to restore access to the majority of it mere minutes after the system is again operational. In the event that Avast! somehow suffered the same error as McAfee did, my data would not have been compromised.

Nothing new

[Sesticulus]

I stopped using them years ago when after installing it deleted everything in my start menu.

Not Bush's Fault, It is Cheney's Fault!

Since he shot the poor developer, while he was working on this patch, right in the face!

Being shot like that is bound to distract you and cause coding errors!

I haven't had any problems

[myth24601]

I use McAfee and My system is working fi

Ye don't always get what ye pays for

[cgenman]

People percieve paid software to be superior to free alternatives because A: nothing could go wrong with paid software and B: if something did go wrong, obviously the company would indemnify / rectify / fix the problem.

Likewise, the perception is that the more expensive the software (and the bigger the box it comes in) the more protection you are afforded. And that the company won't suddenly decide to change direction / stop supporting the software / etc.

Yet time and time again this is shown not to be true. McAfee uninstalls arbitrary files on your computer (how'd that get through testing?) and just tells users to re-install from backup... exactly the kind of calamity the software is supposed to prevent. Part of WinNT5 was found to violate someone's patent, and anyone using that particular (admittedly rare) function had to pony up to the original patent holder or write a workaround.

As far as I can tell, the "little guys" software tends to be better in general than the big boys. Why? Because they're still trying. Before Norton was Symantec, they struggled to create an amazing toolkit of software tweaks that really did some great things. Now that their position is secure, they've hardly updated the suite to even work with XP, let alone taken advantage of the fixes and hacks that smaller houses have found. McAfee, once a nimble little company making a great little product, has been bloating for years. The more developers you add to a project, the less anyone knows about what the system is doing.

A free alternative that has been around for a long time:
AVG Antivirus
There are others. Please post 'em below.

Re:Ye don't always get what ye pays for

[natoochtoniket]

As far as I can tell, the "little guys" software tends to be better in general than the big boys. Why?

Pointy-haired managers and bloated bureaucracies don't develop high quality software. They develop elaborate cost-minimization strategies that maximize buzzwords and increase fiefdoms. In the process, they invariably seem to squash talent and frustrate initiative.

Effective development of high quality software is a difficult art that requires knowledge, talent, commitment and desire. It is done by single developers, or small teams, in environments where talent and initiative are allowed to shine.

Re:Ye don't always get what ye pays for

[GreggBz]

Avast. AVG is fine, but Avast is awsome!
http://www.avast.com/

Re:Ye don't always get what ye pays for

[LittleLebowskiUrbanA]

Hang on and stop trying to sound so wise. If you'd installed Grisoft Free Edition you'd know that it's not licensed for enterprise installations. So your advice is about Grisoft Free Edition is pointless for the sysadmins dealing with Mcafee.

Perhaps you might be thinking of an actually free alternative such as ClamAV? Of course, ClamAV is actually a server-side solution. TrendMicro and Grisoft's enterprise solutions come to mind since you hate big companies so much. Myself, I'm using Symantec Corporate for my Windows boxes and it works just fine.

Re:Ye don't always get what ye pays for

[CuriosityKilledWHAT]

Lots of free alternatives for home users...AVG, Avast, Antivir to name the most popular three. Overall, and on the commercial end, Kaspersky and Nod32 set the standard in effectiveness. KAV's pretty much got the most comprehensive and fastest updating signature sets of any AV software, while Nod32 has an edge in heuristic identification of unknown viruses (and its signatures and response times are quite good as well). Nod32's also noteworthy for it's speed and minimal impact on system resources.

Re:Ye don't always get what ye pays for

Annonymous Coward Mode ON:
Lets just say that at McAfee - Shipping a feature on time matters WAY more than shipping a feature that actually works. Working there I had several hundred dollars worth of bonus taken away because I sent a working update to QA on Friday, rather than the broken update I had on Wed. Night.

The end result is that I need to send QA the broken software on Wed. (so they could start testing it on Monday) so I get my bonus, and fix it sometime after they find the problems that I all ready knew were in there (well, maybe they wouldn't find them and we could have just shipped - don't get me started with that story)

That said - I am forced to use McAfee where I work now, but it is coming off all of my home systems until I am convinced that they have cleaned up their QA practices and put product quality ahead of shipping "On Time".

The real irony here....

[cbiltcliffe]

The real irony is that all the people who are too lazy/stupid/uneducated to update their anti-virus subscription were protected against this.....

Re:The real irony here....

[Syberghost]

Granted, I'm lazy, but I'm not dumb or uneducated, but I have no concept of an "anti-virus subscription".

Couldn't you have just looked at the pricing page for any of the major antivirus vendors, or any of the 163,000 hits on Google for "antivirus subscription" or 6.04 million for "anti-virus subscription" (the top hits of which are about the same) for this answer, instead of flaming the guy?

I mean, yes, you're lazy, but damn, man, it's just Google.

Re:The real irony here....

[KarmaMB84]

There's very few options in a corporate or university environment who want to manage their virus scanners. Most of the "free" scanners dictate that you need to pay if you're in such an environment anyway.

Re:The real irony here....

[hackstraw]

I mean, yes, you're lazy, but damn, man, it's just Google.

My point was that I don't use any computers that need such a thing or to my knowledge, there are even subscription offerings for anti-virus subscriptions.

Currently, I run OS X, Linux, and Solaris, and I have never known anybody that has needed an anti-virus subscription for them.

Am I missing out on the fun?

Re:The real irony here....

[cbiltcliffe]

What an arrogant jackass. I didn't think it was possible for a nose to get so far out of joint, but I've been proven wrong. To answer your questions:

Name me one unlazy, smart, or educated person that pays for an anti-virus subscription?

Anybody who actually has functional anti-virus software that they've paid for, but doesn't just go to Best Buy and buy NAV 2006 to replace their NAV 2005, which doesn't work anymore. Anybody who bought a brand name system with the 90-day NAV or McAfee trial version, but didn't just go to Best Buy and buy the new box version. I've got plenty of customers who've bought subscription updates after their initial purchase expired.

Enlighten me. How much does something like that cost?

http://ca.mcafee.com/root/package.asp?pkgid=100
From McAfee, $42.99 (CAD) for the first year, $36.84 for a renewal.
http://www.symantec.com/home_homeoffice/products/v irus_protection/nav2006/index.html
From Symantec, $29.99US for 1 year renewal, $59.99 for 2 years.

How much of my time does it take to run it?

Depends how big of a piece of shit your computer is, and whether you're intelligent enough to figure out how to use their web store.

What does it give me?

Errr...a subscription to their anti-virus software?

Is this parallel to health insurance for my computer? So I only have to pay a copay of $25 or so for an in-office visit?

No, it gives you updated virus definitions for your computer's immune system. You don't have to pay anything as long as you're not a moron and open every email attachment or install every free dialer program promising FR33 pR0N!
It doesn't guarantee you won't get sick any more than health insurance guarantees you won't get sick.

Granted, I'm lazy, but I'm not dumb or uneducated, but I have no concept of an "anti-virus subscription".

Then you're completely out of touch with the computer world, and shouldn't be allowed to use one.

From your other post:

My point was that I don't use any computers that need such a thing or to my knowledge, there are even subscription offerings for anti-virus subscriptions.
Currently, I run OS X, Linux, and Solaris, and I have never known anybody that has needed an anti-virus subscription for them.
Am I missing out on the fun?

So you run a few systems that aren't known for viruses. Big, hairy-assed deal. If you're even remotely competent in the computer field, you'll know that Windows (remember? 90% of desktops run this crap?) needs anti-virus software, unless in very capable hands. Intentionally choosing to ignore this fact and cop a holier-than-thou attitude just makes you seems like a moronic jackass, which won't win your OS of choice any followers. Not knowing that you can get an anti-virus subscription is marginally excusable, if you don't run Windows, but feigning ignorance of anti-virus software in general, as you really seem to be doing, just makes you look like an incompetent boob.

One more thing: Since you seem incapable of wrapping your pitiful excuse for a brain around this:
...who are too lazy/stupid/uneducated to update...
I'll expand it for you: ...who are too lazy and/or stupid and/or uneducated to update...

Just because you're lazy (admitted by you), doesn't mean you're also stupid and uneducated, and I never claimed that it did.
For your case, though, I should have added an extra adjective: asshole.
Because you certainly seem to be one of those.

Re:The real irony here....

[hackstraw]

Anybody who bought a brand name system with the 90-day NAV or McAfee trial version, but didn't just go to Best Buy and buy the new box version.

OK, I'm still clueless I guess.

I've bought brand name computer systems from HP, Dell, Sun, and Apple. And _none_ of them came with a 90-day NAV or McAfee trial version. I've bought something like 200 or so of these machines, and, again, none of them came with this stuff.

http://ca.mcafee.com/root/package.asp?pkgid=100
From McAfee, $42.99 (CAD) for the first year, $36.84 for a renewal.
http://www.symantec.com/home_homeoffice/products/v irus_protection/nav2006/index.html
From Symantec, $29.99US for 1 year renewal, $59.99 for 2 years.

It seems like not paying the 59.99 option is the best.

Errr...a subscription to their anti-virus software?

And I need that for what?

You don't have to pay anything as long as you're not a moron and open every email attachment or install every free dialer program promising FR33 pR0N!
It doesn't guarantee you won't get sick any more than health insurance guarantees you won't get sick.

OK, so only morons need to buy the stuff, and even then morons can still get their computers "sick". Hmm.

Then you're completely out of touch with the computer world, and shouldn't be allowed to use one.

Thats twice in one week that I've been told that! Three times, and I'm going to look behind me for a tail! The other time was here.

feigning ignorance of anti-virus software in general, as you really seem to be doing, just makes you look like an incompetent boob.

As far as Windows goes, yes, I'm an incompetent boob. I used to be a Windows developer, but I had another incompetent boob take care of the anti-virus stuff for me. I really haven't had the need personally or professionally to use a Windows machine since 2001.

For your case, though, I should have added an extra adjective: asshole.
Because you certainly seem to be one of those.

Ouch. A funny thing is that when I took a personality class from the psychology department, the teacher asked if there were any personalities that were missing from the book. I raised my hand, and said, "Asshole!". That must of been a self-fulfilling prophesy.

Does an anti-virus subscription get rid of assholes?

Re:The real irony here....

[Wavicle]

Name me one unlazy, smart, or educated person that pays for an anti-virus subscription?

I don't use any computers that need such a thing

I run OS X, Linux, and Solaris, and I have never known anybody that has needed an anti-virus subscription for them.

Are you a teenager? One of the psychological milestones accomplished in late adolescence is understanding that the whole world is not just what you see of it. You don't seem to have completely made that separation yet. The fact that you are not a windows user does not correlate with those paying for an anti-virus subscription being somehow incompetent.

Re:The real irony here....

[ummit]

Are you a teenager?

Looks to me like he's a smug user of computing platforms that are actually, inherently, mostly secure.

...those paying for an anti-virus subscription being somehow incompetent.

It seems there are yet a few little boys who dare to say "The Emperor has no clothes" when confronted with the, yes, staggering incompetence with respect to security which is rampant within the mainstream PC world.

1. adopt a platform with no inherent security
2. become utterly dependent on it such that you can neither abandon it nor correct its inherent flaws
3. spend extra time and money on extra, after-the-fact "security" applications which, at best, give you a slight headstart in what's still a footrace between the white hats and the black hats (a race in which the black hats still seem to be holding their own)
4. put up with lost files and more lost time when the "security" software runs amok
5. to make yourself feel better while you're waiting for your backup tapes to read, belittle someone who has the audicity to wash his hands of your chosen platform's sorry problems.

Re:The real irony here....

[cbiltcliffe]

I've bought brand name computer systems from HP, Dell, Sun, and Apple. And _none_ of them came with a 90-day NAV or McAfee trial version. I've bought something like 200 or so of these machines, and, again, none of them came with this stuff.

Well, the Sun and Apple machines have no need for anti-virus software in the current Internet climate, so that makes sense. As far as the Dell and HP stuff, you're obviously not talking about consumer level machines. I haven't seen a Best Buy/Future Shop machine for months without an anti-virus trial, so I'm assuming you're talking about business level machines that are much more customizable that way. And with 200 of them, I sure as hell hope they're not home computers.

http://configure.dell.com/dellstore/config.aspx?c= ca&CS=CADHS1&l=en&OC=OCDIM1100_FEAT_CH11WP6 Search on this page for "Security", and you'll find this machine comes with "McAfee Security Center w/VirusScan, Firewall and Privacy, 90-day trial". Exactly what I'm talking about. This is a Canadian machine. Maybe it's different in the States, but pretty much every home machine you can buy in Canada comes with some 90-day trial anti-virus program.

It seems like not paying the 59.99 option is the best.

In the case of a Sun or Apple machine, yes, you're right. With Windows, it's difficult to get by without it at all.

And I need that for what?

Windows.

OK, so only morons need to buy the stuff, and even then morons can still get their computers "sick". Hmm.

No, more than morons need this stuff. I said in my first post that Windows doesn't need anti-virus software in "very capable hands". I stick by that, even though I indicated that if you're not a moron, you won't get crapware. The problem is, we can all be morons at times. I've had vicious spyware infect my machine before, because I was doing something stupid. It stuck around for a whole 10 minutes, since I saw it being installed on my machine, but the point is, it got there in the first place. I didn't click anything to do it, either. If you ever have a single "stupid moment" while running Windows, you can get crap on your machine, whether it be viruses, spyware, or whatever. Your only saving grace is that you're mainly running Mac and Sun machines.

As far as Windows goes, yes, I'm an incompetent boob.

At least you admit it. :)

I really haven't had the need personally or professionally to use a Windows machine since 2001.

Lucky bastard.

Ouch. A funny thing is that when I took a personality class from the psychology department, the teacher asked if there were any personalities that were missing from the book. I raised my hand, and said, "Asshole!". That must of been a self-fulfilling prophesy.
Does an anti-virus subscription get rid of assholes?

I'm sure there's an asshole virus out there somewhere, so probably, but not in the sense that I meant it. While we're on the subject, this post from you seemed quite reasonable. I may have jumped to conclusions in my last one, but you really did come across as a prick in your post I was responding to.

Re:The real irony here....

[VON-MAN]

It is funny however, how you people respond when someone pretends not to know how things work in the Microsoft world. I'm afraid that, in the end, the joke's still on you. And you do seem to realize this, on some level.

Re:The real irony here....

[rtb61]

Talking about jokes, don't forget a lot of major software companies exclude from their warranties any guarantee for the absence of viruses from their computer programs when they sell them to you.

Is this an example of an anti-virus program picking up dormant viruses in computer programs. Of course the microsoft ones are hardly surprising but shame on you Adobe ;-).

Re:The real irony here....

[hackstraw]

While we're on the subject, this post from you seemed quite reasonable. I may have jumped to conclusions in my last one, but you really did come across as a prick in your post I was responding to.

I'm actually a pretty reasonable guy. I call things how they are, and so that is "controversial" to some. Many times here on /. I post something that gets modded all over the place with "insightful/interesting/flamebait/and troll", and then I continue the discussion like this and get modded up. Look at my post history and some of the troll mods for examples.

The thing that kills me about people (including myself) is how rigid they they are about beliefs in things.

My original post was trying to elicit the feeling of "Hmm, do I really need AV software?" or "Hmm, is Windows to blame here?". I often make semi-ignorant comments about Windows to make people think and question if Windows is really a worthwhile platform considering its numerous flaws. I have answered that question, and I don't believe its worth it. I do realize that many businesses are "stuck" with windows because of 3rd party apps are only available for that platform, but now that Macs run on Intel chips, and semi-native encapsulation or virtualization is right around the corner -- Well, imagine not having to do Windows updates anymore? Imagine having a know working Windows system image in a window on your Mac that is secure enough to run your legacy app until a Mac port is available? Imagine not having to pay for an AV subscription? Imagine not having your paid for AV subscription deleting your files? Imagine again not having to do Windows updates?

And yes, all of my HPs and Dells are servers running Linux. My HPs are primarily Itaniums that kick ass! The Dells are just toy boxes for me to play with. I also have like 400 or so SPARC chips to play with, and other toys. I'm not a slacker when it comes to computing by any stretch of the imagination. Where I work, I don't think anybody really uses Windows anymore. I'm talking about the Windows sysadmins :) I don't interact with them much, and have been pretty much removed from the Windows world for quite some time, but I hear about weekly what MS is going to _not_ include in Vista, and what broken stuff like http://www.live.com/ is coming.

BTW, I'm a pretty big apple "fanboy", but I'm going to downgrade my G5 at home to Panther soon. I'm sick of the bugs in Tiger, and I have things to do with my home computer. I've also been modded as a troll for calling Apple out with their issues here as well. Oh well....

How on earth did this get past QA?

This is really bad for the QA dept. How hard is it to push a dat file through a test lab. It seems to me that a whole lot of red flags would have immediatly flown through the roof.

We stopped using mcAfee in 98 when they, not once, but twice pushed out a dat file that sent the CPU of every workstation to 100%.

Personally, I'm with those that turn of autoscanning and just run a scheduled scan every week or so. Now in a corporate environment where the clueless thrive it's a different story.

McAfee Haiku?

[ursabear]

The files they are gone. It seems McAfee ate them. The backup saved us. or The files they are gone. It seems McAfee ate them. Go home from work now.

Auto update sucks

Some products seem to resist all efforts to disable auto updates. I only use windows for audio mastering and linux for everything else. The box isn't even plugged into my local network 99% of the time. I do that to keep my exposure low. I don't have time to deal with a broken infested PC.

I've turned off every update option I can find but Grisoft AVG still tries to go get updates at times (usually the worst possible time). I have a laptop that I believe was trashed by AVG. Can't uninstall it, etc.

I guess they know best.

OOPS

[ROOK*CA]

"False positives aren't uncommon however, but this is something that should be caught during regression testing. "

Email from the Test Group to Product Marketing:
"Hey when did we announce an uninstaller product?"
Email from Product Marketing to Test Group:
"We didn't"
Email from the Test Group to Product Marketing:
"What are we supposed to do with this then?"
Email from Product Marketing to the Test Group:
"Just Ship the damn thing whatever it is, we're sick of you guys screwing up our ship dates, now go away"

Look out SkyNet

[brix_zx2]

So McAfee finally became self-aware of M$'s flaws. It's only a matter of time till Bill acquires this knowledge to take over the world. "May God have mercy on their souls."

Don't run windows, it's bad ... 'kay?

[elronxenu]

This is yet another reason to not run windows. If you run windows, the system's so insecure that you have to buy third party applications to check it constantly. These third party applications have the ability to run rampant through your files, destroying critical data without oversight.

Seriously, who thought this was a good idea, to configure these programs to automatically delete system files? There is always a chance of a false positive - identification of a file which does not contain malware. Are viruses so common in the windows world that it's not worth a human's time to confirm detection before files are altered?

And why, oh why, is it necessary to maintain huge lists of virus signatures? If windows kept a list of the correct md5sums of the system files it would become a trivial task to verify the integrity of those files. One would not need a daily update of virus signatures. Can I cynically suggest that the need for constant update gives the anti-virus companies a permanent revenue stream? And what does Microsoft get out of the flood of windows viruses?

Here's a way that Microsoft could design windows to be virus-resistant: designate certain files (system DLLs, EXEs etc) as change-limited. Provide an API into the kernel to permit those files to be changed by windows update software (only when the replacement file is signed by a trusted key). Maintain a file containing the md5sums of all change-limited files. This file would be modifiable only by the kernel.

In this scenario any virus wouldn't get a chance to corrupt system files because it wouldn't have a correctly signed replacement. And even if it did get to corrupt a system file, it would be trivially detected because the md5sum of the corrupted file wouldn't match the expected md5sum. In order for an infection to occur and be undetected the virus would need to work around the kernel file change API and alter both system file(s) and the md5sums file.

This scheme can be implemented for vendor software too. Windows needs some kind of database of installed software. Does it not have one already? (checks system clock: yep, it's 2006). Red Hat had RPM and the installed software database since 1995. That's 11 years ago, and Red Hat were probably not the first to hit upon the idea of a centralised list of all software installed on a computer.

Re:Don't run windows, it's bad ... 'kay?

"If you run windows, the system's so insecure that you have to buy third party applications to check it constantly"

That's balony. I do not run a virus-scanner, and I still have no problems whatsoever. Ofcourse, I have closed certain hay-doors into my system by disabeling certain programs (or by simply not letting whomever installing them on my machine :-) )

"Here's a way that Microsoft could design windows to be virus-resistant : [description]"

I'm sorry ? who's computer is it ? And yes, that means that I want to be able to replace system-files at will, and not only when I get permission after filing my request in three-fold.

The idea allone that someone would tell me what, how & when I can install stuff onto my machine. :-(

Re:Don't run windows, it's bad ... 'kay?

[cloudmaster]

If the user can write/change files, a program can write/change files. Sure, making the user authenticate helps some, but all a malicious program has to do is monitor the keyboard when the password dialog's focused, or probably even easier, prompt the user for their admin pasword at install time. Users are so used to having to grant admin access (if they're not already running as admin) that any level of software restriction is probably pretty useless...

Of course, that doesn't mean that M shoudl leave the damned door hanging wide open like they have, either. :)

Re:Don't run windows, it's bad ... 'kay?

[elronxenu]

If the user can write/change files, a program can write/change files.

You missed my point - in a scenario where the kernel prevents certain files from being changed (unless the replacement file is verified by some cryptographic mechanism), neither the user nor a program can write or change certain files at will.

So no "admin password" will be necessary, and thus there's nothing for a trojan horse to scan.

The idea is that the windows kernel should limit modification of windows system files to only those files which are crypto-signed by MSFT (or another trusted key which you permit).

Re:Don't run windows, it's bad ... 'kay?

[elronxenu]

That's balony. I do not run a virus-scanner, and I still have no problems whatsoever.

That covers maybe 1% of windows users. The other 99% are composed of two groups: corporate desktops and others who run anti-virus software and botnets. Pretty much every corporate windows installation runs anti-virus code. Why? Because they believe the chance of infection is unacceptably high without it.

I'm sorry ? who's computer is it ?

You run windows, you already lost to Microsoft. Sorry.

And yes, that means that I want to be able to replace system-files at will, and not only when I get permission after filing my request in three-fold.

This attitude is dangerous to you. If you can do it, a piece of malware can do it. Are you likely to want to replace CMD.EXE? If not, why do you want to make it easy for malware to do it?

Anyway, you miss the point. The point is to get away from this endless arms race of having to get the latest anti-virus definitions. A simple verification process to ensure that system files are checked against what they should contain, rather than what they should not contain will go a long way toward that. A kernel-enforced process for upgrading certain system files will help to avoid those files becoming infected in the first place.

Announce.

[leuk_he]

For a announce you need mc-disaster. In annouces regually it found a virus, or sometime just announces the fact that there are dangerous viri on the web.

If it really found a virus is very well discusable. It gives a warning once in a while that some webpage might contain a virus, or some bounced message with an attachment might be a virus.

Anyway, mc-disaster is not the program that saves me time keeping my system clean. It only costs me time. In the short time i ran it in the past it costed me more time than all the combined viursses i have seen. (not that many)

Ethereal too?

[OrangeDoor]

Just noticed the screenshot on the McAfee page for W95/CTX. It shows some dlls from the Ethereal program as being infected. Of course those files are in their complete list of affected files, which comes in a convenient easily accesible PDF file as all the most important documents on the web should. It's 7 pages long, but an amusing list to skim through.

Who uses Ethereal and McAfee? Just found that funny/ironic on some levels.

Re:Ethereal too?

[ptegan]

I use Ethereal and Mcafee and have both installed on about 300 servers all of which are being worked on by a team of 2 (me and Tom) to try and figure out a way out of this fup-up. Every machine has about 350 files (mostly .exe) in the C:\QUARANTINE\ folder and no way of putting them back where they belong via Mcafee !

Re:Ethereal too?

[OrangeDoor]

Maybe I can help. My AIM is in my info. If no AIM installed, try meebo.com .

Thank God!

[DoctorPepper]

I don't use Windows! :-)

Feeling pretty good

[dtfinch]

I don't use antivirus software, at least for anything more than manual scanning, but for reasons other than this. Antivirus makes Windows slow and unstable, sort of like some malware does, except it does it all the time.

I don't get viruses and other malware, because I don't manually install viruses and other malware. People who do need antivirus software.

Re:Hahahahaha

[DextroShadow]

Hey Tom, Stop sending me bulletins in my mysp, hey wth, c:\ntldr.... a virus? *lost carrier*

the difference

[Ender+Ryan]

The difference being, seatbelts have saved my life, but I've never used AV software and have (almost) never had a virus. I don't connect windows boxes directly to the Internets, don't use IE, and just generally don't install anything that I don't know enough about to feel it's safe.

IMO, AV software is malware itself. It interferes with the normal operation of the system in order to "protect" it. The simple fact is, users should never execute code that might be malicious, and the system shouldn't execute any arbitrary code.

AV software just lulls people into a false sense of security. Plain and simple, it doesn't even work. Most of the virus-infected windows machines I've seen have had up-to-date copies of a major AV package. It's the users, and the general lack of proper security of the systems -- well, that's a very simplistic view.

Honestly, and obviously, I don't know what the answer is. AV software, in its current form, is simply not it though. Trusted computing? Perhaps if TC was designed around users' needs, instead of greedy vendors.

Software Wars

[Godji]

[deep bass voice]It's a world where companies wage a security suite war on other companies. The battlefield is your own desktop. Imagine Mysantec's antivirus attempting to delete Facamee's antivirus, before being both obliterated by Sicromoft's security solution still in beta. Wouldn't it be fun to watch as your CPU cycles get all pulled into the fight, with rampant defense software running around your RAM and filesystem, killing each other out, filling your desktop space, and celebrating victory with funny alerts, baloons, dialogs, pop-ups, windows, and what not, all reaching for you attention? Ah, talk about an exciting desktop! (And really, what could be more boring that a computer that just works and leaves you with nothing to do except to work with it?)
[special effects]
In the ensuing destruction and chaos, nothing remains alive but two things: the memory of your once existing data, and an unidentified hideous sneaky polar bird determined to show you of an alternate dimension of reliability and freedom...
[epic music]
Coming soon, on your desktop: RealityArts presents: THE SOFTWARE WARS, EPISODE 442.75
[/deep bass voice]

CTX undo file

[n3m0-kn0z3]

I just got off McAfee tech support line. They have an undo script to unquarantine incorrectly identified files. Since the file is not publically available from their site, I have uploaded it here: ctxundo.zip

Re:CTX undo file

[ptegan]

Many, many thanks. I can't believe that it hasn't been put on their site and the office in France that I called didn't know such a script existed.

Re:CTX undo file

[stry_cat]

Who in their right mind is going to download and run a script off of an unknown website? I'm sure you're trying to help, but no one should do this. Otherwise they'll need more than just McAfee to fix their computer.

McAfee Plague

[ShadowNetworks]

This incident only goes to show that any file manipulation program (even the essentials like anti-virus and spy-ware/ad-ware removers) can have a profound effect on one's personal files. ALWAYS BACKUP. Even if you trust your media, you'll probably get attacked from within (hackers and now your own software).

Anyone remember Microsoft Anti-Spyware removing Norton? Anyone remember IRC commands such as "startkeylogger" booting systems from the internet running Symantec?

No one's perfect, even the software programmers. And as he laid down in a vicous wrath... the software they trusted most deleted their most precious files. Welcome to Monday everyone.

Re:McAfee Plague

[BobVH]

"Only wimps use tape backup: _real_ men just upload their important stuff on ftp, and let the rest of the world mirror it ;)"
-Linus Torvalds

Advice for corporate users

[futuresheep]

This is exactly why I force all my clients to update their DAT's from MY server, not McAfee's, and I push the updates out, the clients never pull them. Along with that, I always wait three to four days before pushing the updates out. Even if you don't use the full McAfee Epolicy Orchestrator, you can still configure the clients to point to an ftp server on your network for updates. Just like with MS patches, it's simply prudent to wait a few days just in case there's any issues like this that may arise.

I'm not excusing McAfee here, but there are ways that we, as admins can minimize the risk to our users and our network.

Re:Advice for corporate users

[discovercomics]

So all your users are using dat files that are several days old? This just means that they have 3 extra days of vulnerability.

Re:Advice for corporate users

[Slashcrap]

Along with that, I always wait three to four days before pushing the updates out.

Doesn't it cost a lot to educate your users to not download viruses that are less than four days old?

Why don't you just educate them to not download viruses at all? Then you could do without the Anti-virus. You pretty much are anyway.

Re:Advice for corporate users

"McAfee Epolicy Orchestrator"

with a name like that, you trusted your data to it ?

Re:Advice for corporate users

[stevie-boy]

This is exactly why I force all my clients to update their DAT's from MY server, not McAfee's

I remember a few years ago when all of our NT4 machines downloaded a corrupt CrapAfee DAT from a local mirror, and refused to boot up.

That was great fun, visiting every machine armed with an NTFS capable boot disk to manually remove the bogus DAT file, before reinstalling the antivirus...

Re:Advice for corporate users

[0xA]

So all your users are using dat files that are several days old? This just means that they have 3 extra days of vulnerability.

I do the same thing, you have to weigh the potential of a bad update screwing you over versus that extra couple days. There isn't an easy answer, sometimes I'll push an update right away. Virus defs, windows updates whatever, you have to evaluate them all on a case by case basis.

It wastes a lot of time sure but after I got screwed over by a Windows update a few years ago I'm very careful with this stuff.

Re:Advice for corporate users

[futuresheep]

1) You can educate users as much as you want about how to avoid viruses, they'll still get them if they really try. They're users after all.
2) The number of viruses that actually are that serious a threat are next to zero. Have you ever bothered to look at the release files to see what the daily updates actually cover? If you did, did you bother checking what they were and the criticallity of the viruses listed? Do you know how many viruses are listed in the readme for the latest McAfee DAT?
3) Anyone that relies soley on a single AV solution is a fool anyway. Virus protection should be layered on any network and is on mine. AV software on the desktop should be the last stop. We use postfix+spamassassin+amavisd to scan mail before it hits our mail server. Our firewall scans anything incoming before it gets to the desktop. Our desktop software is only there as a last bastion and does it's job well, because there's not much that gets there. None of the systems are perfect on their own, as a team, they work very well.

So do I feel safe? Yes, I haven't had a virus issue inside my network for years. I see shitloads of them getting cleaned when I look at my logfiles though. Does it bother me that I wait a three or four days to deploy DAT files? Not at all, because it's not the only way I protect my users.

Actually..

[Khyber]

It's not that hard to know if your system is infected by a virus. Usually your system's performance just drops like a rock, or, in the cases of some old DOS-based viruses, they'd actually let you know you were infected. Remember the Stoned virus? :) "Oh my god, I am soooooo stoned...."

Re:Actually..

[PFI_Optix]

I got concerned a couple of weeks ago because my network performance ground to a halt. I thought I had a some malware/spyware eating my bandwidth. Ran four different scans, found nothing. Turns out a P2P application had gone berserk and needed to be reinstalled.

GoBack and Ghost

[samalone]

Well, recently I installed two Symantec products that _claim_ to be able to restore the system to a previous state. I haven't had the opportunity to really test either one of them yet, but I do feel a bit safer.

The first product is Norton GoBack, which reserves a certain percentage of hard disk space to maintain an undo history for your hard drive. Theoretically, if you have a bad software install or update, you can simply revert your hard disk to its state before the update. There might be issues with user documents created in that time getting reverted as well, but as long as you were careful you should be able to copy those files to another disk, revert the disk with the problem, and copy the files back. (There may also be built-in support for excluding certain files from being reverted -- I haven't checked.) You'd also need to notice the problem before GoBack's undo buffer got full and started forgetting things.

The second product is Symantec Ghost, which is a backup and disk cloning utility. You can set up Ghost to perform an incremental backup before any software installation. I have mine set up to backup the system disk to another drive before each install. At my company we use EMC Retrospect for network backups, but Retrospect is not really good for restoring a system disk to a bootable state. From what I've heard, Ghost should be able to do this smoothly.

Re:GoBack and Ghost

[martyb]

Thanks for the info. I have not tried GoBack, but do have some experience with Norton Ghost. After my Dad's PC got infested with malware, and we finally got it cleaned up, I picked up a copy of ghost and an extra hard drive and periodically backed up his entire disk.

But this solution is not ideal. I'm cautious about installing new software on my PC, but once in a great while, I find something is broken and it could have happened weeks/months ago. Everything seemed to be okay (at the time), but then I discover that it is not. For example, I can no longer write to my CD drive. The last time I tried, successfully, was 2 months ago, and then had a period where I did not try to write anything to CD. (I've got a spare 300GB USB Maxtor Onetouch drive on which I do my backups).

So, now, I need to be able to backtrack:

1. Find out which one of the umpteen applications I've installed since then caused the problem.
2. Back out just that one application.

If I were to roll back my entire system to where it was 2 months ago (say using a Ghost image), I'd still have a boat load of applications to re-install, program defaults to establish, and the like. :/

In my original post Rolling back - what do YOU do? I suggested it would be helpful if there were a log, in human-readable form, which listed all things that are Created, Read, Updated, or Deleted. That, in concert with SysInternals Filemon, Regmon, and Process Monitors, I can find out what's going wrong NOW, and identify which application bolixed things up. Then, using Windows' Add/Remove programs, I should be able to yank just THAT application.

Does anyone have a file logging tool like this for windows? If so, what has your real-world experience been with it? After this McAfee fiasco, I'm not interested in marketing fluff and instead want info from "down in the trenches!"

So, again I ask: how do you backtrack?

Re:GoBack and Ghost

[samalone]

In my original post Rolling back - what do YOU do? I suggested it would be helpful if there were a log, in human-readable form, which listed all things that are Created, Read, Updated, or Deleted.

The Advanced Disk Drive Restore screen of GoBack provides exactly such a log. The log lists, with timestamps, every file created, modified, replaced, renamed or deleted, every directory created, and every process launched. It also lists "System Safe Points" that it believes your disk could safely be reverted to.

Even if you didn't use the restore capability, the log might be worthwhile on its own.

They are doing a great job!

[slashname3]

Actually it sounds like they are doing a great job. They finally targetted the biggest virus of them all, Windows. Maybe this is the start of something really good. Finally the Windows virus is being actively targetted.

Re: AVG as a solution

[WebbedPete]

What makes you think AVG is any safer?

ALL software requires occasional updates. ALL software can contain bugs. And ALL programmers can mess up. Even with a great QA team.

To me, this whole situation is a great lesson in humility.

According to McAfee, they:
* Use both heuristics and more-specific signatures to find the bad guys. (Heuristics catch about 40%, signatures about 60%, IIRC)
* Have a worldwide team of F/T engineers that work on detection/signatures/etc
* Have a big enough customer base so the cost is spread widely.

So: in what way is AVG (or any other security software system) superior?

Keeping computers safe from increasingly smart malware is an ongoing battle. It's unwise to get uppity about how "MY system can't possibly have that problem!"

I still think McAfee has a Really Good Methodology. But as long as we live on this planet, Murphy rules.

Easier solution

[beantherio]

Just update your virusses and you will be safe. Errr...

it's about time...

someone released a virus to fix the scanner...

Oh Lucky Me!

[blueZhift]

Heh heh! I just dumped all of the McAfee stuff on my daughter's laptop last Friday in favor of another AV package. I guess sometimes it just pays to be lucky! In light of recent news about McAfee's financial state (flat) and the employee data leak, this cannot be good news for them at all.

Opps, they did it again!!!

As some people may remember, long time ago they also released a defective DAT that cause the antivirus to consume near 100% of processor resources as soon the machine load the OS. Version 4 if not mistaken. That was the reason for us to move from them to Norton. How many more times we will allow them to do this kind of things? Does anybody there got fired or beheaded?

Ed.

A tool for media giants

[JasonEngel]

Comcast gives away McAfee AV for free to customers, so I tried it out. The only time it ever caught anything at all was a false-positive. Complete file system scans never ever turned up anything. However, if I opened a folder with a file in it called SetupDVDDecrypter_3.5.4.0.exe in it, McAfee would call it a virus and delete it. Didn't matter which version of the installer actually, it would delete it. Didn't matter if the AV program was configured to only quarantine suspect files, it would delete it. Didn't matter if I made an empty text file then renamed it to SetupDVDDecrypter_3.5.4.0.exe, McAfee AV would delete it. If I renamed the installer to something else, McAfee AV did nothing.

Pretty obvious to me that it was just waiting to find files that media companies didn't like people to have on their own private property so I'm guessing that they must have gotten McAfee to agree to do their dirty work for them and call stuff they don't like a virus and automatically delete the file regardless of settings.

But that's just my conspiracy theory.

Re:A tool for media giants

[Esion+Modnar]

find files that media companies didn't like people to have on their own private property

The problem is that media companies often treat other people's private property as if it were their own. It's a real attitude problem.

Re:A tool for media giants

[jratcliffe]

Looks like there may be a reason for this behavior. That package hasn't been available from its creators for nearly a year, and it seems (as indicated by this site) that there may be versions of the installer floating around that have had trojans attached to them...

Re:A tool for media giants

[ArtStone]

The original post pointed out that it *deletes* the file even if the scanner is configured to only quarentine suspect files. And if the motive was to detect trojans, wouldn't it look for the signature of the modified trojan code, not just delete solely based on a file name?

Something smells fishy

If this guy had all these files deleted shouldn't he be doing work right now instead of having time to post to Slashdot? My files are all here otherwise I would be busy recovering, not posting.

Re: AVG as a solution

[OrangeDoor]

It's unwise to get uppity about how "MY system can't possibly have that problem!" Where did I get uppity? I stated that there might be bugs in any program, though I'd make the case that security software should be held to higher standards because of the risk of bugs having greater consequences.

AVG is superior because it detects infected files and removes them, and is simple to set up, update, and remove. Have you used the latest McAfee offerings for personal computers? Serious pain in the butt, especially if you "upgrade" or start with their on-line version.

I speak almost exclusively from experience. I haven't looked through the business methodologies of the companies, I haven't looked through their code (nor would I know what to look for even if I could). I fix computers, a lot of them. And many times I've had to fix computers that would have been fine had they not been running McAfee's or Norton's A-V/security software, and instead been running AVG or other non-free ones like Kaspersky, Trend Micro, Pandasoft, AntiVir... ). I've never had complaints about AVG. Does it keep computers safer? I think so, because it works... The only times I see it get out of date is when somebodies internet isn't working. McAfee I see out of date all the time because it expires, or was never registered when somebody bought a computer with it. And the computers that I see infected... a few didn't have A/V installed, but the vast majority either had Norton or McAfee installed and either expired or broken.

The only reason McAfee has such a large customer base is because their software is bundled with so many computers and they are a name brand. It's not because they keep computers safer from viruses than their competitors.

I don't know exactly how much you're defending McAfee. You're right about the risk of Malware though. It's more significant than viral risks, and all this A/V software doesn't do anything against it. And some malware is designed to compromise A/V software and usher in viruses.

Anti-virus as virus? Yeah, I knew that already.

[Whumpsnatz]

On an old WinME laptop, the only virus I ever had on it was Norton AntiVirus.

I worked on a consulting job two years ago, and they told me I could use my own PC. No problem - except that, when I got there, they wanted to check it for virii. In an XP world, I was running Windows ME. So they loaded up Norton on my machine, and ran it for about 3 hours.

Result? Nothing. No junk of any kind. Completely clean.

Why? It helped that I had the free version of Zone Alarm, and the firewall on my DSL router definitely helped, but I think the biggest reason I had no problems was

- Mozilla instead of IE
- Eudora instead of Outlook.

Completely clean, that is, except for the antivirus. That monster kept interrupting my work. It took a great deal of effort to get the beast out of my system.

New school excuse

[Spy+der+Mann]

My antivirus ate my homework :(

Re:New school excuse

[Meph_the_Balrog]

funniest slashdot comment _EVER_ =)

McAfee Anti-Virus is a PoS

[eyegone]

I get it free from Comcast, so I installed it on my wife's Windows XP machine. Believe it or not, I have to log in as an Administrator every night, so it can update itself. That's right, a "security" product that can't even handle a non-administrative user properly.

Re:McAfee Anti-Virus is a PoS

[Colonel+Angus]

Symantec is the same.

We use Symantec here and there are a lot of satellite sites that don't log into our domain (libraries, highways stations, etc.) and just use their existing connections to check e-mail and such.

For each new system we put in one of these external operations we have to run a registry patch to allow a regular user to run LiveUpdate. Otherwise, only administrators are able to keep the system up to date.

Comical recovery instructions from McAfee

Even better are McAfee's instructions for how to recover from the damage their product has done. The first option is to restore the files from quarantine, assuming your version of McAfee actually lets you do this (not all, including the corporate version, have this option). The second is to use Windows System Restore.

This probably would have worked great on my machine if it weren't for the fact that half of the files McAfee quarantined were *System Restore files*.

Apparently McAfee hasn't heard of a novel concept called "testing". (I like how they've posted a list on their website of the false positive files, now 7 pages long and still woefully incomplete; they ought to just admit it's going to take a random assortment of exes and dlls on any machine.)

Combine this with the fact that the default settings on a McAfee install are to quarantine without prompting, and IMHO McAfee is the most dangerous virus I've ever had on my machine.

Re:Comical recovery instructions from McAfee

Combine this with the fact that the default settings on a McAfee install are to quarantine without prompting, and IMHO McAfee is the most dangerous virus I've ever had on my machine.

My university distributes VirusScan Enterprise 8 to all students, and I was quite shocked to discover the lack of a "Warn me and do nothing" option. When I a virus is detected, I can set it to "Delete files automatically" "Clean files automatically" "Move files to a folder" or "Deny access to files"... What happens when I want to do none of the above?

Re:Comical recovery instructions from McAfee

[EDOX25]

So this is why Comcast is giving away McAfee Anti-Virus for free. So glad I am using something else at the moment.

Re:Comical recovery instructions from McAfee

[frank_adrian314159]

Apparently McAfee hasn't heard of a novel concept called "testing".

Well, it's no surprise, given how they treat their employees there. They are in a continual state of hiring "alert". Even worse than Symantec. So they lose a few, get a couple of cheap guys who aren't as diligent about testing and... Blammo! Instant chaos. Anyone who buys McAfee gets what they deserve...

Re:Comical recovery instructions from McAfee

[Thuktun]

All this mess reminds me of when I installed a brand-spanking new copy of McAfee VirusScan 2002 on a machine that had Outlook Express. After a few days of using the two together, some pattern in the mailbox files must have triggered VirusScan, and it deleted all the mailbox files. To test this, I left it in this configuration a while longer and it happened again. That was the point I left McAfee for Norton.

It sounds like their testing is still questionable.

last straw for McAfee? Unlikely.

[Gary+W.+Longsine]

They have previously survived other blows. I recall that one problem with signature files led some systems to blue screen a year or two ago, but I can't locate the story online. The source CNet article even says that they normally see a false positive about once a quarter. The other vendors suffer false positives, too, as any signature or heuristics based detection method will do.

Beware of Fridays

[Nom+du+Keyboard]

Always beware of any software updates released on a Friday. If there's a problem, much of the damage will be done before anyone returns on Monday.

get norton

[panic911]

Geez, don't they have any QA testing that they put their definitions through before deploying it to the mass population? There must be several large companies that are "protected" by McAffee, and certain companies will sue in a heartbeat if they had several important documents wiped out. They're going to lose a lot of customers, too. I've used norton anti-virus for a few years now and I haven't even had one file get corrupt from them.

Re:get norton

[RazzleDazzle]

If you have important files you are worried about losing you should have backups, especially if you are a large company.

Norton sucks pretty badly too. We just switched from Norton corp. to Norman AV and it caught TONS of shit Norton had not caught, including some Klez variants. Also, Norman has filters for what they call "aggressive commercials" which is also quite nice.

Nobody is perfect though of course.

GoBack - Poor reviews?

[martyb]

The logging information is just what I was looking for! But a quick search for it on the 'net revealed: this page. Some users lost the contents of their hard disk just by INSTALLING it! (YIKES!) Any other suggestions?

$sys$SafeFile.txt

That's the only file that McAfee DIDN'T delete on my system!

McAfee

To such Operating System, the deserved AntiVirus protection.
In any case Norton and McAfee were from the beginning too intrusive and rebel applications, I never liked the idea that one application will take the charge in changing, blocking, or deleting files and programs without having to first ask/prompt me.
In my opinion this should be a standard to any "protection" application.

Plus... didn't Symantec made nice and admitted they were using rootkits? brrrrr...

And on the third and last thought, I read somewhere someone post: With each virus popping up, the McAfee and Symantec's shares prices are jumping (with joy) as well...

Keep your money for something more useful, efficient or pleasant folks...

In soviet russia

[h2g2bob]

Antivirus deletes YOU!!

AVG Free did the same thing to me a few months ago

No, I'm not trolling. Search the discussion forums on their site. (I'd do it but I've not had coffee yet.)

True, they put out an update later that same day but it still ruined my entire day. (Gigabytes of info had been quarantined. I thought my computer had been owned.)

Self-Detecting?

McAfee's complete list of files includes FrameworkService.exe... which is part of the McAfee suite (Enterprise Policy Orchestrator, I believe). I guess they got one thing right when they started detecting their own software as infected!

Thank God I can now rest easy!

I can imagine the meeting now...

[Obi-w00t]

[Team Leader]: So Steve is new here so, Bob, why don't you show him a simple virus definition for one of these low-priority viruses?
[Bob]: Sure. This virus is low-threat but can masquarade as numerous file names so why don't you just look for a common pattern and write a REGEXP function?
[Steve]: Sure.
[Bob]: You know how to write regular expressions, right?
[Steve]: Yeah, sure, the one's with the asterisks.
[Bob]: Erm, yeah. I'll leave you to it. Just send it to the database so it can get filed in the next update.
[Steve]: OK, see you later.
*Looks around nervously. Briefly glances at long list of file names then timidly enters:*

*.EXE

Re:I can imagine the meeting now...

That's not a regular expression, that's a glob. The corresponding regular expression would be '.*[.]EXE$'

Re:I can imagine the meeting now...

[Obi-w00t]

That's why Steve gave a strange answer to the question "You know how to write regular expressions, right?" The idea I was trying to project was that Steve, in fact, did not know regular expressions. In fact he barely knew how to use a computer.

Seems to hate Cygwin

[creativity]

Add TcL, OpenGL, Xwin and Xterm, plus most Cygwin files, that McAfee seems to hate. Only solution I have found if you are using McAfee 7.1 enterprise is windows system restore.

Re:Anti-virus as virus? Yeah, I knew that already.

[PitaBred]

Ugh... you could stand using WinME? At least XP has some decent wireless settings options, and you can kill a lot of services to make it run about as fast as 2000 in about as much RAM.

Whew! they're still there...

[chivo243]

I just checked the server, all .xls are where they belong.... I manage the ePO... server13 too in case anyone is curious. It's an inherited POC. Nuff said.

Hey NIX freaks

[AmISure]

If you will read the bottom of the linked article for "fixing" the problem you will find. . . that this also affect linux machines running this crap!

Re:last straw for McAfee? Unlikely.

[BigCheese]

My favorite was a few years ago it was getting a false positive on the program I was working on. It deleted the .exe right after it linked. It was very annoying.

Is this the whole story?

[KlomDark]

We've got McAfee where we work, and we found that it was quarantining every file opened on the system for the most part. All kinds of .cs and .aspx files were disappearing. Finally found them in the quarantine after wondering if we had gone insane.

Re: AVG as a solution

[WebbedPete]

Where did I get uppity?

My concern about "uppity" perspectives was directed in general at the idea that some software or methodologies are immune, which many people in this thread have implead.

AVG is superior because it detects infected files and removes them, and is simple to set up, update, and remove. Have you used the latest McAfee offerings for personal computers? Serious pain in the butt, especially if you "upgrade" or start with their on-line version.

Yes, we've evaluated many, and chose (and have used worldwide for several years) McAfee's enterprise-directed "Managed" tools. It's certainly better than McAfee's free-with-PC or cheap-in-a-box versions. (In fact, we advise clients to ignore whatever comes free, and use this. We (a network of IT professional volunteers) picked this to take care of NGO leaders internationally, who are typically clueless about viruses and such. Yet, it serves very nicely for many other environments.

Actually, it's much nicer than anything else we've seen, including AVG and several others. ~Zero or one-click install (zero=push), outsourced policy-based admin (no server s/w to learn/install/maintain), auto-updates, auto-configures on LAN for efficient bandwidth use, one-click enterprisewide summary (no config needed), incorporates anti-malware, blah blah blah.

The only reason McAfee has such a large customer base is...not because they keep computers safer from viruses than their competitors.

In our experience (with the managed solution), ease of install/use/management translates in practical terms to safer computers: we've seen (real-world results) that many admins never bother to fully configure competitive AV management systems, and thus their users can be left on their own.

If we assume (BIG assumption I know) that most Good AV systems will protect from viruses when properly set up and used, then the difference comes down to how well they are implemented and maintained in the real world. That's where we see huge variation among vendors... ease of install/use/admin, support availability (guess which major vendor's "phone support" is only available if you speak Czech!), etc.

My bottom line: AV and AM (AntiMalware) are more important than many people think. If you have lots of time, and are careful, free (i.e. not updated) tools can be helpful. But most people need a paid service, that reliably stays up to date, and that (in practical terms) can and will be fully implemented and properly monitored.

Blaming the victim isn't acceptable.

[jbn-o]

I'd say proprietary software, regardless of its ostensible purpose, "is just another backdoor for anything, be it an attacker or virus, to use to compromise your system/network". No matter how expert you are, you might never know what it does because you are not allowed to learn more. Proprietary programs can do plenty of things you don't want them to do and those bad things can happen without you knowing about the bad things they do. You're denied any opportunity to learn what proprietary software does, to change the program to do something better, or to help others by sharing the improved program with your community. This occurs regardless of how one acquires the proprietary software.

I disagree with blaming the victim for not knowing how their computer works--nobody is "asking" or "begging" for trouble. Users shouldn't have to know what's going on in a technical sense if they don't want to know, even though there are horrible consequences of not knowing (ignorance is never advisable, but people should be free to make that choice). Forbidding people any opportunity to know more is anti-social; it holds people helpless to help themselves or others and leaves them dependant on a master who doesn't have their best interests in mind. Switching to another proprietor (as some in this /. thread have suggested) is no solution because that is just switching from one master to another. What's needed is freedom.

Dilbert

[the+eric+conspiracy]

There was a Dilbert cartoon that closely models this.

Dilbert - We can't ship this new backup program, it has too many bugs.
Marketing - What bugs?
Dilbert - It deletes all of your files. If you are on a network it deletes all of the files on the other networked computers. If you have a sound card it curses at you.
Marketing - We will call it Quick Protect and fix the bugs in an upgrade called Quick Protect Pro.

Interesting vector

oofs available for checksums...

Think about the potential here... verrrrrry interesting indeed.

Re:Well... Monday is here

[MerlynEmrys67]

What were you expecting
Market down insignificatly
MFE down less than 1%
SYMC down less than 1%
Yeah - this looks like a fatal blow to McAfee. This will set them back almost as much as Trend Micro's screwup last year.

So what were you expecting ?

To users who let AV delete their files

[c.gerritsen]

Users who configured McAfee to delete files are left with using backups

I hope anyone who sets up their virus scanner to delete files automatically really trusts their antivirus program. In this case, it looks like that trust was misplaced.

I have never let any program with an option to delete my files without asking me do so.

Suggested Alternate Software

[sedentarygecko]

http://www.kaspersky.com/ Not only does it have a small footprint in memory, it's been very effective for me. The Malware dictionary is also an interesting read. [I'm not paid for this endorsement.]

Avast

[sallgeud]

I moved to Avast! at home. It's free for non-commercial use and was named the best Anti-Virus on the market by SC Magazine. All that marketing jazz aside... I like the program quite a bit, as it also adds a simple-to-use interface for recovering from problems. Trend Micro has slightly faster response times to viruses in the wild, but Avast is darn close... much better than McAf.

The analogy between malware and life expands.

[Ungrounded+Lightning]

It's interesting how the analogy between malware and lifeforms continues to expand.

Viruses are aptly named because they have many similarities to biological viruses. Anti-virus software is a close analogy to an reactive immune system (such as is found in mammals but not, say, sharks).

Now we have an example of a serious auto-immune disease from a self-attacking malfunction of a reactive immune system.

Re:The analogy between malware and life expands.

[ummit]

That's nice, but there's a huge flaw in this analogy as well, which is that Windows doesn't really have an "immune system" at all. Windows is like one of those poor kids with Severe Combined Immunodeficiency Disorder, who has to live in a plastic bubble. Except in this case (a) there is no bubble after all, (b) the kid has a voracious appetite and eats anything in front of him that looks remotely edible, and (c) there are hordes of people parading through the room every day waving enticing pieces of food. His parents have hired a guy named Mac Afee to inspect all the food brought in, and given him a big hammer so he can bonk paraders on the head if they're carrying food that might disagree with the kid. Up until now, Mac has done a pretty good job, but on Friday he want nuts and started bonking the kid on the head...

Most of us can walk around outside without a plastic bubble, and can get by without food testers. A real operating system, with an actual "immune system", wouldn't need to be so severely protected, either.

Re:The analogy between malware and life expands.

[Ungrounded+Lightning]

That's nice, but there's a huge flaw in this analogy as well, which is that Windows doesn't really have an "immune system" at all.

Yes it does. It just isn't born with one. It's transplanted, like bone marrow, from one of several "donors". (Symantec, McAfee, F-secure, Computer Associates, ...)

autoupdates

[LunaticTippy]

I feel the same way about my personal computers.

But at work, I've changed my mind. I got tired of having to repair several/dozens of machines every time somebody across the vpn plugged in an infected laptop.

Now I've got everything updating off WSUS, network usage for updates is 1/100th what it used to be, and after I approve an update (I get emailed when one needs approval) it automatically gets installed on all the machines, whether or not they're on or there.

I highly suggest it for anyone with more than say 3 similar winboxes.

Autoupdate doesn't have to mean "no human interaction."

autoimmunity

[tinkerton]

Is this a bug or an autoimmunity problem?
Since there's some similarity between this event and autoimmunity problems, there's an easy step from here to trying to trigger autoimmune attacks of the antivirus with the appropriate virus tags.

Does an antivirus only use a database of bad things to recognize, or does it also have a database of 'false positives' to ignore?

A conspiracy

[Hoi+Polloi]

It is obviously a clever plot to destroyed pirated software by forcing people to go back to registered original installs.

norton & symantec

huh... funny. i remember using symantec's "pc tools" package before they acquired norton... and while it was totally insecure (running on win3.1) it was a nice little package, with multiple desktops and all sorts of other useful enhancements (like nesting folders on the desktop).

this happened to me!

[technotot]

yes. McAfee anti virus scraped off BF2 like it was Zotob.

Bahahaha

That's what you get for not testing the software. Shame on you McAfee.

Re:Bahahaha

Glad I let VirusScan expire last month!
Goodbye mcAfee, hello CA!

You wouldn't want a bodyguard who's too smart.

[shihonage]

There are two core modules to any antivirus - the standalone scanner, and the realtime protector, which hooks into the OS I/O processes. It is ALL that is needed, 99.99% of the time.
In the past 10 years, most antiviruses, with a few exceptions, have been greatly bloated and overhyped. We've been lead to believe that the new and exciting features they offer are actually an improvement. A lot of the time, they're simply redundant.

For instance, the much-touted Email/IM protection modules are not much more than memory hogs. Their sole existence is for the purpose of identifying the source of infection more accurately - but the infected file would've been stopped before execution either way. Any UU/MIME encoded attachment you receive in your Email has to be written to disk first before being executed. Same goes for receiving files via IM.

The realtime i/o interceptor is the one which is going to catch them anyway !

My philosophy is, antiviruses must be kept as simple as possible. So far I've been using one antivirus for 3 years now which manages to stay tight and focused on what it does (coughfprotcough).

Even though this antivirus actually had an incident similar to McAfee (mistaken identification of .RAR files as viruses), it's minimalistic realtime protector module is incapable of doing anything but its most basic, required function - DENYING ACCESS. That's why, although these false alarms may happen from time to time, the chance of damage being caused is much lower with an antivirus which is not too artsy-fartsy for its own good.

Was affected

[kb6110]

I saw this on a friends computer, many executables for Office, and one for VLC pleyer and other stuff like that.

I only wish Mcaffe's .exe was deleted... hehe.

Re:Well... Monday is here

[winkydink]

Not that I'm defending Trend, but there's a heck of a big difference between chewing up all of your CPU (Trend, last year) and removing executables from your machine (McAfee).

Either way, it's a tough problem to solve. As Zero-Day vulnerabilities become more common, the AV publishers are under more pressure to get a new defintion file out the door. About the only timeline you can squeeze there is pattern testing. The FOSS AVs suffer the same fate, it just hasn't bit them on the ass (yet).

Taking a cue from Sophos

[the+JoshMeister]

Interestingly, Sophos recently had a similar issue. An update to its antivirus software caused Mac OS X computers to delete system files or move them to a quarantine folder. And the best part? The "infection" that this update was supposed to prevent was a proof-of-concept that is not even in the wild.

http://www.sophos.com/pressoffice/news/articles/20 06/02/inqtanafix.html

One would think that all vendors would take note of competitors' mistakes and carefully test updates before publicly deploying them, if for no other reason than to maintain their reputation. What good is anti-virus software that does more damage than it prevents?

Re:Not execuable != not harmful

[kurtdg]

Well, apparently the fact that they are not executable has not prevented that damage was incurred by releasing them without sufficient QA.

Repeat after me: I will not release untested software, be it an executable, data, a bit string, or any string of symbols whatsoever.

Mcafee is evil

[Mouse_103]

I had awful bad experince with Mcafee years ago and they are SO EVIL!!! NEVER touch Mcafee... I would never use or test Macfee ever again. They will be sued by many people and will pay!!! this is proof that Mcafee is still evil anyway.

Sony wasn't alone!

[HiThere]

Looks like McAfee listened to complaints, and decided to get rid of rootkits even if they were issued by major corporations.

Either that, or they made one dilly of a mistake.

McAfee Is History

[Master+of+Transhuman]

Can you imagine the lawsuits?

They're gone.

This may be a wakeup call for software quality assurance.

I mean, this indicates that McAfee simply IS NOT testing its updates on real live machines with a variety of software. I mean, delete MICROSOFT OFFICE FILES? C'mon, that PROVES these idiots aren't testing anything.

Analogies

"Do you see any tigers?"
"No..."
"See, it works!"

I'm not slamming seat belts here - I buckle up before any time I put my car in gear - I'm slamming your strangely peculiar analogy. It seems it's a comparison between a) A simple item one can touch, see and understand how works at first sight, and B) Something you can't see (except for pretty pictures in your tray and annoying-as-hell things popping up on your screen), of which you have no conception of the internals, and made by some people you've never at all met.

Which analogy is better? The Simpsons one, or the parent's?

Solution:PXE boot Linux Thin/Thick Client Desktop.

[NZheretic]

Linux on the Desktop at work and worth it:

Although they have chosen to deploy Linux using the traditional thick desktop/workstation model, they use a spare server that operates as an X11 application server. This is used on a regular basis by the helpdesk, IT support and a few Windows users that access both windows and remote X Linux. The rescue partition, that can be also network booted via PXE, is based on the Linux Terminal Server Project ( http://www.ltsp.org/ ). During an install or if a security violation is detected, the user of the desktop is booted into Linux thin client, and can access all their files though the Application server. Forensic examination, repairs and installs can take place in the background while the person uses the thin client.

The open eleven steps to telecommuting

4) Install a DHCP demon on the local server to allocate local IP addresses, DNS and gateway settings. If the desktops are network boot capable then install TFTP to remotely boot and use Knoppix via PXE and the network. If the desktop OS is constantly crashing, or is infected by malware, the user can select PXE/network boot via the BIOS, and boot into Knoppix. The user can then be instructed over the phone to enable the ssh server to allow remote scan,repair and reimaging of the desktop partitions. The user can use the Knoppix desktop to continue working with full access to files while the the remote administrator fixes/reimages the drive in the background.( Consider hiring someone who knows how to customise Knoppix or another live Linux system for your setup )

AVG exploit too !

AVG is not safe. Updates reset AVG's file permissions to EVERYONE when they should be set to Administrator. This problem was posted on dslreports.com a few days ago and hasn't been fixed yet. You can use AccessEnum from sysinternals to see for yourself. If you change the permissions to Admin they are reset to everyone on the next update

Only on-demand (manual) scans were hit

[WebbedPete]

A note of interest: lost in the noise by many people in this forum is the report (in the mainstream media) that only manual (on-demand) scans resulted in any problem at all.

The vast majority of users today depend on automated scanning of files as they are used. Automated scans had no trouble.

One of those cases where what would normally be thought of as an extra-cautious approach actually caused extra-trouble.

I've got no inside knowledge, but would guess that the automated scanning path is tested far more carefully (since it has larger implications for potential harm).

Is this an argument for staying close to the mainstream, due to the higher QA bar applied to majority users? Interesting that this brings potential pressure on moving away from a slow-but-careful approach and toward a fast-automated approach. An AntiVirus version of "Real Programmers write in Assembler? Hahahahahaha!!!" ;)

Dump McAfee

[deviator]

This is incredibly irresponsible on McAfee's part and if I were an IT manager I'd look at alternatives immediately. I haven't liked McAfee for years. I'm starting to hate Symantec, as well. eTrust is probably OK, as is Trend Micro. But some of the most innovative stuff I've seen lately comes from products like NOD32, Norman, F-Prot, AntiVir and Grisoft - companies that don't get to rely on the inertia of gigantic corporate service contracts to stay afloat. They actually have to produce a good product that people want to buy!

Re:Dump McAfee

[deviator]

FURTHERMORE, I'd recommend Corporate IT Managers adopt a zero-tolerance policy towards this sort of incompetence. There are too many other good products out there; when a software company you are supposedly entrusting your data to goes off and deletes valid information unexpectedly (whether it was accidental or not) you FIRE them. Very simple.

Software, generally speaking, sucks, and is too expensive. Companies should be made more responsible for their errors.

so who pays

if end user pirates mcafee they get sued so i guess mcafee should be paying up big time, get locked up etc
for deleting vast amount of user data in fact for commiting "cyber terrorism" huh, shock, gasp.
shut em down ! .
who says its a mistake maybe its a trial run :)

McAfee ate your PC ? BUY A MAC.

You can still get Norton AntiVirus (and a dozen other programs) for the Mac, OS X.

Buy a nice little Mac Mini Dual-Core, MS Office, and Norton and don't worry about what people do to FUBAR Windows PCs anymore...just configure your firewall correctly and be careful what you install, download or open.

Macs are not perfect, but they seem to handle errors better, and are little more virus proof...

Mac Mini Dual Core

This isn't the first time.

[Pitr]

Anyone remember when you could submit virus definitions to McAfee and they were immediately added to the next definition file download? Then someone used that to distribute a virus. There's a reason I boycott these guys.

If anyone remembers, or has a link to the incident I'm thinking of, please post it. The details are a bit fuzzy in my mind, so corrections are welcome too.

And, I'm not usually one to be this petty, but I'll make an exception in this case, to everyone who said McAfee was a good idea, in spite of my recommendations:

I TOLD YOU SO!!!

Ok, I feel better now.

My wife's reaction to this McAfee mess:

[KWTm]

My wife's company uses McAfee products. I told her about McAfee's blunder, causing computers to crash.

She didn't She said, "But my computer crashes every day, anyway."

I don't.

[VON-MAN]

I have never used an anti-virus product on my Windows 2000 Pro or any other earlier Microsoft OS incarnation at home. But I,

(1) do keep it updated
(2) use a firewall for my ADSL
(3) don't use Explorer or any email program, in fact I try to disable as much of these as sensible
(4) don't download and try cuwl new apps
(5) use Windows only for games (and don't do online gaming)
(6) do _all_ my other and online stuff on Linux

In all, I feel that the number of attack vectors is minimized, here. And so I feel reasonable safe when being on the Windows desktop. And I have never seen a MS computer of mine infected since I started using MS-DOS 6.0 in 1992.

But obviously, such a setup is useless when you want to use Windows for anything else then gaming, but why would you want to do that?

I do see an enormous amount of malware coming in on email under Linux, however. And I would install an anti-virus app whenever I would be forced to use email under Windows. *shudder*

Ok, "I know you don't anti-virus because..." jokes, cue... now.

That's easy...

[VON-MAN]

Yes, i recognize this. If you are running 2000 or XP you may have your PC set to randomly reboot (which is the default). In XP right-click on "My Computer" and select "Properties". Click on "Advanced" tab. Under Startup and Recovery click on "Settings". Under System Failure clear the checkbox next to "Randomly Restart". If you are running 2000 you'll have to find it yourself. It is somewhere under Properties for My Computer.

Sorry...

Re: McAfee ate your PC ? BUY A MAC.

[JavaLord]

Macs are not perfect, but they seem to handle errors better,

Getting something like "Errror -32" instead of "Invalid page fault" is better?

and are little more virus proof...

Until they gain a respectable market share.