McAfee Anti-Virus Causes Widespread File Damage
AJ Mexico writes, "[Friday] McAfee released an anti-virus update that contained an anomaly in the DAT file that caused many important files to be deleted from affected systems.
At my company, tens of thousands of files were deleted from dozens of servers and around 2000 user machines. Affected applications included MS Office, and products from IBM (Rational), GreenHills, MS Office, Ansys, Adobe, Autocad, Hyperion, Win MPM, MS Shared, MapInfo, Macromedia, MySQL, CA, Cold Fusion, ATI, FTP Voyager, Visual Studio, PTC, ADS, FEMAP, STAT, Rational. Apparently the DAT file targeted mostly, if not exclusively, DLLs and EXE files." An anonymous reader added, "Already, the SANS Internet Storm Center received a number of notes from distressed sysadmins reporting thousands of deleted or quarantined files. McAfee in response released advice to restore the files. Users who configured McAfee to delete files are left with using backups (we all got good backups... or?) or System restore."
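The summary draws the line between users who configured the scanner to quarantine (who got restore advice) and users who configured it to delete (who are left with backups). The following is an added example, not McAfee's code and not something posted in the thread, showing in miniature why that configuration choice matters: a quarantine that records each file's original path and SHA-256 in a manifest can be undone file by file once a bad signature is withdrawn, while a delete leaves nothing to undo. The scanner "detections", the two sample DLLs, the manifest layout and the function names (`quarantine`, `restore`, `delete_detections`, `demo`) are all constructed for this illustration.

```python
"""Quarantine-with-manifest versus delete: an added illustration, not vendor code.

Constructed scenario: a bad signature update flags two legitimate DLLs that
happen to share a basename in different directories. The quarantine policy
records where each file came from (and its hash) before moving it aside,
so a false positive can be reversed; the delete policy cannot be reversed.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def delete_detections(detections) -> int:
    """'Delete' policy: the detection is gone, and so is any chance of undoing it."""
    count = 0
    for src in map(Path, detections):
        src.unlink()
        count += 1
    return count


def quarantine(detections, quarantine_dir: Path) -> Path:
    """'Quarantine' policy: move each detected file aside and record where it came from.

    Stored names carry a sequence number so two files with the same basename
    (e.g. shared.dll in two product directories) cannot collide. Returns the
    manifest path.
    """
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    manifest_path = quarantine_dir / MANIFEST_NAME
    entries = json.loads(manifest_path.read_text()) if manifest_path.exists() else []
    for src in map(Path, detections):
        digest = sha256_of(src)
        stored = quarantine_dir / f"{len(entries):06d}_{src.name}"
        shutil.move(str(src), str(stored))
        entries.append({"original": str(src), "stored": str(stored), "sha256": digest})
    manifest_path.write_text(json.dumps(entries, indent=2))
    return manifest_path


def restore(manifest_path: Path, predicate=lambda entry: True) -> list:
    """Put quarantined files back where they were, verifying their hash first.

    `predicate` selects which entries to restore (for example only the files a
    withdrawn signature hit). Returns the original paths that were restored.
    """
    entries = json.loads(manifest_path.read_text())
    restored, remaining = [], []
    for entry in entries:
        if not predicate(entry):
            remaining.append(entry)
            continue
        stored = Path(entry["stored"])
        # Refuse to put back a file that was altered while sitting in quarantine.
        if sha256_of(stored) != entry["sha256"]:
            raise RuntimeError(f"quarantined copy of {entry['original']} was altered")
        dest = Path(entry["original"])
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(stored), str(dest))
        restored.append(entry["original"])
    manifest_path.write_text(json.dumps(remaining, indent=2))
    return restored


def demo() -> dict:
    """Run the constructed scenario in a temp dir and report what each policy leaves behind."""
    root = Path(tempfile.mkdtemp(prefix="dat-falsepos-"))
    flagged = []
    for sub in ("SomeApp", "OtherApp"):
        d = root / "Program Files" / sub
        d.mkdir(parents=True)
        p = d / "shared.dll"  # same basename in both directories (constructed sample)
        p.write_bytes(b"MZ" + b"\x00" * 62 + b"legitimate code for " + sub.encode())
        flagged.append(p)
    originals = {str(p): sha256_of(p) for p in flagged}

    # Quarantine policy: files leave their directories but come back intact.
    manifest = quarantine(flagged, root / "quarantine")
    gone = all(not p.exists() for p in flagged)
    restored = restore(manifest)
    intact = all(sha256_of(Path(o)) == h for o, h in originals.items())

    # Delete policy on the same files: nothing is left to restore from.
    deleted = delete_detections(flagged)
    shutil.rmtree(root)
    return {
        "quarantined": len(flagged) if gone else 0,
        "restored": len(restored),
        "intact_after_restore": intact,
        "deleted": deleted,
        "recoverable_after_delete": False,
    }


if __name__ == "__main__":
    print(demo())
```

The hash check in `restore` is the part worth keeping in a real tool: a quarantine directory is writable by the scanner, so before a file goes back into a product directory it should be verified against what was recorded when it was taken.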
Did they forget to include that the risk of installing McAfee Anti-Virus for any user: High?
Wait a minute, it is identifying some system files that Windows put on my machine! I guess the Mac & 'nix freaks are right, Windows really is a virus. I hope it's only a matter of time before my next virus definition assesses Internet Explorer & Windows Media Player as full blown Trojan viruses distributed as malware with my OS.
My work here is dung.
This is one of the major reasons I use open source software. It's hard to trust corporations who only tell you lies to preserve their public image.
Do you really think Open Source AV can't fsck up your PC if there are bugs in it? And let's be honest, how many people actually look at the source of programs (updates) they install? I am a programmer, and I never looked at the code of an Open Source program I installed for the sake of "Let's make sure this update won't fsck up my PC". I look at the code because I am curious to see how they do certain things, or I want to change some annoying aspect of it.
Every once in a blue moon, some poor person dies because he or she didn't get out of the burning car because of the belt. Then someone will stand up and say "See? I don't use them and if they didn't, they'd live as well. I drive carefully, I don't get into accidents, so I don't need them!"
The problem is, you never know. It's not only foolishness that gets a trojan onto your system. They come with presumably legit software, even from reputable companies. An infected driver CD is all it takes. Shareware CDs or other CDs slapped on magazines, do you think they have a lot of time to make just perfectly sure the programs are clean? A lot of shareware comes bundled with adware, do you read all those EULAs? And do you think they tell the full truth? Can you read through the legalese?
I won't get into system bugs and other exploits.
So yes, you don't really need safety belts. But it sure feels a bit more secure with them.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
When the virus scanners act like viruses, what should users do? This isn't the first time a virus scanner has screwed up, and it probably won't be the last time, either.
Furthermore, a lot of virus scanners have an option to "auto-update". Imagine if an entire company had this option turned on.
Virus scanners have always been a bad solution to the problem of viruses. They don't fix the problem at its root. Instead of ensuring their operating system has no known security holes, users now rely on virus scanners to just catch everything that comes through. Any determined attacker could still just craft a custom virus to attack any host they desire. Since the virus scanner companies wouldn't have come across that particular virus, it wouldn't get picked up.
Would you fix the holes in a boat with sticky tape instead of checking that the boat doesn't have holes before you put it in the water?
That's wonderful news sir. You've just won yourself an invitation to come to my place of work and train 200 40+ year olds to do the same.
Wow, that'll save us tons of cash!
If you don't know what AltaVista is (was), get off my lawn.
People perceive paid software to be superior to free alternatives because A: nothing could go wrong with paid software and B: if something did go wrong, obviously the company would indemnify / rectify / fix the problem.
Likewise, the perception is that the more expensive the software (and the bigger the box it comes in) the more protection you are afforded. And that the company won't suddenly decide to change direction / stop supporting the software / etc.
Yet time and time again this is shown not to be true. McAfee uninstalls arbitrary files on your computer (how'd that get through testing?) and just tells users to re-install from backup... exactly the kind of calamity the software is supposed to prevent. Part of WinNT5 was found to violate someone's patent, and anyone using that particular (admittedly rare) function had to pony up to the original patent holder or write a workaround.
As far as I can tell, the "little guys" software tends to be better in general than the big boys. Why? Because they're still trying. Before Norton was Symantec, they struggled to create an amazing toolkit of software tweaks that really did some great things. Now that their position is secure, they've hardly updated the suite to even work with XP, let alone taken advantage of the fixes and hacks that smaller houses have found. McAfee, once a nimble little company making a great little product, has been bloating for years. The more developers you add to a project, the less anyone knows about what the system is doing.
A free alternative that has been around for a long time:
AVG Antivirus
There are others. Please post 'em below.
The ______ Agenda
The real irony is that all the people who are too lazy/stupid/uneducated to update their anti-virus subscription were protected against this.....
"City hall" in German is "Rathaus". Kinda explains a few things......
I don't think there really is a way apart from having verifiable restorable backups of every system prior to patching. I was having a conversation along these lines this morning and the agreed solution was to have an identical test platform and install on that first, allow it to run long enough for any problems to arise and only then implement on a production system. That's the ultra-conservative approach but many years in financial services have shown that that's the only way of being certain.
Not to mention that you won't know whether or not your computer has a virus if you don't scan it with some sort of antivirus software.
This honestly sounds like a corrupt memory problem.
Other possibility is that you've hard-set the windows swapfile limit...
Just noticed the screenshot on the McAfee page for W95/CTX. It shows some dlls from the Ethereal program as being infected. Of course those files are in their complete list of affected files, which comes in a convenient easily accessible PDF file as all the most important documents on the web should. It's 7 pages long, but an amusing list to skim through.
Who uses Ethereal and McAfee? Just found that funny/ironic on some levels.
"Too lazy to fail." - Heinlein
Apparently, it is.
I've used it at home for a little over four years and worked with it for three years as an administrator. I have NEVER had a virus on any XP system I was responsible for.
In fact, the only virus I've ever had a problem with was an infected Windows 2000 domain controller that was SUPPOSED to be managed by corporate IT. They hadn't updated it in well over a year and wouldn't let me touch it until it started crashing (and those geniuses had it as the exchange server as well...again, I couldn't change that).
In both cases, I didn't go to extreme measures to secure the systems. I used automatic updates, both a standalone firewall and Windows Firewall, and antivirus (AVG Free at home, Symantec Corporate at work). That, and I educated my users on what NOT to open from their e-mail.
A good way to teach your users not to open strange attachments is to give them a dummy one that will just let you know who opened the file. I arranged with management to do this one day...send out a trojan-like e-mail with a script that would write a file with the username in it to one of the network shares and see who opened it.
The next day I unplugged one of the network switches for fifteen minutes at the beginning of the day, told them it was because some people had opened "virus e-mails" (management knew the truth) and then plugged it back in. I talked to the people who had opened the "virus" e-mails and gave them an in-depth training session on why it's a bad thing to open every attachment you get on e-mail. From then on, they wouldn't touch anything that was even remotely suspicious.
Three years, nearly 100 users, and ZERO penetration on my systems. It's not rocket science.
120 characters for a sig? That's bloody useless.
That's great, but what if someone introduces a virus through other means, i.e. USB key, infected laptop, etc.? Firewall won't help much internally.
Always beware of any software updates released on a Friday. If there's a problem, much of the damage will be done before anyone returns on Monday.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
If they designed a product that actually worked they wouldn't be able to hammer their customers for a yearly subscription to update it.
Along with that, I always wait three to four days before pushing the updates out.
Doesn't it cost a lot to educate your users to not download viruses that are less than four days old?
Why don't you just educate them to not download viruses at all? Then you could do without the Anti-virus. You pretty much are anyway.
Do you really think Open Source AV can't fsck up your PC if there are bugs in it?
Do you really think it's better to have your system trashed and pay for the privilege?
1) You can educate users as much as you want about how to avoid viruses, they'll still get them if they really try. They're users after all.
2) The number of viruses that actually are that serious a threat are next to zero. Have you ever bothered to look at the release files to see what the daily updates actually cover? If you did, did you bother checking what they were and the criticality of the viruses listed? Do you know how many viruses are listed in the readme for the latest McAfee DAT?
3) Anyone that relies solely on a single AV solution is a fool anyway. Virus protection should be layered on any network and is on mine. AV software on the desktop should be the last stop. We use postfix+spamassassin+amavisd to scan mail before it hits our mail server. Our firewall scans anything incoming before it gets to the desktop. Our desktop software is only there as a last bastion and does its job well, because there's not much that gets there. None of the systems are perfect on their own; as a team, they work very well.
So do I feel safe? Yes, I haven't had a virus issue inside my network for years. I see shitloads of them getting cleaned when I look at my logfiles though. Does it bother me that I wait three or four days to deploy DAT files? Not at all, because it's not the only way I protect my users.
Who in their right mind is going to download and run a script off of an unknown website? I'm sure you're trying to help, but no one should do this. Otherwise they'll need more than just McAfee to fix their computer.