Slashdot Mirror


McAfee Anti-Virus Causes Widespread File Damage

AJ Mexico writes, "[Friday] McAfee released an anti-virus update that contained an anomaly in the DAT file that caused many important files to be deleted from affected systems. At my company, tens of thousands of files were deleted from dozens of servers and around 2000 user machines. Affected applications included MS Office, and products from IBM (Rational), GreenHills, MS Office, Ansys, Adobe, Autocad, Hyperion, Win MPM, MS Shared, MapInfo, Macromedia, MySQL, CA, Cold Fusion, ATI, FTP Voyager, Visual Studio, PTC, ADS, FEMAP, STAT, Rational. Apparently the DAT file targeted mostly, if not exclusively, DLLs and EXE files." An anonymous reader added, "Already, the SANS Internet Storm Center received a number of notes from distressed sysadmins reporting thousands of deleted or quarantined files. McAfee in response released advice to restore the files. Users who configured McAfee to delete files are left with using backups (we all got good backups... or?) or System Restore."

16 of 353 comments

  1. Good thing... by Anonymous Coward · · Score: 3, Interesting

    Good thing McAfee doesn't have liability, via contract, for this mess....

  2. Nortons AV did this to me once... by craznar · · Score: 2, Interesting

    Scanned my Inbox file, and deleted it because there was a virus in it from before I installed Nortons AV.

    However - like most AV software, you can put it straight back.

    No biggy ..... however I turn off automatic scanning these days... just manually scan every so often.

    --
    EMail: 0110001101100010010000000110001101110010 0110000101111010011011100110000101110010 0010111001100011011011110110

  3. Re:Don't use anti-virus! by PFI_Optix · · Score: 3, Interesting

    I haven't had a virus on my XP system in four years, including during my dial-up days.

    If you keep your system updated, use a firewall, and just generally understand how the typical virus/worm/trojan works, you're 99.9% protected. However, there's always the possibility that someone will get clever enough to get through that, so I use AVG just to be on the safe side.

    --
    120 characters for a sig? That's bloody useless.

  4. Ouch.... by Araxen · · Score: 3, Interesting

    McAfee doesn't have the greatest rep as it is but this might be the last straw for them.

  5. Not surprised by QuantumPion · · Score: 5, Interesting

    This is a major problem with anti-virus software. Because of their blacklist model, they have to release definitions and updates very frequently. They have to release these updates as quickly as possible as well, or else their subscribers will be infected with these viruses before they get the updates. In addition, their software is very bloated and complicated, needing to be able to defend against a huge variety of attacks, both immediate and obsolete. This results in a very error-likely situation. What the network security companies need to work on is an innovative way to effectively protect corporate and home networks without having to use dangerous bloatware.

    1. Re:Not surprised by MartijnL · · Score: 4, Interesting

      Well, Cisco's CSA (http://www.cisco.com/en/US/products/sw/secursw/ps5057/index.html) does the exact opposite: you tell it what is allowed to run and it blocks everything else. It also runs a signature analysis so when something that you hadn't configured yet tries to perform an attack it alerts the user. It can become quite a task however to properly configure and you still need user awareness to keep them from clicking "YES" every time like they do with every other popup they face (the other option is that you manage everything but then you will get flooded with support calls).

  6. For what it's worth by shoptroll · · Score: 3, Interesting

    My computer started rebooting randomly a week or so ago, and it is something I've been trying to combat for a while. It would do it when idling or when I was in the middle of websurfing.

    I find it interesting that once I disabled McAfee's on-access scanner the system stabilized itself and has been running without a problem for about a week now (I had seen it reboot about 3 times in one day).

    Seeing this article makes me more suspicious of the scanner now.

    --
    Insert Sig Here

  7. Saw it coming (sort of) by martyb · · Score: 5, Interesting

    Just last week, in response to: The Trouble With Software Upgrades I posted a question asking what do you do to protect yourself from automatic updates that go bad... but I got no responses. In light of the current situation, I'd really appreciate hearing some responses, here.

  8. Good catch by blueZ3 · · Score: 4, Interesting

    I dunno about the rest of that stuff, but the Adobe update manager is a virus in my opinion.

    It seems to have "infected" all of Adobe's recent product install CDs. Once it "infects" your computer it displays a popup whenever you open an Adobe app. As far as I can tell, there's no way to shut this off in the latest versions. So I've paid $x00 dollars for Acrobat, and it comes with a virus.

    --
    Interested in a Flash-based MAME front end? Visit mame.danzbb.com

  9. We lucked out by PinternetGroper · · Score: 3, Interesting

    Our main system here downloads the DAT updates at 2 AM every day. As of Friday morning, it had downloaded the 4714 files, then downloaded the 4716's on Saturday morning, completely missing the 4715's. It appears we missed a bullet. Good luck to all the sysadmins out there working on cleaning this up!

  10. GoBack and Ghost by samalone · · Score: 2, Interesting

    Well, recently I installed two Symantec products that _claim_ to be able to restore the system to a previous state. I haven't had the opportunity to really test either one of them yet, but I do feel a bit safer.

    The first product is Norton GoBack, which reserves a certain percentage of hard disk space to maintain an undo history for your hard drive. Theoretically, if you have a bad software install or update, you can simply revert your hard disk to its state before the update. There might be issues with user documents created in that time getting reverted as well, but as long as you were careful you should be able to copy those files to another disk, revert the disk with the problem, and copy the files back. (There may also be built-in support for excluding certain files from being reverted -- I haven't checked.) You'd also need to notice the problem before GoBack's undo buffer got full and started forgetting things.

    The second product is Symantec Ghost, which is a backup and disk cloning utility. You can set up Ghost to perform an incremental backup before any software installation. I have mine set up to backup the system disk to another drive before each install. At my company we use EMC Retrospect for network backups, but Retrospect is not really good for restoring a system disk to a bootable state. From what I've heard, Ghost should be able to do this smoothly.

  11. A tool for media giants by JasonEngel · · Score: 5, Interesting

    Comcast gives away McAfee AV for free to customers, so I tried it out. The only time it ever caught anything at all was a false-positive. Complete file system scans never ever turned up anything. However, if I opened a folder with a file in it called SetupDVDDecrypter_3.5.4.0.exe in it, McAfee would call it a virus and delete it. Didn't matter which version of the installer actually, it would delete it. Didn't matter if the AV program was configured to only quarantine suspect files, it would delete it. Didn't matter if I made an empty text file then renamed it to SetupDVDDecrypter_3.5.4.0.exe, McAfee AV would delete it. If I renamed the installer to something else, McAfee AV did nothing.

    Pretty obvious to me that it was just waiting to find files that media companies didn't like people to have on their own private property so I'm guessing that they must have gotten McAfee to agree to do their dirty work for them and call stuff they don't like a virus and automatically delete the file regardless of settings.

    But that's just my conspiracy theory.

  12. Anti-virus as virus? Yeah, I knew that already. by Whumpsnatz · · Score: 4, Interesting

    On an old WinME laptop, the only virus I ever had on it was Norton AntiVirus.

    I worked on a consulting job two years ago, and they told me I could use my own PC. No problem - except that, when I got there, they wanted to check it for virii. In an XP world, I was running Windows ME. So they loaded up Norton on my machine, and ran it for about 3 hours.

    Result? Nothing. No junk of any kind. Completely clean.

    Why? It helped that I had the free version of Zone Alarm, and the firewall on my DSL router definitely helped, but I think the biggest reason I had no problems was

    - Mozilla instead of IE
    - Eudora instead of Outlook.

    Completely clean, that is, except for the antivirus. That monster kept interrupting my work. It took a great deal of effort to get the beast out of my system.

  13. Re:The Risk by noone42 · · Score: 2, Interesting

    One of the things that nobody's saying here is that the default behavior for McAfee is to move the files into a quarantine directory, not to delete them. The user would have to change the settings for that to happen. Admittedly, it's still messed up for the program to delete essential files, but I think it's good policy to quarantine first in case something like this happens.

    That being said... On Saturday I went to do some work in Flash MX and got a message that it was missing a DLL file and I had to reinstall. No big deal, I must have botched something, so I reinstalled. While I was doing that, I went to get my bills together in Excel and got the message that Excel was no longer installed. My first reaction was that I had some kind of virus or trojan, so I ran a full system virus scan. It took me three hours of panic to realize that something like 40 .exe files and another 80 .dll files had been quarantined. VirusScan provides no way to restore quarantined files, so you have to pick through the scan log to find out where they originally lived and put them back yourself. I was wondering if this would come out in the news or if I just had a screwed up system. Thank god it's getting some press and McAfee had to fix it, I've been fighting my virus checker all weekend and it was getting pretty tiresome.
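
An added example, not from any poster in this thread: a manifest-based check for the situation martyb (comment 7) asks about and noone42 (comment 13) ran into. It records the EXE/DLL files before a definition update, diffs afterwards to find what the update removed, and restores only those files whose backup copy still hashes to what the pre-update manifest recorded. The directory layout, file contents and the simulated "bad update" in demo() are constructed for this example.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

EXECUTABLE_SUFFIXES = {".exe", ".dll"}  # the file types the bad DAT went after

def build_manifest(root):
    """Map relative POSIX path -> SHA-256 for every EXE/DLL under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES
    }

def diff_manifests(before, after):
    """Return (missing, changed): files the update removed or altered."""
    missing = sorted(p for p in before if p not in after)
    changed = sorted(p for p in before if p in after and after[p] != before[p])
    return missing, changed

def restore_missing(missing, before, backup_root, target_root):
    """Copy missing files back from the backup, but only when the backup copy hashes to the pre-update manifest."""
    restored = []
    for rel in missing:
        src = Path(backup_root) / rel
        if not src.is_file() or hashlib.sha256(src.read_bytes()).hexdigest() != before[rel]:
            continue  # no usable backup copy: leave this one for a manual decision
        dst = Path(target_root) / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        restored.append(rel)
    return restored

def demo():
    """Constructed scenario: snapshot, an update deletes a DLL, detect it, restore it."""
    with tempfile.TemporaryDirectory() as tmp:
        app, backup = Path(tmp) / "app", Path(tmp) / "backup"
        (app / "Office").mkdir(parents=True)
        (app / "Office" / "excel.exe").write_bytes(b"MZ constructed excel")
        (app / "Office" / "mso.dll").write_bytes(b"MZ constructed mso")
        shutil.copytree(app, backup)           # backup taken before the update
        before = build_manifest(app)           # manifest taken before the update
        (app / "Office" / "mso.dll").unlink()  # the bad definition update "cleans" a DLL
        missing, changed = diff_manifests(before, build_manifest(app))
        restored = restore_missing(missing, before, backup, app)
        return missing, changed, restored, build_manifest(app) == before
```

Running the manifest build on a schedule just before the DAT download, rather than once, gives a current baseline to diff against on the morning a bad definition set arrives.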

  14. Re:The Risk by digital+photo · · Score: 3, Interesting

    More often than not, the choice to put AV software on systems wasn't a sysadmin choice, but a management/business choice. I.e., cost reasons, CYA reasons, lower priority than say getting that next X million dollar project up and running, or some other reason which pre-empts AV stuff.

    I don't use AV software on my systems at home, but that's a personal choice. Not due to laziness, but because other measures have been taken: strong firewalling, restricted software on desktops, strong desktop settings, regular backups, and sufficiently educating anyone who uses the computer of the dangers they can face, what online actions are risky, and to abide by the basic rules so as to avoid putting your data/computer at risk.

    For half a decade, I've gone without AV software and have had all of my systems virii/adware/malware free. This isn't due to laziness, but diligence and preparation. This isn't due to OS fanaticism, but making a decision about what compromises to make between security and usability. I use WinXPpro, Linux, and MacOSX systems at home.

    When people passively rely on external assistance, like AV software, something like this would eventually happen. People make mistakes. Companies make mistakes. And when you have a large install base, those mistakes can easily become big monstrous mistakes.

    Right now, A LOT of sysadmins are probably sweating bullets getting systems back online. This isn't because they were lazy. This was because someone at another company screwed up and it impacted their infrastructure, which in turn impacts their business.

    Make no mistake, people will get sued and lawyers will get involved. Think it was just the businesses and end users of the AV software that got screwed? What about the customers of the businesses? What about the home users who run their business off of their home computers? Yeah, there'll be some noise about this down the road, make no mistake.

    *listens over the cube walls* I don't hear any cursing or screaming, so it hasn't happened here or the OS admins have done their homework over the weekend. In either case, this will be interesting to follow in the months to come.

  15. Solution: PXE boot Linux Thin/Thick Client Desktop. by NZheretic · · Score: 2, Interesting

    Linux on the Desktop at work and worth it:

    Although they have chosen to deploy Linux using the traditional thick desktop/workstation model, they use a spare server that operates as an X11 application server. This is used on a regular basis by the helpdesk, IT support and a few Windows users that access both Windows and remote X Linux. The rescue partition, which can also be network booted via PXE, is based on the Linux Terminal Server Project ( http://www.ltsp.org/ ). During an install or if a security violation is detected, the user of the desktop is booted into a Linux thin client, and can access all their files through the application server. Forensic examination, repairs and installs can take place in the background while the person uses the thin client.

    The open eleven steps to telecommuting

    4) Install a DHCP daemon on the local server to allocate local IP addresses, DNS and gateway settings. If the desktops are network boot capable then install TFTP to remotely boot and use Knoppix via PXE and the network. If the desktop OS is constantly crashing, or is infected by malware, the user can select PXE/network boot via the BIOS, and boot into Knoppix. The user can then be instructed over the phone to enable the ssh server to allow remote scan, repair and reimaging of the desktop partitions. The user can use the Knoppix desktop to continue working with full access to files while the remote administrator fixes/reimages the drive in the background. (Consider hiring someone who knows how to customise Knoppix or another live Linux system for your setup.)