Slashdot Mirror
McAfee Anti-Virus Causes Widespread File Damage
AJ Mexico writes, "[Friday] McAfee released an anti-virus update that contained an anomaly in the DAT file that caused many important files to be deleted from affected systems.
At my company, tens of thousands of files were deleted from dozens of servers and around 2000 user machines. Affected applications included MS Office, and products from IBM (Rational), GreenHills, MS Office, Ansys, Adobe, Autocad, Hyperion, Win MPM, MS Shared, MapInfo, Macromedia, MySQL, CA, Cold Fusion, ATI, FTP Voyager, Visual Studio, PTC, ADS, FEMAP, STAT, Rational.Apparently the DAT file targeted mostly, if not exclusively, DLLs and EXE files." An anonymous reader added, "Already, the SANS Internet Storm Center received a number of notes from distressed sysadmins reporting thousands of deleted or quarantined files. McAfee in response released advice to restore the files. Users who configured McAfee to delete files are left with using backups (we all got good backups... or?) or System restore."
I need virus protection from my virus protection!
Vincent J. Murphy
Spandex Justice
Did they forget to include that the risk of installing McAfee Anti-Virus for any user : High?
Wait a minute, it is identifying some system files that Windows put on my machine! I guess the Mac & 'nix freaks are right, Windows really is a virus. I hope it's only a matter of time before my next virus definition assesses Internet Explorer & Windows Media Player as full blown Trojan viruses distributed as malware with my OS.
My work here is dung.
Good thing Mcafee doesn't have liability, via contract, for this mess....
That Microsoft Anti-Virus will be deleting McAfee from the system? And, to be on the safe side, also Norton?
If only McAfee had quarantined itself before this disaster, it would have worked perfectly!
He who knows best knows how little he knows. - Thomas Jefferson
Scanned my Inbox file, and deleted it because there was a virus in it from before I installed Nortons AV.
..... however I turn off automatic scanning these days... just manually scan every so often.
However - like most AV software, you can put it straight back.
No biggy
EMail: 0110001101100010010000000110001101110010 0110000101111010011011100110000101110010 0010111001100011011011110110
This is one of the major reasons I use open source software. Its hard to trust corporations who only tell you lies to preserve their public image.
Do you really think Open Source AV can't fsck up your PC if there are bugs in it? And let's be honest, how many people actually look at the source of programs (updates) they install? I am a programmer, and I never looked the code of an Open Source program I installed for the sake of "Let's make sure this update won't fsck up my PC". I look at the code because I am curious to see how they do certain things, or I want to change some annoying aspect of it.
What on earth did they lie about? They screwed up and they're trying to tell you how to fix it. This is not a commercial vs. oss debate - sheesh!
-dave
http://millionnumbers.com/ - own the number of your dreams
There's gotta be a way to blame this on Bush. Somehow he was responsible.
Quiet you, we'll have no reasonable thoughts in THIS house!
Closed source is teh $at4n... go linux, w00t!
I haven't had a virus on my XP system in four years, including during my dial-up days.
If you keep your system updated, use a firewall, and just generally understand how the typical virus/worm/trojan works, you're 99.9% protected. However, there's always the possibility that someone will get clever enough to get through that, so I use AVG just to be on the safe side.
120 characters for a sig? That's bloody useless.
McAfee doesn't have the greatest rep as it is but this might be the last straw for them.
This is a major problem with anti-virus software. Because of their blacklist model, they have to release definitions and updates very frequently. They have to release these updates as quickly as possible as well, or else their subscribers will be infected with these viruses before they get the updates. In addition, their software is very bloated and complicated, needing to be able to defend against a huge variety of attacks, both immidiate and obsolete. This results in a very error-likely situation. What the network security companies need to work on is an innovative way to effectively protect corporate and home networks without having to use dangerous bloatware.
Actually... they do "magically propagate" when flaws are found in things like Windows SAMBA sharing or Apache's web server (or any server program that you run for that matter.)
-dave
http://millionnumbers.com/ - own the number of your dreams
My computer started rebooting randomly a week or so ago, and is something I've been trying to combat for a while. It would do it when idling or when I was in the middle of websurfing.
I find it interesting that once I disable Mcafee's on-access scanner the system stabilized itself and has been running without a problem for about a week now (I had seen it reboot about 3 times in one day).
Seeing this article makes me more suspicious of the scanner now.
Insert Sig Here
At last a good AV software removing those virii-ridden bloatware from your computer :)
Why are people complaining ?
I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
... by Anonymous Coward on Monday March 13, @09:07AM (#14906906)
All I can say is 'wait 'til monday.'
Heh, now that's funny.
I had a TEXT file deleted by McAfee just a few days ago. The "virus" that it identified was a different one from the one in this article too. Unfortunately, in the version of VirusScan I have (came with Dell computer) there's practically no configurable options, so I have no way to set it to quarantine instead of delete.
Just last week, in response to: The Trouble With Software Upgrades I posted a question asking what do you do to protect yourself from automatic updates that go bad... but I got no responses. In light of the current situation, I'd really appreciate hearing some responses, here.
Ummm...Whoops?
This guy's the limit!
I dunno about the rest of that stuff, but the Adobe update manager is a virus in my opinion.
It seems to have "infected" all of Adobe's recent product install CDs. Once it "infects" your computer it displays a popup whenever you open an Adobe app. As far as I can tell, there's no way to shut this off in the latest versions. So I've paid $x00 dollars for Acrobat, and it comes with a virus.
Interested in a Flash-based MAME front end? Visit mame.danzbb.com
Our main system here downloads the DAT updates at 2 AM every day. As of Friday morning, it had downloaded the 4714 files, then downloaded the 4716's on Saturday morning, completely missing the 4715's. It appears we missed a bullet. Good luck to all the sysadmin's out there working on cleaning this up!
Every once in a blue moon, some poor person dies because he or she didn't get out of the burning car because of the belt. Then someone will stand up and say "See? I don't use them and if they didn't, they'd live as well. I drive carefully, I don't get into accidents, so I don't need them!"
The problem is, you never know. It's not only foolishness that gets a trojan onto your system. They come with presumably legit software, even from reputable companies. An infected driver CD is all it takes. Shareware CDs or other CDs slapped on magazines, do you think they have a lot of time to make just perfectly sure the programs are clean? A lot of shareware comes bundled with adware, do you read all those EULAs? And do you think they tell the full truth? Can you read through the legalese?
I won't get into system bugs and other exploits.
So yes, you don't really need safety belts. But it sure feels a bit more secure with them.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
When the virus scanners act like viruses, what should users do? This isn't the first time a virus scanner has screwed up, and it probably won't be the last time, either.
Furthermore, a lot of virus scanners have an option to "auto-update". Imagine if an entire company had this option turned on.
Virus scanners have always been a bad solution to the problem of viruses. They don't fix the problem at its root. Instead of ensuring their operating system has no known security holes, users now rely on virus scanners to just catch everything that comes through. Any determined attacker could still just craft a custom virus to attack any host they desire. Since the virus scanner companies wouldn't have come across that particular virus, it wouldn't get picked up.
Would you fix the holes in a boat with sticky tape instead of checking that the boat doesn't have holes before you put it in the water?
I use McAfee and My system is working fi
No matter where you go, there you are.
That's wonderful news sir. You've just won yourself an invitation to come to my place of work and train 200 40+ year olds to do the same.
Wow, that'll save us tons of cash!
If you don't know what AltaVista is (was), get off my lawn.
People percieve paid software to be superior to free alternatives because A: nothing could go wrong with paid software and B: if something did go wrong, obviously the company would indemnify / rectify / fix the problem.
Likewise, the perception is that the more expensive the software (and the bigger the box it comes in) the more protection you are afforded. And that the company won't suddenly decide to change direction / stop supporting the software / etc.
Yet time and time again this is shown not to be true. McAfee uninstalls arbitrary files on your computer (how'd that get through testing?) and just tells users to re-install from backup... exactly the kind of calamity the software is supposed to prevent. Part of WinNT5 was found to violate someone's patent, and anyone using that particular (admittedly rare) function had to pony up to the original patent holder or write a workaround.
As far as I can tell, the "little guys" software tends to be better in general than the big boys. Why? Because they're still trying. Before Norton was Symantec, they struggled to create an amazing toolkit of software tweaks that really did some great things. Now that their position is secure, they've hardly updated the suite to even work with XP, let alone taken advantage of the fixes and hacks that smaller houses have found. McAfee, once a nimble little company making a great little product, has been bloating for years. The more developers you add to a project, the less anyone knows about what the system is doing.
A free alternative that has been around for a long time:
AVG Antivirus
There are others. Please post 'em below.
The ______ Agenda
The real irony is that all the people who are too lazy/stupid/uneducated to update their anti-virus subscription were protected against this.....
"City hall" in German is "Rathaus" Kinda explains a few things......
The files they are gone. It seems McAfee ate them. The backup saved us. or The files they are gone. It seems McAfee ate them. Go home from work now.
A Passionate Independent Musician
Not to mention that you won't know whether or not your computer has a virus if you don't scan it with some sort of antivirus software.
Just noticed the screenshot on the McAfee page for W95/CTX. It shows some dlls from the Ethereal program as being infected. Of course those files are in their complete list of affected files, which comes in a convenient easily accesible PDF file as all the most important documents on the web should. It's 7 pages long, but an amusing list to skim through.
Who uses Ethereal and McAfee? Just found that funny/ironic on some levels.
"Too lazy to fail." - Heinlein
[deep bass voice]It's a world where companies wage a security suite war on other companies. The battlefield is your own desktop. Imagine Mysantec's antivirus attempting to delete Facamee's antivirus, before being both obliterated by Sicromoft's security solution still in beta. Wouldn't it be fun to watch as your CPU cycles get all pulled into the fight, with rampant defense software running around your RAM and filesystem, killing each other out, filling your desktop space, and celebrating victory with funny alerts, baloons, dialogs, pop-ups, windows, and what not, all reaching for you attention? Ah, talk about an exciting desktop! (And really, what could be more boring that a computer that just works and leaves you with nothing to do except to work with it?)
[special effects]
In the ensuing destruction and chaos, nothing remains alive but two things: the memory of your once existing data, and an unidentified hideous sneaky polar bird determined to show you of an alternate dimension of reliability and freedom...
[epic music]
Coming soon, on your desktop: RealityArts presents: THE SOFTWARE WARS, EPISODE 442.75
[/deep bass voice]
I just got off McAfee tech support line. They have an undo script to unquarantine incorrectly identified files. Since the file is not publically available from their site, I have uploaded it here: ctxundo.zip
This incident only goes to show that any file manipulation program (even the essentials like anti-virus and spy-ware/ad-ware removers) can have a profound effect on one's personal files. ALWAYS BACKUP. Even if you trust your media, you'll probably get attacked from within (hackers and now your own software).
Anyone remember Microsoft Anti-Spyware removing Norton? Anyone remember IRC commands such as "startkeylogger" booting systems from the internet running Symantec?
No one's perfect, even the software programmers. And as he laid down in a vicous wrath... the software they trusted most deleted their most precious files. Welcome to Monday everyone.
Give me a productive error over a boring, mundane and unproductive fact any day. ~Anon
This is exactly why I force all my clients to update their DAT's from MY server, not McAfee's, and I push the updates out, the clients never pull them. Along with that, I always wait three to four days before pushing the updates out. Even if you don't use the full McAfee Epolicy Orchestrator, you can still configure the clients to point to an ftp server on your network for updates. Just like with MS patches, it's simply prudent to wait a few days just in case there's any issues like this that may arise.
I'm not excusing McAfee here, but there are ways that we, as admins can minimize the risk to our users and our network.
Well, recently I installed two Symantec products that _claim_ to be able to restore the system to a previous state. I haven't had the opportunity to really test either one of them yet, but I do feel a bit safer.
The first product is Norton GoBack, which reserves a certain percentage of hard disk space to maintain an undo history for your hard drive. Theoretically, if you have a bad software install or update, you can simply revert your hard disk to its state before the update. There might be issues with user documents created in that time getting reverted as well, but as long as you were careful you should be able to copy those files to another disk, revert the disk with the problem, and copy the files back. (There may also be built-in support for excluding certain files from being reverted -- I haven't checked.) You'd also need to notice the problem before GoBack's undo buffer got full and started forgetting things.
The second product is Symantec Ghost, which is a backup and disk cloning utility. You can set up Ghost to perform an incremental backup before any software installation. I have mine set up to backup the system disk to another drive before each install. At my company we use EMC Retrospect for network backups, but Retrospect is not really good for restoring a system disk to a bootable state. From what I've heard, Ghost should be able to do this smoothly.
Actually it sounds like they are doing a great job. They finally targetted the biggest virus of them all, Windows. Maybe this is the start of something really good. Finally the Windows virus is being actively targetted.
Just update your virusses and you will be safe. Errr...
Apparently, it is.
I've used it at home for a little over four years and worked with it for three years as an administrator. I have NEVER had a virus on any XP system I was responsible for.
In fact, the only virus I've ever had a problem with was an infected Windows 2000 domain controller that was SUPPOSED to be managed by corporate IT. They hadn't updated it in well over a year and wouldn't let me touch it until it started crashing (and those geniuses had it as the exchange server as well...again, I couldn't change that).
In both cases, I didn't go to extreme measures to secure the systems. I used automatic updates, both a standalone firewall and Windows Firewall, and antivirus (AVG Free at home, Symantec Corporate at work). That, and I educated my users on what NOT to open from their e-mail.
A good way to teach your users not to open strange attachments is to give them a dummy one that will just let you know who opened the file. I arranged with management to do this one day...send out a trojan-like e-mail with a script that would write a file with the username in it to one of the network shares and see who opened it.
The next day I unplugged one of the network switches for fifteen minutes at the beginning of the day, told them it was because some people had opened "virus e-mails" (management knew the truth) and then plugged it back in. I talked to the people who had opened the "virus" e-mails and gave them an in-depth training session on why it's a bad thing to open every attachment you get on e-mail. From then on, they wouldn't touch anything that was even remotely suspicious.
Three years, nearly 100 users, and ZERO penetration on my systems. It's not rocket science.
120 characters for a sig? That's bloody useless.
Comcast gives away McAfee AV for free to customers, so I tried it out. The only time it ever caught anything at all was a false-positive. Complete file system scans never ever turned up anything. However, if I opened a folder with a file in it called SetupDVDDecrypter_3.5.4.0.exe in it, McAfee would call it a virus and delete it. Didn't matter which version of the installer actually, it would delete it. Didn't matter if the AV program was configured to only quarantine suspect files, it would delete it. Didn't matter if I made an empty text file then renamed it to SetupDVDDecrypter_3.5.4.0.exe, McAfee AV would delete it. If I renamed the installer to something else, McAfee AV did nothing.
Pretty obvious to me that it was just waiting to find files that media companies didn't like people to have on their own private property so I'm guessing that they must have gotten McAfee to agree to do their dirty work for them and call stuff they don't like a virus and automatically delete the file regardless of settings.
But that's just my conspiracy theory.
On an old WinME laptop, the only virus I ever had on it was Norton AntiVirus.
I worked on a consulting job two years ago, and they told me I could use my own PC. No problem - except that, when I got there, they wanted to check it for virii. In an XP world, I was running Windows ME. So they loaded up Norton on my machine, and ran it for about 3 hours.
Result? Nothing. No junk of any kind. Completely clean.
Why? It helped that I had the free version of Zone Alarm, and the firewall on my DSL router definitely helped, but I think the biggest reason I had no problems was
- Mozilla instead of IE
- Eudora instead of Outlook.
Completely clean, that is, except for the antivirus. That monster kept interrupting my work. It took a great deal of effort to get the beast out of my system.
My antivirus ate my homework :(
What, were you out of batteries for your cattle prod? :)
Microsoft has just released their much anticipated hands-free cordless mouse. Warning, it may hurt a little at first.
Even better are McAfee's instructions for how to recover from the damage their product has done. The first option is to restore the files from quarantine, assuming your version of McAfee actually lets you do this (not all, including the corporate version, have this option). The second is to use Windows System Restore.
This probably would have worked great on my machine if it weren't for the fact that half of the files McAfee quarantined were *System Restore files*.
Apparently McAfee hasn't heard of a novel concept called "testing". (I like how they've posted a list on their website of the false positive files, now 7 pages long and still woefully incomplete; they ought to just admit it's going to take a random assortment of exes and dlls on any machine.)
Combine this with the fact that the default settings on a McAfee install are to quarantine without prompting, and IMHO McAfee is the most dangerous virus I've ever had on my machine.
Always beware of any software updates released on a Friday. If there's a problem, much of the damage will be done before anyone returns on Monday.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Do you really think Open Source AV can't fsck up your PC if there are bugs in it?
Do you really think it's better to have your system trashed and pay for the privilege?
[Team Leader]: So Steve is new here so, Bob, why don't you show him a simple virus definition for one of these low-priority viruses?
[Bob]: Sure. This virus is low-threat but can masquarade as numerous file names so why don't you just look for a common pattern and write a REGEXP function?
[Steve]: Sure.
[Bob]: You know how to write regular expressions, right?
[Steve]: Yeah, sure, the one's with the asterisks.
[Bob]: Erm, yeah. I'll leave you to it. Just send it to the database so it can get filed in the next update.
[Steve]: OK, see you later.
*Looks around nervously. Briefly glances at long list of file names then timidly enters:*
*.EXE
let's be honest, how many people actually look at the source of programs (updates) they install? I am a programmer, and I never looked the code of an Open Source program I installed
The point of open source is not that you PERSONALLY can look at the source to find problems (although you can if you like).
The point is that thousands of other people can. And usually, no one's stopping them from reporting a problem if they do find one.
Admittedly, this leaves gaps (what if no one else looks?), but it works pretty damn well, for the most part.
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.