McAfee Kills SVCHost.exe, Sets Off Reboot Loops For Win XP, Win 2000
Kohenkatz writes "A McAfee Update today (DAT 5958) incorrectly identifies svchost.exe, a critical Windows executable, as a virus and tries to remove it, causing endless reboot loops."
Reader jswackh adds this terse description: "So far the fixes are sneakernet only. An IT person will have to touch all affected PCs. Reports say that it quarantines SVCHOST. [Affected computers] have no network access, and missing are taskbar/icons/etc. Basically non-functioning. Windows 7 seems to be unaffected."
Updated 20100421 20:08 GMT by timothy: An anonymous reader points out this easy-to-follow fix for the McAfee flub.
When your Anti-Virus software bombs you out.
Not a good day to be a sysadmin... Good luck out there guys.
It seems to be very willing to take the whole machine down. Speaking of which, did anyone at McAfee even bother to test this dat on a Windows XP machine?
For those who seek perfection there can be no rest on this side of the grave.
I work at a university where we use McAfee anti-virus as our corporate AV. Guess what I've been doing all morning?
This space for rent...
oh this isn't going to end well for old Mc
This way running anti-virus is worse for an end user than no anti-virus.
The cure becomes worse than the disease.
At least being part of a spam-spewing botnet keeps the computer mostly functional.
We've known for a long time but it's good that McAfee finally admitted it.
...and constantly keeping up with malware/virii/trojans/etc with software like this, maybe just have a better operating system that is designed to only execute code you trust?
I've always said that Windows was a virus.
`fortune -o`
I know I quit several year ago for my Windows Boxes, mostly because the quality of the software was not up to what was paid for it. It looks like that trend has continued.
I would have gotten first post, but I was running windows with McAfee
Seems not too long ago McAfee was deleting important files....and people kept using it. Here we go again. Can I get a lol?
"To err is human, to mod Funny divine."
What possible scenario allowed this CharlieFox past QA?
When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
HA HA HA HA HA HA HA.
McAfee is crap AV software same with Symantec.
Thank goodness I thought it was a re-incarnation of W32/Wecorl.. I'm glad it's only my protection suite.. wait what. =(
I don't see any indication of when this first went out.
(My wife runs McAfee and launched an update around 3 AM PDT before hitting the sack...)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
So uh, anyone know how to disable McAfee completely? Never caught anything for me but false positives anyway.
I have two days...
...to the MS update fiasco recently?
Maybe it's not McAfee's fault - maybe it's only quarantining svchost.exe on machines where svchost.exe is infected...
at a command prompt when the "windows will shut down in XX seconds" popup is on screen saved me. I'm still waiting for a McAfee update file to fix it properly.
Nullius in verba
Some are running a version of Windows 7 called Windows Vista, and it's also unaffected. Which is not surprising because it's pretty much the same thing with greenish wallpaper.
http://www.freebsd.org/where.html
Next they will be deleting a directory known to be full of malware called system32
Seven puppies were harmed during the making of this post.
My big question is why are Norton and McAfee still so popular in the corporate world?
I understand that the OEMs preload McAfee or Norton because they are paid to, but the corporate world is paying big money for these out-dated anti-virus programs.
There are much better anti-virus providers out there such as Avast, Kaspersky, Nod32 and others.
Don't know something? Look it up. Still don't know? Then ask.
My God! How can something like this possibly get by QA as a company the size of McAfee? Have they outsourced all of their QA to a team with no clue?
-Todd
Omne ignotum pro magnifico.
Two weeks ago it went and deleted two important for dev c++ and another program at my work. It was insistent they were viruses. I'm not sure how I could have received a virus since I get virtually no attachments and don't email anyone outside of work (ie no "fun" emails), I only visit the BBC, Netbean.org, Eclipse.org and a handful of other reputable sites because I'd rather goof off by writing my own code than do nothing, and I scan all my downloads before installing them.
Sure maybe I got unlucky for the first time in like 3 years. Maybe someone used my computer while I was on holiday but I suspect not. I suspect it's related to this.
Which one is that?
Seriously. They consume CPU. They stay resident and consume usable memory. They occasionally crash and/or cause other applications not to work. And, in this situation, they break Windows. I don't use AV and have had pretty much zero issues over the last 6 years of using Windows XP. All you need to do is:
* Configure Windows update to run daily.
* Don't use IE or Outlook.
* Keep Windows Firewall active.
* Don't connect directly to the internet- sit behind a router that's configured to be (mostly) invisible.
* Don't run random things you get sent in email, on facebook, or that pop up unexpectedly while you're at a questionable website.
* If you think something's amiss, boot into safe mode and use a non-resident tool like MBAM.
I am a sysadmin running Protection Pilot from McAfee for my entire office, where most machines are running XP SP3. My engine version is 5919.0000 and I have yet to see the issue with 72% of my desktops up to date. I currently run Win7 with NOD. Hope all goes well.
So if / when my dad calls to complain that his Windows machine is broken (I think he runs XP, or perhaps it's the other way around), what should I tell him besides "Hmm. My Ubuntu machines are all fine, and the Mac doesn't seem to be affected ..."
In other words, what's the simple bullet-point list of steps to fix this, for simple folk at home? (Can include visiting neighbors with a thumb drive to download fixes ...)
timothy
jrnl: http://tinyurl.com/c2l8yr / foes: http://tinyurl.com/ckjno5
A few more refinements to McAfee, and it will simply identify the entirety of Windows as a virus. Then it'll promptly replace it with Ubuntu. They can call it "McAfee: Richard Stallman Edition".
C:\Program Files\Common Files\McAfee\Engine\avv*.dat
Nuff said
Remember when McAfee was distributed on BBS's and it was actually pretty good...
yeah...
those days are long gone.
It's installed in firmware in free (or nearly free) devices near you! It's called...Rock.
If you stayed late yesterday and got your update for yesterday's dat, at least you won't be affected with the millions of people that were affected when they powered up their systems this morning. By now, they would have disabled automatic DAT update and you'll get to skip this caustic update. I guess it pays to stay late, or at least arrive late to work! :p
Heh, I've asked a vendor before how often this sort of thing happens to them (just to see how honest they are and maybe to send a message to whoever is listening).
;).
After all if a hacker/malware causes downtime less often than the vendor's screw-ups, why use the vendor's product? Safer to look for a vendor with a better track record even if they have more false negatives (especially with rare and/or ancient stuff).
There are overheads and performance impacts to using such stuff, in addition to just the price tag (and subscription fees etc). I suspect there's malware out there that's less harmful than running McAfee or Symantec
You will need another/previous .dat file for McAfee named extra.dat
1. Reboot machine into safe mode (WITH networking)
2. User needs to log into machine (or someone with admin rights logs in)
3. Plug in USB drive
4. Go to CMD window
5. CD to USB Drive (root)
6. Execute this command: extra.bat
7. Click "Tools" and then "Unlock Interface"
8. Enter your admin password if needed.
9. Double click "Quarantine Manager Policy"
10. Click "Manager" tab
11. Find latest infection of "W32\Wecorl.a"
12. Right click on infection, click "Restore"
13. Click "Yes"
14. You should get message "All items restored"
15. Reboot - CTRL - ALT - DEL
16. Click "Shutdown" and then "Restart"
extra.bat:
copy extra.dat "c:\program files\common files\mcafee\engine"
"c:\program files\mcafee\virusscan enterprise\mcconsol.exe"
If you get an error about file in use while restoring svchost.exe, go to "safe mode command prompt only", and rename c:\windows\system32\svchost.exe to svchost.old, then you can start at step one and it will let you restore from quarantine
Jay Swackhamer http://www.RebootTheUser.com http://www.hotr.com
It's official... Windows is a virus!!!
XP SP3, it's not exactly uncommon...
Basically it looks like command line
shutdown -a (to stop the autorestart)
Put SVChost.exe back in place (out of the quarantine )
and disable McAfee...
DJMD - The fourth man - Planetary
Finally, a virus scanner that correctly identifies Windows as the virus.
"I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
I work at a major chip manufacturing plant. At 4.10 I was conferencing with another fab when all our PCs shutdown. 10 minutes later the place was in chaos. Now don't get me wrong the fab keeps going but my god the cost to the company of this. Say 10 sites world wide with 2-5k employees each the majority of which can't do any meaningful work. McAfee have a lot to answer for.
From a comment on TFA
"One fix is to delete the bad DAT file the client at "C:\Program Files\Common Files\McAfee\Engine". Delete any av*.dat. Then reboot and the old DAT should be grabbed."
note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
Step 1: Disable McAfee entirely. If you can't because of how affected the computer is, copy the svchost.exe from C:\windows\system32\dllcache up to directly in system32 and then start the DCOM service and others that failed to start because of this. Then disable McAfee entirely.
Step 2: Reboot and uninstall McAfee.
A quick google on the subject brings up many other tests that rank Norton below the ones I mentioned.
So it would all boil down to whom you believe, who is the least beholden to their advertisers?
And Norton and McAfee spend TONS on advertising.
Don't know something? Look it up. Still don't know? Then ask.
> AV-Comparatives' last testing round ranked Norton as the best product on the market
;).
But do they take into account the false positive track record?
That's a relevant point here. I believe Norton/Symantec have also had similar high-impact false positives.
If Antivirus software "A" detects fewer viruses than Norton but only misses out the rare and old ones (e.g. from the DOS era), has been around for years and had zero high impact false positives, I'd prefer it to Norton even if Norton has the lowest false negative rate (highest detection).
I'd prefer it if O/S bunch made more progress towards better sandboxing[1] technologies.
Currently users and AV software regularly have to figure out whether something is malware or not - this is like solving the halting problem without seeing the source code, and without knowing the complete inputs.
[1] I've made some suggestions, they're not exactly easy to implement but easier than solving the halting problem
I bet that after seeing what McAfee can do when it screws up, they won't bitch about what ClamAV did.
(for those who need the summary: ClamAV pulled an update that caused it to shut itself down if it was version 0.94 or older after announcing ~6 months in advance that people needed to update, and kept filling log files with warnings to update. McAfee is breaking a Windows component that causes the entire computer to not function, with a less obvious warning, left for the reader to figure out. The hint is the first word in the previous sentence.)
One of these days, I am going to flip out. When I flip out, I'll be back in five minutes.
Based on what we're seeing and reports from the internet, McAfee 8.0 and 8.5 are unaffected by this problem, while versions 8.7 and 8.9 are. It's also XP specific. Still, that combination has to be a very large number of computers worldwide.
"The universe seems neither benign nor hostile, merely indifferent." --Carl Sagan
I run Linux.
*rides off into the sunset*
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
Most AV companies have a range of products which are frequently entirely unrelated to each other.
Symantec have Norton (terrible), Symantec Enterprise (actually not too bad, although it's being obsoleted in favour of Endpoint Protection) and Symantec Endpoint Protection (which requires a Windows server even though it's a Java application which installs Tomcat and Apache in order to operate).
McAfee have a home product, an enterprise product and a "serviced" product (fairly standard managed AV product only you don't have to set up your own management server because they run it themselves).
Can't speak for others but quite often by the time you've whittled your requirements down you often find that your application choices are a lot more limited than a first glance would suggest.
I agree that it raises the question as to why one should use them, but "down time" is not the biggest threat out there, if you wanna talk loss/cost. While one's time is valuable, I'm thinking that their bank account information, passwords, etc, might be slightly more valuable to them. Personally, I think good secure end-user practices are the best protection, but I do think that a good A/V program is needed.
So, while there is malware out there that is less harmful, more of the malware out there is much MORE harmful... if you disagree, please provide your financial account information, or contact me to transfer all funds to a secured off-shore account... maybe buy me a new car too! ;-)
But seriously... this is really bad, and REALLY stupid. But having no protection for most users risks damaging them in ways worse than a few hours of time to manually fix their issue. And from a corporate perspective, loss of sensitive information is a BIG deal and can cost a LOT more. And that's just talking about data loss. Being part of a botnet to help facilitate financial fraud and other badness... that's also double plus ungood... and irresponsible to not take measures to help keep your computer from playing a part in those crimes.
Anyway... I agree it raises the question... but there's more downside to malware than just downtime.
What I want to know is how does something like this happen? You would think McAfee takes their new patch and tests it to make sure that it doesn't cause this type of annoying issue. How does something like this slip through the cracks?
Next Up! Norton to ID McAfee as a Virus!
~Mekkah
long enough for you to become utterly frustrated that there's no easily downloaded fix from McAfee.
Please do not read this sig. Thank you.
Norton, McAfee and Trend Micro have very solid products that allow for remote management, deployment, updates, forced scans, etc.
Avast (which I use at home) does not have all of these features yet. I can tell you that when dealing with hundreds of machines, having that dashboard for antivirus saves many hours of time. You can run more frequent scans on problem machines, or allow more/less freedom with the click of a button. Many of the products also have URL blocking (by category), email attachment filtering through Exchange plugins, etc. One feature I like about Trend Micro is the "behaviour" plugin, which flags anything out of the ordinary - such as accessing files, programs, or drives that they haven't before.
Corporate networks also typically have edge firewalls that will catch many of the malware infested URLs, email attachments, etc that cause problems. For many businesses with 200+ computers, the Windows-installed Anti-virus software is actually the last line of defense. Often times the loss of productivity of a couple viruses getting through isn't worth the extra $$ invested in more products or a "better" product with less management features.
Licencing is also a plus. While Norton, McAfee and Trend Micro are expensive initially, additional licences for a large number of computers and renewal licences each year actually make it less expensive than others such as Avast and Panda.
Not only do they have to listen to people bitch (rightfully), but since they're likely running Windows XP + McAfee, they can't use their logging tools (meaning they have to do it by hand and then log later), can't get online updates when solutions are available etc.
Took down 3500 machines, all XP/SP3. Lovely morning to work at an IT help desk...
I learned that the Apache Foundation can be hacked, have passwords stolen, and root access to their main servers taken over, and it's not the fault of the OS.
Then I learned that if McAfee Virus scan messes up people's computers, it's not the fault of McAfee, but it's the fault of Microsoft, and their OS!
The comments here can be so enlightening!
dat 5959 is now available IF you can get to the repositories.
We have hundreds of systems down. We were looking at Avira in any event as it was lighter, but now we are moving there at warp speed. McAfee's quality assurance really screwed up on this. Major problems worldwide.
John McAfee, eccentric bad-boy founder of the McAfee antivirus company, is in Belize: http://www.boingboing.net/2010/04/21/lawsuit-plagued-mcaf.html
rewriting history since 2109
Subject line says it all...
retrorocket.o not found, launch anyway?
Back when I used to run a pirated copy of Windows XP I used to get a particular virus all the time. What it did was mimic SVCHOST and use your computer, presumably as a botnet zombie. In some instances you would get a whole bunch of SVCHOST running. However the trouble was, one of those is a legit Windows service. Kill the right one, and your computer speeds up, kill the wrong one, and your computer grinds to a halt.
It sure sounds like they were trying to target that virus (years too late) and killed the wrong process. I remember after killing my computer a few times finding a procedure/method that would work online. However after a while XP started getting so many viruses, it was just easier to do a clean install every few months. Eventually I got so fed up with it, I used Linux until I bought a new machine and bought a copy of Vista.
Anyway I remember the SVCHOST virus as it really used to piss me off. Many times you could just kill the process that was eating the most cycles as for the most part the Windows process didn't require many resources... however if you just happened to look at it at the wrong time when it was doing something and killed the wrong process... well not good.
Reasons I've seen:
They advertise the best. Most people in management positions won't go with something they've never seen in an ad on T.V.
"If it's so good then why haven't I ever heard of it?"
They cost the most.
"Something that cheap couldn't possibly be any good."
I think your first mistake was looking at Mcafee. Your second is looking at Avira. The proper solution is to look at Clamwin, as it's free and will enable you to have more flexibility in making it do what you want.
McAfee may be the worst major anti-virus vendor on the planet. I never understand why they are so popular, except for the fact that they have some name recognition.
http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
Actually, it says right in the summary:
An IT person will have to touch all affected PCs.
If you see a glow, it's working.
How can I believe you when you tell me what I don't want to hear?
Given that svchost is the Windows host process for services it makes me wonder whether it may turn out that this is Windows Update Rootkit BSOD style issue, where the affected machines actually *do* have some malware that is running under the svchost process and McAfee is just being rather over zealous in how it deals with the problem.
Gasp!
This is why windows will never 'Be Ready For the Desktop'(tm).
"linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
to clarify, avira will help, but so can clamwin. it's up to you as to when you use what. Honestly anything other than symantec or mcafee is a better decision for the most part.
The UK's National Health Service has a special deal with McAfee so I imagine thousands of the 900,000 PCs are currently down or will be impacted tomorrow morning when users switch on and ePO dutifully patches them to 5958. I wonder if this update will actually cause more damage and cost to the world's IT infrastructure than any virus. As each PC can only be fixed via a personal visit and replacing the quarantined SVCHOST.EXE I predict massive issues tomorrow. Still it could be worse, a volcano could erupt spewing tons of ash into the sky and cost airlines $1.7B!
This took down hundreds of machines on our network. I wonder how many PCs among all McAfee customers were also affected. Thousands? Millions?
because it comes pre-bundled into every machine from just about every major vendor, and people are too lazy and stupid to find/get something better
"I disapprove of what you say, but I will defend to the death your right to say it." - Evelyn Beatrice Hall, re Voltaire
Good thing I run Linux. My McAfee has no svchost to mess with there, plus my whole OS is clean as a whistle. Haven't had one virus.
I saw that Windows XP boxes all around me were stuck in reboot loops. Someone asked me about a "svchost.exe" virus that their system was "identifying" at boot (or later if it was up for a while). I compared their "svchost.exe" to the same on a system that wasn't running McAfee and saw they were the same date and size. I had one important system running XP that was stuck in the same reboot loop; I rebooted into safe mode and moved McAfee out of the way (so it couldn't start itself up on boot) and life was back to normal.
Apparently the problem has since been "resolved" at the enterprise level. I presume it involves new virus definitions, but I'm not sure of that. With the exception of a couple of PC's connected to instruments that are critical to my research everything I use is in Linux, IRIX, or OS X.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
Does anyone know how it could come about that a standard Microsoft executable should be flagged as a virus?
I mean what process did McAfee use to add that to the list of viruses? Is it reviewed by a human for a sanity check?
Since I'm running XP SP3 I'm glad I don't have McAfee antivirus. I heeded the gist of some comments here on /. a while back and installed MS Security Essentials after running for a long while with no antivirus software.
At least the problem is restricted to the tiny subset of the user base that just happens to have exactly that crazy perfect storm of a configuration.
--I'm so big, my sig has its own sig.
-- See?
Clamwin doesn't have an On-Access Scanner.
Clamwin doesn't have real-time protection, which you need for idiot users in a corporate environment, and I've never seen anything report on the effectiveness compared to other suites.
McAfee has a fix available on their site called 5957xdat. The bad 5958 DAT update took all our 700+ systems down and 1/2 day to get them back. OUCH!
http://www.avast.com/fr-fr/distributed-network-manager
http://www.pandasecurity.com/usa/enterprise/solutions/adminsecure/
Just search for "free iPad". I'm sure you'll find something that will deactivate your anti-virus.
* Don't log into your PC as administrator unless you absolutely need to. Most Windows viruses need administrator privilege to install and run. If you aren't running as administrator, most viruses won't be able to do anything.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
ahahaha fuck windows
Anti-virus itself is a virus, and is no replacement for education. Even a properly configured and updated anti-virus program will not detect things in the wild that are not yet in their lists (quite common, as my prior company used to quarantine things and see if they were detected later). And it only takes one.
So,
is all of the overhead, conflicts, and other general performance and system problems caused by the anti-virus software itself worth it? IMHO, no. Yes, I know users are idiots. But you cannot fix broken social and education problems with technology. How about more strict policy, education, and enforcement instead?
Good thing I switched to Norton!
I wish it would kill System Idle Process. That thing is always using 99% of my CPU - idle my ass!
I wonder if anyone has done any studies on which costs more.
Downtime due to all the viruses, or the downtime and slowdowns caused by the virus scanners.
Who would win this election: Andrew Weiner vs Andrew Weiner's weiner.
McAfee may be the worst major anti-virus vendor on the planet. I never understand why they are so popular, except for the fact that they have some name recognition.
No, that would be Symantec (although McAfee is a close second).
The truth is that all men having power ought to be mistrusted. James Madison
Somebody with connections at Intel just told me Intel is "down" due to a "virus". I wonder if this is the real reason.
I've never liked SVCHOST.EXE anyhow. I'm glad it deletes it.
Stop ePO from pushing the selected DAT file, then copy the previous DAT set back over the current one:
xcopy /Y "C:\Program Files\Common Files\McAfee\Engine\OldEngine\*.*" "C:\Program Files\Common Files\McAfee\Engine"
which will replace the 5958 DAT file with 5957.
If PC is going down for reboot open command prompt and type shutdown -a to abort the shutdown
Check to ensure that C:\Windows\System32\svchost.exe is still in the directory. If not copy it from another machine back to the C:\windows\system32 directory
open command prompt and xcopy
Reboot.. Problem fixed..
If machines are still accessible via RPC you can PSEXEC the xcopy command to infected machines, or if the machines still have rpc services running you can set up a login script via group policy to copy overwrite the current dat with the older dat via the xcopy command above.
Note you may receive an access violation error when trying to copy the mcscan32.dll file, that's normal as the file is in use.. the solution still works as it's the DAT files that are causing the issue.
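The manual recovery steps posted in this thread (shutdown -a, putting svchost.exe back from dllcache, dropping in extra.dat, or rolling back to the OldEngine DAT set), consolidated into one batch script as an added example; it is not from any poster here. It assumes the default McAfee paths quoted above and that extra.dat sits beside the script on the removable drive.

```batch
@echo off
rem Added example, not from any poster in this thread: consolidates the manual
rem recovery steps above (shutdown -a, svchost.exe restore from dllcache,
rem extra.dat drop-in, OldEngine rollback) for an XP machine hit by the 5958 DAT.
rem Run from an Administrator command prompt (Safe Mode works). Assumes extra.dat
rem sits beside this script on the removable drive.
setlocal

set "ENGINE=%ProgramFiles%\Common Files\McAfee\Engine"
set "SYS32=%SystemRoot%\system32"

rem 1. Abort the restart the DCOM failure keeps triggering, so there is time to work.
shutdown -a >nul 2>&1

rem 2. Restore svchost.exe if VirusScan quarantined it; dllcache holds a protected copy.
if exist "%SYS32%\svchost.exe" goto :check
echo svchost.exe is missing - restoring from dllcache
copy /Y "%SYS32%\dllcache\svchost.exe" "%SYS32%\svchost.exe" >nul || goto :fail
goto :dat

:check
rem Sanity check one poster used above: a legitimate svchost.exe matches the
rem dllcache copy. Sizes are compared here; a mismatch deserves a closer look.
for %%F in ("%SYS32%\svchost.exe") do set LIVE=%%~zF
for %%F in ("%SYS32%\dllcache\svchost.exe") do set CACHE=%%~zF
if not "%LIVE%"=="%CACHE%" echo WARNING: svchost.exe size %LIVE% differs from dllcache copy size %CACHE%

:dat
rem 3a. Preferred fix from the thread: drop McAfee's corrected extra.dat into the engine dir.
if not exist "%~dp0extra.dat" goto :rollback
copy /Y "%~dp0extra.dat" "%ENGINE%\extra.dat" >nul || goto :fail
echo extra.dat installed
goto :done

:rollback
rem 3b. Fallback from the thread: copy the previous (5957) DAT set back over the 5958 one.
rem xcopy reports an error on mcscan32.dll because it is in use; the thread notes
rem that is expected, so the exit code is deliberately not checked here.
echo extra.dat not found - rolling back to the DAT files in OldEngine
xcopy /Y "%ENGINE%\OldEngine\*.*" "%ENGINE%\" >nul

:done
echo Recovery steps applied. Reboot normally; if svchost.exe is still listed as
echo quarantined, restore it from the VirusScan console as described above.
endlocal
exit /b 0

:fail
echo A copy step failed - check that this prompt is running as Administrator.
endlocal
exit /b 1
```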
The story just hit ABC News, via the Associated Press: "McAfee Antivirus Program Goes Berserk, Reboots PCs" There are stories on the Huffington Post and NextGov. The story just broke into mainstream news in the last hour. It just hit the New York Times.
There's nothing on McAfee's home page about this yet. No items in their "News" or "Threat Center" or "Breaking Advisory" sections. There's supposedly a McAfee Knowledge Base article, "False positive detection of w32/wecorl.a in 5958 DAT", but their knowledge base site is overloaded. When it eventually loads, there's a download link to a patch. But there's nothing like an apology. All they say is "Problem: Blue screen or DCOM error, followed by shutdown messages after updating to the 5958 DAT on April 21, 2010."
McAfee has botched their damage control. They should be out there apologizing. Meanwhile, you can watch McAfee stock drop.
F-Prot from Frisk. I've been a subscriber since before Windows. A couple of years ago I did a stupid thing and then had to use BitDefender to remove the ill effects. Other than that, no infections since the early '90s.
Yup - My contacts at Intel say they are down across the board - more accurately across the world (that's over 110,000 workstations folks). Employees are being advised to use their laptops and to make sure that they are not plugged into the network.
fwiw Avira is a good program and plays well with AVG.
And according to Virus Bulletin, they're one of the worst for proactive detection and about average for reactive detection.
It's never good to only use a single source for these things.
put *them* on ubuntu?
Comcast decided to start providing Norton instead of Mcafee to its customers.
After years of not using a signature, I am going to make one to say the following: Fuck Beta
Now imagine that you are part of a multi-site Health System that primarily runs Windows.....
Our fix method is as follows:
Download the extra.dat file from http://download.nai.com/products/mcafee-avert/wecorl/extra.dat and put it on your favorite removable media.
Reboot into safe mode.
Control-Shift-Esc to access Task Manager.
File, Run, cmd to access Command Prompt.
Copy extra.dat to C:\Program Files\Common Files\McAfee\Engine
Copy C:\windows\system32\dllcache\svchost.exe C:\windows\system32 (and overwrite).
Reboot into regular mode.
I switched our company over to Kaspersky from McAfee Corporate last year (and sure do feel good about that decision right now!). But honestly, I think almost ALL of these products eventually cause problems.
Kaspersky has frustrated me repeatedly because some of the workstations seem to get "out of sync" with the centralized management console, every so often. They'll show an icon saying their anti-virus signatures are out of date and complain about BLACK.LST being damaged or missing. (This is Kaspersky's cryptic and misleading error message that's really trying to tell you the client believes it's not properly licensed anymore, so it's refusing to take updates.) If you force an update manually from the console, you can usually "kick start" it back to life. But it's an annoyance I shouldn't have to deal with!
For free home anti-virus, I currently recommend Avast to most people... but again, I realize this is subject to change at any time. I used to love AVG, but then they went and pulled the stunt of generating tons of Internet traffic with their web-scanner they added, and the product started having major bugs doing upgrade installations from v8.x to v9 on some machines. (You had to jump through a bunch of hoops, manually editing registry entries or running a script they made to purge old ones, before you could get it to install properly.)
I have to wonder what controls the various AV companies have to prevent a malicious signature being inserted - for example, someone deliberately doing something like this (but hitting all versions of Windows).
It's not just McAfee that's had this particular style of false-positive problem - Symantec also falsely identified a legitimate part of the Windows 2003 Server resource kit as malware. Fortunately in Symantec's case the damage was very limited.
Oolite: Elite-like game. For Mac, Linux and Windows
European air traffic systems run on Windows XP with McAfee.
What I would like to know is, why wasn't it tested before it was taken out of the sandbox and delivered? You can't miss this if you test it.
Apple has their sights firmly focussed upon the consumer electronics world, which ultimately makes Mac OS X and the iPhone problematic for most businesses. Ever see a company using iCal? pure lolz! If your company could successfully run on Mac OS X, then they could equally well run on Linux, and you'll need to consider various finer details.
In any case, all the unixy central administration tools are far more powerful than similar windows tools, therefore many companies could benefit enormously from exploring desktop Linux and Mac OS X, but many users depend upon Microsoft only features.
The Christian religion has been and still is the principal enemy of moral progress in the world. -- Bertrand Russell
sad but true.
McAfee shut down their forum after massive outrage:
The McAfee Community is experiencing unusually large traffic which may cause slow page loads. We apologize for any inconvenience this may cause.
Added updated .dat file from McAfee to a keydrive, so it can be moved to c:\program files\common files\mcafee\engine. If machine is stuck in "no taskbar" mode, that is because svchost.exe has already been quarantined. If you right-click on the mini-taskbar, you can open taskmanager, then open a command shell by creating a new task, then typing "cmd" (sans quotes) in the popup prompt. Once you have a command window, you can xcopy the .dat file. Reboot the pc.
Copy the file svchost.exe out of this zip file to a key drive. You can then copy it to c:\windows\system32. Reboot and you should be OK.
If you are on XP SP2 or greater, you should be able to tab-complete paths for your xcopy command. This means you start typing, then hit the "Tab" key on your keyboard, to help autocomplete the path/filename you are looking for. If you don't have tab, remember to put your path for c:\program files\... in quotes, since Windows can't execute a command that has a space in it without them being wrapped in " ".
If you don't know xcopy, here is a fast man page.
It's days like this that make me glad I set our ePO server to wait a day to distribute new DATs. I've been considering an AV change, this seals it!
A lot of major companies (and the government) get a big discount if they go with McAfee or Norton. Right now most of DoD is using McAfee to "save" money.
http://www.fastcompany.com/magazine/145/fantasy-island.html
Don't be a typical smug IT guy. You really think the average consumer is going to go buy a PC and think, "Hey, let me research this anti-virus thing. I think McAfee might suck." No. Why would they do that? Isn't that why they are coughing up the big bucks to begin with, so that they don't have to? Whether or not they have valid reason to worry is beside the point. Don't call them stupid though. I can't stand the stigma attached to IT guys, but a lot of the time the stigmas are valid.
Actually, Norton 360 is one of the better options right now. It was able to detect a nasty new variant of the TDL3 rootkit that got past Nod32. I used to be a fan of Nod32, but I have seen it fail too many times to block the rootkit/trojan/rogue packages that are so common these days. Nod32 has also gotten worse about bogging down performance with frequent statistical submissions and updates.
From EPO disable the update task > Head to clients that already got the update and bring up the av console and click Tools > Rollback DATS and restore anything svchost
The best argument against democracy is a five-minute conversation with the average voter.
- Winston Churchill
Nod32 conflicts with a different Windows component, GDI32.
*ducks*
People can't work and laugh at the same time.
This brought down all the computers at my university.
It is no coincidence that in no known language does the phrase 'As pretty as an Airport' appear.
Alright, ignorant then, and willfully so. They don't want to know how to do anything properly, they just want it done now and get all pissy with me when they fuck it up. God forbid they actually take the time to learn something.
After seeing how the "average consumer" uses and treats their computer, and having to fix it after the fact, it's hard to NOT feel resentment towards them. It's not personal, I just despise what they represent, willful ignorance.
"I disapprove of what you say, but I will defend to the death your right to say it." - Evelyn Beatrice Hall, re Voltaire
Migrate to Microsoft Security Essentials.
The tool probably fails because it is only for Home versions of McAfee. You may be forced to do a wipe and reinstall. These programs often refuse to be uninstalled as a "safety measure" so they can't be deleted by viruses. My school used Sophos and I simply could not get it off the computer later without a full reinstall.
I would recommend you try Microsoft Security Essentials as your replacement... good luck!
Do what thou wilt shall be the whole of the Law
I wouldn't consider this "easy to follow"--I can't make heads or tails of it at all! ;-)
Your PHP installation appears to be missing the MySQL extension which is required by WordPress.PHP Warning: PHP Startup: Unable to load dynamic library 'C:\Program Files\PHP\ext\php_gd2.dll' - The paging file is too small for this operation to complete. in Unknown on line 0 PHP Warning: PHP Startup: Unable to load dynamic library 'C:\Program Files\PHP\ext\php_gettext.dll' - The paging file is too small for this operation to complete. in Unknown on line 0 PHP Warning: PHP Startup: Unable to load dynamic library 'C:\Program Files\PHP\ext\php_gmp.dll' - The paging file is too small for this operation to complete. in Unknown on line 0 PHP Warning: PHP Startup: Unable to load dynamic library 'C:\Program Files\PHP\ext\php_imap.dll' - The paging file is too small for this operation to complete. in Unknown on line 0 PHP Warning: PHP Startup: Unable to load dynamic library 'C:\Program Files\PHP\ext\php_mbstring.dll' - The paging file is too small for this operation to complete. in Unknown on line 0 PHP Warning: PHP Startup: Unable to load dynamic library 'C:\Program Files\PHP\ext\php_mysql.dll' - The paging file is too small for this operation to complete. in Unknown on line 0 PHP Warning: PHP Startup: Unable to load dynamic library 'C:\Program Files\PHP\ext\php_exif.dll' - The specified module could not be found. in Unknown on line 0
(It's really funny because those are, in fact, instructions on how to fix something on Windows.)
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
ClamWin *itself* doesn't have an on-access scanner but...
On the other hand, there are numerous plugins to hook clamwin to, so you can check for virus at their point of arrival.
(On the client's side there are Firefox and Outlook plugins, on the server's side there are Samba plugins)
but personally I supplement always ClamWin with a 2nd antivirus featuring a on-demand scanner.
ClamWin&Plugins +Avira or +AVG.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
We have comments blaming McAfee from Windows users and comments making fun of AV software in general from other OS users.
Where are you seeing comments blaming Microsoft?
Consider the mechanic, the doctor, the plumber, the electrician.
Would you expect them to consider their average consumer 'willfully ignorant'? After all, if they just took some time to learn something they could repair their own engine, diagnose their own illness, fix their own leaky sink, wire up their own socket loop.
The point is, people learn what they are interested in, and if they want to pay someone else to learn the other stuff why shouldn't they?
If they are paying money for someone to provide a service, why shouldn't they expect that service to do what it purports to do?
Hi, we've just released a GP start-up script on the domain which fixed about 90% of the PCs by forcing sdat5959 and a shutdown -r. Left only ~10% of the PCs with a missing svchost that required sneakernet... going for a sleep now...
Oh this is great. We signed a contract last week to support a 5000 desktop client with EPO and VSE - oops. Hope it's quiet at work...
For free home anti-virus, I currently recommend Avast to most people... but again, I realize this is subject to change at any time.
What's wrong with Microsoft Security Essentials? It seems good enough...
Nick
Alright, ignorant then, and willfully so. They don't want to know how to do anything properly, they just want it done now and get all pissy with me when they fuck it up. God forbid they actually take the time to learn something.
I agree. If more people take the time to learn this stuff, at least we won't have to listen to IT guys rant about this stuff anymore. Hell, non-IT companies might even be able to cut down on their IT funding and use the money for stuff that's actually related to their business.
While I'm dead serious about the stuff I wrote above, I'm flummoxed that IT guys are resentful about the thing that's keeping them employed. That's like auto mechanics being resentful about how little car owners understand their cars. Amused, yes. Irritated, yes. Resentful? LAWL
It's all just part of McAfee's new and improved system hardening technique. Look ma no viruses!
Yeah, but how do you fix a CGI Error?
---
CGI Error
The specified CGI application misbehaved by not returning a complete set of HTTP headers.
Clamwin doesn't have real-time protection, which you need for idiot users in a corporate environment
As said in my above post, even if ClamWin itself doesn't, other software packages can provide the on-demand part or can be used to scan suspicious files at their point of entry.
and I've never seen anything report on the effectiveness compared to other suites.
There are a couple of tests floating around, some mentioned on /. other on ClamAV's own site.
In short: ClamAV might not detect as many old legacy threats as other products, but it has nonetheless a damn good response time against new threats. (And they are more honest: they don't cheat with signature file version numbers in order to artificially appear to have better response times.)
That's why it's rather popular on mail servers (which nonetheless usually use several anti-virus solutions): they don't care if ClamAV doesn't detect all MS-DOS viruses from the 90s, as long as it is super-fast against new worm outbreaks, and it's free to add as an additional protection layer.
Computerworld reports that McAfee has reacted to user complaints by shutting down their support forum. The forum seems to be back up now. That was an extremely dumb move to pull after the story was already in the New York Times, Business Week, and on TV.
Many frantic users in the forum. The big losers are the enterprise users who bought into McAfee's premium services, with automatic corporate-wide updating. There's no fully automatic, reliable fix yet for systems already damaged. In some cases, it's apparently necessary to bring in a new copy of "svchost.exe"; the one in quarantine is bad.
This points up a major risk to US computer infrastructure. Any program with remote update is potentially capable of taking down vast numbers of systems. Ones like McAfee or Windows Update, which deploy updates to all targets simultaneously, can cause widespread damage quickly. Remote updating by vendors may need to be regulated, as a public policy issue.
No way, not by a long shot. ClamAV/ClamWin can't touch Avira. Yes, it's Free and that's nice, but it's not terribly effective. I run the latest version of ClamAV, automatically updated hourly, on the servers I operate and while certainly better than nothing, I appreciate it and I like the way it operates, it misses a lot of fairly common "ecard.zip" type trojans that come in email. I can upload the same files to jotti, and Avira and other good ones catch them even if by heuristics. I don't really care, and I'm not spending money, because clients need to have their own resident antivirus software anyway, but I have observed ClamAV for several years and it's certainly not the best. I don't need it to catch "phishing" emails with its detection patterns, rightly or wrongly; I'm more concerned about trojans and rootkit droppers. I have also tried ClamWin as a scanner to attempt to identify malware on infected PCs (I run a computer service in my town), and it is not very effective and very slow. (It takes a long time to find out that you've just wasted your time.)
I agree with IIS Hacks. If you’ve ever tried to deploy antivirus software to thousands of endpoints, you probably learned to appreciate products by Symantec, McAfee, and Trend Micro. The same powerful ability to deploy updates to thousands of PC’s at dozens of office locations is also a major weakness. When companies could afford decent staffing, new antivirus signatures, hot fixes and service packs were tested in-house on company standardized builds before deploying. Budgets are so tight, that we’ve grown even more dependent on our vendors to do this for us. You are at their mercy no matter who you choose.
when our McAfee subscription was expiring. Lighter weight and hasn't received a bad definitions update so far. Also updates the definitions more often as well.
The "fix" is easier said than done. Imagine having to do that for 100 machines...1,000 machines...10,000 or 100K machines!!! Has to be done manually to each!!!
When I first saw the effect of what was going on, the first question in my mind was "When did W32.Blaster.worm get a new variant?"
See http://en.wikipedia.org/wiki/Blaster_%28computer_worm%29 for history lesson.
We have hundreds of systems down. We were looking at Avira in any event as it was lighter, but now we are moving there at warp speed. McAfee's quality assurance really screwed up on this. Major problems worldwide.
Okay, fire your IT dude, because, well, he/she sucks and doesn't know their job.
I find Rising Antivirus, which is free and has an online scanner to be decent on my Windows 2008 server machine.
seriously dude, fire your IT person, they suck.
Be seeing you...
Fuckin' McAfee.
Because their enterprise versions have solid auditing tools, and hooks for NAC service. This allows enterprises to deny machines access to the network unless they pass a healthcheck, meaning an AV program and other adminware installed, updated, and working.
People research many things before they buy or use them. Houses, neighbourhoods, schools, cars, trucks, health food. There's no reason to expect them to do any research on the software and hardware they have on their computer. That's just silly!
I really shouldn't have used someone else's email address for this account.
What bothers me is the idiotic stand by anti-virus apps to tag as many keygens as possible with generic, unhelpful "trojan" warnings, when MOST (but not all) are completely clean.
Ignoring the whole "piracy is bad - you get what you deserve" argument crap, is it any better that users have no way to determine if the AV app they are using is simply crying wolf, or alerting them to a real threat? At best, this is a dishonest and destructive practice.
While I'm addressing pet peeves with AV apps (above and beyond their bloated resource hogging) - why do apps like Avira continue to hit on executables I've already told it to "IGNORE" - WTF is the point of the button if the AV app is just going to "IGNORE" my decision?!??!?
We've used McAfee for years. It can take a brand new quad core computer with 4 gigs of RAM and make it operate at half its specs. It's garbage. I've used a few antivirus products over the years and all its enterprise features have never worked properly. It's purely marketing and sending PHBs free swag. There are a lot of anti-virus companies with the features you mentioned that do it far better than McAfee. The only reason they are still in business is because of marketing.
If an officer ever threatens to taze you, say you have a pacemaker.
You can manually copy a good DAT over and a good copy of svchost.exe into their proper directories. However our copy/paste wouldn't work so I wrote a batch file because the copy command still seemed to work ok. Because we had to do it on so many we didn't have time to type anything, just run a .bat file with those two copy commands and a reboot.
Fuckin' McAfee...
incorrectly identifies svchost.exe, a critical Windows executable, as a virus
While it's fair to say that svchost.exe -- the FILE -- is a "critical executable", that is completely different from saying that svchost.exe -- the PROGRAM instance -- is always critical.
The very annoying thing is that svchost.exe doesn't do anything of its own, really, except run other programs. Sometimes that other program is really essential (like core Microsoft IPC services), sometimes that other program is necessary for one of your computer's devices to work, and yet other times that program is something like Yahoo Toolbar. Or worse: adware, spyware, or a trojan.
Shame that XP never thought you would need a way to know exactly what that svchost.exe instance was actually doing. I know I've forced a reboot unintentionally by trying to kill unnecessary processes, and happened to kill that one joker's-card svchost.exe process that was running an essential core service. (Meanwhile you can kill explorer.exe, the core of the UI, and simply restart it to get it back. Go figure.)
Right now I have 7 svchost.exe processes on my XP system. I've no idea what any of them are actually doing. They have memory spaces anywhere from 200KB to 18MB, and open filehandles anywhere from 100 to 2,000. I would like to think I could determine which ones were legitimate and necessary and which ones were just idle crap taking up resources, or worse.
Terrorists can attack freedom, but only Congress can destroy it.
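Added example, not from the post above or from Microsoft: on Windows XP Professional the built-in `tasklist /svc` lists the services each svchost.exe PID is hosting, and each hosted service's `Parameters\ServiceDll` registry value names the DLL that actually runs inside that process. The batch script below (mine, not the poster's) joins the two so a mystery svchost can be judged before it is killed. The registry key layout and the column parsing of `tasklist` and `reg query` output are the assumptions; `tasklist /svc` is not present on XP Home.

```batch
@echo off
REM Added example, not part of the original post. For every svchost.exe on
REM Windows XP, print the PID, the services it hosts, and the DLL behind each
REM service. Built-in tools only: tasklist (XP Professional) and reg.exe.
REM A ServiceDll outside %SystemRoot%\system32 deserves a closer look.
setlocal
REM findstr /b keeps only the data rows, dropping the tasklist header.
REM tokens=2,* gives the PID and the comma-separated service list.
for /f "tokens=2,*" %%P in ('tasklist /svc /fi "imagename eq svchost.exe" ^| findstr /b /i "svchost.exe"') do (
    echo.
    echo svchost.exe PID %%P
    REM a plain FOR splits its set on commas and spaces, one service per pass
    for %%S in (%%Q) do call :show "%%~S"
)
endlocal
goto :eof

:show
set "SVC=%~1"
set "DLL=(no ServiceDll value; see the service's ImagePath instead)"
REM reg query prints "ServiceDll  REG_EXPAND_SZ  <path>"; tokens=1,2,* keeps the
REM whole path even if it contains spaces. Errors (unknown service) are hidden.
for /f "tokens=1,2,*" %%J in ('reg query "HKLM\SYSTEM\CurrentControlSet\Services\%SVC%\Parameters" /v ServiceDll 2^>nul ^| find /i "ServiceDll"') do set "DLL=%%L"
echo     %SVC%  -^>  %DLL%
goto :eof
```

Run it from an administrative cmd window; the DLL path is shown as stored (so `%SystemRoot%` appears unexpanded), and a service group whose every DLL is a Microsoft file under system32 is the one you least want to end with Task Manager.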
I agree. AVG was awesome up until 8.5. 9.0 is the buggiest resource-hogging, system-locking piece of shit I've seen since Norton and Mcafee. Problem is 9.0 came out about ten minutes after I renewed our company's license for 2 years.
This is a sig. It is like every other sig in the world, except that it is mine, and it is different.
Here's an example:
TechSoup - this is a place where non-profits can get HUGE discounts (like 10% or so of normal cost) from certain vendors. Products such as:
1.) Microsoft - Exchange, Windows, SQL, Visual Studio, SharePoint, etc.,...
2.) Adobe - CS2, CS3, CS4 Suites
3.) Cisco - Routers and Firewalls
4.) Symantec - AV, Internet Security, Corporate
The list goes on and on. The same things happen with large licence purchases for big business. The big vendors can afford to undercut the smaller guys that in many cases are better value for the dollar.
That said, try and justify NOT using Symantec when the competition is 5 or 6 times as much after discount than, say... Avast is normally. The finance people look at the numbers and sign off on the purchase. They don't understand the technical realities (such as Symantec being a hog) yet they complain about the same problems you tried to use to justify NOT using Symantec. They understand after it's too late but then when upgrade time comes, they either forget or feel you are insulting their intelligence when you remind them of the last go-around. They don't consider value - they only consider the number in dollars.
The decisions are made on what makes the most financial sense regarding purchase costs because that is an easy-to-crunch number. Lost man hours, reduced productivity due to morale and high frustration, etc.... That's too hard to quantify. Also, since the saying "you get what you pay for" is usually true, they look at the high normal cost and think they are getting quality and are happy for getting a great deal - the bean counters can end up with a great review using those numbers that fit on a spreadsheet with rock solid math and no unknowns. Besides, if something goes wrong, it's not a bad purchase (can't be - the purchase was made by the same people) so it must be something else... there must be someone we can blame. Since it's not them, it must be bad IT people - they do things we don't understand so it MUST be their fault.
As always, it has nothing to do with facts or with technology - it's all about CYA politics and making oneself look good at the expense of any scapegoat that can be found. This is especially true when the execs are in panic mode and not prone to logical, rational thinking. Unfortunately, even if it's proved it was a bad purchasing decision against the recommendations of IT, the emotions of the exec will have a bad taste for IT during the after-cleanup debrief.
ClamWin's effectiveness is poor, much worse than McAfee, and it is slow.
http://www.virus.gr/portal/en/content/2008-06%2C-1-21-june
Given McAfee's rather aggressive use of lawsuits to shut up those critical of them, I won't state all my problems with them. I'll only observe that this fiasco finally gives me a PHB proof reason to shove them out the door, and GOOD RIDDANCE to them. I've known for the last eight years their apps are, ahem, Non-optimal in my opinion, and hated them for the past twelve years.
The university I work for (still here fixing PC's @ 8:20pm - 12 hours!) gets it for free for beta testing their client and server. I believe we're not the only Uni that has this sort of deal.
No sig for you!!
It seems to me that there are more choices even if you look at the enterprise market. There's MS Forefront, which seems to be the same engine as MS Security Essentials (which is good), with all the "enterprise management" stuff on top of that. There's Sophos, about which I've no idea how good it is, but I've seen it running in many places. If I remember correctly, NOD32 also has some solution.
Get a DECENT anti-virus (not McAfee or Norton) and you won't have these problems.
Although what constitutes "decent" in a corporate environment I don't know.
We use SonicWall's security services; their anti-virus is a very dumb and salvaged version of McAfee business. Machines were going down but WITHOUT any explanation or warning messages, and since svchost was killed, no chance of getting into the event monitor or using any tools. We got a bit afraid of a new virus spread because the way everything was disabled on the machine looked like some well-known malware, but after a couple of hours I couldn't find any trace of infection. My second guess was the anti-virus, and I was right, but unlike the real version of McAfee business, the SonicWall version wasn't showing any clue of what was going on.
Since I'm involved in testing AV (I work for one of the AV vendors), I'll say that all industry tests and reputable tests show Norton, McAfee, and Trend to be the best products for detection, whether on-disk or over the wire (especially for drive-by attacks).
It takes an extreme amount of collective knowledge to properly test an AV product. When I see how tests are conducted by major magazines, third parties, and "techies" it makes me cringe. They just don't have an understanding of how to do it.
I think you should also consider MS Security Essentials. I think they have a corporate version too, and it works as well as any other antivirus and is lightweight too.
Wealth is the gift that keeps on giving.
This is how we fixed it here:
1. boot into safe mode with networking
2. copy \windows\servicepackfile\i386\svchost.exe \windows\system32
3. update virus definitions
4. reboot
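The fix steps posted in this thread (the Task Manager / xcopy route, the two-copy batch file one admin ran across many machines, and the four-step Safe Mode list just above) all amount to the same three actions: load a corrected DAT, put a known-good svchost.exe back, reboot. The batch script below is an added example, mine and not a script from McAfee or from any poster here, that does the three in one pass and refuses to reboot if either copy failed. It assumes (my assumptions, not the thread's) that the corrected DAT files are unpacked into a folder on a removable drive passed as the first argument, and that the DAT directory is the one named earlier, %CommonProgramFiles%\McAfee\Engine. It should be run from Safe Mode, or from the cmd window opened through Task Manager as described above, so the on-access scanner is not active and cannot quarantine the restored file again.

```batch
@echo off
REM Added example, not a script from McAfee or from any poster in this thread.
REM Repairs an XP machine hit by the DAT 5958 false positive:
REM   1. corrected DAT first, so the scanner stops flagging the file,
REM   2. svchost.exe from a known-good LOCAL copy (never the quarantined one),
REM   3. reboot, but only if both copies succeeded.
REM Assumptions (mine): the corrected DAT files sit in a folder passed as the
REM first argument, e.g. E:\dat, and VirusScan keeps its DATs under
REM %CommonProgramFiles%\McAfee\Engine as stated earlier in the thread.
setlocal
set "SRC=%~1"
if "%SRC%"=="" (
    echo usage: %~nx0 ^<folder with corrected DAT files^>
    exit /b 1
)
set "SYS32=%SystemRoot%\system32"
set "DATDIR=%CommonProgramFiles%\McAfee\Engine"

REM 1. Corrected DAT. xcopy sets errorlevel 1 when it copied nothing.
xcopy /y /q "%SRC%\*.dat" "%DATDIR%\"
if errorlevel 1 (
    echo DAT copy failed - wrong folder, or files locked by a running scanner
    exit /b 2
)

REM 2. svchost.exe, only if it is actually missing. Candidates in order:
REM    Service Pack install files, the Windows File Protection cache, then a
REM    copy taken from a machine at the same SP level onto the drive.
if exist "%SYS32%\svchost.exe" goto :restored
for %%F in ("%SystemRoot%\ServicePackFiles\i386\svchost.exe" "%SYS32%\dllcache\svchost.exe" "%SRC%\svchost.exe") do (
    if not exist "%SYS32%\svchost.exe" if exist "%%~F" (
        echo restoring svchost.exe from %%~F
        copy /y "%%~F" "%SYS32%\" >nul
    )
)
if not exist "%SYS32%\svchost.exe" (
    echo no known-good svchost.exe found; bring one from a machine at the same SP level
    exit /b 3
)

:restored
echo files in place, rebooting in 10 seconds
shutdown -r -t 10 -c "McAfee DAT 5958 repair"
endlocal
```

Because it exits non-zero instead of rebooting when a copy fails, a GP start-up script wrapper of the kind one admin above used can separate the machines it fixed from the ones that still need a visit, and the quarantined copy is deliberately never touched, since the thread reports that one is no longer usable.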
The Swedish government company Systembolaget is responsible for all sales of alcoholic beverages above 3.5%. They happen to be running McAfee and all of their billing systems are fully down for the day. They are closed all over the country and no one in Sweden can buy alcohol today. Thanks McAfee! Sweden will never recover from this disaster.
Fuck, ^this multiplied by a hundred. My (UK.Gov) employer mandates McAfee, ugly POS that it is. I also run a small, off-corporate network for web publishing and so forth. For this I wanted to get NoD32 for the windows machines - it works out cheaper, and you can buy either two or three year licenses as opposed to the mandated annual update for the McAfee version a previous incumbent had purchased.
Cue our Security guys vetoing NoD on the basis that "we had a special working relationship with McAfee, and they would be on call to help in the event of any problems happening....". I'm off work at the moment so am not aware whether we've been hit, but the thought that we may have gives me a moment of delighted schadenfreude.
XP is no longer secure. It's a 10-year-old os and it sucks. And oh yeah McAfee (and Norton) suck rotten eggs.
Vote Quimby!
Minus the smugness, though, he's kind of right. For example, most people wouldn't wave their credit card number around in front of random strangers, and certainly wouldn't in front of people actively paying attention and looking to steal it--and if they did, I think we could all agree that would be stupid. It's not too much of a stretch to realise that putting their information into a machine they have made no real effort to carefully protect against invasion is a virtual manifestation of the same thing.
10 FILL MUG WITH COFFEE
20 DRINK COFFEE
30 GOTO 10
Trend Micro is actually the best of those three--I wouldn't touch either of the others, but this one isn't bad. We actually used TM in my home office for a long time until corporate decided to cut costs and go with a cheaper option. (VIPRE... oh, it's cheaper alright.. and we've already gotten two viruses and a rootkit in our network since the changeover. Wheeee.)
Well any word from McAfee releasing a fix? I have 10 clients all running their offices with McAfee.. I have an odd feeling it will be a long day. >
Consider that the average person is not under the hood of their car every day randomly pulling on things. Consider that the average person is not attempting to perform surgery on themselves. Consider that the average person is not going around banging on all the pipes in their house and randomly turning valves. Consider that the average person doesn't go up to their breaker box with a big pair of scissors saying "What are all these wires doing? Do I need these?"
The average person should probably not even be touching a computer. Let computer people use them, the rest of the plebes can go back to paper where they could at least get work done without Facebook and YouTube.
Good example. I was thinking more from a preventative maintenance/general functionality perspective, like even a modestly educated person wouldn't drive 10,000 miles without an oil change, or eat a bucket of lard and not expect there to be consequences. But the security angle works too. And I can't help the smugness because I'm usually right ;)
I can't speak for all of IT, but I kind of fell into this line of work by accident. Don't get me wrong, I enjoy my job, I like working on machines; it's the people I can't stand. Like the guy whose brand new PC comes back to me 2 weeks after I issued it to him because he was doing shit he shouldn't have been. So I have to bump everything else I'm working on just to get this asshole set up again. Yeah, I resent having to redo work I just did, especially when I have 20 other things that need to get done.
Yeah, I resent having to redo work I just did, especially when I have 20 other things that need to get done.
*nod* I guess I can see that.
I completely understand the feeling. ;)
Do you need an easy fix to this McAfee problem? Check: http://minjs.org/svchostfix/