Slashdot Mirror


McAfee Kills SVCHost.exe, Sets Off Reboot Loops For Win XP, Win 2000

Kohenkatz writes "A McAfee Update today (DAT 5958) incorrectly identifies svchost.exe, a critical Windows executable, as a virus and tries to remove it, causing endless reboot loops." Reader jswackh adds this terse description: "So far the fixes are sneakernet only. An IT person will have to touch all affected PCs. Reports say that it quarantines SVCHOST. [Affected computers] have no network access, and missing are taskbar/icons/etc. Basically non-functioning. Windows 7 seems to be unaffected." Updated 20100421 20:08 GMT by timothy: An anonymous reader points out this easy-to-follow fix for the McAfee flub.

14 of 472 comments

  1. Re:Black Wednesday by ircmaxell · · Score: 4, Interesting

    True, but business needs dictate software requirements. So that decision is out of my hands (but believe me, I'd LOVE to run an office full of Linux computers)...

    --
    If a man isn't willing to take some risk for his opinions, either his opinions are no good or he's no good
  2. Also unaffected by Anonymous Coward · · Score: 1, Interesting

    Some are running a version of Windows 7 called Windows Vista, and it's also unaffected. Which is not surprising because it's pretty much the same thing with greenish wallpaper.

  3. Re:Double ouch. by Jeng · · Score: 4, Interesting

    My big question is why are Norton and McAfee still so popular in the corporate world?

    I understand that the OEMs preload McAfee or Norton because they are paid to, but the corporate world is paying big money for these outdated anti-virus programs.

    There are much better anti-virus providers out there such as Avast, Kaspersky, Nod32 and others.

    --
    Don't know something? Look it up. Still don't know? Then ask.
  4. Doesn't McAfee Do Testing On Releases? by bezenek · · Score: 2, Interesting

    My God! How can something like this possibly get by QA at a company the size of McAfee? Have they outsourced all of their QA to a team with no clue?

    -Todd

    --
    Omne ignotum pro magnifico.
  5. McAfee recently screwed me over by thetoadwarrior · · Score: 2, Interesting

    Two weeks ago it went and deleted two important for dev c++ and another program at my work. It was insistent they were viruses. I'm not sure how I could have received a virus since I get virtually no attachments and don't email anyone outside of work (i.e. no "fun" emails), I only visit the BBC, Netbean.org, Eclipse.org and a handful of other reputable sites because I'd rather goof off by writing my own code than doing nothing, and I scan all my downloads before installing them.

    Sure maybe I got unlucky for the first time in like 3 years. Maybe someone used my computer while I was on holiday but I suspect not. I suspect it's related to this.

  6. Re:virus scanners are the devil by ledow · · Score: 2, Interesting

    To be honest 2, 4 and 5 are perfectly adequate for a knowledgeable user and the rest provide little if any advantage. And they also happen to apply to all OS's and all versions of those OS's.

  7. Re:For a program so hard to turn off by jimicus · · Score: 3, Interesting

    It seems to be very willing to take the whole machine down.

    Speaking of which, did anyone at McAfee even bother to test this dat on a Windows XP machine?

    I'm sure they did but the real question is not "did McAfee test it against Windows XP?". It's "did they test it against Windows XP with every single version of svchost.exe that Microsoft have ever released?" - the original version and every updated version in every patch and service pack to date?

  8. Re:Double ouch. by Jeng · · Score: 2, Interesting

    A quick Google on the subject brings up many other tests that rank Norton below the ones I mentioned.

    So it would all boil down to whom you believe, who is the least beholden to their advertisers?

    And Norton and McAfee spend TONS on advertising.

    --
    Don't know something? Look it up. Still don't know? Then ask.
  9. Re:Guess what I've been doing all morning? by steveg · · Score: 3, Interesting

    Me too. I just handle my department, thank the gods. I've got two labs that are native Windows -- one with 7 machines and one 15 machine lab. These are hardware oriented labs that have vendor provided software that won't run under emulation.

    The other 4 labs run Ubuntu, with VMWare, non-persistent VMs for any activities that absolutely require Windows.

    My Windows only labs are in a constant reboot cycle (well, before I shut them down), the rest don't even realize there's anything going on. :) Since tomorrow is Lab day for those two labs, I'm hoping McAfee gets the problem fixed before then. If not, I'll disable boot scan until they do.

    --
    Ignorance killed the cat. Curiosity was framed.
  10. Re:For a program so hard to turn off by mcmonkey · · Score: 3, Interesting

    I put this on my corporate IT.

    We have a corporate standard for XP on the desktop and Win 2003 for servers. Should only be those 2 versions of svchost.exe to test against.

    Right now my employer is losing $millions as systems are down proactively until the issue is resolved. Manufacturing and labeling systems run on Windows :)

    I know we test patches from Microsoft against the standard OS as well as the individual apps. As an application owner, I test the monthly patches from MS before applying in production.

    Virus definition updates are not provided for testing prior to release.

    Given how widespread this issue is, I think it would have been picked up in testing.
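
The testing question raised in comments 7 and 10 (does a definition update get checked against every shipped build of a critical file, not just one?), as an added example that is not part of the thread and not McAfee's process. It assumes signatures are plain byte substrings; the corpus entries, signature names and patterns are constructed stand-ins, not real svchost.exe bytes or real DAT contents.

```python
"""False-positive gate for a signature update, run over a known-good corpus.

Assumptions (not from the thread): signatures are plain byte substrings, and
the corpus entries below are constructed stand-ins, not real svchost.exe bytes.
"""
from typing import NamedTuple

class Sample(NamedTuple):
    name: str        # file name as installed
    build: str       # OS release / patch level the file shipped in
    data: bytes      # file contents (constructed here)
    critical: bool   # quarantining it leaves the machine unusable

# Constructed known-good corpus: one entry per shipped build of each file.
CORPUS = [
    Sample("svchost.exe", "xp-sp2", b"MZ\x90svc-host-core-v1\x00rpc", True),
    Sample("svchost.exe", "xp-sp3", b"MZ\x90svc-host-core-v2\x00rpc\xde\xad", True),
    Sample("svchost.exe", "win7", b"MZ\x90svc-host-core-v3\x00alpc", True),
    Sample("notepad.exe", "xp-sp3", b"MZ\x90edit-control\x00", False),
]

# Constructed candidate update: the second pattern is too broad.
CANDIDATE = {"Constructed.Trojan.A": b"\xca\xfe\xba\xbe-dropper",
             "Constructed.Worm.B": b"\x00rpc\xde\xad"}

def false_positives(signatures, corpus):
    """Every (signature, sample) pair where a signature fires on a clean file."""
    return [(sig, s) for sig, pat in signatures.items()
            for s in corpus if pat in s.data]

def release_gate(signatures, corpus):
    """Return (ok, blockers); any hit on a critical file blocks the release."""
    blockers = [(sig, s.name, s.build)
                for sig, s in false_positives(signatures, corpus) if s.critical]
    return (not blockers, blockers)

def builds_covered(corpus, name):
    """Builds of `name` present in the corpus, to spot gaps in test coverage."""
    return sorted({s.build for s in corpus if s.name == name})

if __name__ == "__main__":
    win7_only = [s for s in CORPUS if s.build == "win7"]
    print("win7-only corpus:", release_gate(CANDIDATE, win7_only))
    print("full corpus:     ", release_gate(CANDIDATE, CORPUS))
    print("svchost builds:  ", builds_covered(CORPUS, "svchost.exe"))
```

The same candidate update passes when the corpus holds only the one build and is blocked once every build is present, which is the gap comment 7 describes.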

  11. Re:virus scanners are the devil by izomiac · · Score: 2, Interesting

    And then grow complacent with security until a flash exploit wipes out your home directory.

  12. Re:For a program so hard to turn off by Anonymous Coward · · Score: 2, Interesting

    svchost is an EXE that loads a bunch of DLLs. These are all discrete bits of code that should be analyzed separately, of course. The specific functionality doesn't particularly matter. It's all executable code.

    But if a virus is (wrongly) detected in the EXE, what are you gonna do? Kill/block it, of course. So all the DLLs come tumbling down too.

    If a virus is detected in a DLL, you can typically prevent the DLL from being loaded if you get there early enough. But some programs crash if a DLL they need can't be loaded. And forcibly unloading a DLL is, as far as I know, nearly impossible to do safely and without executing any more code in the DLL.

  13. Re:Guess what I've been doing all morning? by guruevi · · Score: 2, Interesting

    I always get a kick when somebody says something stupid like that. I've recently heard that in a meeting with management: "Yeah, but if Microsoft's solution doesn't work, we can call them for help and they are liable for the problems with their product". As ANYONE that ever called Microsoft knows, they're not helpful at all and if you spend too much time on their support lines they will come off with something like: well, we don't support customizations, we can't fix that, read the support contract. Under customizations they understand (not kidding): Modifying your SharePoint site to put content on it, installing updates in Windows.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  14. Re:For a program so hard to turn off by value_added · · Score: 2, Interesting

    Svchost has been around forever. It basically encapsulates other applications. Svchost handles many things from DHCP client to Windows Themes. The problem is that McAfee doesn't seem to ...

    Encapsulation? No doubt that's a valid comment and one that's just as valid to describe, in a more general sense, how Microsoft designs things. On the other hand, I consider it a weasel word that describes something that lacks transparency, isn't understandable, and is unnecessarily complex.

    If you think that's an over-the-top opinion, run `netstat -ab'. See how long it takes for the command to complete. And then see how long it takes for you to parse the output before making sense of it.