McAfee Kills SVCHost.exe, Sets Off Reboot Loops For Win XP, Win 2000
Kohenkatz writes "A McAfee Update today (DAT 5958) incorrectly identifies svchost.exe, a critical Windows executable, as a virus and tries to remove it, causing endless reboot loops."
Reader jswackh adds this terse description: "So far the fixes are sneakernet only. An IT person will have to touch all affected PCs. Reports say that it quarantines SVCHOST. [Affected computers] have no network access, and missing are taskbar/icons/etc. Basically non-functioning. Windows 7 seems to be unaffected."
Updated 20100421 20:08 GMT by timothy: An anonymous reader points out this easy-to-follow fix for the McAfee flub.
Should help windows 7.
Way to go!
When your Anti-Virus software bombs you out.
Not a good day to be a sysadmin... Good luck out there guys.
It seems to be very willing to take the whole machine down. Speaking of which, did anyone at McAfee even bother to test this dat on a Windows XP machine?
For those who seek perfection there can be no rest on this side of the grave.
I work at a university where we use McAfee anti-virus as our corporate AV. Guess what I've been doing all morning?
This space for rent...
oh this isn't going to end well for old Mc
This way running anti-virus is worse for an end user than no anti-virus.
The cure becomes worse than the disease.
At least being part of a spam-spewing botnet keeps the computer mostly functional.
We've known for a long time but it's good that McAfee finally admitted it.
...and constantly keeping up with malware/virii/trojans/etc with software like this, maybe just have a better operating system that is designed to only execute code you trust?
2003 called, it wants its OS back. Oh, and the garbage called too, it wants McAfee.
Ok, so yes there are going to be a bunch of legacy systems that will need to run WinXP for the next 10 years. Do they need to be on the net? If so, for the love of _insert_favorite_deity_or_atheistic_views_here_ can you please not use McAfee or Norton anti-virus products?
"Be prepared, son. That's my motto. Be prepared." --Joe Hallenbeck
I've always said that Windows was a virus.
`fortune -o`
8==C=O=C=K=S=L=A=P==D~~
I know I quit several years ago for my Windows Boxes, mostly because the quality of the software was not up to what was paid for it. It looks like that trend has continued.
I would have gotten first post, but I was running windows with McAfee
Seems not too long ago McAfee was deleting important files....and people kept using it. Here we go again. Can I get a lol?
"To err is human, to mod Funny divine."
What possible scenario allowed this CharlieFox past QA?
When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
HA HA HA HA HA HA HA.
McAfee is crap AV software same with Symantec.
Thank goodness I thought it was a reincarnation of W32/Wecorl.. I'm glad it's only my protection suite.. wait what. =(
I don't see any indication of when this first went out.
(My wife runs McAfee and launched an update around 3 AM PDT before hitting the sack...)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
So uh, anyone know how to disable McAfee completely? Never caught anything for me but false positives anyway.
I have two days...
...to the MS update fiasco recently?
Maybe it's not McAfee's fault - maybe it's only quarantining svchost.exe on machines where svchost.exe is infected...
at a command prompt when the "windows will shut down in XX seconds" popup is on screen saved me. I'm still waiting for a McAfee update file to fix it properly.
Nullius in verba
Some are running a version of Windows 7 called Windows Vista, and it's also unaffected. Which is not surprising because it's pretty much the same thing with greenish wallpaper.
http://www.freebsd.org/where.html
Next they will be deleting a directory known to be full of malware called system32
Seven puppies were harmed during the making of this post.
My God! How can something like this possibly get by QA at a company the size of McAfee? Have they outsourced all of their QA to a team with no clue?
-Todd
Omne ignotum pro magnifico.
Two weeks ago it went and deleted two important for dev c++ and another program at my work. It was insistent they were viruses. I'm not sure how I could have received a virus since I get virtually no attachments and don't email anyone outside of work (ie no "fun" emails), I only visit the BBC, Netbean.org, Eclipse.org and a handful of other reputable sites because I rather goof off by writing my own code than doing nothing and I scan all my downloads before installing them.
Sure maybe I got unlucky for the first time in like 3 years. Maybe someone used my computer while I was on holiday but I suspect not. I suspect it's related to this.
Which one is that?
Seriously. They consume CPU. They stay resident and consume usable memory. They occasionally crash and/or cause other applications not to work. And, in this situation, they break Windows. I don't use AV and have had pretty much zero issues over the last 6 years of using Windows XP. All you need to do is:
* Configure Windows update to run daily.
* Don't use IE or Outlook.
* Keep Windows Firewall active.
* Don't connect directly to the internet- sit behind a router that's configured to be (mostly) invisible.
* Don't run random things you get sent in email, on facebook, or that pop up unexpectedly while you're at a questionable website.
* If you think something's amiss, boot into safe mode and use a non-resident tool like MBAM.
I am a sysadmin running Protection Pilot from McAfee for my entire office, where most machines are running XP SP3. My engine version is 5919.0000 and I have yet to see the issue with 72% of my desktops up to date. I currently run Win7 with NOD. Hope all goes well.
So if / when my dad calls to complain that his Windows machine is broken (I think he runs XP, or perhaps it's the other way around), what should I tell him besides "Hmm. My Ubuntu machines are all fine, and the Mac doesn't seem to be affected ..."
In other words, what's the simple bullet-point list of steps to fix this, for simple folk at home? (Can include visiting neighbors with a thumb drive to download fixes ...)
timothy
jrnl: http://tinyurl.com/c2l8yr / foes: http://tinyurl.com/ckjno5
A few more refinements to McAfee, and it will simply identify the entirety of Windows as a virus. Then it'll promptly replace it with Ubuntu. They can call it "McAfee: Richard Stallman Edition".
C:\Program Files\Common Files\McAfee\Engine\avv*.dat
Nuff said
Remember when McAfee was distributed on BBS's and it was actually pretty good...
yeah...
those days are long gone.
It's installed in firmware in free (or nearly free) devices near you! It's called...Rock.
If you stayed late yesterday and got your update for yesterday's dat, at least you won't be affected with the millions of people that were affected when they powered up their systems this morning. By now, they would have disabled automatic DAT update and you'll get to skip this caustic update. I guess it pays to stay late, or at least arrive late to work! :p
Heh, I've asked a vendor before how often this sort of thing happens to them (just to see how honest they are and maybe to send a message to whoever is listening).
;).
After all if a hacker/malware causes downtime less often than the vendor's screw-ups, why use the vendor's product? Safer to look for a vendor with a better track record even if they have more false negatives (especially with rare and/or ancient stuff).
There are overheads and performance impacts to using such stuff, in addition to just the price tag (and subscription fees etc). I suspect there's malware out there that's less harmful than running McAfee or Symantec
You will need another/previous .dat file for McAfee named extra.dat
1. Reboot machine into safe mode (WITH networking)
2. User needs to log into machine (or someone with admin rights logs in)
3. Plug in USB drive
4. Go to CMD window
5. CD to USB Drive (root)
6. Execute this command “extra.bat”
7. Click “tools” and then “unlock interface”
8. enter your admin password if needed.
9. Double click “Quarantine Manager Policy”
10. Click “Manager” tab
11. Find latest infection of “W32\Wecorl.a”
12. Right click on infection, click “Restore”
13. Click “Yes”
14. You should get message “All items restored”
15. Reboot – CTRL – ALT – DEL
16. Click “Shutdown” and then “Restart”
extra.bat:
copy extra.dat "c:\program files\common files\mcafee\engine"
"c:\program files\mcafee\virusscan enterprise\mcconsol.exe"
If you get an error about file in use while restoring svchost.exe, go to "safe mode command prompt only", and rename c:\windows\system32\svchost.exe to svchost.old, then you can start at step one and it will let you restore from quarantine
Jay Swackhamer http://www.RebootTheUser.com http://www.hotr.com
"Basically non-functioning. Windows 7 seems to be unaffected."
Only because Windows 7 wasn't functioning in the first place.
It's official... Windows is a virus!!!
XP SP3, it's not exactly uncommon...
Basically it looks like command line
shutdown -a (to stop the autorestart)
Put SVChost.exe back in place (out of the quarantine )
and disable McAfee...
DJMD - The fourth man - Planetary
Finally, a virus scanner that correctly identifies Windows as the virus.
"I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
I work at a major chip manufacturing plant. At 4.10 I was conferencing with another fab when all our PCs shutdown. 10 minutes later the place was in chaos. Now don't get me wrong the fab keeps going but my god the cost to the company of this. Say 10 sites world wide with 2-5k employees each the majority of which can't do any meaningful work. McAfee have a lot to answer for.
From a comment on TFA
"One fix is to delete the bad DAT file the client at "C:\Program Files\Common Files\McAfee\Engine". Delete any av*.dat. Then reboot and the old DAT should be grabbed."
note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
Step 1: Disable McAfee entirely. If you can't because of how affected the computer is, copy the svchost.exe from C:\windows\system32\dllcache up to directly in system32 and then start the DCOM service and others that failed to start because of this. Then disable McAfee entirely.
Step 2: Reboot and uninstall McAfee.
I bet that after seeing what McAfee can do when it screws up, they won't bitch about what ClamAV did.
(for those who need the summary: ClamAV pulled an update that caused it to shut itself down if it was version 0.94 or older after announcing ~6 months in advance that people needed to update, and kept filling log files with warnings to update. McAfee is breaking a Windows component that causes the entire computer to not function, with a less obvious warning, left for the reader to figure out. The hint is the first word in the previous sentence.)
One of these days, I am going to flip out. When I flip out, I'll be back in five minutes.
Based on what we're seeing and reports from the internet, McAfee 8.0 and 8.5 are unaffected by this problem, while versions 8.7 and 8.9 are. It's also XP specific. Still, that combination has to be a very large number of computers worldwide.
"The universe seems neither benign nor hostile, merely indifferent." --Carl Sagan
I run Linux.
*rides off into the sunset*
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
I agree that it raises question as to why one should use them, but "down time" is not the biggest threat out there, if you wanna talk loss/cost. While one's time is valuable, I'm thinking that their bank account information, passwords, etc, might be slightly more valuable to them. Personally, I think good secure end-user practices is the best protection, I do think that a good A/V program is needed.
So, while there is malware out there that is less harmful, more of the malware out there is much MORE harmful... if you disagree, please provide your financial account information, or contact me to transfer all funds to a secured off-shore account... maybe buy me a new car too! ;-)
But seriously... this is really bad, and REALLY stupid. But having no protection for most users risks damaging them in ways worse than a few hours of time to manually fix their issue. And from a corporate perspective, loss of sensitive information is a BIG deal and can cost a LOT more. And that's just talking about data loss. Being part of a botnet to help facilitate financial fraud and other badness... that's also double plus ungood... and irresponsible to not take measures to help keep your computer from playing a part in those crimes.
Anyway... I agree it raises question... but there's more downside to malware than just downtime.
What I want to know is how does something like this happen? You would think McAfee takes their new patch and tests it to make sure that it doesn't cause this type of annoying issue. How does something like this slip through the cracks?
Next Up! Norton to ID McAfee as a Virus!
~Mekkah
long enough for you to become utterly frustrated that there's no easily downloaded fix from McAfee.
Please do not read this sig. Thank you.
Not only do they have to listen to people bitch (rightfully), but since they're likely running Windows XP + McAfee, they can't use their logging tools (meaning they have to do it by hand and then log later), can't get online updates when solutions are available etc.
Took down 3500 machines, all XP/SP3. Lovely morning to work at an IT help desk...
I learned that the Apache Foundation can be hacked, have passwords stolen, and root access to their main servers taken over, and it's not the fault of the OS.
Then I learned that if McAfee Virus scan messes up people's computers, it's not the fault of McAfee, but it's the fault of Microsoft, and their OS!
The comments here can be so enlightening!
dat 5959 is now available IF you can get to the repositories.
John McAfee, eccentric bad-boy founder of the McAfee antivirus company, is in Belize: http://www.boingboing.net/2010/04/21/lawsuit-plagued-mcaf.html
rewriting history since 2109
Subject line says it all...
retrorocket.o not found, launch anyway?
Back when I used to run a pirated copy of Windows XP I used to get a particular virus all the time. What it did was mimic SVCHOST and use your computer, presumably as a botnet zombie. In some instances you would get a whole bunch of SVCHOST running. However the trouble was, one of those is a legit Windows service. Kill the right one, and your computer speeds up, kill the wrong one, and your computer grinds to a halt.
It sure sounds like they were trying to target that virus (years too late) and killed the wrong process. I remember after killing my computer a few times finding a procedure/method that would work online. However after a while XP started getting so many viruses, it was just easier to do a clean install every few months. Eventually I got so fed up with it, I used Linux until I bought a new machine and bought a copy of Vista.
Anyway I remember the SVCHOST virus as it really used to piss me off. Many times you could just kill the process that was eating the most cycles as for the most part the Windows process didn't require many resources... however if you just happened to look at it at the wrong time when it was doing something and killed the wrong process... well not good.
Actually, it says right in the summary:
An IT person will have to touch all affected PCs.
If you see a glow, it's working.
How can I believe you when you tell me what I don't want to hear?
Given that svchost is the Windows host process for services it makes me wonder whether it may turn out that this is a Windows Update Rootkit BSOD style issue, where the affected machines actually *do* have some malware that is running under the svchost process and McAfee is just being rather overzealous in how it deals with the problem.
Gasp!
This is why windows will never 'Be Ready For the Desktop'(tm).
"linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
The UK's National Health Service has a special deal with McAfee so I imagine thousands of the 900,000 PCs are currently down or will be impacted tomorrow morning when users switch on and ePO dutifully patches them to 5958. I wonder if this update will actually cause more damage and cost to the world's IT infrastructure than any virus. As each PC can only be fixed via a personal visit and replacing the quarantined SVCHOST.EXE I predict massive issues tomorrow. Still it could be worse, a volcano could erupt spewing tons of ash into the sky and cost airlines $1.7B!
This took down hundreds of machines on our network. I wonder how many PCs among all McAfee customers were also affected. Thousands? Millions?
Good thing I run Linux. My McAfee has no svchost to mess with there, plus my whole OS is clean as a whistle. Haven't had one virus.
I saw that Windows XP boxes all around me were stuck in reboot loops. Someone asked me about a "svchost.exe" virus that their system was "identifying" at boot (or later if it was up for a while). I compared their "svchost.exe" to the same on a system that wasn't running McAfee and saw they were the same date and size. I had one important system running XP that was stuck in the same reboot loop; I rebooted into safe mode and moved McAfee out of the way (so it couldn't start itself up on boot) and life was back to normal.
Apparently the problem has since been "resolved" at the enterprise level. I presume it involves new virus definitions, but I'm not sure of that. With the exception of a couple of PC's connected to instruments that are critical to my research everything I use is in Linux, IRIX, or OS X.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
Does anyone know how it could come about that a standard Microsoft executable should be flagged as a virus?
I mean what process did McAfee use to add that to the list of viruses? Is it reviewed by a human for a sanity check?
Since I'm running XP SP3 I'm glad I don't have McAfee antivirus. I heeded the gist of some comments here on /. a while back and installed MS Security Essentials after running for a long while with no antivirus software.
At least the problem is restricted to the tiny subset of the user base that just happens to have exactly that crazy perfect storm of a configuration.
--I'm so big, my sig has its own sig.
-- See?
McAfee has a fix available on their site called 5957xdat. The bad 5958 DAT update took all our 700+ systems down and 1/2 day to get them back. OUCH!
Just search for "free iPad". I'm sure you'll find something that will deactivate your anti-virus.
* Don't log into your PC as administrator unless you absolutely need to. Most Windows viruses need administrator privilege to install and run. If you aren't running as administrator, most viruses won't be able to do anything.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
ahahaha fuck windows
Anti-virus itself is a virus, and is no replacement for education. Even a properly configured and updated anti-virus program will not detect things in the wild that are not yet in their lists (quite common, as my prior company used to quarantine things and see if they were detected later). And it only takes one.
So, is all of the overhead, conflicts, and other general performance and system problems caused by the anti-virus software itself worth it? IMHO, no. Yes, I know users are idiots. But you cannot fix broken social and education problems with technology. How about more strict policy, education, and enforcement instead?
Good thing I switched to Norton!
I wish it would kill System Idle Process. That thing is always using 99% of my CPU - idle my ass!
I wonder if anyone has done any studies on which costs more.
Downtime due to all the viruses, or the downtime and slowdowns caused by the virus scanners.
Who would win this election: Andrew Weiner vs Andrew Weiner's weiner.
Somebody with connections at Intel just told me Intel is "down" due to a "virus". I wonder if this is the real reason.
I've never liked SVCHOST.EXE anyhow. I'm glad it deletes it.
Stop EPO from pushing the selected DAT file
If PC is going down for reboot open command prompt and type shutdown -a to abort the shutdown
Check to ensure that C:\Windows\System32\svchost.exe is still in the directory. If not copy it from another machine back to the C:\windows\system32 directory
open command prompt and xcopy /Y "C:\Program Files\Common Files\McAfee\Engine\OldEngine\*.*" "C:\Program Files\Common Files\McAfee\Engine" which will replace the 5958 DAT File with 5957
Reboot.. Problem fixed..
If machines are still accessible via RPC you can PSEXEC the xcopy command to infected machines, or if the machines still have rpc services running you can set up a login script via group policy to copy overwrite the current dat with the older dat via the xcopy command above.
Note you may receive an access violation error when trying to copy the mcscan32.dll file, that's normal as the file is in use.. the solution still works as it is the DAT files that are causing the issue.
The story just hit ABC News, via the Associated Press: "McAfee Antivirus Program Goes Berserk, Reboots PCs" There are stories on the Huffington Post and NextGov. The story just broke into mainstream news in the last hour. It just hit the New York Times.
There's nothing on McAfee's home page about this yet. No items in their "News" or "Threat Center" or "Breaking Advisory" sections. There's supposedly a McAfee Knowledge Base article, "False positive detection of w32/wecorl.a in 5958 DAT", but their knowledge base site is overloaded. When it eventually loads, there's a download link to a patch. But there's nothing like an apology. All they say is "Problem: Blue screen or DCOM error, followed by shutdown messages after updating to the 5958 DAT on April 21, 2010."
McAfee has botched their damage control. They should be out there apologizing. Meanwhile, you can watch McAfee stock drop.
F-Prot from Frisk. I've been a subscriber since before Windows. A couple of years ago I did a stupid thing and then had to use BitDefender to remove the ill effects. Other than that, no infections since the early '90s.
Yup - My contacts at Intel say they are down across the board - more accurately across the world (that's over 110,000 workstations folks). Employees are being advised to use their laptops and to make sure that they are not plugged into the network.
put *them* on ubuntu?
Comcast decided to start providing Norton instead of Mcafee to its customers.
After years of not using a signature, I am going to make one to say the following: Fuck Beta
Now imagine that you are part of a multi-site Health System that primarily runs Windows.....
Our fix method is as follows:
Download the extra.dat file from http://download.nai.com/products/mcafee-avert/wecorl/extra.dat and put it on your favorite removable media.
Reboot into safe mode.
Control-Shift-Esc to access Task Manager.
File, Run, cmd to access Command Prompt.
Copy extra.dat to C:\Program Files\Common Files\McAfee\Engine
Copy C:\windows\system32\dllcache\svchost.exe C:\windows\system32 (and overwrite).
Reboot into regular mode.
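The fix method in the comment above, consolidated into a batch file with existence and integrity checks (an added example, not part of the original thread and not McAfee's tooling). It assumes it is started from the folder on removable media that also holds extra.dat, in a Safe Mode command prompt with administrator rights; the name recover.bat and the exit codes are hypothetical, and unlike the comment it restores svchost.exe only when the file is missing rather than always overwriting it.

```batch
@echo off
rem recover.bat (hypothetical name): added example, not from the thread or from McAfee.
rem Assumptions: started from the folder on removable media that also holds
rem extra.dat, in a Safe Mode command prompt, with administrator rights.
setlocal

set "ENGINE=%CommonProgramFiles%\McAfee\Engine"
set "SVCHOST=%SystemRoot%\system32\svchost.exe"
set "CACHED=%SystemRoot%\system32\dllcache\svchost.exe"
set "EXTRA=%~dp0extra.dat"

rem Cancel a pending shutdown countdown; harmless if none is running.
shutdown -a >nul 2>&1

rem Step 1: place extra.dat beside the scan engine's DAT files.
if not exist "%EXTRA%" goto no_extra
copy /y "%EXTRA%" "%ENGINE%\" >nul
if errorlevel 1 goto copy_failed
echo extra.dat copied to "%ENGINE%".

rem Step 2: restore svchost.exe from dllcache only when it is missing,
rem so a working copy is never overwritten blindly.
if exist "%SVCHOST%" goto compare
if not exist "%CACHED%" goto no_cache
copy /y "%CACHED%" "%SVCHOST%" >nul
if errorlevel 1 goto copy_failed
echo svchost.exe restored from dllcache.

:compare
rem Step 3: byte-compare the live file with the dllcache copy (fc sets
rem errorlevel 1 on a difference) instead of trusting date and size alone.
if not exist "%CACHED%" goto done
fc /b "%SVCHOST%" "%CACHED%" >nul
if errorlevel 1 echo WARNING: svchost.exe differs from the dllcache copy; review before rebooting.

:done
echo Finished. Reboot into normal mode.
exit /b 0

:no_extra
echo ERROR: extra.dat not found beside this script.
exit /b 1

:no_cache
echo ERROR: svchost.exe is missing and dllcache holds no copy; bring one from a matching machine.
exit /b 2

:copy_failed
echo ERROR: copy failed; check that the target file is not in use and the path exists.
exit /b 3
```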
I switched our company over to Kaspersky from McAfee Corporate last year (and sure do feel good about that decision right now!). But honestly, I think almost ALL of these products eventually cause problems.
Kaspersky has frustrated me repeatedly because some of the workstations seem to get "out of sync" with the centralized management console, every so often. They'll show an icon saying their anti-virus signatures are out of date and complain about BLACK.LST being damaged or missing. (This is Kaspersky's cryptic and misleading error message that's really trying to tell you the client believes it's not properly licensed anymore, so it's refusing to take updates.) If you force an update manually from the console, you can usually "kick start" it back to life. But it's an annoyance I shouldn't have to deal with!
For free home anti-virus, I currently recommend Avast to most people... but again, I realize this is subject to change at any time. I used to love AVG, but then they went and pulled the stunt of generating tons of Internet traffic with their web-scanner they added, and the product started having major bugs doing upgrade installations from v8.x to v9 on some machines. (You had to jump through a bunch of hoops, manually editing registry entries or running a script they made to purge old ones, before you could get it to install properly.)
I have to wonder what controls the various AV companies have to prevent a malicious signature from being inserted - for example, someone deliberately doing something like this (but hitting all versions of Windows).
It's not just McAfee that's had this particular style of false-positive problem - Symantec also falsely identified a legitimate part of the Windows 2003 Server resource kit as malware. Fortunately in Symantec's case the damage was very limited.
Oolite: Elite-like game. For Mac, Linux and Windows
European air traffic systems run on Windows XP with McAfee.
What I would like to know is, why wasn't it tested before it was taken out of the sandbox and delivered? You can't miss this if you test it.
Apple has their sights firmly focussed upon the consumer electronics world, which ultimately makes Mac OS X and the iPhone problematic for most businesses. Ever see a company using iCal? pure lolz! If your company could successfully run on Mac OS X, then they could equally well run on Linux, and you'll need to consider various finer details.
In any case, all the unixy central administration tools are far more powerful than similar windows tools, therefore many companies could benefit enormously from exploring desktop Linux and Mac OS X, but many users depend upon Microsoft only features.
The Christian religion has been and still is the principal enemy of moral progress in the world. -- Bertrand Russell
McAfee shut down their forum after massive outrage:
The McAfee Community is experiencing unusually large traffic which may cause slow page loads. We apologize for any inconvenience this may cause.
Added updated .dat file from McAfee to a keydrive, so it can be moved to c:\program files\common files\mcafee\engine. If machine is stuck in "no taskbar" mode, that is because svchost.exe has already been quarantined. If you right-click on the mini-taskbar, you can open taskmanager, then open a command shell by creating a new task, then typing "cmd" (sans quotes) in the popup prompt. Once you have a command window, you can xcopy the .dat file. Reboot the pc.
Copy the file svchost.exe out of this zip file to a key drive. You can then copy it to c:\windows\system32. Reboot and you should be OK.
If you are on xp sp2 or greater, you should be able to tab-complete paths for your xcopy command. This means you start typing, then hit the "Tab" key on your keyboard, to help autocomplete the path/filename you are looking for. If you don't have tab, remember to put your path for c:\program files\... in quotes, since windows can't execute a command that has a space in it without them being wrapped in " ".
If you don't know xcopy, here is a fast man page.
It's days like this that make me glad I set our ePO server to wait a day to distribute new DATs. I've been considering an AV change, this seals it!
http://www.fastcompany.com/magazine/145/fantasy-island.html
From EPO disable the update task > Head to clients that already got the update and bring up the av console and click Tools > Rollback DATS and restore anything svchost
The best argument against democracy is a five-minute conversation with the average voter.
- Winston Churchill
People can't work and laugh at the same time.
This brought down all the computers at my university.
It is no coincidence that in no known language does the phrase 'As pretty as an Airport' appear.
Migrate to Microsoft Security Essentials.
The tool probably fails because it is only for Home versions of McAfee. You may be forced to do a wipe and reinstall. These programs often refuse to be uninstalled as a "safety measure" so they can't be deleted by viruses. My school used Sophos and I simply could not get it off the computer later without a full reinstall.
I would recommend you try Microsoft Security Essentials as your replacement... good luck!
Do what thou wilt shall be the whole of the Law
I wouldn't consider this "easy to follow"--I can't make heads or tails of it at all! ;-)
Your PHP installation appears to be missing the MySQL extension which is required by WordPress.PHP Warning: PHP Startup: Unable to load dynamic library 'C:\Program Files\PHP\ext\php_gd2.dll' - The paging file is too small for this operation to complete. in Unknown on line 0 PHP Warning: PHP Startup: Unable to load dynamic library 'C:\Program Files\PHP\ext\php_gettext.dll' - The paging file is too small for this operation to complete. in Unknown on line 0 PHP Warning: PHP Startup: Unable to load dynamic library 'C:\Program Files\PHP\ext\php_gmp.dll' - The paging file is too small for this operation to complete. in Unknown on line 0 PHP Warning: PHP Startup: Unable to load dynamic library 'C:\Program Files\PHP\ext\php_imap.dll' - The paging file is too small for this operation to complete. in Unknown on line 0 PHP Warning: PHP Startup: Unable to load dynamic library 'C:\Program Files\PHP\ext\php_mbstring.dll' - The paging file is too small for this operation to complete. in Unknown on line 0 PHP Warning: PHP Startup: Unable to load dynamic library 'C:\Program Files\PHP\ext\php_mysql.dll' - The paging file is too small for this operation to complete. in Unknown on line 0 PHP Warning: PHP Startup: Unable to load dynamic library 'C:\Program Files\PHP\ext\php_exif.dll' - The specified module could not be found. in Unknown on line 0
(It's really funny because those are, in fact, instructions on how to fix something on Windows.)
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
ClamWin *itself* doesn't have an on-access scanner but...
On the other hand, there are numerous plugins to hook clamwin to, so you can check for viruses at their point of arrival.
(On the client's side there are Firefox and Outlook plugins, on the server's side there are Samba plugins)
but personally I always supplement ClamWin with a 2nd antivirus featuring an on-demand scanner.
ClamWin&Plugins +Avira or +AVG.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
We have comments blaming McAfee from Windows users and comments making fun of AV software in general from other OS users.
Where are you seeing comments blaming Microsoft?
Do what thou wilt shall be the whole of the Law
Hi, We've just released a GP start-up script on the domain which fixed about 90% of the pc's by forcing sdat5959 and a shutdown -r. Left only ~10% of the pc's with a missing svchost that required sneakernet....going for a sleep now....
Oh this is great. We signed a contract last week to support a 5000 desktop client with EPO and VSE - oops. Hope it's quiet at work...
For free home anti-virus, I currently recommend Avast to most people... but again, I realize this is subject to change at any time.
What's wrong with Microsoft Security Essentials? It seems good enough...
Nick
It's all just part of McAfee's new and improved system hardening technique. Look ma no viruses!
Yeah, but how do you fix a CGI Error?
---
CGI Error
The specified CGI application misbehaved by not returning a complete set of HTTP headers.
Clamwin doesn't have real-time protection, which you need for idiot users in a corporate environment
As said in my above post, even if clamwin itself doesn't, other software packages can provide the on-demand part or can be used to scan suspicious files at their point of entry.
and I've never seen anything report on the effectiveness compared to other suites.
There are a couple of tests floating around, some mentioned on /., others on ClamAV's own site.
In short: ClamAV might not detect as many old legacy threats as other products, but it nonetheless has a damn good response time against new threats. (And they are more honest: they don't cheat with signature files' version numbers in order to artificially appear to have better response times.)
That's why it's rather popular on mail servers (which nonetheless usually use several anti-virus solutions): they don't care if ClamAV doesn't detect all MS-DOS viruses from the 90s, as long as it is super-fast against new worm outbreaks, and it's free to add as an additional protection layer.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Computerworld reports that McAfee has reacted to user complaints by shutting down their support forum. The forum seems to be back up now. That was an extremely dumb move to pull after the story was already in the New York Times, Business Week, and on TV.
Many frantic users in the forum. The big losers are the enterprise users who bought into McAfee's premium services, with automatic corporate-wide updating. There's no fully automatic, reliable fix yet for systems already damaged. In some cases, it's apparently necessary to bring in a new copy of "svchost.exe"; the one in quarantine is bad.
This points up a major risk to US computer infrastructure. Any program with remote update is potentially capable of taking down vast numbers of systems. Ones like McAfee or Windows Update, which deploy updates to all targets simultaneously, can cause widespread damage quickly. Remote updating by vendors may need to be regulated, as a public policy issue.
when our McAfee subscription was expiring. Lighter weight and hasn't received a bad definitions update so far. Also updates the definitions more often as well.
The "fix" is easier said than done. Imagine having to do that for 100 machines...1,000 machines...10,000 or 100K machines!!! Has to be done manually to each!!!
When I first saw the effect of what was going on, the first question in my mind was "When did W32.Blaster.worm get a new variant?"
See http://en.wikipedia.org/wiki/Blaster_%28computer_worm%29 for history lesson.
Fuckin' McAfee.
What bothers me is the idiotic stand by anti-virus apps to tag as many keygens as possible with generic, unhelpful "trojan" warnings, when MOST (but not all) are completely clean.
Ignoring the whole "piracy is bad - you get what you deserve" argument crap, is it any better that users have no way to determine if the AV app they are using is simply crying wolf, or alerting them to a real threat? At best, this is a dishonest and destructive practice.
While I'm addressing pet peeves with AV apps (above and beyond their bloated resource hogging) - why do apps like Avira continue to hit on executables I've already told it to "IGNORE" - WTF is the point of the button if the AV app is just going to "IGNORE" my decision?!??!?
You can manually copy a good DAT over and a good copy of svchost.exe into their proper directories. However our copy/paste wouldn't work so I wrote a batch file because the copy command still seemed to work ok. Because we had to do it on so many we didn't have time to type anything, just run a .bat file with those two copy commands and a reboot.
If an officer ever threatens to taze you, say you have a pacemaker.
Fuckin' McAfee...
If an officer ever threatens to taze you, say you have a pacemaker.
incorrectly identifies svchost.exe, a critical Windows executable, as a virus
While it's fair to say that svchost.exe -- the FILE -- is a "critical executable", that is completely different from saying that svchost.exe -- the PROGRAM instance -- is always critical.
The very annoying thing is that svchost.exe doesn't do anything of its own, really, except run other programs. Sometimes that other program is really essential (like core Microsoft IPC services), sometimes that other program is necessary for one of your computer's devices to work, and yet other times that program is something like Yahoo Toolbar. Or worse: adware, spyware, or a trojan.
Shame that XP never thought you would need a way to know exactly what that svchost.exe instance was actually doing. I know I've forced a reboot unintentionally by trying to kill unnecessary processes, and happened to kill that one joker's-card svchost.exe process that was running an essential core service. (Meanwhile you can kill explorer.exe, the core of the UI, and simply restart it to get it back. Go figure.)
Right now I have 7 svchost.exe processes on my XP system. I've no idea what any of them are actually doing. They have memory spaces anywhere from 200KB to 18MB, and open filehandles anywhere from 100 to 2,000. I would like to think I could determine which ones were legitimate and necessary and which ones were just idle crap taking up resources, or worse.
Terrorists can attack freedom, but only Congress can destroy it.
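As an added example (not part of the comment above): on Windows versions that ship `tasklist`, `tasklist /svc /fo csv` lists the services hosted by each process, which is enough to tell one svchost.exe instance from another. The sketch below parses that output; the sample text, PIDs and function names are constructed for illustration.

```python
import csv
import io

# Constructed sample of `tasklist /svc /fo csv` output (not captured from a real host).
SAMPLE = '''"Image Name","PID","Services"
"System Idle Process","0","N/A"
"smss.exe","548","N/A"
"svchost.exe","952","DcomLaunch,TermService"
"svchost.exe","1016","RpcSs"
"svchost.exe","1108","AudioSrv,BITS,Dhcp,Schedule,wuauserv"
"svchost.exe","1296","Dnscache"
"svchost.exe","2468","N/A"
"explorer.exe","1840","N/A"
'''

def svchost_services(tasklist_csv):
    """Map each svchost.exe PID to the list of services it hosts."""
    hosts = {}
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        if row["Image Name"].strip().lower() != "svchost.exe":
            continue
        raw = row["Services"].strip()
        # tasklist prints N/A when a process hosts no services.
        names = [] if raw.upper() == "N/A" else [
            s.strip() for s in raw.split(",") if s.strip()]
        hosts[int(row["PID"])] = names
    return hosts

def empty_hosts(hosts):
    """PIDs named svchost.exe that host no service: a triage heuristic, not a verdict."""
    return sorted(pid for pid, names in hosts.items() if not names)

def find_host(hosts, service):
    """Return the PID hosting `service` (case-insensitive), or None."""
    wanted = service.lower()
    for pid, names in hosts.items():
        if wanted in (n.lower() for n in names):
            return pid
    return None

if __name__ == "__main__":
    hosts = svchost_services(SAMPLE)
    for pid, names in sorted(hosts.items()):
        print(pid, ", ".join(names) or "(no services listed)")
    # RpcSs is the RPC service; its host is the instance not to kill.
    print("RpcSs is hosted by PID", find_host(hosts, "RpcSs"))
    print("svchost.exe with no services:", empty_hosts(hosts))
```

An instance named svchost.exe that lists no services deserves a check of its executable path before anything is killed or quarantined.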
I agree. AVG was awesome up until 8.5. 9.0 is the buggiest resource-hogging, system-locking piece of shit I've seen since Norton and McAfee. Problem is 9.0 came out about ten minutes after I renewed our company's license for 2 years.
This is a sig. It is like every other sig in the world, except that it is mine, and it is different.
Given McAfee's rather aggressive use of lawsuits to shut up those critical of them, I won't state all my problems with them. I'll only observe that this fiasco finally gives me a PHB proof reason to shove them out the door, and GOOD RIDDANCE to them. I've known for the last eight years their apps are, ahem, Non-optimal in my opinion, and hated them for the past twelve years.
Get a DECENT anti-virus (not McAfee or Norton) and you won't have these problems.
Although what constitutes "decent" in a corporate environment I don't know.
We use SonicWall's security services; their anti-virus is a very dumb and salvaged version of McAfee business. Machines were going down but WITHOUT any explanation or warning messages, and since svchost was killed, no chance of getting in the event monitor or using any tools. We got a bit afraid of a new virus spread because the way everything was disabled on the machine looked like some well-known malware, but after a couple of hours I couldn't find any trace of infection. My second guess was the anti-virus, and I was right, but unlike the real version of McAfee business, the SonicWall version wasn't showing any clue of what was going on.
This is how we fixed it here:
1. boot into safe mode with networking
2. copy \windows\servicepackfile\i386\svchost.exe \windows\system32
3. update virus definitions
4. reboot
The Swedish government company Systembolaget is responsible for all sales of alcoholic beverages above 3.5%. They happen to be running McAfee and all of their billing systems are fully down for the day. They are closed all over the country and no one in Sweden can buy alcohol today. Thanks McAfee! Sweden will never recover from this disaster.
XP is no longer secure. It's a 10-year-old os and it sucks. And oh yeah McAfee (and Norton) suck rotten eggs.
Vote Quimby!
Well, any word from McAfee releasing a fix? I have 10 clients all running their offices with McAfee... I have an odd feeling it will be a long day.
Do you need an easy fix to this McAfee problem? Check: http://minjs.org/svchostfix/