McAfee Kills SVCHost.exe, Sets Off Reboot Loops For Win XP, Win 2000

Kohenkatz writes "A McAfee Update today (DAT 5958) incorrectly identifies svchost.exe, a critical Windows executable, as a virus and tries to remove it, causing endless reboot loops." Reader jswackh adds this terse description: "So far the fixes are sneakernet only. An IT person will have to touch all affected PCs. Reports say that it quarantines SVCHOST. [Affected computers] have no network access, and missing are taskbar/icons/etc. Basically non-functioning. Windows 7 seems to be unaffected." Updated 20100421 20:08 GMT by timothy: An anonymous reader points out this easy-to-follow fix for the McAfee flub.

Why Worry about Malware-Viruses...

[BoRegardless]

When your Anti-Virus software bombs you out.

Re:Why Worry about Malware-Viruses...

[coasterfan]

I have DAT file 5958 on my system and it works fine. While I've blamed McAfee for problems in the past, I don't think this one is as cut and dried as it's being made out to be.

Re:Why Worry about Malware-Viruses...

[grumpyman]

Do you use XP/2000?

Re:Why Worry about Malware-Viruses...

My boss, who knows just enough about computers to get himself in trouble, is an idiot.

A few days ago, he called me in to come look at his laptop. He said that his computer was infected and that the virus killed his email. After further inspection, I found out that he pressed "ctrl+alt+del" and brought up the Task Manager. He went through and ended all of the svchost.exe's that he could. When I asked him about it, here was his response:

"I was closing all of those system virus hosts on my machine!"

I hate my job sometimes.

Re:Why Worry about Malware-Viruses...

[coasterfan]

Yes. Windows XP Professional SP 3.

Re:Why Worry about Malware-Viruses...

[coasterfan]

It looks like it only affects the corporate version. I have the home version of McAfee Total Protection 2010.

Re:Why Worry about Malware-Viruses...

[gander666]

Dear god, you must work at the same place I left not too long ago. The boss did something just about as bad...

Re:Why Worry about Malware-Viruses...

[networkBoy]

What I want to know is WTF my IT dept is doing?
Not their job, that's for damn sure.

We are impacted (~100K employees multinational semiconductor). Our machines do not pull patches from the vendors, but rather from an internal server (Windows, McAfee, etc.) The whole damn point of this is so that IT can vet patches don't affect the software we use. I would understand if the DAT borked a couple specialized non-standard machines (like my dev box, which ironically is unaffected), but this borked the standard IT build. While I sympathize that IT support can be a PITA, they have only themselves to blame on this one. Should have been trapped in eval before being pushed out to the corporate network.

-nB

Re:Why Worry about Malware-Viruses...

[MrKevvy]

In the W95 days, I had to reinstall Windows on my ex-father-in-law's PC several times.
Once it was because he deleted a bunch of .DLL files.
When I asked him why he would delete files in the Windows folder that had a gear icon, which would seem to indicate that they were part of the workings of the system, he replied, and I kid you not:
"I thought Dee-Ell-Ell meant they were safe to Duh-Luh-Lete."

Re:Why Worry about Malware-Viruses...

[networkBoy]

no, I'm pissed off that I lost several days of testing...

Seriously, how is it being an ass to expect IT to test these patches and updates against the standard build (which is why they claim to need draconian control over our machines rather than letting us update as we feel is necessary.)

Re:Why Worry about Malware-Viruses...

[Ritchie70]

At the company I work for, we do actually run every set of virus updates through our QA group prior to deploying to our retail locations.

That means that the update frequency is monthly, but the retail locations are firewalled, and the retail users' web access is white listed, so we think this is the right trade-off for us.

For a program so hard to turn off

[ZeroSerenity]

It seems to be very willing to take the whole machine down. Speaking of which, did anyone at McAfee even bother to test this dat on a Windows XP machine?

Re:For a program so hard to turn off

[jimicus]

It seems to be very willing to take the whole machine down.

Speaking of which, did anyone at McAfee even bother to test this dat on a Windows XP machine?

I'm sure they did but the real question is not "did McAfee test it against Windows XP?". It's "did they test it against Windows XP with every single version of svchost.exe that Microsoft have ever released?" - the original version and every updated version in every patch and service pack to date?

Re:For a program so hard to turn off

[ZeroSerenity]

You bring up a valid point. But as SVCHost is nothing more than an encapsulator you would think the program would be smart enough to go in and figure out what's been attached to it and remove that paticular problem?

Re:For a program so hard to turn off

[Joce640k]

A decent antivirus would have every critical Windows whitelisted just to avoid this sort of problem.

This isn't some user-installed application, it's svchost.exe.

Re:For a program so hard to turn off

[mcmonkey]

I put this on my corporate IT.

We have a corporate standard for XP on the desktop and Win 2003 for servers. Should only be those 2 versions of svchost.exe to test against.

Right now my employer is losing $millions as systems are down proactively until the issue is resolved. Manufacturing and labeling systems run on Windows :)

I know we test patches from Microsoft against the standard OS as well as the individual apps. As an application owner, I test the monthly patches from MS before applying in production.

Virus definition updates are not provided for testing prior to release.

Given how widespread this issue is, I think it would have been picked up in testing.

Re:For a program so hard to turn off

[UnknowingFool]

Svchost has been around forever. It basically encapsulates other applications. Svchost handles many things from DCHP client to Windows Themes. The problem is that McAfee doesn't seem to discriminate between any of them in this case. Which would cripple any XP system today.

Re:For a program so hard to turn off

[jimicus]

The problem with doing that is all a virus needs to do now is to infect a critical Windows file and you'd never know about it.

Re:For a program so hard to turn off

[clone53421]

Whitelist them by checksum, not filename.

Re:For a program so hard to turn off

[jimicus]

Virus definition updates are not provided for testing prior to release.

Given how widespread this issue is, I think it would have been picked up in testing.

That's a very good point. Most corporate AV products allow you to set up your own update server and have your PCs update against that, but relatively few companies actually set up a separate update server and run the latest updates there first. Even if you did, any half-decent AV product is updated daily, sometimes more often. Testing every updated DAT file would be an exercise in extreme pain.

Re:For a program so hard to turn off

svchost is an EXE that loads a bunch of DLLs. These are all discrete bits of code that should be analyzed separately, of course. The specific functionality doesn't particularly matter. It's all executable code.

But if a virus is (wrongly) detected in the EXE, what are you gonna do? Kill/block it, of course. So all the DLLs come tumbling down too.

If a virus is detected in a DLL, you can typically prevent the DLL from being loaded if you get there early enough. But some programs crash if a DLL they need can't be loaded. And forcibly unloading a DLL is, as far as I know, nearly impossible to do safely and without executing any more code in the DLL.

Re:For a program so hard to turn off

[mrzaph0d]

perfect, now all my trojan has to do is rename itself to any critical microsoft file.

Re:For a program so hard to turn off

[Mr.+Sketch]

And that antivirus program would be susceptible to many types of viruses that modify system files. This particular virus that it detects (W32.Wecorl.a) does change svchost.exe:
http://www.symantec.com/security_response/writeup.jsp?docid=2008-110306-2212-99

What McAfee should have is a better way of quarantining critical system files (replace with known good copies, have a robust patch/repair process for system files, have a more stringent fingerprint detection, etc). Maybe a whitelist of known good md5sums for system files (of course, this would have to be updated with every version of those files ever released in any patch by Microsoft).

Re:For a program so hard to turn off

[Intron]

Speaking of which, did anyone at McAfee even bother to test this dat on a Windows XP machine?

If proofreading is any indication, testing their work is not McAfee's strong point. From the link:

"The affected systems will enter a reboot loop and loose all network access."

Re:For a program so hard to turn off

[clone53421]

Actually, you can't trust anything once a machine's compromised, which to my mind is a huge problem with modern Windows systems, but I'm not even going to go there....

It’s a huge problem with any system.

Re:For a program so hard to turn off

[DarkOx]

Right and the current mode of IT is 100 users plus per system administrator. (S)[Hh]e does not have time to do that if you expect them to test every DAT file.

Re:For a program so hard to turn off

[Chazzarazzx]

Why wouldn't you test this on a "test" PC before you deployed ANY AV update to a whole network? *Boggle*

Re:For a program so hard to turn off

[Eunuchswear]

We have a corporate standard for XP on the desktop and Win 2003 for servers. Should only be those 2 versions of svchost.exe to test against.

Two versions! You think there have only been two versions of svchost.exe on XP and 2003?

The whole antivirus thing is clearly impossible, a Red Queens race.

Re:For a program so hard to turn off

[shutdown+-p+now]

Actually, you can't trust anything once a machine's compromised, which to my mind is a huge problem with modern Windows systems, but I'm not even going to go there....

Guess where the "root" in "rootkit" comes from?

Hint: it ain't Windows.

Re:For a program so hard to turn off

[Kumiorava]

I'm sure they did but the real question is not "did McAfee test it against Windows XP?". It's "did they test it against Windows XP with every single version of svchost.exe that Microsoft have ever released?" - the original version and every updated version in every patch and service pack to date?

I don't see testing the previous versions that difficult. They should (and most likely do) have all the Windows versions in a giant hard drive that is scanned with each new version and any false alarm can be investigated. Problem is when each McAfee version (or even the latest) needs to be tested on any future version of any software.

Re:For a program so hard to turn off

[Dynedain]

If you're that big, and downtime costs that much, Norton offers the ability to run your own virus db server, just like MS lets you run your own Windows Update server.. I remember my university had this for managing the virus profiles that were distributed to faculty and students.

They had that in place 13 years ago when I started, and last I saw, the system was still in place.

Re:For a program so hard to turn off

[mR.bRiGhTsId3]

And how precisely does that work when svchost works by loading other .dll's and executing them?

Re:For a program so hard to turn off

[clone53421]

It doesn’t clean or quarantine svchost.exe.

Whether or not it detects a bad .dll is another question, but not deleting or moving critical Windows files is a good start.

Re:For a program so hard to turn off

[Darth_brooks]

....then when the system file is updated via windows update, your AV goes ape-shit and you're back to where folks running Mcafee are today. Unless microsoft proactively notifies every AV vendor of the coming patch with a new valid checksum, and every AV vendor updates their def's with the new checksum, and the end user updates the virus defs before running the appropriate windows update, and the defs contain valid checksums for both the old and the new copy of the file, and......

Re:For a program so hard to turn off

[clone53421]

So what you’re saying is... it would require cooperation between Microsoft and the antivirus vendors?

You’re right... it’ll never happen.

Re:For a program so hard to turn off

[Target+Practice]

I wonder how intentional this was? Seriously donning a tinfoil wizard robe and hat here, but with such an obvious fatal blow, it seems it wouldn't have survived their QA process for more than ten minutes. The effect is quasi immediate, and it's a pain in the ass for one of the most common versions of one of the most common OSes available.

Yeah, my money is on this being an inside job designed to splash mud on McAfee. Look at the alternative: McAfee have suddenly proved themselves incompetent to check for basic contingencies, and should have all their computers replaced with Etch-a-Sketches.

Re:For a program so hard to turn off

[value_added]

Svchost has been around forever. It basically encapsulates other applications. Svchost handles many things from DCHP client to Windows Themes. The problem is that McAfee doesn't seem to ...

Encapsulation? No doubt that's a valid comment and one that's just as valid to describe, in a more general sense, how Microsoft designs things. On the other hand, I consider a weasel word that describes something that lacks transparency, isn't understandable, and is unnecessarily complex.

If you think that's an over-the-top opinion, run `netstab -ab'. See how long it takes for the command to complete. And then see how long it takes for you to parse the output before making sense of it.

Re:For a program so hard to turn off

[Jorl17]

And what if there's an update? When will the AV distinguish between *real* updates and *virus* updates to recalculate the checksum? Life's a bitch, isn't it?

Re:For a program so hard to turn off

[DrgnDancer]

I don't think that's even the more significant issue. Microsoft may well be willing to provide the info, but it would be havoc getting users to do upgrades in the same specific order every time. Even if you automated things so that the AV system always updates before the OS you'd have problems. What if the AV vendor's site was down and the AV update goes through late? What if the user shuts the computer down then powers it back up in between update times? There is just no practical way to assure that the AV is ALWAYS updated before the OS.

Re:For a program so hard to turn off

[TheQuantumShift]

Except some common viruses hide behind names like SCVHOST and SVCHOSTS and what not, could have just been a simple typo. But yeah, I wish my machine still let me disable or uninstall McAfee, I can't even do it in safe mode logged in as the LOCAL admin account... I love how it literally takes 10-15 minutes to become usable after a reboot...

Re:For a program so hard to turn off

[Anpheus]

The word you're looking for, when trying to describe what happens when you unload a live DLL, is "interesting".

Here, like this:

And forcibly unloading a DLL is, as far I know, interesting.

Re:For a program so hard to turn off

[mcmonkey]

Two versions! You think there have only been two versions of svchost.exe on XP and 2003?

Not in all the universe. But I don't care about the universe, I just care about my company.

And in my company, with very few exceptions, all Windows systems get the same patches (that is, all workstations get the same workstation patches, all servers get the same server patches). So yes, at any one time, my Windows group can focus their attention on testing with those two versions of Windows--one XP and one Server.

Anyway, going back to how patches from MS are handled, not only are they made available for testing before pushed out to production, they are also pushed out in phases.

About 10% of the workstations in the company are in the pilot group and get MS patches about 5 days before everyone else. If this AV dat update was handled in the same manner, my company would have saved a few $million in lost productivity today. The issue would have been noticed before it went company-wide.

Re:For a program so hard to turn off

[toadlife]

Yeah, and "LOCALSYSTEMkit" doesn't exactly roll off the tongue.

Re:For a program so hard to turn off

[mlts]

Shouldn't Microsoft just Authenticode-sign the small executable files, like they do install .exe files, .MSIs, and .cab files? This way, all an AV utility has to do is check to see if the executable is signed by MS's signature key, and then it is proven to be known and good, barring rootkits?

Re:For a program so hard to turn off

[Lehk228]

Look at the alternative: McAfee have suddenly proved themselves incompetent to check for basic contingencies, and should have all their computers replaced with Etch-a-Sketches.

i have no trouble at all believing that.

Re:For a program so hard to turn off

[mlts]

In this instance, the test would work perfectly. Only when the scan fired off would people get stung by this issue. So unless one ran a scan on the test PC before a full deployment, it would get past.

Re:For a program so hard to turn off

[cyphercell]

No, this is just wrong. There is no reason whatsoever to test AV signatures before deploying them. The company is at fault. If you want to set up a server on the network, then do it because it saves bandwidth and deploys the updates QUICKER.

Your antivirus is your first line of defense, it is supposed to compensate for the other holes in your systems, it is not supposed to be so dangerous that it can't do it's job.

Re:For a program so hard to turn off

[Arthur+Grumbine]

If you think that's an over-the-top opinion, run `netstab -ab'.

I tried this and all it did was kill all my current connections and produced the message "From Hell's heart..."

Re:For a program so hard to turn off

[yukk]

You should be updating a local server from Mcafee and then disseminating your .DATs from there when you're happy with them. That's how enterprise systems are usually set up. In this case it's your admin's fault that your company is losing $millions by being down proactively.. Though by fighting fires in panic mode he/she will look good to management for saving the computers.

Re:For a program so hard to turn off

[cyphercell]

Okay, I've thought about it a little bit more, I'd say one day - tops. Then if something goofy like this happens you can hit the kill switch, but you do not want to get caught dicking around with test cases when a virus hits. However, it's a catch 22 and the real answer is that they should not be putting you in this position.

The shit list at this point is:

AVG
Bitdefender
McAfee

Re:For a program so hard to turn off

[unixan]

Happy shall he be, that taketh and dasheth thy little ones against the stones

This is an ancient Israeli wish for bitter revenge against invaders. Here is more context (in alternate translation):

8 People of Babylon, you will be destroyed.
The people who pay you back for what you did to us will be happy.
9 They will grab your babies and throw them against the rocks.

Re:For a program so hard to turn off

[Eivind]

You can't trust the checksum, but you can't trust the data you get when you "read" from the file either, so either is about as good as the other, frankly.

Re:For a program so hard to turn off

[petermgreen]

Antivirus is dangerous pretty much by definition. It's job is to identify viruses which often use self modification techniques. With viruses getting ever better at avoiding detection false positives are practically a certainty.

Not saying this incident is excusable (they REALLY should be testing every version of core windows files, surely it can't be that hard to extract every MS patch to a "test clean" directory) but they can't be expected to check every bit of software out there.

And desktop antivirus should really be your last line of defense. If things are hitting it on a regular basis you have bigger problems to fix. Even if you update it regulally as soon as the definitions come out there will still be threats too new to be detected.

Re:For a program so hard to turn off

[clone53421]

As long as the AV didn’t automatically flag any system file that didn’t match its whitelisted expectation, it wouldn’t be a really huge problem.

Flag it if it doesn’t match the whitelist and it triggers the malware heuristics. But even if a whitelisted executable happens to trigger a malware alarm, the whitelist would prevent it from being detected as malware. And if the filename matches a vital system file, and the whitelist doesn’t cover it, and it does happen to trigger the malware detection... make damn sure that the virus definitions are the most recent ones before you go deleting or moving the file.

You’d still have the possibility that some system update would bizarrely get detected as malware, but at least most of the users should have updated AV and the problem should be fairly minor.

Re:For a program so hard to turn off

[clone53421]

Actually, it’s [not being able to trust a rooted machine]. Whether it got that way by surfing from your admin account or whether it was a privilege escalation is pretty irrelevant at that point.

Re:For a program so hard to turn off

[clone53421]

You can't trust the checksum, but you can't trust the data you get when you "read" from the file either

You’re repeating yourself. You get the checksum by reading from the file and hashing its contents. If you can’t trust the data you’re reading, you can’t trust the checksum.

Re:For a program so hard to turn off

[clone53421]

Update the virus definitions to whitelist the updated file before the system update is officially released.

Check the filenames too and don’t touch a vital system component unless you’ve contacted your AV update server and it says you have the most up-to-date virus definitions.

It’s not a fool-proof situation, but it’s much less likely to end up like this one did.

Re:For a program so hard to turn off

[that+IT+girl]

It definitely does take the entire machine down. One of my main customers runs McAfee, and got hit hard by this. About 90 sites have all their PCs affected by this. We and their corporate office are still scrambling around to get everything back to normal.

Re:For a program so hard to turn off

[Mr.+Sketch]

That's a much better idea than a simple hash (md5 or sha-224, etc I didn't have a preference, just some sort of known-good hash).

A signature on the executable would be easy for the AV software (and the OS) to check and make sure it hasn't been tampered with. This should probably be more widely deployed in general. Maybe we'll get it for version WinX?

Re:For a program so hard to turn off

[Ralish]

On the other hand, I consider a weasel word that describes something that lacks transparency, isn't understandable, and is unnecessarily complex.

Not really, it makes a lot of sense once you bother to learn about it rather than just flame about it on Slashdot. Although, you may not necessarily agree with the design principles behind it. Svchost (Service Host) isn't difficult to understand; "encapsulates" is a fair choice of word as that's really all that it does: executes multiple services under a single process (ie. hosts them). An important distinction is that it hosts services that exist as DLLs, not binary executables (most Windows OS services are implemented in this way, 3rd-party services far less so). Multiple svchost processes can exist concurrently and each host one or more services, commonly loosely grouped into different svchost processes by category, importance, etc...

Why have svchost at all? The answer is basically performance. Windows processes are "expensive" relative to Unix systems from a resources perspective. They require greater overhead to setup and for the OS to maintain, and so Windows tends to have a greater emphasis on a proliferation of threads than a proliferation of processes. At any given time a modern Windows OS is likely to be running a lot of services, and hosting each of these in a different process would potentially incur a lot of resource overhead that is ultimately just a waste. The primary benefit of doing so would be stability. Why? Because if one of the services hosted in a svchost process crashes, it'll bring down the rest of the services in the svchost process with it. Obviously, if it's a svchost process running important services and/or a lot of services, the results can be catastrophic. To be fair, this is in my experience extremely rare (I can't in living memory remember ever seeing this occur firsthand).

Netstat is admittedly fairly useless for inspecting ports with respect to svchost hosted services, but the reason why is obvious: it would need "special" coding to give it an understanding of svchost specifically, rather than just an understanding of processes. However, Sysinternals Process Explorer can quickly and easily show you which services are hosted in which svchost process, as well as which TCP/IP connections (and listening ports) belong to which service in any given svchost process. It's not ideal, but it does work and well at that; any Windows sysadmin worth their paycheck should have a copy of the Sysinternals Suite on hand anyway.

Re:For a program so hard to turn off

The advantage of signing every executable, even if one is only a few k is that it is a lot harder to tamper with the executables. Yes, a rootkit might have the OS think they are untouched, but booting from a recovery CD and doing an integrity scan will immediately show which executables are signed and intact, which have no signature, and which were signed, but the executable contents don't match the signature.

And this should be considered for every OS. It will add space tacking on signature information to the end of the files, but it will make catching tampering very easy. Manifest files with lists of hashes help to a far lesser extent, but all malicious software has to do is tamper with the manifest file's signature, and one doesn't know what file on the list might be modified or not.

Re:For a program so hard to turn off

[cyphercell]

Well that depends on how restrictive your firewall can be otherwise it is your AV. Maybe removing administrative access? That would be a point, but it's worse than an overbearing firewall. What's next, keeping your software up to date? Good luck with that! No, if you work somewhere where the users have decided they will use youtube and that's the way it is, you've got to have an AV.

Re:For a program so hard to turn off

[cyphercell]

Why test? Just hold the updates for a day or so and if there's no news don't worry about it.

Guess what I've been doing all morning?

[uvsc_wolverine]

I work at a university where we use McAfee anti-virus as our corporate AV. Guess what I've been doing all morning?

Re:Guess what I've been doing all morning?

[2names]

Um, hiding in the bathroom like I have been doing?

Seriously, though, we got hit hard with this. I don't mind fixing the problem, what pisses me off is that we didn't want McAfee in here in the first place but Corporate HQ forced it on us.

Re:Guess what I've been doing all morning?

[oldspewey]

Reading Slashdot?

Re:Guess what I've been doing all morning?

wanking furiously?

Re:Guess what I've been doing all morning?

[Hatta]

Updating your resume?

Re:Guess what I've been doing all morning?

[JamesP]

Funny that one of the 'false reasons' against Open Source is liability

So are you going to sue the bastards for lost time and productivity?? You should.

Re:Guess what I've been doing all morning?

[Spazztastic]

Seriously, though, we got hit hard with this.

I'm trying to avoid having this happen. I just called our guy who manages the AV server (among other things) and sent him this. He was skeptical, but wasn't opposed to rolling back the server to using 5957 for now until more builds on this story. My system hasn't updated to 5958 yet, even though the AV server was set to deploy that. Let's hope for the best...

Re:Guess what I've been doing all morning?

[poena.dare]

Crap! I wish more of my clients used McAfee!

Re:Guess what I've been doing all morning?

[2names]

Every system that we had that was XP SP3 that got updated to the 5958 DAT file became useless. We are now forced to visit each machine and manually fix it. Rubbish.

Re:Guess what I've been doing all morning?

[steveg]

Me too. I just handle my department, thank the gods. I've got two labs that are native Windows -- one with 7 machines and one 15 machine lab. These are hardware oriented labs that have vendor provided software that won't run under emulation.

The other 4 labs run Ubuntu, with VMWare, non-persistent VMs for any activities that absolutely require Windows.

My Windows only labs are in a constant reboot cycle (well, before I shut them down), the rest don't even realize there's anything going on. :) Since tomorrow is Lab day for those two labs, I'm hoping McAfee gets the problem fixed before then. If not, I'll disable boot scan until they do.

Re:Guess what I've been doing all morning?

[barzok]

Seriously, though, we got hit hard with this. I don't mind fixing the problem, what pisses me off is that we didn't want McAfee in here in the first place but Corporate HQ forced it on us.

I'm sure they'll find some way to blame your department too.

Re:Guess what I've been doing all morning?

[mortonda]

removing McAfee, right?

Re:Guess what I've been doing all morning?

[Bearhouse]

Urm...reading up on how you should test patches etc. before massively rolling them out?

Re:Guess what I've been doing all morning?

[tacokill]

Cue the powerpoints to management in 5....4....3....2....

Seriously. If you really want to get McAfee out of your org, then just present the business case based on this event. This is so egregious that it's hard to understand how a company of any size could miss this level of QA.

There are plenty of alternatives out there, starting first and foremost with the free option from Microsoft (Microsoft Security Essentials).

Re:Guess what I've been doing all morning?

[ginbot462]

Um, hiding in the bathroom like I have been doing?

Bob is that you?

Can you spare a square in the next stall?

Re:Guess what I've been doing all morning?

[GungaDan]

WTF? All of my systems are updated to 5959 already...

Re:Guess what I've been doing all morning?

[Mr.+DOS]

So, you're suggesting a full suite of testing on daily antivirus signatures? Yeah, that's a great use of time.

Re:Guess what I've been doing all morning?

[LinuxIsGarbage]

Antivirus definitions are updated daily. Several times daily. That'd be an impossible task for IT depts (though hopefully some testing is done by AV writers.

Re:Guess what I've been doing all morning?

[guruevi]

I always get a kick when somebody says something stupid like that. I've recently heard that in a meeting with management: "Yeah, but if Microsoft's solution doesn't work, we can call them for help and they are liable for the problems with their product". As ANYONE that ever called Microsoft knows, they're not helpful at all and if you spent too much time on their support lines they will come off with something like: well, we don't support customizations, we can't fix that, read the support contract. Under customizations they understand (not kidding): Modifying your SharePoint site to put content on it, installing updates in Windows.

Re:Guess what I've been doing all morning?

[ashridah]

For a corporate environment, MSE isn't really the right approach, it has next to no management available.
Forefront endpoint protection and the related management tools are the corporate option.

Re:Guess what I've been doing all morning?

[mu51c10rd]

Hopefully you all don't force McAfee upon all those UVU students too. At least you all let your people know.

Re:Guess what I've been doing all morning?

[DrgnDancer]

Yep, this. Spent the afternoon manually fixing machines, myself. I'm not normally a Windows Admin, I handle Unix systems, but they co-opted everyone with an admin account for this mess.

Re:Guess what I've been doing all morning?

[kernelphr34k]

I use to be in the same boat with Corporate HQ forcing it to everyone!

My contract for employment with one of the top Tech companies ended a few months ago, and its another company who uses McAfee. Why is a huge company who could afford a better AV solution choose something like McAfee? I can find other solutions that would be less resource intense, and have fewer process running in the background. McAfee is the BIGGEST peice of sh*t I have ever had to administer. Anyone care to shed some light?

Re:Guess what I've been doing all morning?

[JamesP]

Really depends on your contract

Also, Microsoft is one vendor that takes the most responsibility for their products (yes, really)

Re:Guess what I've been doing all morning?

[porkThreeWays]

Same here. I love that we spent 3 hours on hold with Mcafee w/ no automated message acknowledging the problem. In fact, they gave us a solution that didn't work once we got on the phone with them so we had to come up with a fix based on internet reports and manually do it on hundreds of machines. I also love how the EULA will probably mean we have no legal recourse for hundreds of people sitting around with their thumbs up their butts today with useless computers.

Re:Guess what I've been doing all morning?

[Flammon]

Yep, we gathered all the IT staff that we could, programmers, operations, qa, managers etc. and just finished repairing, in about 8 hours about 1000 systems. I estimate the our company lost between $150,000.00 to $200,000.00.

Re:Guess what I've been doing all morning?

[Zxern]

Well sure, but you're an actual Microsoft customer unlike the GP who is most likely a Dell, HP, Asus, ect customer looking for help with his desktop pc.

antivirus... poison for cure

[wvmarle]

This way running anti-virus is worse for an end user than no anti-virus.

The cure becomes worse than the disease.

At least being part of a spam-spewing botnet keeps the computer mostly functional.

Re:antivirus... poison for cure

[timster]

Well, with McAfee, the cure has been worse than the disease for over a decade now. But the cure is easier to explain to management.

Re:antivirus... poison for cure

[SCHecklerX]

People will always prefer to take an aspirin for their headache rather than avoid what gives them the headache in the first place.

Re:antivirus... poison for cure

[VGPowerlord]

Well, with McAfee, the cure has been worse than the disease for over a decade now. But the cure is easier to explain to management.

If the cure temporarily kills my machine, that's still considerably better than stealing information from it or the other computers on the network, and/or making my computer attack other computers.

Windows is a virus

[Wonko+the+Sane]

We've known for a long time but it's good that McAffee finally admitted it.

Re:Black Wednesday

[ircmaxell]

Unless as a sysadmin you chose another product other than McAfee (I personally use Symantec)...

Sigh...

I would have gotten first post, but I was running windows with McAfee

Re:Sigh...

[CTalkobt]

The first post was posted at 2:03pm (in my timezone) .. yours was posted at 2:07 so all things considering, a 4 minute fix isn't too bad...

Re:Sigh...

[Jorl17]

Sir, if I had mod points, I would hand them all to you.

Fool me twice....

[get+quad]

Seems not too long ago McAfee was deleting important files....and people kept using it. Here we go again. Can I get a lol?

QA

[sycodon]

What possible scenario allowed this CharlieFox past QA?

Re:QA

[PolyDwarf]

Easy peasy..

The scenario is, there was no (decent) QA.

Re:Black Wednesday

You could also choose Linux instead of Windows.

Any idea when this was pushed out?

[Ungrounded+Lightning]

I don't see any indication of when this first went out.

(My wife runs McAfee and launched an update around 3 AM PDT before hitting the sack...)

Re:Any idea when this was pushed out?

[Stevecrox]

Judging by my workplace it went out today around 17:00 GMT, our entire office of 500 people decided to go home early.

Re:Any idea when this was pushed out?

[cryogenix]

It hit my system about 9:45am Central time US. I was able to yank it out of the updates for the rest of the company before it went farther. I had 3 machines out of about 200 affected by this. On my machine it didn't delete svchost.exe on the others it did. One machine did not auto reboot. It was just very slow, the start menu looked like it had been pulled all the way down to the bottom however you could not drag it back up. All USB ports except one stopped working and there was no network access.. On that machine svchost.exe had 0 bytes. Adding the updated extra.dat to program files\common files\mcafee\engine and replacing svchost.exe resolved all issues. There's an updated 5959 dat file out now that forgoes having to deal with extra.dat.

Re:Black Wednesday

[ircmaxell]

True, but business needs dictate software requirements. So that decision is out of my hands (but believe me, I'd LOVE to run an office full of Linux computers)...

Re:Black Wednesday

Or you can go back to pencil and paper. Much more cost effective than Linux.

shutdown -a

[bugs2squash]

at a command prompt when the "windows will shut down in XX seconds" popup us on screen saved me. I'm still waiting for a mcafee update file to fix it properly.

Re:shutdown -a

[cryogenix]

The updated dat is available now, an updated extra.dat was available earlier this morning. I was the one that posted it in the tech support forums. You could have however just disabled access protection and on access scan to keep it from scanning at all. Not a great solution but at least your machine works. If your svchost.exe got nuked, copy it back from the system32\dllcache folder.

Re:shutdown -a

[Taibhsear]

Thank you! I've been wondering if there was a command to stop that. IT dept fixed my office computer already but it's good to know in case something stupid like this happens again.

Also unaffected

Some are running a version of Windows 7 called Windows Vista, and it's also unaffected. Which is not surprising because it's pretty much the same thing with greenish wallpaper.

I heard

[Dunbal]

Next they will be deleting a directory known to be full of malware called system32

Re:Double ouch.

[Jeng]

My big question is why is Norton and McAfee still so popular in the corporate world?

I understand that the OEM's preload McAfee or Norton because they are paid to, but the corporate world is paying big money for these out-dated anti-virus programs.

There are much better anti-virus providers out there such as Avast, Kaspersky, Nod32 and others.

Doesn't McAfee Do Testing On Releases?

[bezenek]

My God! How can something like this possibly get by QA as a company the size of McAfee? Have they outsourced all of their QA to a team with no clue?

-Todd

Re:Doesn't McAfee Do Testing On Releases?

[jimicus]

Well, if their support is anything to go by, the answer to that is a resounding yes.

Re:Doesn't McAfee Do Testing On Releases?

[ZachPruckowski]

My God! How can something like this possibly get by QA as a company the size of McAfee? Have they outsourced all of their QA to a team with no clue?

If it only hits certain versions of Windows 2000 and Windows XP, it's possible McAfee testing didn't cover those versions for some reason. Given all the various patches, updates, and service packs for Windows 2000 or XP, either one of those is gonna have dozens if not hundreds of possible states for SVCHost.exe, depending on which patch it received. Of course, if it affects the fully-updated build or all the builds, that's no excuse.

I'm not saying that is what happened, I'm saying that that could possibly get by QA at a large company. Testing against every permutation of Windows update would mean thousands of installations of Windows to test.

Re:Doesn't McAfee Do Testing On Releases?

[broken_chaos]

From some of the other comments on this story, from sysadmins fixing this, it sounds like it hits near completely- or completely-patched XP machines. That's extremely silly a thing to just 'whoops' on.

Re:Doesn't McAfee Do Testing On Releases?

[Rallion]

Outsourced? You talk as if is this came out of nowhere. A sudden problem with a product that has NOT been shit for years. That does not describe McAfee.

The really big AV outfits (I really just mean Symantec and McAfee, here) are terrible. It always seemed to me that they got big via OEM bundling, which is great because it has zilch to do with the actual quality of their products, support, or anything except for their ability to make deals with their partners.

McAfee recently screwed me over

[thetoadwarrior]

Two weeks ago it went and deleted two important for dev c++ and another program at my work. It was insistent they were viruses. I'm not sure how I could have received a virus since I get virtually no attachments and don't email anyone outside of work (ie no "fun" emails), I only visit the BBC, Netbean.org, Eclipse.org and a handful of other reputable sites because I rather goof off by writing my own code than doing nothing and I scan all my downloads before installing them.

Sure maybe I got unlucky for the first time in like 3 years. Maybe someone used my computer while I was on holiday but I suspect not. I suspect it's related to this.

Re:McAfee recently screwed me over

[zonky]

There is no such thing as a reputable site on the internet.
Some sites use ad networks, which have happily served malware.
Other sites are run by clueless admins and left vulnerable to commodity exploits.

Drive by Downloads exist, and a risk everywhere.

Re:McAfee recently screwed me over

[gman003]

Sure, any site can theoretically be cracked and used to distribute crap like that. The thing is, many sites are well-run enough that the odds of that are relatively miniscule.

If you don't trust anything, you may as well cut the cable, remove your network card and disable any removable media.

If you want to use the Internet, at some point you're going to have to trust someone.

Re:McAfee recently screwed me over

[thetoadwarrior]

True, but netbeans and the BBC don't serve ads. Those two are probably the two sites I visit the most. Eclipse.org is mainly just got grabbing new versions.

Re:McAfee recently screwed me over

[Joce640k]

As a developer I've had several cases of Antivirus programs thinking my app is a virus.

They've always fixed it after I send them a copy but it causes a bad impression among customers when it happens (most of them are totally paranoid about installing anything anyway.

Imagine: they have to jump through many hoops just to install a demo and when they do it pops up and says "virus". Great, thanks guys.

As a sideline I do virus removals/cleanups and I've seen *every* major antivirus fail to prevent infection on many occasions. They mostly only work for preventing month-old viruses and exploits.

Re:McAfee recently screwed me over

[BenoitRen]

Sure, any site can theoretically be cracked and used to distribute crap like that. The thing is, many sites are well-run enough that the odds of that are relatively miniscule.

Wrong. Shit can hit the fan anywhere. Even if your site is run well by yourself, that doesn't mean your hosting company can't get hacked, for example. As already mentioned, third-party content can serve malware as well.

If you don't trust anything, you may as well cut the cable, remove your network card and disable any removable media.

Hyperbole.

If you want to use the Internet, at some point you're going to have to trust someone.

Bullshit. You don't have to trust anyone as long as you don't download an executable of any kind. You can and should treat untrusted content with care.

Re:McAfee recently screwed me over

[King_TJ]

Pathetic, but not surprising, unfortunately.

I just dealt with an issue last week where I was trying to recover a forgotten but stored password in Outlook Express on a Windows XP system. I downloaded a shareware "password recovery" tool that was supposed to expose the saved password - but as soon as it ran, the anti-virus software (AVG in this case) flagged it as a potential security risk and stopped it from running. Unfortunately, it apparently was able to partially run, faster than AVG could kill the process, resulting in corruption of the stored password. (Outlook Express couldn't retrieve email anymore with whatever was saved in there, after the tool tried to run and AVG nuked it.)

Re:McAfee recently screwed me over

[Pteraspidomorphi]

Antiviruses have false positives sometimes - Better than false negatives. If the alert looks odd to you upload the file to virustotal.

Re:McAfee recently screwed me over

[lgw]

The days when you had to "download an executable" are long gone - everything's dangerous, because everything requires an executable to open, and nothing is perfect. I'm getting hit now with PDF-based attacks from banner ads (and I still can't figure out how that works, but fortunately I patched my PDF viewer a while back so it's toothless).

Re:McAfee recently screwed me over

[CrazeeCracker]

Drive by Downloads exist, and a risk everywhere.

Sounds like the next RIAA ad campaign.

Re:McAfee recently screwed me over

[dkf]

True, but netbeans and the BBC don't serve ads.

The BBC does, but only outside the UK.

Re:McAfee recently screwed me over

[BenoitRen]

An executable can't be managed (unless you really go out of your way by implementing appliation policies, but let's not go there), because it's a bunch of binary. For things like PDF files, though, we have viewer that we can configure to disable possible attack vectors. So it's not quite the same thing.

Re:McAfee recently screwed me over

[lgw]

These days, it's safer to run an executable from a non-admin account than to open a document from an admin account. Heck, in many ways exe's are safer, becuase while you can disable automatic opening of a long list of document typs that you have decided to disapprove of, the default behavior of a typical broswer is to automatically open a broad variety of document types. Not even IE will automatically run an exe just because it's on the site your browsed to.

And once you make that decision to open a PDF, you have no defense against any attack you haven't patched against yet. There's no telling how long some of these attacks are in the wild before we hear about them, as the botnet guys have become subtle, and work hard to stay under the radar these days.

Re:McAfee recently screwed me over

[BenoitRen]

Heck, in many ways exe's are safer, becuase while you can disable automatic opening of a long list of document typs that you have decided to disapprove of, the default behavior of a typical broswer is to automatically open a broad variety of document types.

The documents that a web browser can open are limited. Everything else is managed by plug-ins. Just disable/remove those.

And once you make that decision to open a PDF, you have no defense against any attack you haven't patched against yet.

Which is why you disable JavaScript, and any other way for the document to interact with the program and/or request for external content.

Re:McAfee recently screwed me over

[lgw]

Yes, sure, if you want to run Lynx you're going to be pretty safe. But if you want to crawl out of your bunker and actually consume web content, it's a dangerous internet these days. And it's not like there haven't been vulnerabilities in HTML rendering engines and basic graphics display before. I can remember when "jpg virus" was an urban legend, not a 0-day.

Re:McAfee recently screwed me over

[BenoitRen]

I like to think that rapid patching of an open-source web browser alleviates most of this. As for 0-days, well, it's not like an anti-virus program will protect you from that either. :)

virus scanners are the devil

[buddyglass]

Seriously. They consume CPU. They stay resident and consume usable memory. They occasionally crash and/or cause other applications not to work. And, in this situation, they break Windows. I don't use AV and have had pretty much zero issues over the last 6 years of using Windows XP. All you need to do is:

* Configure Windows update to run daily.

* Don't use IE or Outlook.

* Keep Windows Firewall active.

* Don't connect directly to the internet- sit behind a router that's configured to be (mostly) invisible.

* Don't run random things you get sent in email, on facebook, or that pop up unexpectedly while you're at a questionable website.

* If you think something's amiss, boot into safe mode and use a non-resident tool like MBAM.

Re:virus scanners are the devil

[ledow]

To be honest 2, 4 and 5 are perfectly adequate for a knowledgeable user and the rest provide little if any advantage. And they also happen to apply to all OS's and all versions of those OS's.

Re:virus scanners are the devil

You missed the obligatory:

* Run Linux

Re:virus scanners are the devil

[Spad]

That's not enough any more; even reputable websites can often be easily compromised either through SQL injection, XSS, compromised ad server or some other mechanism and apps like Adobe Reader, Office, Flash, Foxit Reader, Firefox, Java, VLC and more have all experienced serious vulnerabilities in recent months, which have often remained unpatched for long periods of time.

I finally gave in and installed my home-licensed copy of Sophos (provided by my work) because there are too many factors outside of my control these days and short of isolating my PC from all external data sources there's no way to be sure and I'd rather have a backup in case I miss something.

Re:virus scanners are the devil

[ducomputergeek]

I have an easy solution: buy a mac.

Re:virus scanners are the devil

[blincoln]

I used to believe something along those lines. Then my PC was infected with a worm when I plugged an mp3 player into the USB port. I'd bought the player new, factory-sealed, so it must have picked it up at the manufacturing plant. I disabled all autorun/autoplay after that, but I'm still wary enough that I run Avast to help avoid another similar situation.

Also, none of the things you mention will detect/remove a rootkit if one does manage to make its way onto your PC. I cleaned one up off of a PC that belongs to my sister a few weeks ago, and that was a headache. I did a scan of the infected drive in an external USB case, and that got nearly all of the infected files taken care of, but because most virus scanners apparently don't scan the MBR of non-boot drives, the rootkit was still waiting there and I had to use the Windows recovery console to write a new MBR.

As far as I can tell, her PC was infected through some variation of the "malicious PDF in a hidden IFRAME which belongs to an online advertisement" scenario, because she was already using Firefox exclusively. So maybe you should at least add "don't install Adobe Reader, or if you do, disable browser integration, update it daily, and set Firefox to download PDFs instead of opening them" and "install and use AdBlock Plus, and possibly NoScript" to your list.

Re:virus scanners are the devil

[djdanlib]

You forgot a couple things:
1) Don't run as an admin account except for admin tasks.
2) Keep your Adobe products up to date - including Flash and Reader. Someone else you trust might have been compromised and send you an infected PDF file.
3) Allow Windows Update to install MRT and update it every time the monthly definitions update comes out.

Running Windows Update daily won't really help you so much but I agree with the reasons you have for keeping it that way. Microsoft releases most patches on the 2nd Tuesday of every month. There is an occasional out-of-band patch.

Unfortunately, drive-by downloads have been sneaking into banner advertisements on legitimate websites, and those criminals are getting crafty. So, not using A/V is pretty much leaving the door wide open. I've been hit with one in the past 2 weeks (which exploited a 0day in Firefox that was patched very shortly thereafter) that still ran in safe mode and disabled Task manager, Regedit, and MBAM - I had to repeatedly press Ctrl+Alt+Del to find out its PID while task manager would flash on and off my screen thanks to this malware, and eventually got the whole PID and used taskkill to slay it. THEN I was able to run MBAM. Good thing I had the PID column enabled... Would not have expected that kind of thing from a reputable news website!

Virus scanners are typically worse than most of the viruses they are designed to prevent, I agree, but I'll take $antivirus_software with all of its on-access scanning disabled over having to deal with malware like that any day.

Re:virus scanners are the devil

[Beardo+the+Bearded]

I have a better solution:

Install Linux.

Re:virus scanners are the devil

[Andy+Dodd]

2/4/5 are basically all I do on my Windows machines. Admittely, I rarely use Windows for anything other than games.

1/3 have often caused more problems than they solve for me once 2/4/5 are in place.

6 is of course the good "oh shit" solution, although in my case I go beyond that and run ClamAV from a Linux partition.

However, Clam frequently doesn't find stuff MBAM finds, and vice versa. Well, I can't really say for sure, I think I've had a grand total of two infections in 6+ years.

Re:virus scanners are the devil

[Sandbags]

Additionally,

* Don't click on links without verifying the actual link matches the name displayed in HTML when you mouse over it. When in doubt, type the root URL in by hand and browse to the specific page.

* Don't read spam. Anything anyone sends you, even family members, providing you with news, alerts, health related info, virus warnings, saftey warnings, etc, is ALL bullshit. HaoxBusters and snopes.com are your friends, when in doubt, LOOK UP the email there, and then tell your friend/family member to check themselves next time or risk being blacklisted. (I actually created a default reply script so when a family member sent me something that looked fishy, i ran a script that made a fairly convincing looking e-mail that would appear to come from a security server indicating the content of thier e-mail was blocked as it was known SPAM and may contain a virus, took a few months and they ALL stopped sending me crap...)

* Don't download and install anything unless its direct from a nationally known vendor and its a product sold commercially (or a known safe FOSS vendor). If it's not sold on a shelf in a store, ask yourself why not? Clearly, if it was a legit product, it should be... (yes, I know, many perfectly acceptable FOSS packages out there. in that case a good rule of thumb is that If 3 PC literate people you know can't name it, its not safe).

* ignore all adverts, block them if you can

* Don't use any account with admin privileged unless you're doing something at that moment that requires it.

* Use strong passwords, and use a DIFFERENT ONE on EVERY site. There are lots of tricks for coming up with good passwords, and for remembering which one is for which site.

* only sign up for what you have to; don't enter contests, marketing programs, or provide email addresses or phone numbers of your primary accounts. Some web sites insist on sending you an e-mail to validate an account ID: use a special, separate email account just for that, and immediately change any password they may issue you in that e-mail.

* never give out your personal/primary email address to a company or someone you do not personally trust for any reason.

* stay off P2P and other sharing systems completely.

* there's not just AntiVirus software, there's also AntiSpyware software, USE BOTH!

* Back up regularly, to a drive that is NOT always connected to your system (leaving a backup USB drive or network share mounted all the time means a virus can wipe out your backups too!) back up stuff you want to save from fire and other disasters online to a secure hosted system.

* When browsing questionable sites, do so from a virtual machine or a machine that uses completely different account information from your primary accounts and contains none of your personal files. A cheap old laptop is a good solution for that).

Re:virus scanners are the devil

[Enderandrew]

Even better, use an alternative PDF reader like Foxit or Sumo. Acrobat Reader is just riddled with security vulnerabilities.

Re:virus scanners are the devil

[izomiac]

And then grow complacent with security until a flash exploit wipes out your home directory.

Re:virus scanners are the devil

[Culture20]

Will you come to my workplace and enforce these rules (and the rules that others are responding with)? I see several desktops on my network downloading infected pdfs or trojans according to my SEP console. Thankfully these users aren't administrators, but the exploits are just a privilege escalation away from ownage.

Re:virus scanners are the devil

[Coren22]

Bull

http://www.google.com/search?q=mac+virus

Re:virus scanners are the devil

[Tromad]

This does nothing at all to prevent drive-by ad malware, which has happened to me twice on "reputable" sites, even using firefox. I now use adblock and noscript, but no longer is it "safe" to simply just not use IE.

Re:virus scanners are the devil

[TheRedDuke]

This is all very good advice, but it's not good enough, especially when you're trying to protect computers in a corporate environment. Telling your users to follow these best practices and having them actually follow that advice are two entirely different things. Human nature dictates that over a long enough stretch of time, someone will, knowingly or unknowingly, click that flashy banner to download smiley faces. That's where AV comes in, provided your latest DAT didn't just pwn you.

There are plenty of AV apps out there with a small(ish) memory footprint. We're using Avira's corporate solution, and of the commercial apps, it's among the smallest out there - last I checked, it uses about 12MB at idle. Compare that to how much memory XP/Vista/7 use by themselves at idle, and it's not that much of a performance hit. So, in a sense, I guess you could say that _some_ virus scanners are the devil, and I wouldn't disagree with that sentiment where McAfee is concerned. Aside from this DAT debacle, it's bloated, the scan is painfully slow, and without some tweakage, the false positive rate is off the scale. I spent five years managing a McAfee server and I'm still glad it's gone.

Re:virus scanners are the devil

[BenoitRen]

Like you said, some attack vectors got missed. Keep those in mind as well, as you've done, and you should be fine.

Re:virus scanners are the devil

[Blakey+Rat]

IE is sandboxed, it's safer than most other browsers.

The real problem you're missing, though, is browser plug-ins-- Java or Adobe Reader can open wide holes in your computer no matter what browser you're running.

Re:virus scanners are the devil

[Jeian]

"I don't use AV and have had pretty much zero issues over the last 6 years" ... that you know of.

Re:virus scanners are the devil

[flibuste]

I'd agree with you but how do you know your computers are "clean"? That's basically the only reason I have an antivirus on the Windows box - to be 95% sure, not 80 something %.

Re:virus scanners are the devil

"I disabled all autorun/autoplay after that, but I'm still wary enough that I run Avast to help avoid another similar situation."

Yes to disabling autorun. That's the vector for the only worm I've seen in 10 years of running XP in the way the previous post described (it came in on a USB flash drive). So, add to his list:

* Disable autorun/autoplay correctly (note: Microsoft's advice will NOT kill it off completely).

* Run something lightweight like StartupMonitor to catch programs that try to install things in the various startup locations (useful to control bloatware too)

And something else I've done:

* make a fake, read-only AUTORUN.INF directory on usb flash drives and other portable devices so that when a worm tries to write on there, the filename already exists and it fails. So far I've not seen any worms smart enough to look for pre-existing files and delete them before attempting overwriting, and by making it a directory with that name the deletion process is more complicated.

Re:virus scanners are the devil

[desertjedi85]

You forgot * Don't download animal pr0n

Re:virus scanners are the devil

[jaavaaguru]

How about nothing is executable until you explicitly change the permissions, and nothing on removable media is executable. That way there is no accidental running of any programs.

Autorun should have been killed when Windows 95 was still around. It's such an obvious security risk.

Re:virus scanners are the devil

[Matheus]

Completely agree although I would even shorten your list...

I loved McAfee when it was a simple tool that I could use when needed to clean out some nasty infection. These days it is WAY worse than what it is there to prevent. (I spent a while on tech support with them a few years back trying to get the answer to this simple question "How do I uninstall ALL of the automated tools without preventing me from running a scan or clean manually?" It took them over an hour to come up with the answer that it was impossible with recent versions of the software.

On the extremely rare occasion I need to actually clean a machine (usually some friend's box) I've actually been using M$'s online tools and they do the job without putting the suck on the host. MSRT is even handy if you need to clean without a 'net' just not as comprehensive.

Re:virus scanners are the devil

[darkmeridian]

This used to be more or less true but then spammers realized that they can expand their botnet used hacked advertising servers to push zero-day vulnerabilities onto regular people browsing the New York Times online. Most of the vulnerabilities deal with Adobe PDF. Without a virus scanner that intercepted several of these hack attacks, there's no doubt that I would have had my computer compromised. I have been using only Foxit Reader as well.

Re:virus scanners are the devil

[haxot]

Not too sure about MBAM, but ComboFix http://www.bleepingcomputer.com/combofix/how-to-use-combofix is a splendiferous tool, detects generic malware threats and rootkits.
I run clamshell so I can manually scan files I download, and I've had autoplay turned off since windows 95 - What had possessed Gates and the Windows Team to automagicaly run untrusted stuff off any device, I'll never know. New York Hooker, and all that jazz.
Anyways - yeah, any time I think something fishy has happened that I missed, drop to safe mode and run Combofix. Works Swell.

Re:virus scanners are the devil

[djdanlib]

Good choice. Foxit is definitely faster.

Did you know Foxit had the same vulnerability, though? Sure, they patched it, but it's not bulletproof.

Lots of corporate stiffs (myself included) are forced to use Adobe's Reader at work, regardless of the availability of superior products. In fact, where I work at a very large company you're probably familiar with, Foxit is explicitly blocked.

Re:virus scanners are the devil

[koro666]

Mod parent up. Most attacks come from the "huge attack surface" from web browser plugins these days.

I, for one, have disabled each and every Firefox add-on and unwanted plugin, and use Windows Vista/7's integrity levels to run the browser in Low Integrity. That way, the worse it can do is trash its profile directory and one designated download directory, both of which are easily wiped and re-created fresh.

Re:virus scanners are the devil

[syousef]

That still doesn't protect you from drive by downloads. Firefox and Opera are not immune. If you haven't had an issue it's either because you're lucky or you only think you don't. Without a tool to check how do you know???

Of course it could also be that you don't do anything interesting or different enough to get a virus. If you're suspicious of any web address you Google and only go there if you've heard of it for instance.

What we need is decent anti-virus, not to give up on the concept altogether. Just because it's been done badly doesn't mean it can't be done well.

Re:virus scanners are the devil

[petermgreen]

Is there a complete list of attack vectors including bugs in software? no
Can all those all reasonably be closed? no

It's good to close as many attack vectors as possible but in the modern hostile world I would still keep antivirus as a second line of defence.

Re:virus scanners are the devil

[ekhben]

Reformat and reinstall is the only way to remove a root kit.

I abandoned Windows about six months ago as being simply too expensive to maintain. I do not look forward to the inevitable increase in attacks targeting macs. At least OS X doesn't do autorun.

Re:virus scanners are the devil

[rastoboy29]

You cannot "de-rootkit" any computer, Linux or Windows.  New MBR or not, forget it, it can never be trusted again.

Re:virus scanners are the devil

[mlts]

One suggestion I have is to consider using VMs for Web browsing if your machine is fast enough. VMWare Workstation allows for "seamless" program running, which makes it easy to just keep the Web browser running, and with an add on like BetterPrivacy which periodically wipes the Flash object cache, this should keep the damage a rogue process can do to a minimum. A rogue process would have to get past the Web browser, find a way to get admin rights, and then get out of the VM.

Caveat: Sometimes a rogue process only needs to get user access in a VM if the VM's network is not configured securely. It could scan and get a network topology (IP addresses, router placement) and send that back up, which can be used for a more targeted attack. So, if using a VM for Web browsing, set it to NAT mode where the VM host controls the IP addresses, so the VM doesn't see anything but the host for the gateway.

Re:virus scanners are the devil

[vidnet]

Autorun should have been killed when Windows 95 was still around. It's such an obvious security risk.

Perhaps, but it was also extremely convenient for the common folk. Contrast "Insert the CD and follow the on-screen menu" to "Insert the cd. Click the start menu, point to All Programs, then Accessories, and finally click Windows Explorer. [snip explaining how to determine if your cdrom is D: or E: and how to run setup.exe]".

Once such a system is in place, it's hard for Microsoft to break compatibility ("Windows NT is so stupid, none of the CDs I inserted work!!")

In a better world, the CDs would have been signed from the start, and instead of autorun, you would have gotten some sort of Play button when the signatures checked out. Adding such a feature now would be less fruitful, since anyone who wanted to write a worm would join the masses of existing CDs and software developers set on the old way.

Re:virus scanners are the devil

[ledow]

I don't think that's true at all. The purpose of the web browser is to display content. Thus, almost by definition, any browser that can end up executing arbitrary code by doing so is not doing its job. With Opera, the only avenues are from things like null-pointers, buffer overflows etc. - the usual methods that do apply to *all* software and are covered by your reasoning. You can compromise a plugin, but that is common to all browsers that use that plugin - that's not a "browser" problem (I don't blame Opera if Java is compromisable, unless it's something to do with the way Opera implements Java). However, IE has in the past had any number of ways of executing code directly without the user's knowledge or consent - sadly Firefox followed suit by allowing things like ActiveX on the Windows platform. Those avenues may be fixed now but it's the design that's bad, not just the execution. Still, Firefox doesn't do half as many stupid things as IE has done in its history.

I've used Opera for years, always kept it up to date, and I've actually used it in the past to go to those websites that people hand me and say "Is this safe to click?" - with Opera the worst that happens is you get a download link or something asks for permission to execute... with IE, a VAST proportion of the time, even with automatic updates, the same actions would instantly and without permission start executing code. Try it - set up a virtual machine (on a host you don't care about and on a secured network) and patch IE to the hilt - then go off exploring (googling for pirate games is a good way to flag up some malware websites)... you will get code executions and compromises all over the place. Now do the same in Opera - because it doesn't even *try* to trust things from the web, it will survive a lot better - not because it's less targetted, but because it really doesn't do a lot of the stupid crap that IE has done in the past.

And please don't give me the "IE has more users" crap - any software with a hole can and will be exploited but the fact is that IE is *also* an easy target. If it has more users, then they should/can/do put more developers on fixing it. And that's *NO* excuse for having insecure software - I don't care if the software on my networks has 1 or 1,000,000 users outside my company - I damn well expect it to be secure and to have timely patches to known (and HUGELY announced) problems, especially if I'm paying money for support for it.

http://secunia.com/advisories/product/26745/?task=statistics

vs

http://secunia.com/advisories/product/21625/?task=statistics

The graphs speak for themselves and they only cover Opera 10 and IE 8 - go back into the historical versions and the picture is even more damning to Microsoft.

The simple fact is: stick an idiot user on IE and you *will* get "Advanced Registry Optimisers" and all sorts of crap automatically installing, a lot of the time without any dialogs at all. I know, I just cleaned off *YET ANOTHER* private laptop for the staff where I work where they'd done just that. Stick them on Firefox, the chances are reduced. Stick them on Opera, the chances are reduced again. Yes, an expert on IE can probably circumvent some of those problems with IE but there are some things you just *cannot* stop on IE and there's no *WAY* on Earth I would ever browse around on IE on my networks - it's just so easy to compromise with nothing more than a bit of dodgy HTML.

According to Secunia, 40% of the known, documented and reported security problems with IE 8.0 are still unpatched - only one of those is from 2010, the rest are in previous years. That's just *disgusting* for a major software vendor. How many problems does Opera have unpatched?

v10: 0%
v9: 4% (1 advisory)
v8: 0%
v7: 0%
v6: 3% (1 advisory)
v5 (year 2000): 4% (1 advisory)

So IE actually has a MULTIPLE of th

Re:virus scanners are the devil

[BenoitRen]

The amount of applications that enable documents to interact with its host is not that big. It's certainly manageable. Know your applications, and disable those capabilities.

Re:virus scanners are the devil

[buddyglass]

Refraining from using IE/Outlook is sort of the same rationale as using OS X. Sure it sucks from a security point of view, but less people attack it. So using something like Chrome gives you a measure of "security through obscurity". Though, I'm a little hypocritical in this regard in that I primarily use Firefox.

Re:virus scanners are the devil

[buddyglass]

I tried that once. Oddly, all my Windows apps stopped working.

Re:virus scanners are the devil

[buddyglass]

Unless the compromised website exploits a zero-day exploit in Firefox (or Flash, I guess) that allows remote code execution...I think I'm okay.

Re:virus scanners are the devil

[buddyglass]

That would represent more "effort" than just safely running my copy of XP. So, no. Side note: I used a Mac for Java development for the last 3 years at work, so I'm not "anti-Mac".

Re:virus scanners are the devil

[buddyglass]

True. I also run AdBlock Plus and use Foxit instead of Acrobat Reader.

Re:virus scanners are the devil

[buddyglass]

I was posting more about why I personally don't run AV. For my purposes and given my ability to follow best practices, the performance degradation from AV is a bigger annoyance than the risk of actually becoming infected. I (most of the time) back up my data, so worst case is I have to reinstall Windows and a few apps. Which, honestly, I've never had to do.

Re:virus scanners are the devil

[buddyglass]

I'm pretty anal about performance. If my machine were acting as a bot, spewing out thousands of spam mails or running DDOS attacks, I'm "relatively" sure I'd notice. I'm not opposed to running anti-virus scans in a "one off" fashion, just to give a machine a clean bill of health. What bugs me is the "stay resident" nature of them, and how they tend to bog down everything with incessant on-the-fly scanning.

Re:virus scanners are the devil

[buddyglass]

Avoiding IE or Outlook buys you very little

It means I'm not vulnerable to two common attack vectors. Alternative browsers have security defects, sure. Possibly fewer than IE, but that's debatable. What's not debatable, though, is that they're targeted less frequently.

plus no browser protects you from social engineering attacks

Not being gullible largely protects me from social engineering attacks.

Selecting known "reliable" software from "reputable" sources isnt' effective. Eventually you will violate that rule.

I haven't violated it yet.

Any user thinking they've created an environment so perfect that they don't need AV is just deluding themselves.

I don't think my environment is "perfect". I acknowledge that I'm vulnerable to a drive-by exploit of a zero-day flaw in Firefox/Foxit/Java/Flash. I just consider the risk of that happening to be sufficiently low that the irritation of running AV outweighs its benefits.

Chances are you are infected, you just don't know it.

Doubtful. I've run a couple online scans and they came up empty. Running MBAM in safe mode comes up empty. I can account for pretty much every entry Hijack This! displays. Sure its entirely possible I've contracted a sophisticated root kit and my machine is actually acting as a bot. If so, though, I've noticed zero performance degradation or uptick in outbound bandwidth.

Re:virus scanners are the devil

[Itninja]

True dat. Noscript in FF has eliminated most (all?) the danger of visiting unknown sites. I go, get nothing but pure HTML. I see nothing unless I 'allow' a dozen scripts? Forget it. No well coded site needs multiple 3rd party scripts to function. The only sites I allow are my bank and a few government agencies. And for online shopping I use the 'temporarily allow' feature. Love that feature.

Sysadmin Running Protection Pilot

[jamesyouwish]

I am a a sysadmin running protection pilot from mcafee for my entire office. Were most machines are running XP SP3. My engine version is 5919.0000 and I have yet to see the issue with 72% of my desktops up to date. I currently run Win7 with NOD. Hope all goes well.

For non-Windows-expert family tech-support types

[timothy]

So if / when my dad calls to complain that his Windows machine is broken (I think he runs XP, or perhaps it's the other way around), what should I tell him besides "Hmm. My Ubuntu machines are all fine, and the Mac doesn't seem to be affected ..."

In other words, what's the simple bullet-point list of steps to fix this, for simple folk at home? (Can include visiting neighbors with a thumb drive to download fixes ...)

timothy

DAT

[dmitriy]

C:\Program Files\Common Files\McAfee\Engine\avv*.dat
Nuff said

Remember when....

[Jackie_Chan_Fan]

Remember when Macafee was distributed on BBS's and it was actually pretty good...

yeah...

those days are long gone.

Re:Remember when....

[KStieers]

I was on the McAfee tech support line back then... It was SO nice when your users had half a clue...(getting a modem up an running, downloading a file, downloading PKzip, and then unzipping the app all took at least half a clue back then)

Then they started selling it in stores... I still have nightmares...

Re:Remember when....

[hellop2]

Ever try Thunderbyte av?

Re:Insted of plugging and endless stream of holes.

[bakawolf]

Its installed in firmware in free (or nearly free) devices near you! Its called...Rock.

If you stayed late, you're out of date!

[klashn]

If you stayed late yesterday and got your update for yesterday's dat, at least you won't be affected with the millions of people that were affected when they powered up their systems this morning. By now, they would have disabled automatic DAT update and you'll get to skip this caustic update. I guess it pays to stay late, or at least arrive late to work! :p

Sometimes the cure is worse than the disease

[TheLink]

Heh, I've asked a vendor before how often this sort of thing happens to them (just to see how honest they are and maybe to send a message to whoever is listening).

After all if a hacker/malware causes downtime less often than the vendor's screw-ups, why use the vendor's product? Safer to look for a vendor with a better track record even if they have more false negatives (especially with rare and/or ancient stuff).

There are overheads and performance impacts to using such stuff, in addition to just the price tag (and subscription fees etc). I suspect there's malware out there that's less harmful than running McAfee or Symantec ;).

Re:Sometimes the cure is worse than the disease

[Kvasio]

Safer to look for a vendor with a better track record even if they have more false negatives (especially with rare and/or ancient stuff).

Don't you underestimate the power of Dark Avenger

Re:Sometimes the cure is worse than the disease

[TheLink]

Don't underestimate the impact of AV or IPS software going nuts.

Don't forget that AV software costs you ALL the time when it's installed in "real time" scanning mode.

Re:Sometimes the cure is worse than the disease

[nabsltd]

Don't forget that AV software costs you ALL the time when it's installed in "real time" scanning mode.

Most AV software can be configured to only scan on write, instead of on access.

This is a big help for the vast majority of cases (like loading a program, which would require no extra work), but still can be an unnecessary burden if you have a lot of files being written that can't really be virus carriers (e.g., log files).

Re:Sometimes the cure is worse than the disease

[gilgongo]

After all if a hacker/malware causes downtime less often than the vendor's screw-ups, why use the vendor's product?

You should probably also add the number of times that an attack has got past the product. I remember ExploreZip and the "I love you" virus bringing our network down within months of each othe. We were paying top dollar for protection that didn't work.

Re:Sometimes the cure is worse than the disease

[calzakk]

In that case just make sure it only scans infectable file types (exe, dll, ocx, etc.), it's pointless scanning text files.

Re:Sometimes the cure is worse than the disease

[beav007]

Personally, I think that identifying Windows services as harmful is right on the money...

Re:Sometimes the cure is worse than the disease

[nabsltd]

There are a lot of "text files" that are really interpreted code, like JavaScript.

I really don't want to spend the time whitelisting "safe" text files when there's not that much of a loss of speed for scanning a few writes to those files.

Re:Good thing I auto-update on Fridays!

[Khyber]

"So uh, anyone know how to disable McAfee completely?"

Wipe Windows completely and reinstall from a fresh disc without all the crapware added.

Fix it....go to best buy, get flash drives....

[jswackh]

You will need another/previous .dat file for McAfee named extra.dat 1. Reboot machine into safe mode (WITH networking) 2. User needs to log into machine (or someone with admin rights logs in) 3. Plug in USB drive 4. Go to CMD window 5. CD to USB Drive (root) 6. Execute this command ‘extra.bat” 7. Click “tools” and then “unlock interface” 8. enter your admin password if needed. 9. Double click “Quarantine Manager Policy” 10. Click “Manager” tab 11. Find latest infection of “W32\Wecorl.a” 12. Right click on infection, click “Restore” 13. Click “Yes” 14. You should get message “All items restored” 15. Reboot – CTRL – ALT – DEL 16. Click “Shutdown” and then “Restart” extra.bat: copy extra.dat "c:\program files\common files\mcafee\engine" "c:\program files\mcafee\virusscan enterprise\mcconsol.exe" If you get an error about file in use while restoring svchost.exe, go to "safe mode command prompt only", and rename c:\windows\system32\svchost.exe to svchost.old, then you can start at step one and it will let you restore from quarantine

Re:Fix it....go to best buy, get flash drives....

[thsths]

And you have exactly 60 seconds to do that? :-)

Re:Fix it....go to best buy, get flash drives....

[Coren22]

start -> run -> shutdown -a

Re:Good thing I auto-update on Fridays!

[bakawolf]

http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe
McAfee Removal tool.

So they don't do any QA at all then?

[nedlohs]

XP SP3, it's not exactly uncommon...

Re:So they don't do any QA at all then?

[gestalt_n_pepper]

As a QA guy, I can tell you from experience at past companies (not the present one, thankfully) that some dimwitted middle manager was in a hurry to make a deadline. You get to pay for that.

Re:For non-Windows-expert family tech-support type

[DjMd]

http://isc.sans.org/diary.html?storyid=8656
Basically it looks like command line

shutdown -a (to stop the autorestart)

Put SVChost.exe back in place (out of the quarantine )

and disable McAfee...

My Experience

[jibster]

I work at a major chip manufacturing plant. At 4.10 I was conferencing with another fab when all our PCs shutdown. 10 minutes later the place was in chaos. Now don't get me wrong the fab keeps going but my god the cost to the company of this. Say 10 sites world wide with 2-5k employees each the majority of which can't do any meaningful work. McAfee have a lot to answer for.

Re:My Experience

[ledow]

I think the people who have software that autodeploys updates to 20-50k employees without getting a say in the matter (i.e. testing, change management, etc.) have a lot more to answer for. When the software that supposed to *save* your productivity by preventing viruses ends up doing this to your sites, it's time to just throw it in the bin.

Re:My Experience

[jibster]

I'm not a USAer - not that there is anything wrong with that. Don't you find that people who make baseless assumptions sound like children.

Re:My Experience

[Jorl17]

McAfee have a lot to answer for? Spare me! They only want the money, and they'll fuck whoever they have to to get it.

Re:My Experience

[WarlockD]

Well, that might make sense to a company that has been burned before on this kind of thing (Nokia has some annoying software policy's BECAUSE of security failures in software over the last 20 years).

Look at it from someone who just started, lets say 10 years ago. You buy McAffee because of general reputation. It has decent coperate monitoring tools. They also offer decent protection for the cost. By buying with a "big vendor" you ASSUME they do a quality test first before any anti-virus patch goes out. Its why you have the system do auto updates from McAffe because of that trust.

That, and if McAffee DID screw up on a patch it would practically ruin them. So you feel safe investing in them.

This kind of story happens once every few years. Some major vendor (Norton, Microsoft, etc) has a VERY serious issue that kills the business for a few days. Then all the company's make policy's around protecting themselves from said vendor. (ie most company's do tests on ALL Microsoft patches and prevent auto updates) I think cooperation are children. They learn by trial and error:P

Re:For non-Windows-expert family tech-support type

[petermgreen]

From a comment on TFA

"One fix is to delete the bad DAT file the client at "C:\Program Files\Common Files\McAfee\Engine". Delete any av*.dat. Then reboot and the old DAT should be grabbed."

Re:For non-Windows-expert family tech-support type

[aicrules]

Step 1: Disable McAfee entirely. If you can't because of how affected the computer is, copy the svchost.exe from C:\windows\system32\dllcache up to directly in system32 and then start the DCOM service and others that failed to start because of this. Then disable McAfee entirely.

Step 2: Reboot and uninstall McAfee.

Re:Double ouch.

[Jeng]

A quick google on the subject brings up many other testing that ranks norton below the ones I mentioned.

So it would all boil down to whom you believe, who is the least beholden to their advertisers?

And Norton and McAfe spend TONS on advertising.

Re:Black Wednesday

[GNious]

True, but business needs dictate software requirements. So that decision is out of my hands (but believe me, I'd LOVE to run an office full of Linux computers)...

Interesting.
We're forced to use Windows on Dell laptops, though I can see no business needs for it, nor any technical requirements (SaaS suites are used, and our various applications are almost all running on some Unix derivative). Our Exec team are all using OSX, showing that non-techies are quite able to do their business without Windows. Even then, there is no way in hell we'll get away from Windows, and almost as little chance we'd get away from Dell even if everyone in Internal IT hates Dell.

Re:Double ouch.

[TheLink]

> AV-Comparatives' last testing round ranked Norton as the best product on the market

But do they take into account the false positive track record?

That's a relevant point here. I believe Norton/Symantec have also had similar high-impact false positives.

If Antivirus software "A" detects fewer viruses than Norton but only misses out the rare and old ones (e.g. from the DOS era), has been around for years and had zero high impact false positives, I'd prefer it to Norton even if Norton has the lowest false negative rate (highest detection).

I'd prefer it if O/S bunch made more progress towards better sandboxing[1] technologies.

Currently users and AV software regularly have to figure out whether something is malware or not - this is like solving the halting problem without seeing the source code, and without knowing the complete inputs.

[1] I've made some suggestions, they're not exactly easy to implement but easier than solving the halting problem ;).

Too bad it wasn't ClamAV this time.

[Orbijx]

I bet that after seeing what McAfee can do when it screws up, they won't bitch about what ClamAV did.

(for those who need the summary: ClamAV pulled an update that caused it to shut itself down if it was version 0.94 or older after announcing ~6 months in advance that people needed to update, and kept filling log files with warnings to update. McAfee is breaking a Windows component that causes the entire computer to not function, with a less obvious warning, left for the reader to figure out. The hint is the first word in the previous sentence.)

Some versions of McAfee, not others

[proxima]

Based on what we're seeing and reports from the internet, McAfee 8.0 and 8.5 are unaffected by this problem, while versions 8.7 and 8.9 are. It's also XP specific. Still, that combination has to be a very large number of computers worldwide.

Re:Double ouch.

[jimicus]

Most AV companies have a range of products which are frequently entirely unrelated to each other.

Symantec have Norton (terrible), Symantec Enterprise (actually not too bad, although it's being obsoleted in favour of Endpoint Protection) and Symantec Endpoint Protection (which requires a Windows server even though it's a Java application which installs Tomcat and Apache in order to operate).

McAfee have a home product, an enterprise product and a "serviced" product (fairly standard managed AV product only you don't have to set up your own management server because they run it themselves).

Can't speak for others but quite often by the time you've whittled your requirements down you often find that your application choices are a lot more limited than a first glance would suggest.

More downside to malware than just downtime.

[diverman]

I agree that it raises question as to why one should use them, but "down time" is not the biggest threat out there, if you wanna talk loss/cost. While one's time is valuable, I'm thinking that their bank account information, passwords, etc, might be slightly more valuable to them. Personally, I think good secure end-user practices is the best protection, I do think that a good A/V program is needed.

So, while there is malware out there that is less harmful, more of the malware out there is much MORE harmful... if you disagree, please provide your financial account information, or contact me to transfer all funds to a secured off-shore account... maybe buy me a new car too! ;-)

But seriously... this is really bad, and REALLY stupid. But having no protection for most users risks damaging them in ways worse than a few hours of time to manually fix their issue. And from a corporate perspective, loss of sensitive information is a BIG deal and can cost a LOT more. And that's just talking about data loss. Being part of a botnet to help facilitate financial fraud and other badness... that's also double plus ungood... and irresponsible to not take measures to help keep your computer from playing a part in those crimes.

Anyway... I agree it raises question... but there more downside to malware than just downtime.

How does this happen?

[Jayws]

What I want to know is how does something like this happen? You would think McAfee takes their new patch and tests it to make sure that it doesn't cause this type of annoying issue. How does something like this slip through the cracks?

Next Up! Norton to ID McAfee as a Virus!

[Mekkah]

Next Up! Norton to ID McAfee as a Virus!

Running "shutdown -a" will stop the reboot

[gestalt_n_pepper]

long enough for you to become utterly frustrated that there's no easily downloaded fix from McAfee.

Re:Double ouch.

[Jazz-Masta]

Norton, McAfee and Trend Micro have very solid products that allow for remote management, deployment, updates, forced scans, etc.

Avast (which I use at home) does not have all of these features yet. I can tell you that when dealing with hundreds of machines, having that dashboard for antivirus saves many hours of time. You can run more frequent scans on problem machines, or allow more/less freedom with the click of a button. Many of the products also have URL blocking (by category), email attachment filtering through Exchange plugins, etc. One feature I like about Trend Micro is the "behaviour" plugin, which flags anything out of the ordinary - such as accessing files, programs, or drives that they haven't before.

Corporate networks also typically have edge firewalls that will catch many of the malware infested URLs, email attachments, etc that cause problems. For many businesses 200+ computers, the Windows-installed Anti-virus software is actually the last line of defense. Often times the loss of productivity of a couple viruses getting through isn't worth the extra $$ invested in more products or a "better" product with less management features.

Licencing is also a plus. While Norton, McAfeee and Trend Micro are expensive initially, additional licences for a large number of computers and renewal licences each year actually make it less expensive than others such as Avast and Panda.

I feel sorry for their phone support staff

[MartinSchou]

Not only do they have to listen to people bitch (rightfully), but since they're likely running Windows XP + McAfee, they can't use their logging tools (meaning they have to do it by hand and then log later), can't get online updates when solutions are available etc.

Re:I can attest to this horror.

[ledow]

Nice change management you have there.

Re:Wonder what microsoft paid for this?

[kwandar]

We have hundreds of systems down. We were looking at Avira in any event as it was lighter, but now we are moving there at warp speed. Mcaffee's quality assurance really screwed up on this. Major problems worldwide.

Meanwhile

[JustOK]

John McAfee, eccentric bad-boy founder of the McAffee antivirus company, is in Belized: http://www.boingboing.net/2010/04/21/lawsuit-plagued-mcaf.html

Marketing

[Andy+Dodd]

Subject line says it all...

SVCHOST

[DarthVain]

Back when I used to run a pirated copy of Windows XP I used to get a particular virus all the time. What it did was mimic SVCHOST and use your computer, presumably as a botnet zombie. In some instances you would get a whole bunch of SVCHOST running. However the trouble was, one of those is a legit Windows service. Kill the right one, and you computer speeds up, kill the wrong one, and your computer grinds to a halt.

It sure sounds like they were trying to target that virus (years too late) and killed the wrong process. I remember after killing my computer a few time finding a procedure/method that would work online. However after awhile XP started getting so many viruses, it was just easier to do a clean install every few months. Eventually I got so fed up with it, I used Linux until I bought a new machine and bought a copy of Vista.

Anyway I remember the SVCHOST virus as it really used to piss me off. Many times you could just kill the process that was eating the most cycles as for the most part the Windows process didn't require many resources... however if you just happened to look at it at the wrong time when it was doing something and killed the wrong process... well not good.

Re:SVCHOST

[clone53421]

svchost is a generic process wrapper, like rundll32. It isn’t svchost itself that is the virus. (Probably.)

Re:SVCHOST

[maxume]

Process Explorer does a nice job of showing what services are hosted by each instance of svchost.exe:

http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

Re:SVCHOST

[DarthVain]

Interesting and insidious... I always just assumed that it was some important windows service/process and that the virus just named itself that to escape detection. Generic process name eh? Brutal.

Re:SVCHOST

[clone53421]

There’s a tool called Process Explorer that will show you what service a svchost.exe process is running. Search for it on the Microsoft website.

Re:Double ouch.

[alzoron]

Reasons I've seen:

They advertise the best. Most people in management positions won't go with something they've never seen in an ad on T.V.
"If it's so good then why haven't I ever heard of it?"

They cost the most.
"Something that cheap couldn't possibly be any good."

Re:Wonder what microsoft paid for this?

[poetmatt]

I think your first mistake was looking at Mcafee. Your second is looking at Avira. The proper solution is to look at Clamwin, as it's free and will enable you to have more flexibility in making it do what you want.

Re:Wonder what microsoft paid for this?

[Enderandrew]

McAffee may be the worst major anti-virus vendor on the planet. I never understand why they are so popular, except for that the fact that they have some name recognition.

Re:For non-Windows-expert family tech-support type

[pushing-robot]

Actually, it says right in the summary:

An IT person will have to touch all affected PCs.

If you see a glow, it's working.

Correct Detection?

[Spad]

Given that svchost is the Windows host process for services it makes me wonder whether it may turn out that this is Windows Update Rootkit BSOD style issue, where the affected machines actually *do* have some malware that is running under the svchost process and McAfee is just being rather over zealous in how it deals with the problem.

Re:For non-Windows-expert family tech-support type

[Sir_Lewk]

Basically it looks like command line

Gasp!

This is why windows will never 'Be Ready For the Desktop'(tm).

Re:Wonder what microsoft paid for this?

[poetmatt]

to clarify, avira will help, but so can clamwin. it's up to you as to when you use what. Honestly anything other than symantec or mcafee is a better decision for the most part.

Re:its crap-ware

[net28573]

not all symantec software is bad. i have had experience with norton antivirus, internet security and other stand alone single minded programs which admitedly are pretty much a coin flip. the one product i have seen as the best altogether is norton 360. despite its higher than average price, it has been working since the beginning. i used norton 360 on a machine that was infected with 3 worm variants each having multiplied hundreds of times within the computer. when it finished with the scan it went from a slow useless device to a working machine. i tend to dive pretty deep into unsecured areas to get what i need too and all the different virus scanners i use (i use many scanners but only norton 360 to remove them) have turned up 0 virus /spyware/malware infections. hell i even wanted to examine a new viruse's code and it wouldnt even let me download its quarantined version. ive been using norton 360 for 3 years now and i havent had a problem since.

Re:Black Wednesday

[History's+Coming+To]

Given that you usually have to pay for a paper and pencil, even if it's a nominal amount, I don't quite get you?

Re:Wonder what microsoft paid for this?

[spidercoz]

because it comes pre-bundled into every machine from just about every major vendor, and people are too lazy and stupid to find/get something better

That was what I suspected

[damn_registrars]

I saw that Windows XP boxes all around me were stuck in reboot loops. Someone asked me about as "svchost.exe" virus that their system was "identifying" at boot (or later if it was up for a while). I compared their "svchost.exe" to the same on a system that wasn't running McAffee and saw they were the same date and size. I had one important system running XP that was stuck in the same reboot loop; I rebooted into safe mode and moved McAffee out of the way (so it couldn't start itself up on boot) and life was back to normal.

Apparently the problem has since been "resolved" at the enterprise level. I presume it involves new virus definitions, but I'm not sure of that. With the exception of a couple of PC's connected to instruments that are critical to my research everything I use is in Linux, IRIX, or OS X.

Whew...

[Chysn]

Early analysis leads us to believe the false positive only occurs on WinXP workstations with SP3 installed.

At least the problem is restricted to the tiny subset of the user base that just happens to have exactly that crazy perfect storm of a configuration.

Re:Whew...

[O('_')O_Bush]

Yea, WinXP only makes up 58% of the world market share. (http://www.w3schools.com/browsers/browsers_os.asp)

I suspect that thanks to an aggressive auto-update campaign, the vast majority of those are SP3.

Re:Whew...

[SuiteSisterMary]

Looks like McAfee's also quarantined sarcasamdetector.dll in certain hosts.

Re:Wonder what microsoft paid for this?

[lukas84]

Clamwin doesn't have an On-Access Scanner.

Re:Wonder what microsoft paid for this?

[LinuxIsGarbage]

Clamwin doesn't have real-time protection, which you need for idiot users in a corporate environment, and I've never seen anything report on the effectiveness compared to other suites.

Re:Double ouch.

[futuresheep]

Avast and Panda both have management servers with realtime monitors, remote installation, policy enforcement etc...

http://www.avast.com/fr-fr/distributed-network-manager

http://www.pandasecurity.com/usa/enterprise/solutions/adminsecure/

Re:I smell a class action suit

Class action lawsuit with a settlement for a one dollar McAffee credit for all affected users?

You forgot the important one

[damn_registrars]

* Don't log into your PC as administrator unless you absolutely need to. Most Windows viruses need administrator privilege to install and run. If you aren't running as administrator, most viruses won't be able to do anything.

Re:You forgot the important one

[david_thornley]

* If you do get to decide on accounts, never give anybody just an administrator account. Give that person a slightly restricted account also, and encourage use of that. I have two choices on this computer: run as administrator, or log out and get nothing done.

This backs up my view.

[SCHecklerX]

Anti-virus itself is a virus, and is no replacement for education. Even a properly configured and updated anti-virus program will not detect things in the wild that are not yet in their lists (quite common, as my prior company used to quarantine things and see if they were detected later). And it only takes one.

So,
is all of the overhead, conflicts, and other general performance and system problems caused by the anti-virus software itself worth it? IMHO, no. Yes, I know users are idiots. But you cannot fix broken social and education problems with technology. How about more strict policy, education, and enforcement instead?

Re:This backs up my view.

[Spad]

Even a properly configured and updated anti-virus program will not detect everything in the wild that are not yet in their lists

Fixed that for you.

Any AV worth its salt has had reasonable to excellent heuristic and adaptive detection, that will catch a lot of "unknown" malware based on its behaviour, for several years.

Re:This backs up my view.

[pclminion]

Enforcement? What do you mean? Get infected, go to jail?

dodged a bullet

[Drake4551]

Good thing I switched to Norton!

Forget svchost.exe

[organgtool]

I wish it would kill System Idle Process. That thing is always using 99% of my CPU - idle my ass!

Re:Forget svchost.exe

[magarity]

is always using 99% of my CPU
 
The problem with that one is that it scales UP; it used to take 98% of my CPU then I got dual core and now it uses 99%. I bet if I get one of the new 8 cores it will round up to taking all 100%. Cursed thing!

Which costs more

[SnarfQuest]

I wonder if anyone has done any studies on which costs more.

Downtime due to all the virus, or the downtime and slowdowns caused by the virus scanners.

Re:Which costs more

[damn_registrars]

Downtime due to all the virus, or the downtime and slowdowns caused by the virus scanners.

Quite possibly the latter. I know of one system at my work that for some stupid reason is set to do a full virus scan of the entire hard drive everytime it reboots (regardless of how long it has been since it last rebooted). And the virus scan itself is so CPU/RAM intensive that the system is pretty well unusable while scanning - hence the system is unusable for a solid 10 minutes after rebooting.

Oh, and to make it more interesting, the virus scanner won't start until someone logs in. So you have to reboot, then log in, then go get coffee. If you're lucky, the system will be usable by the time you're back.

And yes, that's McAffee enterprise edition.

Re:Wonder what microsoft paid for this?

[Attila+Dimedici]

McAffee may be the worst major anti-virus vendor on the planet. I never understand why they are so popular, except for that the fact that they have some name recognition.

No, that would be Symantec (although McAfee is a close second).

Intel down?

[KingTank]

Somebody with connections at Intel just told me Intel is "down" due to a "virus". I wonder if this is the real reason.

Re:Intel down?

[treeves]

I can't believe they'd use McAfee. Really? Naaaaah.

Are you sure it's not a virus?

[wonkavader]

I've never liked SVCHOST.EXE anyhow. I'm glad it deletes it.

Re:I smell a class action suit

[Attila+Dimedici]

This won't be a class action lawsuit, most of the computers effected are corporate. Corporations don't as a general rule do class action lawsuits. They want a direct peice of the action.

McAfee botching damage control

[Animats]

The story just hit ABC News, via the Associated Press: "McAfee Antivirus Program Goes Berserk, Reboots PCs" There are stories on the Huffington Post and NextGov. The story just broke into mainstream news in the last hour. It just hit the New York Times.

There's nothing on McAfee's home page about this yet. No items in their "News" or "Threat Center" or "Breaking Advisory" sections. There's supposedly a McAfee Knowledge Base article, "False positive detection of w32/wecorl.a in 5958 DAT", but their knowledge base site is overloaded. When it eventually loads, there's a download link to a patch. But there's nothing like an apology. All they say is "Problem: Blue screen or DCOM error, followed by shutdown messages after updating to the 5958 DAT on April 21, 2010."

McAfee has botched their damage control. They should be out there apologizing. Meanwhile, you can watch McAfee stock drop.

Re:McAfee botching damage control

[CountZer0]

I work in the financial industry, and this issue caused significant disruption to trading floors throughout Wall Street. Traders are generally quite upset with McAfee right now, so it makes sense that their stock is dropping :)

Re:McAfee botching damage control

[Cro+Magnon]

You think it's dropping now? Just wait until more of the traders get their computers working!

Re:McAfee botching damage control

[shutdown+-p+now]

I suspect the reason is that no-one wants to take up responsibility for saying something wrong, so to speak. It is already clear to everyone that this will hit McAfee reputation very badly, and a careless word can bring it to the whole new level.

Re:McAfee botching damage control

[Z8]

There's a summary and apology now on their site and it's linked from the front page (albeit not in huge letters). I'm not saying this is good enough, just providing an update.

Anonymous Coward

Yup - My contacts at Intel say they are down accross the board - more accuartely across the world (thats over 110,000 workstations folks). Employees are being advised to use their laptops and to make sure that they are not plugged into the network.

Re:Wonder what microsoft paid for this?

[delta98]

fwiw Avira is a good program and plays well with AVG.

Re:Double ouch.

[Spad]

And according to Virus Bulletin, they're one of the worst for proactive detection and about average for reactive detection.

It's never good to only use a single source for these things.

Re:For non-Windows-expert family tech-support type

[SCHecklerX]

put *them* on ubuntu?

Thank god....

[FunPika]

Comcast decided to start providing Norton instead of Mcafee to its customers.

Re:Thank god....

[iceOlate]

Oh boy, Comcast must have gotten paid well by Norton to unleash that load of crap on their customers. For the clueless consumer who chooses either McAfee or Norton, here's a good analogy. Its like trying to decide between two big piles of shit, and making your decision based upon which one doesn't smell as bad. McAfee and Norton: They are both shit, and they both stink!

There are way better choices out there, but those companies don't waste billions on advertising every year, they actually put more money into development.

Re:Good thing I auto-update on Fridays!

[kent_eh]

"So uh, anyone know how to disable McAfee completely?"

Perhaps the next version will do everyone a favor and quarantine "scan32.exe".
Imagine how much more powerful the typical office machine will seem.

Re:Black Wednesday

[gothzilla]

There is a lot of business software that runs only on windows so the whole "just switch to linux" thing is quite impossible in many cases. Of course the problem here isn't windows, it's McAfee, but don't let that stop you from pretending that linux is superior to windows in every way.

The needs of the business dictates what O/S is used. Sometimes linux is best, sometimes windows is. If I acted like a fanboy and let my personal bias overrun the needs of the company then I wouldn't have a job for very long, and neither would a lot of other people in I.T.

In my case it's pretty easy though. The software doesn't exist for linux that could fill our business needs so switching from windows to linux would be a horrible choice, ruin the company, and put a lot of people out of work.

Remember, dreaming is free...until you forget your dreaming.

Our fix method

Our fix method is as follows:

Download the extra.dat file from http://download.nai.com/products/mcafee-avert/wecorl/extra.dat and put it on your favorite removable media.
Reboot into safe mode.
Control-Shift-Esc to access Task Manager.
File, Run, cmd to access Command Prompt.
Copy extra.dat to C:\Program Files\Common Files\McAfee\Engine
Copy C:\windows\system32\dllcache\svchost.exe C:\windows\system32 (and overwrite).
Reboot into regular mode.

re: why still popular?

[King_TJ]

I switched our company over to Kaspersky from McAfee Corporate last year (and sure do feel good about that decision right now!). But honestly, I think almost ALL of these products eventually cause problems.

Kaspersky has frustrated me repeatedly because some of the workstations seem to get "out of sync" with the centralized management console, every so often. They'll show an icon saying their anti-virus signatures are out of date and complain about BLACK.LST being damaged or missing. (This is Kaspersky's cryptic and misleading error message that's really trying to tell you the client believes it's not properly licensed anymore, so it's refusing to take updates.) If you force an update manually from the console, you can usually "kick start" it back to life. But it's an annoyance I shouldn't have to deal with!

For free home anti-virus, I currently recommend Avast to most people... but again, I realize this is subject to change at any time. I used to love AVG, but then they went and pulled the stunt of generating tons of Internet traffic with their web-scanner they added, and the product started having major bugs doing upgrade installations from v8.x to v9 on some machines. (You had to jump through a bunch of hoops, manually editing registry entries or running a script they made to purge old ones, before you could get it to install properly.)

I have to wonder...

[Alioth]

I have to wonder what controls the various AV companies have to prevent a malicious signature be inserted - for example, someone deliberately doing something like this (but hitting all versions of Windows).

It's not just McAfee that's had this particular style of false-positive problem - Symantec also falsely identified a legitimate part of the Windows 2003 Server resource kit as malware. Fortunately in Symantec's case the damage was very limited.

Did you know?

[lavamind]

European air traffic systems run on Windows XP with McAfee.

Re:Black Wednesday

[onkelonkel]

By God, you're right!

Your wise advice has galvanized me to action!

I am switching the entire company over to Linux this very instant.

Just as soon as I find the AutoCAD for Linux install CDs.

consumer electronics

[Weezul]

Apple has their sights firmly focussed upon the consumer electronics world, which ultimately makes Mac OS X and the iPhone problematic for most businesses. Ever see a company using iCal? pure lolz! If your company could successfully run on Mac OS X, then they could equally well run on Linux, and you'll need to consider various finer details.

In any case, all the unixy central administration tools are far more powerful that similar windows tools, therefore many companies could benefit enormously from exploring desktop Linux and Mac OS X, but many users depend upon Microsoft only features.

Re:consumer electronics

[buddyglass]

The place I used to work (small company, ~15 employees) used Macs exclusively for our developer boxes. The HR/Sales/etc. folks were also given Macs. Our production servers were either Linux or Solaris.

Re:Wonder what microsoft paid for this?

[poetmatt]

sad but true.

How We FIxed this issue:

[delascabezas]

Added updated .dat file from McAfee to a keydrive, so it can be moved to c:\program files\common files\mcafee\engine. If machine is stuck in "no taskbar" mode, that is because svchost.exe has already been quarantined. If you right-click on the mini-taskbar, you can open taskmanager, then open a command shell by creating a new task, then typing "cmd" (sans quotes) in the popup prompt. Once you have a command window, you can xcopy the .dat file. Reboot the pc.

Copy the file svchost.exe out of this zip file to a key drive. You can then copy it to c:\windows\system32. Reboot and you should be OK.

If you are on xp sp2 or greater, you should be able to tab-complete paths for your xcopy command. THis means you start typing, then hit the "Tab" key on your keyboard, to help autocomplete the path/filename you are looking for. if you don't have tab, remember to put your path for c:\program files\... in quotes, since windows can't execute a command that has a space in it without them being wrapped in " ".

If you don't know xcopy, here is a fast man page.

Re:How We FIxed this issue:

[pclminion]

Did you seriously just post a link to a zip file containing a .exe and suggest that people copy this program into their system32 directory? Look at the ground -- I think your brain may have fallen out.

Re:Black Wednesday

[jonbryce]

I use Linux whenever possible, which means that one computer in the office has it.

Alas, poor McAfee..

[Haidon]

It's days like this that make me glad I set our ePO server to wait a day to distribute new DATs. I've been considering an AV change, this seals it!

Re:Double ouch.

[desertjedi85]

A lot of major companies (and the government) get a big discount if they go with McAfee or Norton. Right now most of DoD using McAfee to "save" money

Re:This just confirms my feeling...

[Spatial]

Ah. So it was just friendliness and fellowship with its own kind all those years, and not security problems.

Re:Wonder what microsoft paid for this?

[drew127]

Don't be a typical smug IT guy. You really think the average consumer is going to go buy a PC and think, "Hey, let me research this anti-virus thing. I think McAfee might suck." No. Why would they do that? Isn't that why they are coughing up the big bucks to begin with, so that they don't have to? Weather or not they have valid reason to worry is beside the point. Don't call them stupid though. I can't stand the stigma attached to IT guys, but alot of the times the stigmas are valid.

Quick Fix

[NVP_Radical_Dreamer]

From EPO disable the update task > Head to clients that already got the update and bring up the av console and click Tools > Rollback DATS and restore anything svchost

Re:Double ouch.

[Jeian]

Nod32 conflicts with a different Windows component, GDI32.

*ducks*

Sigh

[drcosquared]

This brought down all the computers at my university.

Re:Sigh

[Lord+of+Hyphens]

Hehe, slammed my university too. Wonder if it'll affect the decision campus IT makes regarding renewing the contract at the end of the fiscal year more than inertia/kickbacks/fellatio.

I'm also quite pleased with myself that I called the "false positive" scenario when the issue was first noticed here.

Re:Wonder what microsoft paid for this?

[spidercoz]

Alright, ignorant then, and willfully so. They don't want to know how to do anything properly, they just want it done now and get all pissy with me when they fuck it up. God forbid they actually take the time to learn something.

After seeing how the "average consumer" uses and treats their computer, and having to fix it after the fact, it's hard to NOT feel resentment towards them. It's not personal, I just despise what they represent, willful ignorance.

Re:Good thing I auto-update on Fridays!

[wastedlife]

Go to add/remove programs and uninstall it. If that doesn't work or it leaves shit behind follow this:

https://kc.mcafee.com/corporate/index?page=content&id=kb50602

Then, you will need to get something new.

-NOD32/eset has a long history of doing extremely well in most antivirus testing that I've read about. However, it is not free.

-AVG used to be an excellent free AV, then a mediocre one, then a malicious one, then mediocre again, and now I hear it is still improving.

-Avira has an excellent free AV that I have been using regularly since AVG started to slide downhill. The downside is an ad that comes up for the pay one when it updates.

-I have also heard some good things about Avast (free), Windows Security Essentials (free, shockingly), and Trend Micro (not free).

Reinstall may be necessary

[mister_playboy]

The tool probably fails because it is only for Home versions of McAfee. You may be forced to do a wipe and reinstall. These programs often refuse to be uninstalled as a "safety measure" so they can't be deleted by viruses. My school used Sophos and I simply could not get it off the computer later without a full reinstall.

I would recommend you try Microsoft Security Essentials as your replacement... good luck!

Update to the update

[sootman]

I wouldn't consider this "easy to follow"--I can't make heads or tails of it at all! ;-)

Your PHP installation appears to be missing the MySQL extension which is required by WordPress.PHP Warning: PHP Startup: Unable to load dynamic library 'C:\Program Files\PHP\ext\php_gd2.dll' - The paging file is too small for this operation to complete. in Unknown on line 0 PHP Warning: PHP Startup: Unable to load dynamic library 'C:\Program Files\PHP\ext\php_gettext.dll' - The paging file is too small for this operation to complete. in Unknown on line 0 PHP Warning: PHP Startup: Unable to load dynamic library 'C:\Program Files\PHP\ext\php_gmp.dll' - The paging file is too small for this operation to complete. in Unknown on line 0 PHP Warning: PHP Startup: Unable to load dynamic library 'C:\Program Files\PHP\ext\php_imap.dll' - The paging file is too small for this operation to complete. in Unknown on line 0 PHP Warning: PHP Startup: Unable to load dynamic library 'C:\Program Files\PHP\ext\php_mbstring.dll' - The paging file is too small for this operation to complete. in Unknown on line 0 PHP Warning: PHP Startup: Unable to load dynamic library 'C:\Program Files\PHP\ext\php_mysql.dll' - The paging file is too small for this operation to complete. in Unknown on line 0 PHP Warning: PHP Startup: Unable to load dynamic library 'C:\Program Files\PHP\ext\php_exif.dll' - The specified module could not be found. in Unknown on line 0

(It's really funny because those are, in fact, instructions on how to fix something on Windows.)

Plug-ins

[DrYak]

ClamWin *itself* doesn't have an on-access scanner but...

• External apps :
  • External packages clamsentinel can automatically scan files upon modifications
  • And software packages like WinPooch can, among other stuff, hook the "execute" and "open" OS' functions to scan files before accessing them.
• Plug-ins :
  On the other hand, there are numerous plugins to hook clamwin to, so you can check for virus at their point of arrival.
  (On the client's side there are Firefox and Outlook plugins, on the server's side there are Samba plugins)

but personally I supplement always ClamWin with a 2nd antivirus featuring a on-demand scanner.

ClamWin&Plugins +Avira or +AVG.

Um, what?

[mister_playboy]

We have comments blaming McAfee from Windows users and comments making fun of AV software in general from other OS users.

Where are you seeing comments blaming Microsoft?

Boogershite

[veeoh]

Oh this is great. We signed a contract last week to support a 5000 desktop client with EPO and VSE - oops. Hope it's quiet at work...

Re: why still popular?

[Nick+Ives]

For free home anti-virus, I currently recommend Avast to most people... but again, I realize this is subject to change at any time.

What's wrong with Microsoft Security Essentials? It seems good enough...

Re:Wonder what microsoft paid for this?

[thrawn_aj]

Alright, ignorant then, and willfully so. They don't want to know how to do anything properly, they just want it done now and get all pissy with me when they fuck it up. God forbid they actually take the time to learn something.

I agree. If more people take the time to learn this stuff, at least we won't have to listen to IT guys rant about this stuff anymore. Hell, non-IT companies might even be able to cut down on their IT funding and use the money for stuff that's actually related to their business.

While I'm dead serious about the stuff I wrote above, I'm flummoxed that IT guys are resentful about the thing that's keeping them employed. That's like auto mechanics being resentful about how little car owners understand their cars. Amused, yes. Irritated, yes. Resentful? LAWL

Bulletproof

[samsonaod]

It's all just part of McAfee's new and improved system hardening technique. Look ma no viruses!

Effectiveness

[DrYak]

Clamwin doesn't have real-time protection, which you need for idiot users in a corporate environment

As said in my above post, even if clamwin it self doesn't, other software package can provide the on-demand part or can be used to scan suspicious files at their point of entry.

and I've never seen anything report on the effectiveness compared to other suites.

There are a couple of tests floating around, some mentioned on /. other on ClamAV's own site.
In short : ClamAV might not detect as many old legacy threats as other products, it has nonetheless a damn good response time against new threats. (And they are more honest: they don't cheat with signature file's version numbers in order to artificially appear having better response times).

That's why it's rather popular on mail servers (which nonetheless usually use several anti-virus solutions): they don't care if ClamAV doesn't detect all MS-DOS viruses from the 90s, as long as it is super-fast against new worms out-breaks, and it's free to add as an additional protection layer.

Re:Black Wednesday

[Dogtanian]

Given that you usually have to pay for a paper and pencil, even if it's a nominal amount, I don't quite get you?

I think he was implying that fresh air doesn't meet the minimum requirements for most Linux distros, you need a computer or something.

Damn bloatware.

McAfee responds - by shutting down forum

[Animats]

Computerworld reports that McAfee has reacted to user complaints by shutting down their support forum. The forum seems to be back up now. That was an extremely dumb move to pull after the story was already in the New York Times, Business Week, and on TV.

Many frantic users in the forum. The big losers are the enterprise users who bought into McAfee's premium services, with automatic corporate-wide updating. There's no fully automatic, reliable fix yet for systems already damaged. In some cases, it's apparently necessary to bring in a new copy of "svchost.exe"; the one in quarantine is bad.

This points up a major risk to US computer infrastructure. Any program with remote update is potentially capable of taking down vast numbers of systems. Ones like McAfee or Windows Update, which deploy updates to all targets simultaneously, can cause widespread damage quickly. Remote updating by vendors may need to be regulated, as a public policy issue.

Re:McAfee responds - by shutting down forum

[porkThreeWays]

For us, there was no possibility of anything automated, the machines lost all network access. svchost.exe was 0 bytes. At around 2pm when we realized what actually happened we hung up with them and their "rollback to last dat" bullshit (how can you push that out to a machine with no network access) and manually restored svchost.exe and the last dat to all our machines affected. Hundreds of them. It was quite a day. Fuckin mcafee....

Re:McAfee responds - by shutting down forum

[pandrijeczko]

I actually have a lot of respect for good Windows sysadmins but I've never understood why everything on Windows system administration has to be so bloody convoluted.

What can be simpler than having all your configurations for applications held in your home directory in flat text or XML files that you can just copy off to another machine when you need to or write up a shell script to automatically parse and do clever tricks with?

People moan about UNIX being "difficult" or "unfriendly" but how unfriendly or difficult is the Windows registry to get around??? Not only that, make one minor change in the wrong place and you can end up trashing a machine completely...

I do use Linux and Windows regularly, I quite like them both for their own reasons, but the whole registry idea was a bad, bad architectural design blunder made by Microsoft.

Re:McAfee responds - by shutting down forum

[dkf]

I do use Linux and Windows regularly, I quite like them both for their own reasons, but the whole registry idea was a bad, bad architectural design blunder made by Microsoft.

It was marginally better than keeping everything in WIN.INI like they used to do back in the Bad Old Days. It's just a shame that they didn't pick a better technique like having multiple text files, but then it all dates from when there weren't any user-specific directories either.

It's a poor decision on a crappy foundation to get rid of the faults of the even-worse thing that was there before.

Re:McAfee responds - by shutting down forum

[lazyforker]

This points up a major risk to US computer infrastructure. Any program with remote update is potentially capable of taking down vast numbers of systems. Ones like McAfee or Windows Update, which deploy updates to all targets simultaneously, can cause widespread damage quickly. Remote updating by vendors may need to be regulated, as a public policy issue.

In a corporate/enterprise/govt environment shouldn't IT people be testing and piloting those updates before deploying them en masse? I'm not excusing McAfee's incompetence, but as sysadmins we shouldn't blindly trust vendors. My company has been burned by bad McAfee DATs before so we actually delay the DAT deployment for about 18 hours - we let someone else have the pain of being on the bleeding edge. Although one of the EPO servers was misconfigured (lazy admin) and the DAT went out immediately - took out hundreds of PCs in one office.

Re:Wonder what microsoft paid for this?

[TheRealGrogan]

No way, not by a long shot. ClamAV/ClamWin can't touch Avira. Yes, it's Free and that's nice, but it's not terribly effective. I run the latest version of ClamAV, automatically updated hourly, on the servers I operate and while certainly better than nothing, I appreciate it and I like the way it operates, it misses a lot of fairly common "ecard.zip" type trojans that come in email. I can upload the same files to jotti, and Avira and other good ones catch them even if by heuristics. I don't really care, and I'm not spending money, because clients need to have their own resident antivirus software anyway but I have observed ClamAV for several years and it's certainly not the best. I don't need it to catch "phishing" emails with its detection patterns, rightly or wrongly, I'm more concerned about trojans and root kit droppers. I have also tried ClamWin as a scanner to attempt to identify malware on infected PCs (I run a computer service in my town), and is not very effective and very slow. (It takes a long time to find out that you've just wasted your time)

Re:Double ouch.

[MajorFork]

I agree with IIS Hacks. If you’ve ever tried to deploy antivirus software to thousands of endpoints, you probably learned to appreciate products by Symantec, McAfee, and Trend Micro. The same powerful ability to deploy updates to thousands of PC’s at dozens of office locations is also a major weakness. When companies could afford decent staffing, new antivirus signatures, hot fixes and service packs were tested in-house on company standardized builds before deploying. Budgets are so tight, that we’ve grown even more dependent on our vendors to do this for us. You are at their mercy no matter who you choose.

Re:Wonder what microsoft paid for this?

[Nyder]

We have hundreds of systems down. We were looking at Avira in any event as it was lighter, but now we are moving there at warp speed. Mcaffee's quality assurance really screwed up on this. Major problems worldwide.

Okay, fire your IT dude, because, well, he/she sucks and doesn't know their job.

I find Rising Antivirus, which is free and has an online scanner to be decent on my Windows 2008 server machine.

seriously dude, fire your IT person, they suck.

The cure is worse than the disease...

[AthleteMusicianNerd]

Fuckin' McAfee.

Re:Wonder what microsoft paid for this?

[ewieling]

People research many things before they buy or use them. Houses, neighbourhoods, schools, cars, trucks, health food. There's no reason to expect them to do any research on the software and hardware they have on their computer. That's just silly!

Re:Double ouch.

[porkThreeWays]

We've used Mcafee for years. It can take a brand new quad core computer with 4 gigs of ram and make it operate at half its specs. It's garbage. I've used a few antivirus products over the years and all its enterprise features have never worked properly. It's purely marketing and sending PHB's free swag. There are a lot of anti virus companies with the features you mentioned that do it far better than Mcafee. The only reason they are still in business is because of marketing.

Re:Black Wednesday

[mlts]

I know some businesses who run McAfee on Linux, Solaris, and AIX.. Not because the boxes will likely get the next Trojan from the net, but because of contracts saying that all machines will have some sort of antivirus present. Even if all the McAfee does is run a scan down the filesystem every couple nights, it fulfills the letter of the contracts given.

So, don't expect to be free of antivirus software even if you jump platforms.

Re:For non-Windows-expert family tech-support type

[porkThreeWays]

You can manually copy a good DAT over and a good copy of svchost.exe into their proper directories. However our copy/paste wouldn't work so I wrote a batch file because the copy command still seemed to work ok. Because we had to do it on so many we didn't have time to type anything, just run a .bat file with those two copy commands and a reboot.

The "fuckin' mcafee" thread

[porkThreeWays]

Fuckin' McAfee...

Let's not misstage the issue

[RomulusNR]

incorrectly identifies svchost.exe, a critical Windows executable, as a virus

While it's fair to say that svchost.exe -- the FILE -- is a "critical executable", that is completely different from saying that svchost.exe -- the PROGRAM instance -- is always critical.

The very annoying thing is that svchost.exe doesn't do anything of its own, really, except run other programs. Sometimes that other program is really essential (like core Microsoft IPC services), sometimes that other program is necessary for one of your computer's devices to work, and yet other times that program is something like Yahoo Toolbar. Or worse: adware, spyware,or a trojan.

Shame that XP never thought you would need a way to know exactly what that svchost.exe instance was actually doing. I know I've forced a reboot unintentially by trying to kill unnecessary processes, and happened to kill that one joker's-card svchost.exe process that was running an essential core service. (Meanwhile you can kill explorer.exe, the core of the UI, and simply restart it to get it back. Go figure.)

Right now I have 7 svchost.exe processes on my XP system. I've no idea what any of them are actually doing. They have memory spaces anywhere from 200KB to 18MB, and open filehandles anywhere from 100 to 2,000. I would like to think I could determine which ones were legitimate and necessary and which ones were just idle crap taking up resources, or worse.

Re:Let's not misstage the issue

[pclminion]

The very annoying thing is that svchost.exe doesn't do anything of its own, really, except run other programs.

Uh, kind of like /sbin/init on UNIX systems? It may not "do anything" by itself, but it only happens to be one of the most important processes on the system...

Shame that XP never thought you would need a way to know exactly what that svchost.exe instance was actually doing.

And that's really the major difference between svchost.exe and /sbin/init. init launches standalone instances -- svchost.exe loads service DLLs and runs them in its own context. However, there are ways to see what's going on. Anybody who does anything serious with Windows should have a copy of Process Explorer. It will show you what is going on.

Re:Let's not misstage the issue

[shutdown+-p+now]

Sometimes that other program is really essential (like core Microsoft IPC services), sometimes that other program is necessary for one of your computer's devices to work, and yet other times that program is something like Yahoo Toolbar

Does Yahoo Toolbar really use svchost.exe? It is explicitly documented as "for system use only" in platform docs, so any such use is entirely unsupported, and if they do so, they should be slapped for it.

Re: why still popular?

[dr_strang]

I agree. AVG was awesome up until 8.5. 9.0 is the buggiest resource-hogging, system-locking piece of shit I've seen since Norton and Mcafee. Problem is 9.0 came out about ten minutes after I renewed our company's license for 2 years.

Re:Wonder what microsoft paid for this?

[ThurstonMoore]

Clamwin's effectiveness is poor, much worse that McAfee and it is slow.

http://www.virus.gr/portal/en/content/2008-06%2C-1-21-june

Re:Double ouch.

[aztektum]

The university I work for (still here fixing PC's @ 8:20pm - 12 hours!) gets it for free for beta testing their client and server. I believe we're not the only Uni that has this sort of deal.

Re:Double ouch.

[shutdown+-p+now]

It seems to me that there are more choices even if you look at the enterprise market. There's MS Forefront, which seems to be the same engine as MS Security Essentials (which is good), with all the "enterprise management" stuff on top of that. There's Sophos, about which I've no idea how good it is, but I've seen it running in many places. If I remember correctly, NOD32 also has some solution.

This is why you dont buy McAfee junk

[jonwil]

Get a DECENT anti-virus (not McAfee or Norton) and you wont have these problems.

Although what constitutes "decent" in a corporate environment I dont know.

Re:This is why you dont buy McAfee junk

[Chris+Mattern]

Although what constitutes "decent" in a corporate environment I dont know.

NOD32.

Re:Black Wednesday

[countertrolling]

Yeh, but it's the erasers that'll bust the bank.

Don't forget third party product who use Mcafee

[JaCKeL+1.0]

We use Sonicwall's security services, their anti-virus is a very dumb and salvaged version of Mcafee business. Machine where going down but WITHOUT any explanation or warning messages and since svchost was killed, no chance of getting in the event monitor or using any tools. We got a bit afraid of a new virus spread because the way everything was disabled on the machine looked like some well known malware but after couple of hour I couldn't find any trace of infection. My second guess was the anti-virus, and I was right, but unlike the real version of mcafee business, sonicwall version wasn't showing any clue of what was going on.

Re:Wonder what microsoft paid for this?

[perryizgr8]

i think you should also consider ms security essentials. i think they have a corporate vrsion too. and it works as well as any other anti virus and is lightweight too.

Re:Black Wednesday

[Flammon]

Actually the AutoCAD for Windows install CDs should do just fine.

We thought this would be a stumbling block but it turned out to be the opposite - not only did we get AutoCad R14 running on Debian GNU/Linux within 24 hours but it actually ran faster! Can you believe that?

http://architectafrica.com/bin0/news200411111_wine.html

How about VMWare?

Maybe one of these might work for you? http://www.tech-edv.co.at/lunix/CADlinks.html

No alcohol for Sweden.

[Daethorian]

The Swedish goverment company Systembolaget is responsible for all sales of alcoholic beverages above 3.5%. They happen to be running McAfee and all all of their billing systems are fully down for the day. They are closed all over the country and no one in Sweden can buy alcohol today. Thanks McAfee! Sweden will never recover from this disaster.

Just upgrade to Windows 7.

[g0hare]

XP is no longer secure. It's a 10-year-old os and it sucks. And oh yeah McAfee (and Norton) suck rotten eggs.

Re:Wonder what microsoft paid for this?

[that+IT+girl]

Minus the smugness, though, he's kind of right. For example, most people wouldn't wave their credit card number around in front of random strangers, and certainly wouldn't in front of people actively paying attention and looking to steal it--and if they did, I think we could all agree that would be stupid. It's not too much of a stretch to realise that putting their information into a machine they have made no real effort to carefully protect against invasion is a virtual manifestation of the same thing.

Re:Double ouch.

[that+IT+girl]

Trend Micro is actually the best of those three--I wouldn't touch either of the others, but this one isn't bad. We actually used TM in my home office for a long time until corporate decided to cut costs and go with a cheaper option. (VIPRE... oh, it's cheaper alright.. and we've already gotten two viruses and a rootkit in our network since the changeover. Wheeee.)

=\ uh oh

[Tirith45]

Well any word from McAfee releasing a fix? I have 10 clients all running their offices with McAfee.. I have an odd feeling it will be a long day. >

Re:Wonder what microsoft paid for this?

[Feanturi]

Consider that the average person is not under the hood of their car every day randomly pulling on things. Consider that the average person is not attempting to perform surgery on themselves. Consider that the average person is not going around banging on all the pipes in their house and randomly turning valves. Consider that the average person doesn't go up to their breaker box with a big pair of scissors saying "What are all these wires doing? Do I need these?"

The average person should probably not even be touching a computer. Let computer people use them, the rest of the plebes can go back to paper where they could at least get work done without Facebook and YouTube.

Re:Wonder what microsoft paid for this?

[spidercoz]

Good example. I was thinking more from a preventative maintenance/general functionality perspective, like even a modestly educated person wouldn't drive 10,000 miles without an oil change, or eat a bucket of lard and not expect there to be consequences. But the security angle works too. And I can't help the smugness because I'm usually right ;)

Re:Wonder what microsoft paid for this?

[spidercoz]

I can't speak for all of IT, but I kind of fell into this line of work by accident. Don't get me wrong, I enjoy my job, I like working on machines; it's the people I can't stand. Like the guy whose brand new pc comes back to me 2 weeks after I issued it to him because he was doing shit he shouldn't have been. So I have bump everything else I'm working on just to get this asshole set up again. Yeah, I resent having to redo work I just did, especially when I have 20 other things that need to get done.

Re:Wonder what microsoft paid for this?

[thrawn_aj]

Yeah, I resent having to redo work I just did, especially when I have 20 other things that need to get done.

*nod* I guess I can see that.

Re:Wonder what microsoft paid for this?

[that+IT+girl]

I completely understand the feeling. ;)

Re:Black Wednesday

[lazyforker]

They're under the PhotoShop for Linux DVDs.