Slashdot Mirror


McAfee Kills SVCHost.exe, Sets Off Reboot Loops For Win XP, Win 2000

Kohenkatz writes "A McAfee Update today (DAT 5958) incorrectly identifies svchost.exe, a critical Windows executable, as a virus and tries to remove it, causing endless reboot loops." Reader jswackh adds this terse description: "So far the fixes are sneakernet only. An IT person will have to touch all affected PCs. Reports say that it quarantines SVCHOST. [Affected computers] have no network access, and missing are taskbar/icons/etc. Basically non-functioning. Windows 7 seems to be unaffected." Updated 20100421 20:08 GMT by timothy: An anonymous reader points out this easy-to-follow fix for the McAfee flub.

71 of 472 comments

  1. Why Worry about Malware-Viruses... by BoRegardless · · Score: 4, Funny

    When your Anti-Virus software bombs you out.

    1. Re:Why Worry about Malware-Viruses... by Anonymous Coward · · Score: 5, Funny

      My boss, who knows just enough about computers to get himself in trouble, is an idiot.

      A few days ago, he called me in to come look at his laptop. He said that his computer was infected and that the virus killed his email. After further inspection, I found out that he pressed "ctrl+alt+del" and brought up the Task Manager. He went through and ended all of the svchost.exe's that he could. When I asked him about it, here was his response:

      "I was closing all of those system virus hosts on my machine!"

      I hate my job sometimes.

  2. For a program so hard to turn off by ZeroSerenity · · Score: 4, Insightful

    It seems to be very willing to take the whole machine down. Speaking of which, did anyone at McAfee even bother to test this dat on a Windows XP machine?

    --
    For those who seek perfection there can be no rest on this side of the grave.
    1. Re:For a program so hard to turn off by jimicus · · Score: 3, Interesting

      It seems to be very willing to take the whole machine down.

      Speaking of which, did anyone at McAfee even bother to test this dat on a Windows XP machine?

      I'm sure they did but the real question is not "did McAfee test it against Windows XP?". It's "did they test it against Windows XP with every single version of svchost.exe that Microsoft have ever released?" - the original version and every updated version in every patch and service pack to date?

    2. Re:For a program so hard to turn off by Joce640k · · Score: 4, Insightful

      A decent antivirus would have every critical Windows file whitelisted just to avoid this sort of problem.

      This isn't some user-installed application, it's svchost.exe.

      --
      No sig today...
    3. Re:For a program so hard to turn off by mcmonkey · · Score: 3, Interesting

      I put this on my corporate IT.

      We have a corporate standard for XP on the desktop and Win 2003 for servers. Should only be those 2 versions of svchost.exe to test against.

      Right now my employer is losing $millions as systems are down proactively until the issue is resolved. Manufacturing and labeling systems run on Windows :)

      I know we test patches from Microsoft against the standard OS as well as the individual apps. As an application owner, I test the monthly patches from MS before applying in production.

      Virus definition updates are not provided for testing prior to release.

      Given how widespread this issue is, I think it would have been picked up in testing.

    4. Re:For a program so hard to turn off by UnknowingFool · · Score: 2, Informative

      Svchost has been around forever. It basically encapsulates other applications. Svchost handles many things from DHCP client to Windows Themes. The problem is that McAfee doesn't seem to discriminate between any of them in this case. Which would cripple any XP system today.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    5. Re:For a program so hard to turn off by jimicus · · Score: 2, Insightful

      The problem with doing that is all a virus needs to do now is to infect a critical Windows file and you'd never know about it.

    6. Re:For a program so hard to turn off by clone53421 · · Score: 5, Insightful

      Whitelist them by checksum, not filename.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    7. Re:For a program so hard to turn off by Anonymous Coward · · Score: 2, Interesting

      svchost is an EXE that loads a bunch of DLLs. These are all discrete bits of code that should be analyzed separately, of course. The specific functionality doesn't particularly matter. It's all executable code.

      But if a virus is (wrongly) detected in the EXE, what are you gonna do? Kill/block it, of course. So all the DLLs come tumbling down too.

      If a virus is detected in a DLL, you can typically prevent the DLL from being loaded if you get there early enough. But some programs crash if a DLL they need can't be loaded. And forcibly unloading a DLL is, as far as I know, nearly impossible to do safely and without executing any more code in the DLL.

    8. Re:For a program so hard to turn off by Mr.+Sketch · · Score: 3, Insightful

      And that antivirus program would be susceptible to many types of viruses that modify system files. This particular virus that it detects (W32.Wecorl.a) does change svchost.exe:
      http://www.symantec.com/security_response/writeup.jsp?docid=2008-110306-2212-99

      What McAfee should have is a better way of quarantining critical system files (replace with known good copies, have a robust patch/repair process for system files, have a more stringent fingerprint detection, etc). Maybe a whitelist of known good md5sums for system files (of course, this would have to be updated with every version of those files ever released in any patch by Microsoft).
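
The checksum whitelist suggested in the comments above, as an added example that is not part of the original thread and not McAfee's code. It uses SHA-256 rather than the md5sums mentioned, and the file contents, function names and verdict labels are constructed for illustration.

```python
import hashlib
import ntpath

# File names the scanner must never simply delete (assumption for this sketch).
CRITICAL = {"svchost.exe"}

# Constructed byte strings standing in for real file contents.
XP_SP2_BUILD = b"constructed: svchost.exe as shipped in one service pack"
XP_SP3_BUILD = b"constructed: svchost.exe as shipped in a later service pack"
INFECTED_BUILD = XP_SP3_BUILD + b" + constructed appended payload"
UNLISTED_BUILD = b"constructed: svchost.exe from a patch not yet in the list"


def sha256_hex(data):
    """Hex digest of the file content."""
    return hashlib.sha256(data).hexdigest()


def build_allowlist(known_good):
    """Map lower-cased file name -> digests of every known-good build of it."""
    return {name.lower(): {sha256_hex(build) for build in builds}
            for name, builds in known_good.items()}


ALLOWLIST = build_allowlist({"svchost.exe": [XP_SP2_BUILD, XP_SP3_BUILD]})


def decide_by_name(path, content, signature_hit):
    """Filename whitelist: anything called svchost.exe is trusted.

    This is the weakness raised in the thread: a modified system file
    passes because only its name is checked, never its content.
    """
    name = ntpath.basename(path).lower()
    if name in CRITICAL:
        return "allow"
    return "quarantine" if signature_hit else "allow"


def decide_by_hash(path, content, signature_hit, allowlist=ALLOWLIST):
    """Checksum whitelist: trust is tied to content, not to the name."""
    name = ntpath.basename(path).lower()
    if sha256_hex(content) in allowlist.get(name, set()):
        # Bit-for-bit a shipped build, so a signature hit is a false positive.
        return "allow"
    if name in CRITICAL:
        # Unknown content under a critical name. On a detection, put back a
        # known-good copy instead of deleting; without one, send the file for
        # review, since it may be tampered or a patch missing from the list.
        return "restore" if signature_hit else "review"
    return "quarantine" if signature_hit else "allow"


if __name__ == "__main__":
    target = r"C:\WINDOWS\system32\svchost.exe"
    cases = [
        ("known-good build, bad signature fires", XP_SP3_BUILD, True),
        ("modified build, signature fires", INFECTED_BUILD, True),
        ("unlisted build, no detection", UNLISTED_BUILD, False),
    ]
    for label, content, hit in cases:
        print(f"{label:40} by_name={decide_by_name(target, content, hit):10} "
              f"by_hash={decide_by_hash(target, content, hit)}")
```

The "review" verdict is where the maintenance cost mentioned in the comment shows up: every build Microsoft ships has to be in the list, or legitimate patched files land there.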

    9. Re:For a program so hard to turn off by clone53421 · · Score: 3, Insightful

      Actually, you can't trust anything once a machine's compromised, which to my mind is a huge problem with modern Windows systems, but I'm not even going to go there....

      It’s a huge problem with any system.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    10. Re:For a program so hard to turn off by shutdown+-p+now · · Score: 5, Insightful

      Actually, you can't trust anything once a machine's compromised, which to my mind is a huge problem with modern Windows systems, but I'm not even going to go there....

      Guess where the "root" in "rootkit" comes from?

      Hint: it ain't Windows.

    11. Re:For a program so hard to turn off by value_added · · Score: 2, Interesting

      Svchost has been around forever. It basically encapsulates other applications. Svchost handles many things from DHCP client to Windows Themes. The problem is that McAfee doesn't seem to ...

      Encapsulation? No doubt that's a valid comment and one that's just as valid to describe, in a more general sense, how Microsoft designs things. On the other hand, I consider it a weasel word that describes something that lacks transparency, isn't understandable, and is unnecessarily complex.

      If you think that's an over-the-top opinion, run `netstat -ab'. See how long it takes for the command to complete. And then see how long it takes for you to parse the output before making sense of it.

    12. Re:For a program so hard to turn off by mcmonkey · · Score: 2, Insightful

      Two versions! You think there have only been two versions of svchost.exe on XP and 2003?

      Not in all the universe. But I don't care about the universe, I just care about my company.

      And in my company, with very few exceptions, all Windows systems get the same patches (that is, all workstations get the same workstation patches, all servers get the same server patches). So yes, at any one time, my Windows group can focus their attention on testing with those two versions of Windows--one XP and one Server.

      Anyway, going back to how patches from MS are handled, not only are they made available for testing before pushed out to production, they are also pushed out in phases.

      About 10% of the workstations in the company are in the pilot group and get MS patches about 5 days before everyone else. If this AV dat update was handled in the same manner, my company would have saved a few $million in lost productivity today. The issue would have been noticed before it went company-wide.

  3. Guess what I've been doing all morning? by uvsc_wolverine · · Score: 5, Funny

    I work at a university where we use McAfee anti-virus as our corporate AV. Guess what I've been doing all morning?

    --
    This space for rent...
    1. Re:Guess what I've been doing all morning? by 2names · · Score: 5, Funny

      Um, hiding in the bathroom like I have been doing?

      Seriously, though, we got hit hard with this. I don't mind fixing the problem, what pisses me off is that we didn't want McAfee in here in the first place but Corporate HQ forced it on us.

      --
      "I'm just here to regulate funkiness."
    2. Re:Guess what I've been doing all morning? by oldspewey · · Score: 5, Funny

      Reading Slashdot?

      --
      If libertarians are so opposed to effective government, why don't they all move to Somalia?
    3. Re:Guess what I've been doing all morning? by JamesP · · Score: 5, Insightful

      Funny that one of the 'false reasons' against Open Source is liability

      So are you going to sue the bastards for lost time and productivity?? You should.

      --
      how long until /. fixes commenting on Chrome?
    4. Re:Guess what I've been doing all morning? by Spazztastic · · Score: 3, Insightful

      Seriously, though, we got hit hard with this.

      I'm trying to avoid having this happen. I just called our guy who manages the AV server (among other things) and sent him this. He was skeptical, but wasn't opposed to rolling back the server to using 5957 for now until more builds on this story. My system hasn't updated to 5958 yet, even though the AV server was set to deploy that. Let's hope for the best...

      --
      Posts not to be taken literally. Almost everything is sarcasm.
    5. Re:Guess what I've been doing all morning? by 2names · · Score: 5, Informative

      Every system that we had that was XP SP3 that got updated to the 5958 DAT file became useless. We are now forced to visit each machine and manually fix it. Rubbish.

      --
      "I'm just here to regulate funkiness."
    6. Re:Guess what I've been doing all morning? by steveg · · Score: 3, Interesting

      Me too. I just handle my department, thank the gods. I've got two labs that are native Windows -- one with 7 machines and one 15 machine lab. These are hardware oriented labs that have vendor provided software that won't run under emulation.

      The other 4 labs run Ubuntu, with VMWare, non-persistent VMs for any activities that absolutely require Windows.

      My Windows only labs are in a constant reboot cycle (well, before I shut them down), the rest don't even realize there's anything going on. :) Since tomorrow is Lab day for those two labs, I'm hoping McAfee gets the problem fixed before then. If not, I'll disable boot scan until they do.

      --
      Ignorance killed the cat. Curiosity was framed.
    7. Re:Guess what I've been doing all morning? by guruevi · · Score: 2, Interesting

      I always get a kick when somebody says something stupid like that. I've recently heard that in a meeting with management: "Yeah, but if Microsoft's solution doesn't work, we can call them for help and they are liable for the problems with their product". As ANYONE that ever called Microsoft knows, they're not helpful at all and if you spent too much time on their support lines they will come off with something like: well, we don't support customizations, we can't fix that, read the support contract. Under customizations they understand (not kidding): Modifying your SharePoint site to put content on it, installing updates in Windows.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
  4. Windows is a virus by Wonko+the+Sane · · Score: 4, Funny

    We've known for a long time but it's good that McAfee finally admitted it.

  5. Sigh... by Anonymous Coward · · Score: 4, Funny

    I would have gotten first post, but I was running windows with McAfee

    1. Re:Sigh... by CTalkobt · · Score: 2, Informative

      The first post was posted at 2:03pm (in my timezone) .. yours was posted at 2:07 so all things considered, a 4 minute fix isn't too bad...

      --
      There's a gorilla from Manilla whose a fella that stinks of vanilla and has salmonella.
  6. Re:antivirus... poison for cure by timster · · Score: 4, Insightful

    Well, with McAfee, the cure has been worse than the disease for over a decade now. But the cure is easier to explain to management.

    --
    I have seen the future, and it is inconvenient.
  7. Re:Black Wednesday by ircmaxell · · Score: 4, Interesting

    True, but business needs dictate software requirements. So that decision is out of my hands (but believe me, I'd LOVE to run an office full of Linux computers)...

    --
    If a man isn't willing to take some risk for his opinions, either his opinions are no good or he's no good
  8. Re:Black Wednesday by Anonymous Coward · · Score: 4, Insightful

    Or you can go back to pencil and paper. Much more cost effective than Linux.

  9. shutdown -a by bugs2squash · · Score: 4, Informative

    at a command prompt when the "windows will shut down in XX seconds" popup is on screen saved me. I'm still waiting for a mcafee update file to fix it properly.

    --
    Nullius in verba
    1. Re:shutdown -a by cryogenix · · Score: 2, Informative

      The updated dat is available now, an updated extra.dat was available earlier this morning. I was the one that posted it in the tech support forums. You could have however just disabled access protection and on access scan to keep it from scanning at all. Not a great solution but at least your machine works. If your svchost.exe got nuked, copy it back from the system32\dllcache folder.

  10. I heard by Dunbal · · Score: 4, Funny

    Next they will be deleting a directory known to be full of malware called system32

    --
    Seven puppies were harmed during the making of this post.
  11. Re:Double ouch. by Jeng · · Score: 4, Interesting

    My big question is why is Norton and McAfee still so popular in the corporate world?

    I understand that the OEM's preload McAfee or Norton because they are paid to, but the corporate world is paying big money for these out-dated anti-virus programs.

    There are much better anti-virus providers out there such as Avast, Kaspersky, Nod32 and others.

    --
    Don't know something? Look it up. Still don't know? Then ask.
  12. Doesn't McAfee Do Testing On Releases? by bezenek · · Score: 2, Interesting

    My God! How can something like this possibly get by QA at a company the size of McAfee? Have they outsourced all of their QA to a team with no clue?

    -Todd

    --
    Omne ignotum pro magnifico.
    1. Re:Doesn't McAfee Do Testing On Releases? by broken_chaos · · Score: 2, Insightful

      From some of the other comments on this story, from sysadmins fixing this, it sounds like it hits near completely- or completely-patched XP machines. That's extremely silly a thing to just 'whoops' on.

  13. McAfee recently screwed me over by thetoadwarrior · · Score: 2, Interesting

    Two weeks ago it went and deleted two important files for dev c++ and another program at my work. It was insistent they were viruses. I'm not sure how I could have received a virus since I get virtually no attachments and don't email anyone outside of work (ie no "fun" emails), I only visit the BBC, Netbean.org, Eclipse.org and a handful of other reputable sites because I rather goof off by writing my own code than doing nothing and I scan all my downloads before installing them.

    Sure maybe I got unlucky for the first time in like 3 years. Maybe someone used my computer while I was on holiday but I suspect not. I suspect it's related to this.

    1. Re:McAfee recently screwed me over by zonky · · Score: 4, Informative

      There is no such thing as a reputable site on the internet.
      Some sites use ad networks, which have happily served malware.
      Other sites are run by clueless admins and left vulnerable to commodity exploits.

      Drive by Downloads exist, and are a risk everywhere.

  14. virus scanners are the devil by buddyglass · · Score: 5, Informative

    Seriously. They consume CPU. They stay resident and consume usable memory. They occasionally crash and/or cause other applications not to work. And, in this situation, they break Windows. I don't use AV and have had pretty much zero issues over the last 6 years of using Windows XP. All you need to do is:

    * Configure Windows update to run daily.

    * Don't use IE or Outlook.

    * Keep Windows Firewall active.

    * Don't connect directly to the internet- sit behind a router that's configured to be (mostly) invisible.

    * Don't run random things you get sent in email, on facebook, or that pop up unexpectedly while you're at a questionable website.

    * If you think something's amiss, boot into safe mode and use a non-resident tool like MBAM.

    1. Re:virus scanners are the devil by ledow · · Score: 2, Interesting

      To be honest 2, 4 and 5 are perfectly adequate for a knowledgeable user and the rest provide little if any advantage. And they also happen to apply to all OS's and all versions of those OS's.

    2. Re:virus scanners are the devil by Anonymous Coward · · Score: 2, Funny

      You missed the obligatory:

      * Run Linux

    3. Re:virus scanners are the devil by Spad · · Score: 2, Insightful

      That's not enough any more; even reputable websites can often be easily compromised either through SQL injection, XSS, compromised ad server or some other mechanism and apps like Adobe Reader, Office, Flash, Foxit Reader, Firefox, Java, VLC and more have all experienced serious vulnerabilities in recent months, which have often remained unpatched for long periods of time.

      I finally gave in and installed my home-licensed copy of Sophos (provided by my work) because there are too many factors outside of my control these days and short of isolating my PC from all external data sources there's no way to be sure and I'd rather have a backup in case I miss something.

    4. Re:virus scanners are the devil by blincoln · · Score: 5, Informative

      I used to believe something along those lines. Then my PC was infected with a worm when I plugged an mp3 player into the USB port. I'd bought the player new, factory-sealed, so it must have picked it up at the manufacturing plant. I disabled all autorun/autoplay after that, but I'm still wary enough that I run Avast to help avoid another similar situation.

      Also, none of the things you mention will detect/remove a rootkit if one does manage to make its way onto your PC. I cleaned one up off of a PC that belongs to my sister a few weeks ago, and that was a headache. I did a scan of the infected drive in an external USB case, and that got nearly all of the infected files taken care of, but because most virus scanners apparently don't scan the MBR of non-boot drives, the rootkit was still waiting there and I had to use the Windows recovery console to write a new MBR.

      As far as I can tell, her PC was infected through some variation of the "malicious PDF in a hidden IFRAME which belongs to an online advertisement" scenario, because she was already using Firefox exclusively. So maybe you should at least add "don't install Adobe Reader, or if you do, disable browser integration, update it daily, and set Firefox to download PDFs instead of opening them" and "install and use AdBlock Plus, and possibly NoScript" to your list.

      --
      "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
    5. Re:virus scanners are the devil by Sandbags · · Score: 2, Informative

      Additionally,

      * Don't click on links without verifying the actual link matches the name displayed in HTML when you mouse over it. When in doubt, type the root URL in by hand and browse to the specific page.

      * Don't read spam. Anything anyone sends you, even family members, providing you with news, alerts, health related info, virus warnings, safety warnings, etc, is ALL bullshit. HoaxBusters and snopes.com are your friends, when in doubt, LOOK UP the email there, and then tell your friend/family member to check themselves next time or risk being blacklisted. (I actually created a default reply script so when a family member sent me something that looked fishy, I ran a script that made a fairly convincing looking e-mail that would appear to come from a security server indicating the content of their e-mail was blocked as it was known SPAM and may contain a virus, took a few months and they ALL stopped sending me crap...)

      * Don't download and install anything unless it's direct from a nationally known vendor and it's a product sold commercially (or a known safe FOSS vendor). If it's not sold on a shelf in a store, ask yourself why not? Clearly, if it was a legit product, it should be... (yes, I know, many perfectly acceptable FOSS packages out there. In that case a good rule of thumb is that if 3 PC literate people you know can't name it, it's not safe).

      * ignore all adverts, block them if you can

      * Don't use any account with admin privileges unless you're doing something at that moment that requires it.

      * Use strong passwords, and use a DIFFERENT ONE on EVERY site. There are lots of tricks for coming up with good passwords, and for remembering which one is for which site.

      * only sign up for what you have to; don't enter contests, marketing programs, or provide email addresses or phone numbers of your primary accounts. Some web sites insist on sending you an e-mail to validate an account ID: use a special, separate email account just for that, and immediately change any password they may issue you in that e-mail.

      * never give out your personal/primary email address to a company or someone you do not personally trust for any reason.

      * stay off P2P and other sharing systems completely.

      * there's not just AntiVirus software, there's also AntiSpyware software, USE BOTH!

      * Back up regularly, to a drive that is NOT always connected to your system (leaving a backup USB drive or network share mounted all the time means a virus can wipe out your backups too!) back up stuff you want to save from fire and other disasters online to a secure hosted system.

      * When browsing questionable sites, do so from a virtual machine or a machine that uses completely different account information from your primary accounts and contains none of your personal files. (A cheap old laptop is a good solution for that.)

      --
      There is no contest in life for which the unprepared have the advantage.
    6. Re:virus scanners are the devil by izomiac · · Score: 2, Interesting

      And then grow complacent with security until a flash exploit wipes out your home directory.

    7. Re:virus scanners are the devil by Culture20 · · Score: 2, Insightful

      Will you come to my workplace and enforce these rules (and the rules that others are responding with)? I see several desktops on my network downloading infected pdfs or trojans according to my SEP console. Thankfully these users aren't administrators, but the exploits are just a privilege escalation away from ownage.

    8. Re:virus scanners are the devil by Anonymous Coward · · Score: 4, Informative

      "I disabled all autorun/autoplay after that, but I'm still wary enough that I run Avast to help avoid another similar situation."

      Yes to disabling autorun. That's the vector for the only worm I've seen in 10 years of running XP in the way the previous post described (it came in on a USB flash drive). So, add to his list:

      * Disable autorun/autoplay correctly (note: Microsoft's advice will NOT kill it off completely).

      * Run something lightweight like StartupMonitor to catch programs that try to install things in the various startup locations (useful to control bloatware too)

      And something else I've done:

      * make a fake, read-only AUTORUN.INF directory on usb flash drives and other portable devices so that when a worm tries to write on there, the filename already exists and it fails. So far I've not seen any worms smart enough to look for pre-existing files and delete them before attempting overwriting, and by making it a directory with that name the deletion process is more complicated.

    9. Re:virus scanners are the devil by jaavaaguru · · Score: 3, Insightful

      How about nothing is executable until you explicitly change the permissions, and nothing on removable media is executable. That way there is no accidental running of any programs.

      Autorun should have been killed when Windows 95 was still around. It's such an obvious security risk.

  15. Re:For non-Windows-expert family tech-support type by DjMd · · Score: 4, Informative
    http://isc.sans.org/diary.html?storyid=8656
    Basically it looks like command line

    shutdown -a (to stop the autorestart)

    Put SVChost.exe back in place (out of the quarantine)

    and disable McAfee...

    --
    DJMD - The fourth man - Planetary
  16. My Experience by jibster · · Score: 5, Informative

    I work at a major chip manufacturing plant. At 4.10 I was conferencing with another fab when all our PCs shutdown. 10 minutes later the place was in chaos. Now don't get me wrong the fab keeps going but my god the cost to the company of this. Say 10 sites world wide with 2-5k employees each the majority of which can't do any meaningful work. McAfee have a lot to answer for.

    1. Re:My Experience by ledow · · Score: 3, Insightful

      I think the people who have software that autodeploys updates to 20-50k employees without getting a say in the matter (i.e. testing, change management, etc.) have a lot more to answer for. When the software that's supposed to *save* your productivity by preventing viruses ends up doing this to your sites, it's time to just throw it in the bin.

  17. Re:Double ouch. by Jeng · · Score: 2, Interesting

    A quick google on the subject brings up many other tests that rank Norton below the ones I mentioned.

    So it would all boil down to whom you believe, who is the least beholden to their advertisers?

    And Norton and McAfee spend TONS on advertising.

    --
    Don't know something? Look it up. Still don't know? Then ask.
  18. More downside to malware than just downtime. by diverman · · Score: 4, Informative

    I agree that it raises question as to why one should use them, but "down time" is not the biggest threat out there, if you wanna talk loss/cost. While one's time is valuable, I'm thinking that their bank account information, passwords, etc, might be slightly more valuable to them. Personally, I think good secure end-user practices is the best protection, I do think that a good A/V program is needed.

    So, while there is malware out there that is less harmful, more of the malware out there is much MORE harmful... if you disagree, please provide your financial account information, or contact me to transfer all funds to a secured off-shore account... maybe buy me a new car too! ;-)

    But seriously... this is really bad, and REALLY stupid. But having no protection for most users risks damaging them in ways worse than a few hours of time to manually fix their issue. And from a corporate perspective, loss of sensitive information is a BIG deal and can cost a LOT more. And that's just talking about data loss. Being part of a botnet to help facilitate financial fraud and other badness... that's also double plus ungood... and irresponsible to not take measures to help keep your computer from playing a part in those crimes.

    Anyway... I agree it raises question... but there's more downside to malware than just downtime.

  19. How does this happen? by Jayws · · Score: 2, Insightful

    What I want to know is how does something like this happen? You would think McAfee takes their new patch and tests it to make sure that it doesn't cause this type of annoying issue. How does something like this slip through the cracks?

  20. Re:Double ouch. by Jazz-Masta · · Score: 5, Informative

    Norton, McAfee and Trend Micro have very solid products that allow for remote management, deployment, updates, forced scans, etc.

    Avast (which I use at home) does not have all of these features yet. I can tell you that when dealing with hundreds of machines, having that dashboard for antivirus saves many hours of time. You can run more frequent scans on problem machines, or allow more/less freedom with the click of a button. Many of the products also have URL blocking (by category), email attachment filtering through Exchange plugins, etc. One feature I like about Trend Micro is the "behaviour" plugin, which flags anything out of the ordinary - such as accessing files, programs, or drives that they haven't before.

    Corporate networks also typically have edge firewalls that will catch many of the malware infested URLs, email attachments, etc that cause problems. For many businesses 200+ computers, the Windows-installed Anti-virus software is actually the last line of defense. Often times the loss of productivity of a couple viruses getting through isn't worth the extra $$ invested in more products or a "better" product with less management features.

    Licencing is also a plus. While Norton, McAfee and Trend Micro are expensive initially, additional licences for a large number of computers and renewal licences each year actually make it less expensive than others such as Avast and Panda.

  21. Re:Wonder what microsoft paid for this? by kwandar · · Score: 4, Informative

    We have hundreds of systems down. We were looking at Avira in any event as it was lighter, but now we are moving there at warp speed. McAfee's quality assurance really screwed up on this. Major problems worldwide.

  22. Marketing by Andy+Dodd · · Score: 2, Informative

    Subject line says it all...

    --
    retrorocket.o not found, launch anyway?
  23. Re:Wonder what microsoft paid for this? by spidercoz · · Score: 3, Insightful

    because it comes pre-bundled into every machine from just about every major vendor, and people are too lazy and stupid to find/get something better

    --
    "I disapprove of what you say, but I will defend to the death your right to say it." - Evelyn Beatrice Hall, re Voltaire
  24. dodged a bullet by Drake4551 · · Score: 3, Funny

    Good thing I switched to Norton!

  25. Are you sure it's not a virus? by wonkavader · · Score: 3, Funny

    I've never liked SVCHOST.EXE anyhow. I'm glad it deletes it.

  26. McAfee botching damage control by Animats · · Score: 4, Informative

    The story just hit ABC News, via the Associated Press: "McAfee Antivirus Program Goes Berserk, Reboots PCs" There are stories on the Huffington Post and NextGov. The story just broke into mainstream news in the last hour. It just hit the New York Times.

    There's nothing on McAfee's home page about this yet. No items in their "News" or "Threat Center" or "Breaking Advisory" sections. There's supposedly a McAfee Knowledge Base article, "False positive detection of w32/wecorl.a in 5958 DAT", but their knowledge base site is overloaded. When it eventually loads, there's a download link to a patch. But there's nothing like an apology. All they say is "Problem: Blue screen or DCOM error, followed by shutdown messages after updating to the 5958 DAT on April 21, 2010."

    McAfee has botched their damage control. They should be out there apologizing. Meanwhile, you can watch McAfee stock drop.

    1. Re:McAfee botching damage control by CountZer0 · · Score: 3, Informative

      I work in the financial industry, and this issue caused significant disruption to trading floors throughout Wall Street. Traders are generally quite upset with McAfee right now, so it makes sense that their stock is dropping :)

    2. Re:McAfee botching damage control by Cro+Magnon · · Score: 4, Funny

      You think it's dropping now? Just wait until more of the traders get their computers working!

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
  27. Thank god.... by FunPika · · Score: 2, Informative

    Comcast decided to start providing Norton instead of McAfee to its customers.

    --
    After years of not using a signature, I am going to make one to say the following: Fuck Beta
  28. Re:Black Wednesday by gothzilla · · Score: 2, Insightful

    There is a lot of business software that runs only on windows so the whole "just switch to linux" thing is quite impossible in many cases. Of course the problem here isn't windows, it's McAfee, but don't let that stop you from pretending that linux is superior to windows in every way.

    The needs of the business dictate what O/S is used. Sometimes linux is best, sometimes windows is. If I acted like a fanboy and let my personal bias overrun the needs of the company then I wouldn't have a job for very long, and neither would a lot of other people in I.T.

    In my case it's pretty easy though. The software doesn't exist for linux that could fill our business needs so switching from windows to linux would be a horrible choice, ruin the company, and put a lot of people out of work.

    Remember, dreaming is free...until you forget you're dreaming.

  29. I have to wonder... by Alioth · · Score: 2, Informative

    I have to wonder what controls the various AV companies have to prevent a malicious signature from being inserted - for example, someone deliberately doing something like this (but hitting all versions of Windows).

    It's not just McAfee that's had this particular style of false-positive problem - Symantec also falsely identified a legitimate part of the Windows 2003 Server resource kit as malware. Fortunately in Symantec's case the damage was very limited.

  30. Re:Black Wednesday by onkelonkel · · Score: 4, Insightful

    By God, you're right!

    Your wise advice has galvanized me to action!

    I am switching the entire company over to Linux this very instant.

    Just as soon as I find the AutoCAD for Linux install CDs.

    --
    None of them can see the clouds; The polished wings don't care.
  31. Alas, poor McAfee.. by Haidon · · Score: 3, Insightful

    It's days like this that make me glad I set our ePO server to wait a day to distribute new DATs. I've been considering an AV change, this seals it!

  32. Re:Wonder what microsoft paid for this? by drew127 · · Score: 3, Insightful

    Don't be a typical smug IT guy. You really think the average consumer is going to go buy a PC and think, "Hey, let me research this anti-virus thing. I think McAfee might suck." No. Why would they do that? Isn't that why they are coughing up the big bucks to begin with, so that they don't have to? Whether or not they have valid reason to worry is beside the point. Don't call them stupid though. I can't stand the stigma attached to IT guys, but a lot of the time the stigmas are valid.

  33. Plug-ins by DrYak · · Score: 3, Informative

    ClamWin *itself* doesn't have an on-access scanner but...

    • External apps :
      • External packages like clamsentinel can automatically scan files upon modification
      • And software packages like WinPooch can, among other stuff, hook the "execute" and "open" OS' functions to scan files before accessing them.
    • Plug-ins :
      On the other hand, there are numerous plugins to hook clamwin to, so you can check for viruses at their point of arrival.
      (On the client's side there are Firefox and Outlook plugins, on the server's side there are Samba plugins)

    But personally I always supplement ClamWin with a 2nd antivirus featuring an on-demand scanner.

    ClamWin&Plugins +Avira or +AVG.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  34. McAfee responds - by shutting down forum by Animats · · Score: 4, Informative

    Computerworld reports that McAfee has reacted to user complaints by shutting down their support forum. The forum seems to be back up now. That was an extremely dumb move to pull after the story was already in the New York Times, Business Week, and on TV.

    Many frantic users in the forum. The big losers are the enterprise users who bought into McAfee's premium services, with automatic corporate-wide updating. There's no fully automatic, reliable fix yet for systems already damaged. In some cases, it's apparently necessary to bring in a new copy of "svchost.exe"; the one in quarantine is bad.

    This points up a major risk to US computer infrastructure. Any program with remote update is potentially capable of taking down vast numbers of systems. Ones like McAfee or Windows Update, which deploy updates to all targets simultaneously, can cause widespread damage quickly. Remote updating by vendors may need to be regulated, as a public policy issue.

  35. Re:Double ouch. by porkThreeWays · · Score: 2

    We've used McAfee for years. It can take a brand new quad core computer with 4 gigs of ram and make it operate at half its specs. It's garbage. I've used a few antivirus products over the years and all its enterprise features have never worked properly. It's purely marketing and sending PHBs free swag. There are a lot of antivirus companies with the features you mentioned that do it far better than McAfee. The only reason they are still in business is because of marketing.

    --
    If an officer ever threatens to taze you, say you have a pacemaker.