Slashdot Mirror


McAfee Retracts Lowball Bug Damage Estimate

bennyboy64 writes "McAfee has changed its official response [warning: interstitial] on how many enterprise customers were affected by a bug that caused havoc on computers globally. It originally stated the bug affected 'less than half of 1 per cent' of enterprise customers. Now McAfee's blog states it was a 'small percentage' of enterprise customers. ZDNet is running a poll and opinion piece on whether McAfee should compensate customers. ZDNet notes a supermarket giant in Australia that had to close down its stores as they were affected by the bug, causing a loss of thousands of dollars."

233 comments

  1. XP SP3 by Enderandrew · · Score: 3, Insightful

    I thought this affected anyone running XP SP3, which I expect would be a majority of enterprise desktops, not less than half of one percent.

    --
    http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
    1. Re:XP SP3 by SharpFang · · Score: 4, Insightful

      I guess less than half of 1% of all corporate customers are customers of McAfee.
      The right wording is everything.

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    2. Re:XP SP3 by ircmaxell · · Score: 1

      Well, it depends. How many have their computers set to pull updates hourly? If you pulled the updates daily, and it was released an hour after you checked, you were fine (considering they pulled it the same day). So the only computers affected were those that polled in the several hour window that the update was available (Something like 8 hours IIRC). And that's not to mention those configurations that are set to pull updates weekly or more.

      --
      If a man isn't willing to take some risk for his opinions, either his opinions are no good or he's no good
    3. Re:XP SP3 by kiehlster · · Score: 1

      You should also add to this the statistic of how many corporations use their own distribution server (middleman). Even if clients poll daily, the corporation as a whole may only deliver updates weekly or may stagger updates to ensure they are tested in the wild before pushing them out to corporate clients.

    4. Re:XP SP3 by GIL_Dude · · Score: 2, Interesting

      It really depends on the intersection of folks running McAfee along with SP 3 in the enterprise. My company is just finishing a migration to Vista, but we still do have about 15,000 Windows XP SP3 desktops (not done deploying yet). However, late last year, I was at a MS Global Accounts meeting (35 very large companies) and NONE of the rest of them had deployed SP 3 for their XP machines. They were all on SP 2 and were harping on Microsoft about the end of support for SP 2 that was fast approaching. None of them wanted to deploy SP 3. It was flabbergasting to me, but they just didn't want to do it. So none of those companies were impacted - even if they ran McAfee.

    5. Re:XP SP3 by Jazz-Masta · · Score: 2, Informative

      > You should also add to this the statistic of how many corporations use their own distribution server (middleman). Even if clients poll daily, the corporation as a whole may only deliver updates weekly or may stagger updates to ensure they are tested in the wild before pushing them out to corporate clients.

      Not only this, but many Administrators manually review virus' before they are cleaned. I have caught a few false positives by doing manual checks.

    6. Re:XP SP3 by The+MAZZTer · · Score: 1

      At my work we run XPSP3 and McAfee, had no problems here.

      @WithinRafael on Twitter (from www.withinwindows.com) was trying to reproduce it and had problems, I think he recently succeeded but hasn't provided details yet.

    7. Re:XP SP3 by poetmatt · · Score: 1

      yeah, the media spin is strong with mcafee.

      Reality? It affected everyone who has automatic updates on mcafee for enterprise, which roughly translates to a large majority of enterprise customers. Usually from a security perspective it's seen as bad form to not have updates available as soon as possible.

      It also shows that mcafee's quality control is nothing short of crap. It's known that viruses do rename as svchost sometimes, but clearly they didn't test the heuristics here.

    8. Re:XP SP3 by EvilBudMan · · Score: 1

      I would guess there are more than that because of previous licensing. Luckily their licensing ran out on us and we switched to Norton since McAfee hasn't really done much since 2003. Their enterprise stuff has really sucked for a while now but we had to wait to get out of the deal with them because of "you know" the economy.

    9. Re:XP SP3 by swb · · Score: 1

      > None of them wanted to deploy SP 3. It was flabbergasting to me, but they just didn't want to do it.

      Some fucktard in a suit gets told that they don't care about problems caused by not running SP3, running SP3 requires a bunch of money to get spent and if he spends it he doesn't get a new BMW 7 series this year.

      Really, so many of these decisions have nothing to do with rationality. At some high level it comes down to some guy in a suit angling for a new car, a new house or some other luxury/status symbol.

    10. Re:XP SP3 by Anonymous Coward · · Score: 0

      It knocked out roughly 3500 of Suncor's North American Desktop computers. They have 2000 fixed as of this morning and there are still enough computers knocked out to impact daily work.

    11. Re:XP SP3 by proxima · · Score: 1

      > I thought this affected anyone running XP SP3, which I expect would be a majority of enterprise desktops, not less than half of one percent.

      You had to be running versions 8.7 or 8.9 it seems to be affected. 8.0 or 8.5 did not exhibit this problem, even if the virus definitions were updated to 5958.

      It wouldn't surprise me if the enterprise rollouts of McAfee often used 8.5 (released in Nov 2006) rather than 8.7 (released in Sep 2008) or newer.

      --
      "The universe seems neither benign nor hostile, merely indifferent." --Carl Sagan
    12. Re:XP SP3 by Anonymous Coward · · Score: 0

      It only affected you if you were set to autoupdate right when the new DAT was released. No major threat announcements = set autoupdate a few hours behind release from McAfee; risk/benefit and others beta test the new DAT...

    13. Re:XP SP3 by coniferous · · Score: 1

      I really wouldn't trust Norton any more than McAfee.

      Honestly - I don't know what the right answer for a corporate entity is... There is just something really scummy about both companies that I don't like.

    14. Re:XP SP3 by coniferous · · Score: 1

      He tried to reproduce it and had problems? The summary of the problem made it seem like all svchost.exe's would get deleted no matter what.

      I wonder what sort of specific conditions had to be met? Not that I like coming to the defense of McAfee... But has this been overblown?

    15. Re:XP SP3 by Enderandrew · · Score: 2, Informative

      Microsoft Forefront is what I'd suggest.

      --
      http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
    16. Re:XP SP3 by __aamnbm3774 · · Score: 1

      Trend Micro has performed well for us.
      Kaspersky is *supposed* to be the up-and-comer, but we've had our share of issues with it.

      But none of them are immune from a rushed update.

    17. Re:XP SP3 by coniferous · · Score: 2

      I really like MS Security essentials... I hate to say it.. but I actually do trust Microsoft much more than McAfee and Symantec. I would try this out in a heartbeat.

    18. Re:XP SP3 by Col.+Klink+(retired) · · Score: 1

      Presumably at least a few enterprise customers have enough brains to internally test updates before rolling them out. I expect McAfee doesn't consider those customers "affected".

      --

      -- Don't Tase me, bro!

    19. Re:XP SP3 by Piranhaa · · Score: 1

      Everyone that received the patch running XP SP3, yes. However, where I work, they download the patches in the morning and deploy them later on in the evening. So yes, there is a window of attack there, but it saved us from having to go through every SP3 machine and copying the deleted OS file. Basically, everyone else that gets the patches instantly are 'our' guinea pigs.

    20. Re:XP SP3 by MadKeithV · · Score: 1

      That 'tard in a suit just got proven right by McAfee for not upgrading to SP3. Coincidence, yes. Fun, no.

    21. Re:XP SP3 by Anonymous Coward · · Score: 0

      My father is a "Home" customer and was bit by this, so I suspect the numbers are FAR larger. Jacked his PC up nicely, including trashing any internet access.

      He lives in the boonies where houses are about 1/2 mile apart. He's having to, hopefully, burn a CD with the fix on it by going to his local PC tech shop 20 miles away. The instructions McAfee provides for users without a working internet connection do not work for him, as they reference %systemroot%\system32\dllcache which does not exist on his box.

      Yay for PC tech calls from relatives.

    22. Re:XP SP3 by travisco_nabisco · · Score: 2, Informative

      I will second TrendMicro. We have a small organization (50 computers + servers) and have had no problems with TrendMicro's security suite.

    23. Re:XP SP3 by Jazz-Masta · · Score: 2, Funny

      > The plural of virus is viruses. Also, there's no reason to capitalize administrators here.

      I know, I should proof-read more often.

      Oh well, we all make mistakes - some larger than others (McAfee).

    24. Re:XP SP3 by thsths · · Score: 1

      > Honestly - I don't know what the right answer for a corporate entity is...

      Sophos is another good choice. But really any choice is better than Norton or McAfee. Avoid these at all costs.

    25. Re:XP SP3 by Spazztastic · · Score: 1

      > He tried to reproduce it and had problems? The summary of the problem made it seem like all svchost.exe's would get deleted no matter what.
      >
      > I wonder what sort of specific conditions had to be met? Not that I like coming to the defense of McAfee... But has this been overblown?

      We were hit by this but I called the guy who manages the AV server and told him to halt any updates and roll back to 5957. Only about 15 systems were hit with it, but none of them had SVCHOST deleted. I was able to isolate one and it was fine since we didn't have the "scan process" enabled. Here is an e-mail I sent to my department:

      1. It was on 5958, but everything was running fine.
      2. Since I knew there was a fix, I ran an on-demand scan.
      3. McAfee picked up SVCHOST.EXE as a virus, and it tried to delete it but the clean failed.
      4. Since the clean failed, all I had to do was manually run SVCHOST.EXE from the command line, force an update by right-clicking on the McAfee icon in the systray, and reboot. I ran another memory scan and there were no red flags.

      And for this:

      > I wonder what sort of specific conditions had to be met? Not that I like coming to the defense of McAfee... But has this been overblown?

      Specific conditions had to be met, but they were broad. The following were necessary:
      - Windows XP SP3
      - Real-time Scanning Enabled
      - Definitions version 5958

      The real time scanning pretty much does nothing but crawl the drive and inspect the processes regularly, so it would have eventually caught SVCHOST.EXE, killed it, and bricked your machine until you had a chance to apply the manual fix.

      Overblown? No. Clusterfuck? Yes. It could have been a LOT worse.

      --
      Posts not to be taken literally. Almost everything is sarcasm.
    26. Re:XP SP3 by Spazztastic · · Score: 1

      To rephrase, "a LOT worse for us." A buddy of mine had to get their entire IT department to go around by hand and fix every computer by hand.

      --
      Posts not to be taken literally. Almost everything is sarcasm.
    27. Re:XP SP3 by oldspewey · · Score: 2, Interesting

      I suspect that after this event, lots of enterprise customers will adopt the stance you propose ... either that or they'll abandon McAfee altogether.

      The company I work for got hit by this. My personal machine was spared (not running XPSP3), but many, many of my colleagues were down for an entire day or longer while this was getting figured out and cleaned up. A quick back-of-the-envelope calculation for lost productivity at my company alone would easily climb into 7 digits ... possibly even 8 digits. Now multiply that by the number of corporate customers that got hit.

      --
      If libertarians are so opposed to effective government, why don't they all move to Somalia?
    28. Re:XP SP3 by shutdown+-p+now · · Score: 1

      It also affected W2K3 servers.

    29. Re:XP SP3 by Richy_T · · Score: 1

      To be fair though, we did have an issue a few years ago where a Trend update caused every workstation on our network to grind to a halt with 100% CPU usage. Not a fun day for anyone.

    30. Re:XP SP3 by DarkSabreLord · · Score: 1

      I have heard mixed things about the security about Kaspersky. Been running it myself without any problems, but I have friends in IT who are SysAdmins who say they can't trust it because of how it might be handling customer data (Sorry, no real citations here)

    31. Re:XP SP3 by EvilBudMan · · Score: 1

      Well you are right, but right now at this moment, that's the answer. It's not perfect but it uses much less resources than McAfee does.

      Maybe AVG or Kaspersky might be technically better, but buying virus software from the same countries that produce most of the best viruii is not my idea of someone you can trust.

      And Microsoft stuff just doesn't catch as much IMO. Trend Micro might have been the one I would have got but it wasn't on a short list between AVG, Norton, and McAfee. That's the choices that I had.

    32. Re:XP SP3 by hawguy · · Score: 1

      Does any enterprise really test Virus updates before they are pushed out? I work in a relatively small shop (less than 1000 desktops), and we have about a dozen "mission critical" desktop applications that would impact business if any went down. Things like AP, HR, and other applications related to business.

      Not to mention that even though we've tried to standardize our hardware platform, we have almost a half dozen hardware configs that we support -- all would need to be tested to make sure a bad AV update doesn't kill some hardware dependent driver.

      While we do serious QA across all applications before rolling out most software patches, I just can't believe that management would agree to let us triple the size of our QA team so we can thoroughly test daily anti-virus updates.

      Do any companies do this?

    33. Re:XP SP3 by SalaSSin · · Score: 1

      Same here.

      I'm actually the person in charge of our security, and, as we take security quite seriously, the auto-update is set hourly (which is btw the default). McAfee let the faulty DAT 4 hours (!) online, ...

      I got it offline about 20 minutes after the first machine "hit the ground", but by then 95% of my machines had the update (550 machines over the whole of our country).

      With the IT team we figured out a solution about 2 hours after it hit, even before McAfee came with a solution (which, at that time, wasn't even working...) and we had everything cleared up in 7 hours time, but I can tell you, those were hell...

      Luckily, the whole IT team is on Windows 7, for testing purposes, so we were able to continue to work and coordinate the "rescue mission".

      I don't even want to imagine what the damage would have been if it also affected 2008 machines, which meant all our servers...

      --
      Any sufficiently advanced incompetence is indistinguishable from malice - Grey's Law
    34. Re:XP SP3 by sasha328 · · Score: 1

      I run XP SP3 in my corporate environment, and also run McAfee. We were not affected! It must be a special set of circumstances that caused the agent to go berserk.
      I haven't heard from our international offices if anyone's been affected.

    35. Re:XP SP3 by dangitman · · Score: 1

      > My company is just finishing a migration to Vista,

      Now that's the funniest thing I've read all week.

      --
      ... and then they built the supercollider.
    36. Re:XP SP3 by Crimsonjade · · Score: 1

      You don't need to personally QA them. We just delay them for a specific time period and let the world test for us. We were not affected by this issue at all because we saw the announcement and blocked the update from going out.

    37. Re:XP SP3 by Rophuine · · Score: 1

      If you're really in charge of security, I'd like to make a suggestion. Rely less on insta-virus-updates and focus more on testing and multi-layer security. If you have instant updates turned on for ANY system, it's a single point of failure for both security and IT. You should be able to weather being a little behind the cutting edge by having several layers of defense.

      I was primarily in a developer role, but had security responsibilities for a MasterCard provider who was subject to horrible security requirements and audits. If we deployed ANY vendor update, be it an Oracle database patch or an AV signature, without testing, we would fail an audit, and for good reason. This isn't the first time a bad AV signature has made systems bomb, and it definitely won't be the last.

    38. Re:XP SP3 by Rophuine · · Score: 1

      I was around for this, except it only caused our test machine to grind to a halt. There's a lesson there.

    39. Re:XP SP3 by Rophuine · · Score: 1

      Wot, companies are s'posed to, y'know, focus on making Microsoft happy (or their IT teams happy) instead of earning god-damned money? What a stupid idea. They're looking at life-cycles and returns on investment, and if Microsoft can't get it right, they're not paying enough attention.

    40. Re:XP SP3 by Rophuine · · Score: 1

      I guess they're really regretting not putting some budget towards the "Testing vendor updates" line item.

    41. Re:XP SP3 by Rophuine · · Score: 1

      I worked for a company with about 60 desktops, and we tested all vendor patches, including AV, before pushing them out. Try this:

      When you buy a new hardware batch, flick one to admin. They usually have the shittiest, oldest machines anyway, and they're also pretty good at organising stuff for you, so it's nice to have them on side. They're also the cheapest people to impact with desktop downtime. They're your new QA department. They get updates first, and if they don't bomb, it gets rolled out to everyone else. Because they get one from each hardware batch, you test on every hardware set by default before pushing out to your hundreds-of-dollars-per-hour engineering/finance/whatever staff.

      If you have trouble getting budget for an extra desktop PC now and then, ask them how much it cost to lose 1000 desktops for a day or so.

      Also, up-to-the-second anti-virus isn't necessary if your security program is slightly above the useless level. There are at least three security barriers I can think of which help keep viruses out of your network, and to have all of them let something through is just one of those business risks. When was the last time an actual virus incursion took down as many PCs as this did in badly affected organisations?

    42. Re:XP SP3 by SalaSSin · · Score: 1

      True,

      that's where I'd like it to go, but, as in, I imagine, almost every big company, changes come slow, and after a lot of lobbying...

      --
      Any sufficiently advanced incompetence is indistinguishable from malice - Grey's Law
    43. Re:XP SP3 by Rophuine · · Score: 1

      Spend some time working out how much this cost, and then show them how cheap it would be to avoid. A cost-effective way is to have juniors or admin staff crash-dummy the updates, and it doesn't cost too much in lost productivity if their machines bomb. Roll updates out to everyone else a day or so later.

      You can get a good hardware spread by sending one machine from each new batch into the testing pool.
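
The canary-pool rollout described in the comments above (one machine from each hardware batch gets the update first, everyone else a day or so later), as an added example that is not code from any commenter or from McAfee's tooling. Host names, roles, the downtime-cost ranking, the heartbeat format and both thresholds are assumptions; 5957 and 5958 are the DAT versions named in the thread.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: relative cost of a day of desktop downtime per role (lower = cheaper).
ROLE_DOWNTIME_COST = {"admin": 1, "junior": 1, "finance": 5, "engineering": 5}


@dataclass(frozen=True)
class Host:
    name: str
    hardware_batch: str
    role: str


@dataclass(frozen=True)
class Heartbeat:
    host: str
    dat_version: int
    at: datetime
    healthy: bool  # agent's self-report: booted, network up, services running


def _cost(host):
    return ROLE_DOWNTIME_COST.get(host.role, 10)


def pick_canaries(fleet):
    """Pick one canary per hardware batch: the host that is cheapest to lose."""
    canaries = {}
    for host in sorted(fleet, key=lambda h: h.name):  # stable, repeatable choice
        current = canaries.get(host.hardware_batch)
        if current is None or _cost(host) < _cost(current):
            canaries[host.hardware_batch] = host
    return canaries


def rollout_decision(dat_version, now, canaries, heartbeats,
                     soak=timedelta(hours=24), max_silence=timedelta(hours=2)):
    """Return ("release" | "hold" | "block", reason) for the wider fleet."""
    holds = []
    for batch, host in sorted(canaries.items()):
        beats = sorted(
            (b for b in heartbeats
             if b.host == host.name and b.dat_version == dat_version and b.at <= now),
            key=lambda b: b.at,
        )
        if not beats:
            holds.append(f"{host.name} ({batch}) has not applied {dat_version}")
        elif any(not b.healthy for b in beats):
            return "block", f"{host.name} ({batch}) reported unhealthy on {dat_version}"
        elif now - beats[-1].at > max_silence:
            # A host that lost networking cannot report "unhealthy"; silence after
            # applying the update is treated as a failure, not as "no news".
            return "block", f"{host.name} ({batch}) went silent after applying {dat_version}"
        elif now - beats[0].at < soak:
            holds.append(f"{host.name} ({batch}) is still soaking on {dat_version}")
    if holds:
        return "hold", "; ".join(holds)
    return "release", f"all canaries healthy on {dat_version} for at least {soak}"


# Constructed sample data: hosts, times and reports are invented for the example.
T0 = datetime(2024, 1, 10, 8, 0)
T1 = T0 + timedelta(hours=26)
FLEET = [
    Host("adm-01", "batch-2008", "admin"),
    Host("eng-01", "batch-2008", "engineering"),
    Host("adm-02", "batch-2009", "admin"),
    Host("eng-02", "batch-2009", "engineering"),
    Host("fin-01", "batch-2009", "finance"),
]


def sample_heartbeats():
    beats = []
    for name in ("adm-01", "adm-02"):
        # 5957: both canaries report healthy every hour for 25 hours.
        beats += [Heartbeat(name, 5957, T0 + timedelta(hours=h), True) for h in range(26)]
    # 5958: adm-01 reports once right after applying, then never again.
    beats.append(Heartbeat("adm-01", 5958, T1, True))
    # 5958: adm-02 keeps reporting healthy every hour.
    beats += [Heartbeat("adm-02", 5958, T1 + timedelta(hours=h), True) for h in range(4)]
    return beats


if __name__ == "__main__":
    canaries = pick_canaries(FLEET)
    beats = sample_heartbeats()
    print({batch: host.name for batch, host in canaries.items()})
    print(rollout_decision(5957, T0 + timedelta(hours=25), canaries, beats))
    print(rollout_decision(5958, T1 + timedelta(hours=1), canaries, beats))
    print(rollout_decision(5958, T1 + timedelta(hours=3), canaries, beats))
```

The third decision is the case the thread keeps returning to: a canary that stops reporting after taking the update blocks the rollout even though it never sent an unhealthy report.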

    44. Re:XP SP3 by Richy_T · · Score: 1

      Yes indeed. Though the lesson for who exactly depends on your point of view.

  2. Really? by ircmaxell · · Score: 2

    > ZDNet notes a supermarket giant in Australia that had to close down its stores as they were affected by the bug, causing a loss of thousands of dollars.

    A chain of supermarkets close down, and they only lose thousands of dollars? Really? I would expect that figure to be a lot higher than that for a single store... Think about all the fresh produce that'll go bad (that have daily deliveries). Think of the power usage (lights, refrigerators). And that's assuming that they aren't paying any of their employees while the store is closed. I'd imagine the loss would be on the order of tens of thousands of dollars per store. Not thousands of dollars across all of the stores...

    --
    If a man isn't willing to take some risk for his opinions, either his opinions are no good or he's no good
    1. Re:Really? by Anonymous Coward · · Score: 0

      Tens of thousands is still thousands... just more of 'em.

    2. Re:Really? by pinkj · · Score: 5, Funny

      Maybe Australia only has one big grocery store somewhere in the Outback. Kinda like what we have in Canada except it's a giant igloo in northern Toronto.

    3. Re:Really? by kiehlster · · Score: 1

      I would think the same, but it could be a discount supermarket with really low profit margins on dirt-cheap products from second-rate suppliers. We have a chain like that in our area where they leave out the produce until it gets moldy and then offer a replacement guarantee. So if your 5-day old fruit turns moldy on you, you can return it, but they don't have to toss out as much because people tend to use the fruit within a day or two of purchase. If this was a reputable supermarket, I could see shorter shelf-lives affecting them more, but for discount supermarkets with cheap computer systems they don't care and just leave the food out for an extra day.

    4. Re:Really? by eggoeater · · Score: 1

      Agreed. And that's just the immediate cost. When things like this happen, stores/businesses lose loyal customers to competitors and it takes months to recover.
      And what about the IT costs? I guarantee you, there is now an effort underway in all major businesses to (1) test new anti-virus patches before rolling them out, (2) re-review all anti-virus software being used, (3) developing and testing mitigation plans for another failure. All of this is VERY expensive.
      Here's another example: Airlines shut down because of a volcano. You think when the volcano stops that their business is going to go back to the previous levels? Nope. Even for something like airlines where people often don't have a choice, it will take quite some time to recover. 9/11 is another example of this; it took years for airlines to get back to pre-9/11 levels, although there were other economic factors that led to the decline in '01.

    5. Re:Really? by Cimexus · · Score: 2, Interesting

      Nah - this is Coles. That'd be one of the "big two" Australian grocery retailers, with thousands of stores nationwide. I expect that 'loss of thousands of dollars' was many, many thousands (either that or it only affected a very small number of stores for a very small time before getting fixed).

      Actually I used to work at Coles (it was my first job!). Our store was the smallest one in the state but still had revenue of ~$300,000 a day...

    6. Re:Really? by ducomputergeek · · Score: 1

      At least one of our customers was affected as they run our point of sale software on XP Pro SP3 and used McAfee as their anti-virus. That was the IT environment they chose, we told them we prefer OSX as our first choice/Linux as second choice, but they already had a previous POS solution deployed on Windows.

      They've requested price quotes on the OSX and Linux hardware solutions.

      --
      "The problem with socialism is eventually you run out of other people's money" - Thatcher.
    7. Re:Really? by mcrbids · · Score: 1

      That was my thought. "Thousands of dollars" seemed ridiculously low. I'd be highly surprised if it wasn't a loss of at least tens of millions of dollars?

      I wouldn't be surprised if this was the point where future historians mark McAfee's final demise? I really don't understand why anybody would use such a product so utterly poisoned with suckage. Remember when McAfee was good? Back, in the beautiful days before Norton took it over and turned it into a bloated whale of a product that somehow manages to miss obvious infections while simultaneously slowing down your system more than any virus ever would?

      I wonder if you could actually count the amount of CO2 released into the atmosphere due to increased system load on computers (slowly) running their product?

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
    8. Re:Really? by bami · · Score: 1

      At least one of your customers is retarded for allowing internet access to a Point of Sale machine, and if they didn't, why have antivirus? The POS network should be shielded from any external networks, either by VPN or hardwire.
      Point of Sale machines are for sales, not for browsing youtube for cat videos. It should be invisible to users that it is a Windows, Linux or OSX machine.

    9. Re:Really? by Rophuine · · Score: 1

      > I guarantee you, there is now an effort underway in all major businesses to (1) test new anti-virus patches before rolling them out ...

      Any business that would stand to lose big amounts of money by PCs going down should have already been doing this. Most of them were. I've worked for two companies with fewer than 60 employees that tested AV signatures before they went out. For Coles to not bother is beyond irresponsible.

    10. Re:Really? by Rophuine · · Score: 1

      Lots of Point of Sale machines rely on internet access for a wide variety of functions these days. We used to provide a popular Point of Sale value-add which required internet access, and provided lots of great business benefits. That said, viruses are usually picked up by users doing stupid things with web browsers, so PoS systems should be able to stand being a few days out of date with their AV.

  3. I'm still wondering ... by khasim · · Score: 4, Insightful

    ... why they didn't test the new dat file against Windows system files.

    Seriously, we pay them a LOT of money for their product licenses and they cannot even test against known system files?

    1. Re:I'm still wondering ... by Anonymous Coward · · Score: 1, Funny

      Maybe it was a "reminder" so we don't get complacent about license renewal?

      "Gee, that's a nice operating system ya got there..."

    2. Re:I'm still wondering ... by bstreiff · · Score: 1

      Not every XP SP3 machine was bitten. There were some XP SP3 machines here that were affected, but just as many that weren't.

      It's possible that they did test against XP SP3, and just got 'lucky'.

    3. Re:I'm still wondering ... by lennier1 · · Score: 1

      Knowing Windows and McAfee it wouldn't surprise me if some malware had patched that file and while McAfee doesn't trigger on the file's checksum the malware is left untouched as well. j/k

    4. Re:I'm still wondering ... by Bakkster · · Score: 1

      The machines which had not crashed were the machines that had not scanned svchost.exe yet. The problem still wouldn't have happened if they tested against svchost.

      --
      Write your representatives! Repeal the 2nd Law of Thermodynamics!
    5. Re:I'm still wondering ... by tokul · · Score: 1

      > ... why they didn't test the new dat file against Windows system files.
      >
      > Seriously, we pay them a LOT of money for their product licenses and they cannot even test against known system files?

      Which versions of system files. You don't pay enough to cover expenses of tracking and maintaining database of all good third party files.

    6. Re:I'm still wondering ... by eharvill · · Score: 2, Insightful

      Yup. Same in the organization I am currently working with. Out of 10s of thousands PCs potentially affected, only ~800 actually got nailed, fortunately none at their retail locations. I was one of the lucky ones. After we determined it was an AV issue I was up and running a few minutes later. Safe mode -> rename/delete the latest .dat files -> reboot. Mine didn't delete the svchost.exe like some others did for some reason. Sucks for the folks that aren't somewhat computer savvy and had to have someone walk them through the steps over the phone.

      --
      At night I drink myself to sleep and pretend I don't care that you're not here with me
    7. Re:I'm still wondering ... by Richy_T · · Score: 1

      Third party? This was *system* files. Yes, I would expect an AV company to be on top of those.

    8. Re:I'm still wondering ... by tokul · · Score: 1

      > Third party? This was *system* files. Yes, I would expect an AV company to be on top of those.

      Microsoft. It is not McAfee files. If Microsoft does not provide list of all standard files from all Windows variations (patches, localizations, etc), McAfee don't know which ones are good.

  4. I wonder by mr_da3m0n · · Score: 2, Interesting

    ...If McAfee has a clause in their EULA somewhere that limits their responsibility, and should that be the case, if it is legally enforceable.

    Maybe someone with access to said EULA could look it up?

    Microsoft once pushed their accountability as a selling point for the Windows Server platform against Linux, if I recall well -- however their maximum responsibility was something like 50$. I wonder what is McAfee's stance in this regard.

    1. Re:I wonder by ProdigyPuNk · · Score: 1, Informative

      Here's an online version of their EULA: http://home.mcafee.com/Root/AboutUs.aspx?id=eula

      Of course there's a limited liability clause:

      > Limitation of Liability
      >
      > UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY, WHETHER IN TORT, CONTRACT, OR OTHERWISE, SHALL MCAFEE, OR ITS AUTHORIZED PARTNERS OR SUPPLIERS BE LIABLE TO YOU OR TO ANY OTHER PERSON FOR LOSS OF PROFITS, LOSS OF GOODWILL, OR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, OR DAMAGES FOR NEGLIGENCE OF ANY CHARACTER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF GOODWILL, WORK STOPPAGE, LOSS OF DATA, COMPUTER FAILURE OR MALFUNCTION, OR FOR ANY OTHER DAMAGE OR LOSS. IN NO EVENT SHALL MCAFEE, OR ITS AUTHORIZED PARTNERS OR SUPPLIERS BE LIABLE FOR ANY DAMAGES IN EXCESS OF THE PRICE PAID FOR THE SOFTWARE, IF ANY, EVEN IF MCAFEE, OR ITS AUTHORIZED PARTNERS OR SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
      >
      > This limitation shall not apply to liability for death or personal injury to the extent that applicable law prohibits such limitation. Furthermore, some jurisdictions do not allow the exclusion or limitation of incidental or consequential damages, so this limitation and exclusion may not apply to you. Nothing contained in this Agreement limits McAfee's liability to you for McAfee's gross negligence or for the tort of fraud. McAfee is acting on behalf of its suppliers and Authorized Partners for the purpose of disclaiming, excluding and/or limiting obligations, warranties and liability as provided in this Agreement, but in no other respects and for no other purpose. The foregoing provisions shall be enforceable to the maximum extent permitted by applicable law.

      And under warranties:

      > Warranty Disclaimer. Except for the limited warranty set forth herein, THE SOFTWARE IS PROVIDED "AS IS" AND McAfee MAKES NO WARRANTY AS TO ITS USE OR PERFORMANCE. EXCEPT FOR ANY WARRANTY, CONDITION, REPRESENTATION OR TERM THE EXTENT TO WHICH CANNOT BE EXCLUDED OR LIMITED BY APPLICABLE LAW,

      (The warranty they give is basically just for defective install media).

      It's rather telling if you look at the selling points on their website, and then look at the EULA.... I understand that most places have EULA's like this now, but they aren't standing behind their product when it comes down to it one bit.

    2. Re:I wonder by The+Wooden+Badger · · Score: 1

      I think they would still have a case even with that EULA. A victory for McAfee in the courts would set an incredibly bad precedent.

      --
      Heroscape, it's like legos combined with anachronistic wargames.
    3. Re:I wonder by green1 · · Score: 1

      By the time you are dealing with large enterprise customers, you aren't dealing in EULAs anymore, you're dealing in negotiated contracts where the legal department of each company goes over each and every clause in the contract.
      I was talking with some of our IT folks as this unfolded (as my work machine was one of the ones affected); apparently, after we were bitten badly by a vendor bug a few years ago, we re-negotiated with most of our software vendors. Our contracts now include penalty clauses for this sort of thing. There's a good bet that this bug just cost McAfee several thousands (possibly many times more) of dollars on our contract alone.

      As for "a small percent": in our company the patch apparently affected approximately 11,000 computers out of approximately 30,000 total (many of whom were saved because the problem was noticed, and the patch blocked, before they could download it). I don't consider 33% to be a "small percent".

    4. Re:I wonder by Anonymous Coward · · Score: 0

      That isn't necessarily true. It's a terrible misconception that if something is written on paper and two people sign it, then a court will automatically enforce it. Justice is slightly more nuanced than that.

      Many portions of EULAs are actually unenforceable.

      Most courts will not enforce clauses of contracts that are offered in a non-negotiable "take it or leave it" manner if said clause is unconscionable.

      EULAs are definitely presented in a "take it or leave it" manner with no room for revision offered. And clauses that essentially boil down to "you submit to our will" or "we do whatever we want and you agree that we never face consequences for it" are certainly unconscionable.

      McAfee fucked up in a huge way here. One line of text in a EULA isn't going to protect them on this. They will be sued; and they will lose.

    5. Re:I wonder by Rophuine · · Score: 1

      That's because it would drive the price of their product up across the board if they accepted liability. Do you want to pay five hundred bucks a licence for AV? No? Nor does anyone else. Companies that will be hit hard by the AV bricking PCs should be testing updates or buying insurance. Companies that won't be affected so hard should be enjoying the cheap licence.

    6. Re:I wonder by Rophuine · · Score: 1

      11,000 machines down for what, on average three hours? What's the productivity of an employee? $100 an hour? 33,000 x $100/hr comes out to $3,300,000. Bet you guys wish you'd forked out a few extra hundred grand a year on testing vendor patches.

      If it only cost McAfee several thousands, or even several tens of thousands, or hey, even a million bucks... You would still have been better off spending some money QAing all your vendor patches.

    7. Re:I wonder by Rophuine · · Score: 1

      I doubt a court will consider that McAfee offered very much in the way of guarantees for $39.95pa. Or whatever it comes to. Value proposition is another consideration in court action. No court will hold any provider to ridiculous standards if the consideration was low.

    8. Re:I wonder by green1 · · Score: 1

      I'm not privy to the details of the contracts; however, it could easily be a penalty into the millions. My machine was down for two and a half hours; however, my loss of productivity was less than one hour (and many of our people were similar: work can still be done without computers. My job position has been around for over 100 years; I'm sure they didn't rely on a laptop for the first 70 or 80 of those.)

      The deals with the vendors shift the responsibility to them for QA; if they screw up, they pay. Keep in mind that in-house QA can miss things just as much as vendor QA can (and in fact, our in-house QA has a pretty poor track record!)

    9. Re:I wonder by Rophuine · · Score: 1

      If the penalty does run that high, it was a good trade-off to do penalty clauses instead of your own QA. Lots of job roles these days do grind to a halt, though: the company I work for at the moment grinds to a total halt without computers (we're doing weather modeling, and slide rules just don't cut it anymore).

  5. McAfee by rocket97 · · Score: 1

    I don't know which one anymore I dislike more, McAfee or Symantec. I stopped using both several years ago, I not run Avast Home on my gaming system at home.

    --
    "The two most abundant elements in the universe are hydrogen and stupidity." -Harlan Ellison
    1. Re:McAfee by Anonymous Coward · · Score: 5, Funny

      I, too, not run Avast Home. Me switch to MS Security Essentials.

    2. Re:McAfee by Anonymous Coward · · Score: 0

      Why not just use Microsoft Security Essentials? It's free for personal use, isn't nagware like AVG (dunno about Avast), and is probably as lightweight as you can get for a real-time scanner. When you're the company writing the low-level system APIs, you probably know how to use them in the most efficient way.

      Anything remotely fishy gets run in a disposable VM anyway.

    3. Re:McAfee by rocket97 · · Score: 1

      I not sleep last night. Tarzan sleepy.

      --
      "The two most abundant elements in the universe are hydrogen and stupidity." -Harlan Ellison
    4. Re:McAfee by Anonymous Coward · · Score: 0

      mse is pretty dope.

    5. Re:McAfee by miggyb · · Score: 1

      Why not just run Windows raw, without any protection? Especially if it's just a "gaming system," just run everything under a really limited user account and practice good judgement. Oh, and use noscript in firefox.

      --
      This signature serves no purpose other than to help you see which posts were made by me.
    6. Re:McAfee by durdur · · Score: 1

      >I don't know which one anymore I dislike more, McAfee or Symantec.

      I'm with you there. They are both practically malware themselves: intrusive, take excessive system resources, hard to remove ..

    7. Re:McAfee by indi0144 · · Score: 1

      How is that going to protect you against the random Conficker bot roaming in your ISP?

      About a month ago I reinstalled a Win XP with the SP2 OEM CD, offline. Installed the AV (Nod32) and got everything ready to connect the cable and rush for the updates. Bad luck: while Windows Update was doing the check, Nod advised me of an attack from a neighbor IP (that is, no browser launched, no crapware installed, vanilla SP2 and AV only). Unplug the cable, kill the PC and take the disk to another machine to scan it. Even if Nod32 (not updated by then) stopped the attack, Conficker managed to infect two system files and to add 1 registry entry.

      Lesson learned, now I nLite SP3 and all critical updates and start from there.

  6. Chile affected by Anonymous Coward · · Score: 0

    In Chile, this bug affected operations of the judiciary systems. They had to suspend hearings and other proceedings for the day.

  7. Delayed update by z4ns4stu · · Score: 1

    I would bet that the reason the affected numbers are so low is because a large number of corporations know to delay the application of patches for at least a day. This isn't the first time McAfee has done this, and it definitely won't be the last. It's the same concept with Microsoft/Apple/other OS patches. Every organization needs a patch strategy and the good ones include some kind of lab environment to make sure stuff isn't going to break before it's rolled out.

    --
    The whole moon and the entire sky are reflected in one dewdrop on the grass. - Dogen
  8. Only under certain conditions. by khasim · · Score: 1

    Well, one condition - that the v8.7 McAfee app scanned the svchost.exe file of a WinXPsp3 machine.

    Which could happen under three situations:

    1. You manually launched a scan.
    or
    2. A scheduled scan launched.
    or
    3. A setting in your policy said "scan processes on enable".

    1. Re:Only under certain conditions. by Enderandrew · · Score: 1

      In most enterprise environments McAfee is going to have real time protection against running processes. Can you point me to an enterprise environment where this wouldn't be the case?

      --
      http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
    2. Re:Only under certain conditions. by Enderandrew · · Score: 1

      We're talking about McAfee running on Windows. Way to be off-topic and ignorant yourself.

      That isn't to say Unix and Linux boxes never run anti-virus protection. Some just run on mail servers to protect against virus attachments. But when you run anti-virus in a *nix environment, you often still run real time protection.

      --
      http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
    3. Re:Only under certain conditions. by Spazztastic · · Score: 0, Troll

      We're talking about McAfee running on Windows. Way to be off-topic and ignorant yourself.

      Not only that, but open source platforms aren't immune to their own fuckups. From just a little while ago: Clam AV screwup.

      --
      Posts not to be taken literally. Almost everything is sarcasm.
    4. Re:Only under certain conditions. by dissy · · Score: 1

      Your link does not support your claims, in fact it proves you wrong.

      ClamAV didn't fuckup anything, all those old clamscan engines shutting down was 100% the goal, and it 100% worked as planned.

      McAfee admits it was not on purpose and was a mistake.
      Of course if it WAS on purpose they would say the same thing, but I haven't seen any reasons to think it would be on purpose, as they have nothing to gain and everything to lose.

      To be fair, your troll mod should be flamebait instead, lacking a "-1 factually incorrect, but posted just to anger others" option

  9. My employer dodged a bullet on this one. by Nadaka · · Score: 1

    Everything here is windows xp sp3 with McAfee installed.

    Fortunately for us, all software updates are filtered through and managed by an internal server due to security restrictions on some of the work we do for the government.

    1. Re:My employer dodged a bullet on this one. by Mister+Whirly · · Score: 1

      all software updates are filtered through and managed by an internal server due to security restrictions on some of the work we do for the government.

      And this is a perfect example of why an internal server to distribute updates is a Good Thing(TM). Hey, the government got something right!

      --
      "But this one goes to 11!"
    2. Re:My employer dodged a bullet on this one. by chill · · Score: 1

      Hey, the government got something right!

      Whoa there, pardner! Before jumping to any wild conclusions, re-read what he said.

      ...on some of the work we do for the government.

      That most likely means contractor, not actual government employee.

      The gov't didn't do something right. The world is not going to end. Moped Jesus was not spotted on I-55 heading west.

      --
      Learning HOW to think is more important than learning WHAT to think.
    3. Re:My employer dodged a bullet on this one. by Mister+Whirly · · Score: 1

      Yes, but it is the government who put that stipulation in for the contractor. So I am still maintaining they did something right. Whether or not the contractor actually works for the government or is just contracted is irrelevant. The stipulation is there and is there because of the government.

      --
      "But this one goes to 11!"
  10. Necessary Evil by RayRuest · · Score: 2, Interesting

    It could only affect that few if the policies were set up to update infrequently (every few days or so). My policies are set to check for updates and push them frequently, so I got bitten. I have less than 100 desktops but am a 1 person shop. 4 hours of sneaker net repairs and corporate downtime. Thanks McAfee. There was at least 1 hospital in the area that had to resort to turning non-critical patients away. Don't these things get testing before release? These products are a necessary evil... they don't need to be more evil than the purpose they are attempting to provide.

  11. In the many millions of dollars... by mother_reincarnated · · Score: 1

    Heck I was at a small IT security trade event yesterday and like a quarter of the attendees had to cancel because they were dealing with the aftermath...

    McAfee had almost a 50% corporate AV market share, and nearly all of those companies still run many XP SP3 boxes. If 10% pulled the DAT before it was yanked, that's a metric buttload of machines...

  12. My estimate by Monkeedude1212 · · Score: 1

    Is that it would only take 1 oil and gas company who usually handles Million Dollar deals. Let's see.
    International Corporation... Let's say 3000+ Employees... let's say just half the company goes down. Rule of thumb is 1 IT guy for every 100 computers (but we all know that's in a perfect world).
    So, the simplest way to get out of downtime is to go into safe mode and disable the Antivirus, right? Let's say it takes on average 5 minutes to walk to each machine and perform the steps. 500 minutes, or 8.3 repeating hours.

    McAfee basically put you out of business for the day.

    1. Re:My estimate by poena.dare · · Score: 1

      Chances are this will put McAfee out of business for more than a day, so I guess it all balances out.

    2. Re:My estimate by Rophuine · · Score: 1

      Try again. Large company which handles Million Dollar deals and would lose lots of money if all their PCs went down... They have an IT budget, and their IT administrators, who they pay lots of money (collectively) to think of things like this, pull the update to their test environment, it bombs the machine, so they don't release it to production systems. Then they sit back and watch the IT losers of the world deploy it to production and lose lots of money.

      Really, the reason corporations are still running XP is because it costs lots of money to test upgrading their OS. Because, you know, they do testing before they release vendor patches. Like AV signatures.

  13. WHAT???? by FearKratos · · Score: 1

    People still use McAfee for support, that's laughable.

    1. Re:WHAT???? by FearKratos · · Score: 2, Funny

      Symantec is so much better.

    2. Re:WHAT???? by Anonymous Coward · · Score: 0

      Sure, if you don't love your RAM or processor. And have nothing against an AV scanner that's helpless against viruses, and whose tech-support team uses ComboFix instead of their own software.

  14. Impact Probably Much Higher by jonnyboy3us · · Score: 1

    I imagine this impact was much higher than they stated. One of the small operations I support on the side called a couple of days ago about this issue when it cropped up. The Windows XP computer would not even allow him to do a system restore, let alone use his computer. Luckily, we found out about the fix yesterday or it could have cost them a couple hundred dollars to fix. Along with the lost productivity time, this isn't a good thing for McAfee. While we use other solutions for our systems, this highlights how much testing needs to take place before a patch is deployed. It's amazing these types of 'issues' occur in today's world. Time for McAfee to step up QA.

  15. Testing before deploying? by adosch · · Score: 1

    I've read a few interviewed accounts where the story was much like this:

    We applied the updates, and rebooted, then I went on to kick off the others. When I went back to the first couple of servers, I noticed they had rebooted again... then I knew something was wrong.

    I know things can't be 100% perfect in an IT world, and yes, virus definitions can be touchy when sometimes zero-day shit can really cause havoc, but I, myself, have of test boxen on my network that I test all patches/updates/virus definitions on for *NIX and Windows boxen. It's not perfect, because to test and interrogate everything is impossible, but I don't apply things blindly. And yes, I've had a few fallout where the package/patch/update applied fine, but there was a bug in it that affected something. But at least you had some comforting notion that you prepared as best as you could. It just is mind numbing that 1) things still get deployed blindly at the enterprise level and 2) for the amount we all in an IT organization fork out for trust and support from these companies for services and big fallouts are happening.

    1. Re:Testing before deploying? by X0563511 · · Score: 3, Insightful

      I know assumptions are bad, but is it really that big a stretch to assume the vendor tests their updates on their supported platforms?

      It's not like these were weird corner-cases.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    2. Re:Testing before deploying? by alen · · Score: 1

      i've been using Winders since the mid 1990's along with AV software. I have never seen an issue where a definition update has caused something like this. i've seen plenty of times where you can't run an old version on a new OS or issues with games or some software. but letting something out like this into the wild just shows that there was no testing done just to make sure it's OK

    3. Re:Testing before deploying? by Anonymous Coward · · Score: 0

      what this tells everyone is that most businesses do not test updates on their own systems and just expect the vendor to do that work. Proof that a large number of Windows admins suck. Of course it could also be that their platform sucks and doesn't let them easily, and cheaply, maintain their own local update server.

    4. Re:Testing before deploying? by Anonymous Coward · · Score: 0

      I've actually seen this several times, although the previous instances weren't as severe.

    5. Re:Testing before deploying? by X0563511 · · Score: 1

      I'm not a windows administrator. I'm on the sidelines.

      So you can take your flawed logic and shove it right back up your ass, AC.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    6. Re:Testing before deploying? by Rophuine · · Score: 1

      It's not that big a stretch to assume they'll test. But if it's gonna cost you a bunch of money if it breaks, it behooves you to test. If it would cost more to test than you'd lose, don't bother.

      Maybe there's a market for insurance against this sort of thing?

  16. Yep. by khasim · · Score: 1

    In most enterprise environments McAfee is going to have real time protection against running processes.

    It is "real time protection" even if that setting is set to "off".

    McAfee's documentation specifically mentions turning it off because there is a high processor utilization bug still in it. Although you'd need to read the "read me" file that came with the patches.

    Other than that, unless you choose the highest security setting, it is off by default in a BRAND NEW VANILLA install. But not if you had upgraded from a previous version where it was set to "on" by default.

    This is 100% McAfee's fault on so many levels.

    1. Re:Yep. by thsths · · Score: 1

      > McAfee's documentation specifically mentions turning it off because there is a high processor utilization bug still in it. Although you'd need to read the "read me" file that came with the patches.

      And stupid me thought that high processor utilization is a "feature" of McAfee. Seriously, if it is a bug, why has it been there for years if not decades?

  17. AV on POS computer?? by wvmarle · · Score: 4, Insightful

    I feel sorry for that super market chain but: wtf is AV doing on a POS computer?

    POS should be a dedicated computer, running one and only one application (the POS software), on a thoroughly shielded LAN, talking to only a centralised server (or small network of servers if one is not enough) that collects the sales data and distributes prices etc. That server should itself be connected only to the POS network and a corporate LAN. In other words: no direct access out of the Internet, no web browsing, no local storage of any data files, no downloading, nothing that could have the most remote risk of a virus.

    Or am I missing something here?

    1. Re:AV on POS computer?? by Anonymous Coward · · Score: 0

      ... how naive....

      Many of these POS (piece of ...) devices are either 3rd party managed, or are connected via slow (dial-up) links to the central office.

      Many of them run Windows XP or before (some still running '98 "until it breaks"), so AV is a good idea on many of these machines...

    2. Re:AV on POS computer?? by ifrag · · Score: 3, Funny

      Or am I missing something here?

      That it was in Australia?

      --
      Fear is the mind killer.
    3. Re:AV on POS computer?? by SmallMonkeyPirate · · Score: 1

      The Co-Op, a huge grocery retail chain in the UK, uses XP based tills. I only noticed them because the customer facing part of them often displays Win errors :)

      http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=4000001958

      Also I know of a large Radiography company whose X-Ray machines all had Dell workstations running XP inside..now that's scary.

    4. Re:AV on POS computer?? by JaCKeL+1.0 · · Score: 1

      This comic explains AV on POS: http://xkcd.com/463/

    5. Re:AV on POS computer?? by Anonymous Coward · · Score: 0

      It's called a dream world, good luck achieving it. I would consider any windows based system not running Antivirus to be considered a red light district or petri dish just waiting to be infected.

    6. Re:AV on POS computer?? by Anonymous Coward · · Score: 4, Funny

      wtf is AV doing on a POS computer?

      This setup also seems somewhat redundant, since McAfee's AV itself is a POS.

    7. Re:AV on POS computer?? by EMG+at+MU · · Score: 2, Insightful

      I agree.
      However, when you have 200,000+ POS machines, management wants an AV.
      I hate McAfee, I hate using an AV instead of isolating a machine from removable media and the Internet. I hate spending money on AV when we could use it on something else. But when a franchise manager on the other side of the world lets one of his employees use the wifi or a printer or something, I'm glad there's an AV to protect my ass. Even though there shouldn't be a way the POS machines get a virus, the AV is kind of like car insurance: It protects you from accidents, costs too much money per year, someone else forced you to get it, and in the end when something shitty happens it kind of saves your ass.

    8. Re:AV on POS computer?? by Dragee · · Score: 1

      You're confusing "should be" vs. "real-world." Even if the actual POS machines are dumb terminals, they'd connect back to the server, which is probably Windows. Marketing Department and/or Customer demand says that more POS systems will be sold if Corporate can push out pricing updates to the servers and check inventory levels across the Internet, instead of having leased lines all over the place. And since there's Internet connectivity, you need Antivirus. The fact that POS machines aren't quarantined the way they should be isn't the worst of it. I walked up to my bank branch once, and the ATM was showing a WinXP BSOD.

      --
      dragée (n): a sugarcoated nut
    9. Re:AV on POS computer?? by Artifakt · · Score: 1

      Most small businesses that are service related have at least one Point Of Sale machine up front at their physical store, but the person operating it is also the person who makes appointments, so they just about have to be able to bring up a scheduler and appointment manager. A separate terminal for appointments is a serious cost, as would be keeping separate people to operate it, or training across skill sets (your cosmetologist or hair stylist or auto mechanic now needs to be trained to schedule appointments and take payments - and to log out or whatever every time they go back to what they think of as their main job - that's already likely to create an environment with much more serious security problems than having POS run other programs).
      When your auto mechanics make 25 an hour, the solution is to hire a receptionist at half that, but splitting that job to a clerk for payments and a 'customer service associate' for scheduling appointments just wiped out much of the savings you would normally get by keeping the more skilled workers on their primary jobs. Meanwhile customers are constantly going to the 'wrong' desk to try to do the 'wrong' task there (Yes, even if there's a big sign saying "Payments" hanging over one desk - many customers go to whichever one's closest, and they can't all be closest).
      I work for a large company, a Fortune 500 - the 'skilled professionals' usually float between multiple offices to handle appointments (one of my areas of specialization is taxation and planning on authors' often very irregular royalties, particularly as those of the deceased authors are being passed through LLCs set up for their heirs - you can imagine how that increases my normal operations range, but several of my co-workers have some area that they support, but for which the market is simply too spread out to draw all the customers into one location. I put up with the driving by scheduling several clients in the same area back to back, and because I often get free autographed copies as tips). Even for us, a secretary handling both appointments and payments on the same machine is common, especially where the physical layout of an office doesn't allow a separate entire room for a separate client manager to handle the appointment process. Plus, we have pros both constructing their billable hours statements and scheduling for themselves, to further link the processes.
      Since some of our pros are self scheduling at distant locations, our appointment manager actually runs as an Internet app! Of course, we have VPN, damned good encryption, and UNIX based systems between anything Windows and the net, but still, I can't see most small companies doing all those things, yet they may face the same sort of problems, and the others I have outlined above, and probably many more. Saying POS should always run on a dedicated machine by itself is saying that there has to be some other good solution to all these sorts of issues, and if you really have that, there are people who would gladly pay you at least 500 K a year to implement it.

      --
      Who is John Cabal?
    10. Re:AV on POS computer?? by Scyth3 · · Score: 2, Interesting

      Typically the POS desktops are talking directly to a server in the backroom. The server in the backroom is typically where a manager will check their emails (via Outlook), take training via a web site, etc. and it's also where the database for the POS client desktops is stored. Every night that small store server submits the data to a main server at the "home base". So, if the virus scan is on the server (typically is), and the machine goes down, then the business is effectively closed. It's not that the POS machines had a virus scanner on them, it's that the server does since it's used as a work machine for the manager as well. That's how one of the biggest auto part chains in the US operates. It wouldn't surprise me to see this elsewhere.

    11. Re:AV on POS computer?? by c · · Score: 1

      > Or am I missing something here?

      Slavish adherence to corporate IT policies which require AV software on any system which can run it?

      c.

      --
      Log in or piss off.
    12. Re:AV on POS computer?? by Trailer+Trash · · Score: 1

      You're missing nothing except one minor point: no POS system - or anything else in the chain - should be running Windows. This should be a non-issue. My advice to the Australian grocery chain is to fire whomever in the IT department thought this was a reasonable idea.

    13. Re:AV on POS computer?? by Locutus · · Score: 2, Insightful

      and why does a POS computer have an internet connection to get the updates? It reminds me of the story of how a bunch of trains had no signal systems because the computers controlling the railway signals were running Windows, connected to a LAN, and got infected with a virus and stopped operating the signals. I guess with admins, you get what you pay for and maybe those MCSE certs are worthless.

      LoB

      --
      "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
    14. Re:AV on POS computer?? by Anonymous Coward · · Score: 0

      Easy answer: VISA compliancy

      If you swipe credit cards on a POS terminal, you MUST have antivirus on it to be in compliance with rules from the credit card industry. It does not matter what OS.

      IF you don't have anti-virus, and then have a data-breach, your company is subject to massive fines.
      They aren't criminal fines, but you have to pay off VISA if you want to continue processing credit cards.

    15. Re:AV on POS computer?? by wvmarle · · Score: 1

      the AV is kind of like car insurance: It protects you from accidents

      Since when does insurance protect you from accidents? It only compensates you when an accident happened already. If you want to have a car analogy then you should compare AV with seat belts or air bags, that are prevention measures.

    16. Re:AV on POS computer?? by Anonymous Coward · · Score: 0

      Except in this case, something shitty happened and it was the direct cause of it.

      Or, to use your car (insurance) analogy, you buy car insurance for your car to cover problems, but because they updated your policy and did a typo, your insurance agent came to your house and took a sledgehammer to your engine.

      Hope you didn't have a hot date tonight [ed: this is Slashdot we're talking about].

    17. Re:AV on POS computer?? by ducomputergeek · · Score: 1

      It's required by PCI-DSS. Anything that is touching Credit Card data has to be running AV. Our e-commerce servers run on FreeBSD. Guess what, they're running ClamAV. Not because there are viruses for FreeBSD, but it's a PCI requirement.

      --
      "The problem with socialism is eventually you run out of other people's money" - Thatcher.
    18. Re:AV on POS computer?? by TavisJohn · · Score: 1

      I have to agree. I have a DVR computer that has had no AV or firewall software at all on it. Its only task is to record TV shows, and play them on my HDTV. It has had no AV or firewall software for 2 years.
      My router does have a firewall tho, to protect my whole lan from intrusions via the internet.

    19. Re:AV on POS computer?? by Bert64 · · Score: 1

      It is generally accepted practice that windows systems _require_ av; whether it does much good or not is highly debatable (I do a lot of incident response work - ie identifying the source of a breakin, and every system that I get to investigate has some kind of av installed slowing it down)... In fact, I have often had people complain about linux or mac systems without av installed. It's very hard to fight against "standard practices" even when those practices are blatantly flawed.

      Ideally such devices wouldn't be running windows at all.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    20. Re:AV on POS computer?? by eXFeLoN · · Score: 0

      Uh maybe the chain's servers went down, thus not being able to provide the POS terminals with information? maybe? you yourself said NO LOCAL STORAGE OF DATA FILES. where do you think the POS gets its "DATA" from? it doesn't all come from the UPC.

      --
      My other sig is a knife wound.
    21. Re:AV on POS computer?? by Anonymous Coward · · Score: 0

      The POS computers need to be on the internet because they need to connect to a licensing server. I'm not making this up.

    22. Re:AV on POS computer?? by gtbritishskull · · Score: 1

      Air bags and seat belts don't protect you from accidents either. But, I think they are a good analogy for AV software. You still have an accident and it still hurts, but you are less hurt and might survive because of it.

    23. Re:AV on POS computer?? by Anonymous Coward · · Score: 0

      Or am I missing something here?

      Yes,

      Some IT guy had when he quite reasonably thought "well this setup is pretty straightforward but one day someone might try to break into this and it's handling financial transactions. I don't want to be the guy who has to explain that it didn't even have anti-virus. Plus, it shouldn't hurt to put some on there."

      There have been stories on /. before about POS running over wireless (probably old, non-WPA2 wireless), and what if some disgruntled sales guy decides to try to load on some backdoor, somehow? You're looking at this without any knowledge of their system design and assuming that it's wrong, and with 20/20 hindsight.

    24. Re:AV on POS computer?? by FooHentai · · Score: 1

      Yeah you are. PoS systems are rarely able to be adequately physically secured, and located out in public areas, handling financial transactions, and operated by staff with minimal training and accountability. Not saying that AV is correct in this scenario, but you shouldn't pretend PoS is an environment that can be securely isolated, or that the network is the only vector for an attack.

    25. Re:AV on POS computer?? by wvmarle · · Score: 1

      Physical security: solid case, no USB/floppy/whatever. That should do the trick. Staff normally does not start meddling with hardware - if they start doing that, you will have bigger problems on your hands than just a virus risk.

    26. Re:AV on POS computer?? by Rophuine · · Score: 1

      Modern PoS software ties in to all sorts of third-party systems. Loyalty platforms are a good example. They're also really complicated.

      The real question is, why did a big chain release a vendor patch to a whole bunch of production systems without testing it?

    27. Re:AV on POS computer?? by Rophuine · · Score: 1

      You're living in the dark ages. Lots of modern PoS addons require internet access. Loyalty is a high-profile example at the moment.

    28. Re:AV on POS computer?? by Rophuine · · Score: 1

      Lots of modern PoS systems do all sorts of live processing. Loyalty. Marketing. They're all run by third-party systems, and they're often live. That's why the PoS computer has an internet connection.

    29. Re:AV on POS computer?? by Rophuine · · Score: 1

      Physical security: solid case, no USB/floppy/whatever. That should do the trick. Staff normally does not start meddling with hardware - if they start doing that, you will have bigger problems on your hands than just a virus risk.

      Yep. You've hired GEEKS. Employers should be screening for this stuff.

    30. Re:AV on POS computer?? by Locutus · · Score: 1

      pathetic and dumb IMO. if that really is the case, they should be on a private LAN connected to a server supplying that data and info, not every POS having their own live connection. dumb dumb dumb.

      LoB

      --
      "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
    31. Re:AV on POS computer?? by Rophuine · · Score: 1

      I guess you've never worked in this space. When there's one provider serving PoS machines across thousands of sites, with everything from single-register florists up to supermarket and fuel chains, you need a cost-effective way of connecting tons of different sites.

      Add to that the fact that a single PoS installation may be using live services from four or five different providers, and the best solution by far is to use the internet.

      Perhaps you should go spend five or six years working in retail payment software before you decide how dumb we all are.

    32. Re:AV on POS computer?? by Locutus · · Score: 1

      sounds like the easier solution for the vendor, probably not very good for securing the platform. "Cost effective" means pushing off upfront costs because security breaches are not tied to the original purchase and often not even considered in TCO numbers.

      And if security does not sell, ie having POS's on a private LAN with a gateway device between the POS LAN and the live services vendors, someone isn't trying to sell very hard. IMO.

      LoB

      --
      "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
    33. Re:AV on POS computer?? by Rophuine · · Score: 1

      I don't see what the problem is. The TJX data breach WAS on a private lan (albeit one someone had plugged a wireless router into). I can't think of any major PoS breaches which occurred over the internet. The simple fact is, there are easier ways to steal. Are you gonna come up with complicated exploits and try to crack encryption or steal keys, or are you just gonna get a minimum wage checkout job and shove a USB key into the boss's computer?

      Anyway, as the service vendor, we're not interested in fixing the security problems of our clients. We're interested in providing a secure service. We expect our clients to secure their PoS machines, using firewalls and by buying actually secure PoS systems, but we can't force them. MasterCard takes care of that for us, and we're not going to convince them we know better than MasterCard.

      My point is that they need an internet connection.

    34. Re:AV on POS computer?? by Locutus · · Score: 1

      it would be silly to think that all private LANs are 100% safe so pulling TJX out of the air is a worthless counter point.

      the fact that every POS needs to be maintained to the highest level of security to keep each one from being taken offline or attacked should be a good enough reason to not require every POS have their own internet connection. You require your customers to go to great lengths and if running Windows, almost impossible lengths to keep each and every POS machine running.

      And you know, getting onto a POS is a good way to collect a lot of credit cards if a keyboard shim or I/O shim could be installed. That is all those devices do so I would not be too sure about what is a target and what is not.

      LoB

      --
      "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
    35. Re:AV on POS computer?? by Rophuine · · Score: 1

      I suppose the ultimate counter-point is that a PoS without an internet connection cannot deliver enough functionality to be attractive to a merchant to use. Merchants want to be able to opt in to new PoS value-added services for no cost (any more than "install the software and select some options" will never sell). PoS machines are usually on a LAN behind a NAT/firewall, like I said, so they're still behind some basic security; they still usually have full out-going 'net access.

      As well as that, PoS machines generally don't have access to payment details. The financial transaction will usually go through a separate payment device provided by the bank (that little terminal they swipe your card through), and the best sniffer on earth can't access data which just isn't there. These payment devices are, increasingly, connecting to the banks via the internet as well! The device is much better secured than the PoS PC would be, though, and the encryption uses a rolling-key approach which is much stronger than standard SSL. So you see, lots and lots of attention has already been paid to a sensible multi-layered security model which includes internet access.

      The problem with TJX was that several layers failed: the private LAN they were using wasn't really private; the PoS systems were also processing the payments (some other larger retailers still do this, but it isn't the prevalent model); the payment system in use was nowhere near PCI compliant. Breaches don't happen simply because PoS systems have internet connections: they happen because a range of different levels of security fail. "No internet access" would add a layer of protection much weaker than most of the existing layers, while being a major impediment to functionality.

      Which is why PoS systems have, and will continue to have, internet connections.

  18. Which is more harmful? by goffster · · Score: 4, Funny

    McAfee or being part of a botnet?

    1. Re:Which is more harmful? by Anonymous Coward · · Score: 0

      What is more likely in most instances? If you are running a fairly well managed Firewall and IPS, then I would say that McAfee is more likely...
      So it becomes a cost-benefit.
      Delaying the AV signatures by ~10 hours would be a good balance, but if everyone did that, it would be useless...

      I'm not sure what the right answer is... but I would factor likelihood into the equation..

    2. Re:Which is more harmful? by JaCKeL+1.0 · · Score: 1

      I think by definition, McAfee and other AV are not very far from a Botnet. Hackers could find a way to exploit their update systems and put down MILLIONS of machines.

    3. Re:Which is more harmful? by TheVelvetFlamebait · · Score: 1

      What, no Cowboy Neal option?

      --
      You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
    4. Re:Which is more harmful? by nlinecomputers · · Score: 1

      All your svchost belong to us.

      --
      Slashdot, home of supporters of free software, free music, and free speech. Except for Moderators that disagree with you.
    5. Re:Which is more harmful? by Monkeedude1212 · · Score: 1

      Depends, do you host scientology websites?

  19. Getting real about things here by onyxruby · · Score: 4, Interesting

    First, McAfee blew this big time, that such a bug made it to production shows a complete breakdown in their internal processes. XP with SP3 is the number one OS combination in enterprise environments, and should have been the first thing that they tested on. Without doubt McAfee has liability on this and needs to get aggressive about damage control with clients.

    That being said, every one of these clients that was hit by this is just as guilty as McAfee is! They are in no better shape and those responsible need to be going management review for their failure. Enterprise Management 101 - nothing goes into production that has not been tested in a lab for pre-pilot and a small group of production computers for pilot! This is as basic as enterprise management gets. Every single environment that was taken down by this shows professional incompetence by their requisite IT departments.

    The only question is if it is the fault of management for failing to allow the budget and support needed for a lab for testing or if it is the fault of the IT staffer who never tested things as they should. This is without doubt one of the most public examples of IT incompetence to make the news in years. This is a case of sheer and utter incompetence by every affected party and no pity should be given. If pity were to be given, give it to the poor desktop techs that have to go around making apologies and manual fixes for everything.

    1. Re:Getting real about things here by Anonymous Coward · · Score: 0

      I would kill to mod you up.

      how somebody deploys something into a mass production environment without even testing it on a few virtual machines, is beyond me!

      I'd love to claim that "I had deployed the update in a controlled environment and watched it kill things, thus deciding to not deploy"

      but I've never even met an admin that seriously uses McAfee in a production environment. that's like deploying a d-link 8 port switch to "add ports" to the 3550.

    2. Re:Getting real about things here by Anonymous Coward · · Score: 1, Informative

      How is this also the IT department's fault? This bug was in a virus definition file (DAT file) not an application update. Do you expect offline lab testing of every single virus definition file that is released? Do you realize that there is a new definition file released at least once a day and sometimes up to 3 per day? If you have the time to test each one in a lab great. But whose fault is it when while you are "testing" in the lab a new worm spreads through your corporate network?

      We use McAfee in our environment (6000 PC's) and were not affected due to running version 8.5 of the software, apparently only 8.7 clients had the issue. Just to recap the bad DAT file was released 4/21 at 6 AM PST, in our environment we look for and pickup DAT files every hour and update the clients automatically on a staggered schedule. By the time we were made aware of the issue via an email from our McAfee rep. (4/21 9AM) 2500 of our PC's already had the bad dat file, if we would have been impacted by the bug we would have been screwed.

      I do agree that McAfee has quite a bit of explaining to do and also will need to provide some type of compensation for companies that were impacted by their screw-up.

    3. Re:Getting real about things here by onyxruby · · Score: 4, Informative

      As a matter of fact I do expect that. I have designed and set up processes for patch management, software distribution and similar testing for large enterprise environments for years. I have done so everywhere from very large financial institutions to health-care and government. The fact that you need to test daily does not change any principle of what I have said. For any enterprise not to have a dedicated lab to do exactly this kind of testing, or even worse, not to use it is sheer and utter incompetence.

      In no case should an automated update for an environment ever be released into production without testing. Even Microsoft gets this point and allows you to disable automatic patching to ensure that proper testing can be conducted. I'm not trying to sound harsh, but in all seriousness if you can't learn why testing /every/ production change is necessary from this debacle, then you do not belong in enterprise management. It really is that simple.

    4. Re:Getting real about things here by Anonymous Coward · · Score: 0

      I agree. While the anti-virus software should have been tested better before it was pushed to customers, the IT departments should have tested the deployment on a test machine before rolling out the update. Granted, that doesn't help really small shops or home users, but medium and large IT groups should have seen this coming.

    5. Re:Getting real about things here by idjohnston · · Score: 1

      Up until this week, I was actually wondering why in the hell we hadn't upgraded to SP3, now I'm extremely glad we're not. All of our McAfee just went to 8.7i a week ago, this would have been an insane hit on us. Especially since the one member of our IT Security team is on vacation! I wouldn't have been surprised if he had turned on auto-updates before he left since he wouldn't be around to lab test them.

    6. Re:Getting real about things here by Kimen · · Score: 1

      You would only be correct for the clients where they are a large enough organization to justify their own testing and deployment infrastructure. However, I suspect a very large number of customers are small enough that they just let the software update itself on a routine schedule and do not have the resources to build a complete IT test and deploy infrastructure. In that regard, the smaller McAfee clients had no responsibility for the failure at all.

    7. Re:Getting real about things here by MadKeithV · · Score: 1

      The cost of a rare black swan event like this one can be dwarfed by the cost of having a separate lab to test daily updates and a good system to deploy them. Sometimes you just have to think of the bottom line.
      It also depends on the definition of "production". Mission-critical (and possibly life-critical) stuff, yes. That should be locked down like nobody's business anyway. Mass homogeneous systems, also probably yes, since if something gets in, it'll probably take everything with it. Large heterogeneous systems: it's just going to cost you more to test than to fix an occasional debacle.

    8. Re:Getting real about things here by Anonymous Coward · · Score: 0

      The fact that you need to test daily does not change any principle of what I have said. For any enterprise not to have a dedicated lab to do exactly this kind of testing, or even worse, not to use it is sheer and utter incompetence.

      I'm not trying to sound harsh, but in all seriousness if you can't learn why testing /every/ production change is necessary from this debacle, then you do not belong in enterprise management. It really is that simple.

      It's not that simple really. Are you testing every update and AV DAT released in your environment? Are you doing code audits of every update to every one of your applications to ensure security and compatibility? When testing applications after patches do you test each and every function of every application in your enterprise? I'm sorry but I just hate this idea of having to do QA for software companies. I've worked in IT for a while now, and most problems I've run into with software should have been caught in QA/Development.

      'testing' is not so black and white as you portray. And yes you can brag about spending truckloads of money testing everything in your enterprise, but if the cost of downtime is lower than the cost spent testing then you might be making the wrong business decision.

      It's about risk/reward and trying to judge that for your environment. In a car you probably don't drive the most expensive car on the face of the planet, nor do you drive a cardboard box, you probably pick something in between suited to your level of risk/reward.

      Not to mention what happens when a virus hits that you haven't fully tested yet.

    9. Re:Getting real about things here by Anonymous Coward · · Score: 0

      You must be working for one of those companies where viruses run amok because neither the Windows Updates nor Virus Updates get through to the users because they are all stuck in the testing lab.

      Except for servers and sensitive PC's you are talking absolute RUBBISH.

      Corporates that do that type of deployment process on their desktop PC are a) wasting their money b) exchanging a low probability risk for a high probability risk.

      Procedures on servers and sensitive PC's should be such that you cannot get a virus easily - e.g. separate network, limited or no file sharing, restriction of USB devices, no internet surfing etc. And on those machines - no automatic updates allowed - but low probability of virus attack.

      Desktop PC's however are connected to the internet, flash-disks are plugged in and removed and users do things users do (e-mailing the nice picture of the cat that just requires you to run an exe embedded in a Word document). You must have zero-day protection on those machines and therefore have automatic updates. The chances of Trojans running amok is FAR GREATER than the anti-virus taking the entire company down at once.

      Of course what you describe looks good on paper, you can generate lots of documentation and keep people employed and "be the patch gateway". You can even get a title with the words "enterprise" , "risk" and "architect" in it and have lots of meetings where each Microsoft KB number and virus database version can be discussed using words that do not actually mean anything. And you can exercise your power over people that actually try to make a company work.

    10. Re:Getting real about things here by onyxruby · · Score: 1

      How much is your organization's downtime worth? When you have a computer go down, how much is the downtime for computer per hour? If that computer is in a factory your downtime could easily be in the tens of thousands of dollars per hour. How much is your downtime for a financial computer worth? How much money does your call center lose per hour for downtime? Perhaps you don't care about how much money your company loses for downtime, but you might care about the workers who can no longer perform their job and get sent home early without pay?

      I was a system admin for a fortune 50 company when the original Nimda virus struck. It took down one of the largest networks in the world and shut down operations on six continents. The cost of 48 hours of downtime to bring everything back up was internally estimated at over $100 million dollars. You don't need to be a fortune 50 company for the same principle to apply though. All you have to do is compare the cost of a lab against the cost of downtime. In most environments the cost of a lab is dwarfed by the cost of downtime within a few hours.

      Until you can answer the downtime for a given computer (or an enterprise of computers), you have no business judging that the cost of a lab is too much money. You lose power to a factory it shuts down one piece of your organization. You screw up with all your desktops and you shut down the entire enterprise. Do the math at your organization, tell me how much a lab and support costs would cost and then come back and tell me that a lab and testing aren't needed.

    11. Re:Getting real about things here by curare19 · · Score: 1

      Antivirus companies release between one and 250 (yes, really) pattern updates per day. The majority release far more than one.

      When a pattern update is released, the worm or virus detected has already been in the wild for several days. Our AV company takes at least 24 hours to issue an official pattern for the viruses I've found in the wild. So there is literally no time to spare in getting out detection for viruses. By the time it comes out, we're already in the danger zone.

      Can you please explain how an average sysadmin would test, approve, and implement dozens of pattern updates across multiple platforms on a daily (including weekends/holidays) basis without significantly delaying detection across production (thus potentially compromising corporate security with a worm, which will almost certainly cause downtime and data theft)? Also, can you explain how this sysadmin would time- and cost-justify it to management, especially considering that a worm getting into your system while you're in the process of testing would do at least as much damage as the McAfee snafu?

      I'm not trying to be snarky, I'm just puzzled how the IT staffs would be considered incompetent for not testing each pattern file under the conditions I stated above.

      The entire system of antiviral detection by using patterns is completely inadequate. Even the AV companies admit it, but I'm hoping this incident will spur them to put some investment into approaching virus detection via another method.

    12. Re:Getting real about things here by onyxruby · · Score: 1

      You run things in batches and you test against common builds. Most organizations have no need for more than a dozen common builds, even multinationals may only need 20. Every common build gets represented with a VM in the lab. Here's an example for a 15k manufacturing company that I helped set up their lab a few years back:

      Engineer systems, Customer Service, Management, Accounting, Factory, Shipping, Developers, IT, HR, Legal and Office Workers. Each build had a certain set of software that was used by everyone that performed a given role (factory worker, engineer etc). Variances were required if someone needed software outside the common build, and granted as necessary. The idea is not to exclusively eliminate any possible risk, the idea is to mitigate the greatest amount of risk for a given reasonable work effort.

      Each build was reflected with a corresponding VM in the lab. Whenever production code would go out the code would be submitted to the lab for pre-pilot testing. The code would be distributed to each of the common builds. Lab staff had the role of restoring VM's and setting up for the next step. Whoever wanted to implement the code would submit the code, change request and review the results. In the event of a critical piece of software an owner / advocate for that software was identified.

      The change would be implemented in the lab and then undergo review by those with sign off authority. Advocates for specialized software knew that they needed to remote in and verify that nothing was out of place. In the event of patches a junior level security personnel would track all patches and see what was cleared, and where things broke. Part of their job was to make the patch exclusions, follow up with the vendors and ensure that any vulnerability was tracked until the software publisher resolved the patch problem.

      None of this changes with anti-virus patching. You test updates each day by batch, once a day should be fine. Remember the idea is not check for every possible bad combination, the idea is to identify common, high visibility, financially or security sensitive scenarios and test against those. In the case of the McAfee debacle I take a hardline as even the most basic of testing would have discovered the error and prevented enterprise wide meltdowns. Look for your common use scenarios, insist on standard builds, do things in batches, identify owners and follow process. There is no reason you cannot test all production code and do so in a time expedient manner.
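
The per-build lab gate described in the comment above, sketched as an added example (not part of the original thread and not any vendor's tooling). The build names, file contents, update versions and the toy byte-pattern scanner are all constructed, and it assumes pattern updates are cumulative, so only the newest passing update in a day's batch needs to go out.

```python
"""Lab gate for AV pattern updates: one known-clean VM per common build."""
from dataclasses import dataclass, field

SVCHOST = r"C:\WINDOWS\system32\svchost.exe"

# Constructed stand-ins for lab VM snapshots (path -> file bytes).
# A real lab would restore one VM snapshot per common build instead.
COMMON_BUILDS = {
    "office-xp-sp2": {SVCHOST: b"svchost-sp2-image",
                      r"C:\apps\office.exe": b"office-suite"},
    "factory-xp-sp3": {SVCHOST: b"svchost-sp3-image",
                       r"C:\apps\hmi.exe": b"hmi-client"},
    "engineer-xp-sp3": {SVCHOST: b"svchost-sp3-image",
                        r"C:\apps\cad.exe": b"cad-package"},
}

# Files whose quarantine makes a machine unusable.
CRITICAL_PATHS = {SVCHOST}

# Harmless marker dropped on every lab VM to prove detection still works.
CANARY_PATH = r"C:\lab\canary-sample.bin"
CANARY_BYTES = b"LAB-CANARY-SAMPLE"


@dataclass
class PatternUpdate:
    version: str
    signatures: dict  # detection name -> byte pattern (toy matcher)


@dataclass
class BuildResult:
    build: str
    passed: bool
    reasons: list = field(default_factory=list)


def scan(files, update):
    """Toy scanner: map each file containing a pattern to its detection name."""
    hits = {}
    for path, data in files.items():
        for name, pattern in update.signatures.items():
            if pattern in data:
                hits[path] = name
                break
    return hits


def check_build(build, snapshot, update):
    """Apply one update to a copy of a clean build and judge the outcome."""
    files = dict(snapshot)  # never mutate the golden snapshot
    files[CANARY_PATH] = CANARY_BYTES
    hits = scan(files, update)
    reasons = []
    # The snapshot is known clean, so any hit besides the canary is a
    # false positive; hits on critical files are called out explicitly.
    for path in sorted(hits):
        if path == CANARY_PATH:
            continue
        kind = "critical file" if path in CRITICAL_PATHS else "file"
        reasons.append(f"false positive on {kind} {path} ({hits[path]})")
    if CANARY_PATH not in hits:
        reasons.append("canary sample not detected")
    return BuildResult(build, not reasons, reasons)


def gate(update, builds=COMMON_BUILDS):
    """Return ('promote' | 'hold', per-build results); fails closed."""
    results = [check_build(name, snap, update)
               for name, snap in sorted(builds.items())]
    ok = bool(results) and all(r.passed for r in results)
    return ("promote" if ok else "hold"), results


def select_release(batch, builds=COMMON_BUILDS):
    """From a day's batch (oldest first), pick the newest update that passes."""
    for update in reversed(batch):
        if gate(update, builds)[0] == "promote":
            return update.version
    return None


# Constructed updates: the second adds a pattern that happens to match the
# SP3 svchost image, the kind of false positive discussed in this thread.
GOOD_UPDATE = PatternUpdate("constructed-0001", {
    "Lab/Canary": b"LAB-CANARY",
    "Worm/Example": b"worm-payload",
})
BAD_UPDATE = PatternUpdate("constructed-0002", {
    **GOOD_UPDATE.signatures,
    "Worm/Example.b": b"svchost-sp3",
})

if __name__ == "__main__":
    for upd in (GOOD_UPDATE, BAD_UPDATE):
        decision, results = gate(upd)
        print(upd.version, decision)
        for r in results:
            for reason in r.reasons:
                print("  ", r.build, "-", reason)
    print("release:", select_release([GOOD_UPDATE, BAD_UPDATE]))
```

Only the two SP3 builds fail on the second update, which is why the gate runs every common build rather than a single lab machine.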

    13. Re:Getting real about things here by rcw-home · · Score: 1

      "A new antivirus update installed by my administrators. All the computers crash and burn. Now, should we have tested that? Take the number of tests, A, multiplied by the time it takes to do each test, B, multiplied by the tester's salary, C. A times B times C equals X. If X is more than the cost of the downtime, we don't test."

      "Is there a lot of this kind of downtime?"

      "You wouldn't believe."

      "Which company do you work for again?"

      "A major one."

    14. Re:Getting real about things here by Rophuine · · Score: 1

      ...if we would have been impacted by the bug we would have been screwed....

      This is your clue that you should be spending money QAing virus definitions. Everyone else does. Well, nearly everyone else. The rest end up on /..

    15. Re:Getting real about things here by Rophuine · · Score: 1

      Your point is correct, but it's rare to do the CBA and come out with "don't bother testing anything", at least for any moderately-sized business. Numbers like 1,000 PCs have been thrown around. Let's assume:

      200xAdmin machines - productivity $50/hr. 700xProfessional worker machines - productivity $200/hr. 100xInfrastructure machines - affects multiple users, cost of downtime $1,000/hr.

      The cost per hour of downtime is $10,000 + $140,000 + $100,000 = $250,000. For one hour. Imagine it takes half a day. You get to add in lost IT productivity, opportunity cost, and reputational loss as you fail to deliver to your clients. One incident can cost millions. A testing-in-production policy (where a few guinea pigs get all updates a day or so early) is incredibly cheap to run.

  20. Made quite a mess of some college networks, too. by ProdigyPuNk · · Score: 5, Interesting

    A buddy of mine is in IT at a college in the area. This affected almost all of their computers. Although it's harder to put a dollar figure on, the students and professors were NOT happy when all of the computer labs on campus went down, along with a "server" or two. Ever seen professors get mad? Now imagine you're an IT guy and the professors can't access their online grade books that you pushed them into using. I really think McAfee is going to have a big problem on its hands come contract renewal time. Pissed off IT people have long memories!

  21. I am sure they "forgot" to count third party AV. by JaCKeL+1.0 · · Score: 2, Interesting

    We use Sonicwall's security services, their anti-virus is a crippled version of McAfee business. And we've been hit hard: Machines were going down but WITHOUT any explanation or any warning messages (this version is silent to the user) and since svchost was killed, no chance of getting in the event monitor or using any tools, it took me a couple of hours to figure it was the AV. I am sure they "forgot" to add all those third party security solutions who rebrand McAfee solutions. What is making me mad is the way they try to play with "numbers" (a small percentage, half of a percent...) and the way they hide everything and to act like it didn't happen (go navigate on their website and try to find any information about this bug, they even closed their support form in the peak of the crisis). C'mon, if you screwed up, at least PLAY FAIR and be sorry, we might forgive you. Playing the ostrich game will make us angrier.

  22. Re:You morons are still using Windows? by X0563511 · · Score: 1

    This was hardly the fault of Windows.

    100% third-party problem, here... troll.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  23. Oblig. xkcd by wvmarle · · Score: 4, Insightful

    Quite apt, even though not POS: http://xkcd.com/463/.

  24. Huge impact where I work by Jon_Hanson · · Score: 1

    At a certain large semi-conductor manufacturer this false positive wreaked havoc. Most of our IT-supported laptops are running XP. Fortunately I figured out what was going on pretty quickly and knew how to fix it. Other people here weren't so lucky and it took the IT department at least half the day to figure out a solution. Most people were down the entire day.

    1. Re:Huge impact where I work by Anonymous Coward · · Score: 0

      Huge impact here, some locations had as many as 80% to 95% of the machines affected by this update.

      My location had the least problems (10-20%), and our department (development) even less, because we noticed what was going on very fast and acted on it.

  25. Exactly what I was thinking by Freaky+Spook · · Score: 2, Informative

    McAfee must have had a really good sales guy to convince a Project manager that the POS machines needed AV, either that or whoever developed the POS machines didn't decide to secure them with Enhanced Write Filter, SteadyState, DeepFreeze or some other disk write protection so every time the machine is rebooted it loses all its write cache.

    Even though it is Windows, there is absolutely no need for AV when the application is so limited.

  26. this exposed internal Q&A flaws too by Anonymous Coward · · Score: 0

    i work at a Fortune 25 company that was CLOBBERED by the antivirus virus. because we span all timezones, the impact was greatest on the east coast while the west coast was minimal [due to halt in DAT push]--except for those early-risers who connected to the network before business hours.

    yes, mcafee really dropped the ball. but it's equally careless not to have it internally tested before allowing ANY updates; moreover, because our corporate image is XP-SP2, our Q&A team could've easily--but didn't/don't--test the DAT on SP2 & SP3.

  27. Damage Limitation by MrNemesis · · Score: 2, Informative

    "McAfee Interwebs Secrutiny has detected that your outgoing mail to customerservices@mcafee.com, subject "You f**king idiotic t**tballs of a son of a ****** in the ******** with a hatstand!!!!" has been detected as Offensive Spam and will be deleted. Thank you for Trusting in McAfee! [TM]"

    On a more serious note, I ran into a few small shops that were badly hit, but most of the people I know who work in the enterprise have a time delay before the updates hit the machines, which is usually a hangover from the last time $av_vendor bollocksed up an update.

    Personally, I'm still a believer in most AV's being worse than the viruses themselves, and don't run any on my Windows boxes - I don't think I've used a single one that hasn't fucked up at some point. Most of my colleagues feel the same way (and, IMHO, by the time it's hit your filesystem and you have that 20% chance of the AV detecting it, it's already too late anyway) and the only reason we run it at work is because of compliance issues... that and the majority of machines being a poorly patched IE6. Yay!

    --
    Moderation Total: -1 Troll, +3 Goat
    1. Re:Damage Limitation by bootup · · Score: 1

      If it is a PCI compliance issue, read the PCI compliance audit procedures again. If you read the PCI audit procedures, on page 23 it says the following under requirement 5 (Use and regularly update anti-virus software or programs): "5.1 Deploy anti-virus software on all systems commonly affected by viruses (particularly personal computers and servers)". If you read that carefully it says "commonly affected", which means not GNU/Linux or Unix systems, and if you read under that it specifically excludes UNIX-based systems: "Systems commonly affected by viruses typically do not include UNIX-based operating systems or mainframes." So I was right about it all along. It doesn't require anti-virus on UNIX or GNU/Linux machines. Next time show him this and you should be off the hook.

  28. screw corporatespeak by Anonymous Coward · · Score: 0

    screw corporatespeak

  29. Compensate customers? by northernfrights · · Score: 2, Funny

    "ZDNet is running a poll and opinion piece on whether McAfee should compensate customers."

    Poll? Opinion piece??? This is fucking America. Spare me the nonsense, show me the lawyers.

  30. what it did to my 11'000 computers by Atreide · · Score: 3, Informative

    we have 11K computers

    only XP SP3 computers were impacted
    whether running Virus Scan 8.7 or 8.5

    but in fact less than 100 computers were impacted,
    1% compared to our total

    one thing that helped
    was employees had started to leave after work when update propagated
    and they shutdown computer when they leave

    it could have been a nightmare
    we were very lucky

    --
    The world belongs to those who get up early. - I'm far from being the king of Earth then :-(
    1. Re:what it did to my 11'000 computers by Anonymous Coward · · Score: 1, Funny

      Burma Shave

    2. Re:what it did to my 11'000 computers by Blakey+Rat · · Score: 4, Funny

      who the
      fuck taught you to
      type? your
      line spacing is the
      strangest thing i've ever seen and

      your reluctance to use punctuation and the
      shift key (except for one comma that
      snuck through) boggles the
      mind

    3. Re:what it did to my 11'000 computers by himself · · Score: 1

      This Is Just To Say
      by William Carlos Williams

      I have eaten
      the plums
      that were in
      the icebox

      and which
      you were probably
      saving
      for breakfast

      Forgive me
      they were delicious
      so sweet
      and so cold

    4. Re:what it did to my 11'000 computers by Anonymous Coward · · Score: 0

      And to top it off, none of it rhymes, either.

      Who the hell taught him how to write limericks?

    5. Re:what it did to my 11'000 computers by frank_adrian314159 · · Score: 1

      That's the most beautiful poem I've ever read! Author! Author!

      --
      That is all.
    6. Re:what it did to my 11'000 computers by SpeZek · · Score: 1

      Well, that's good news. At least the Enterprise can continue her mission.

  31. Isn't this a problem with the IT departments? by Anonymous Coward · · Score: 0

    From my perspective the IT departments that had issues should be to blame. The patch or dat file for an anti-virus program should be treated like any software update. Update one system only, test that nothing serious goes wrong, then deploy the patch to production machines. Do these guys just allow the anti-virus application to update itself? That seems seriously wrong, and I only blame the IT group for that.

  32. I lost... by Schnoogs · · Score: 0

    about a day and a half of productivity time at work. Granted some of that was because of how slowly information was passed out. It wasn't til the next day that I found the solution on my own using my own personal notebook and internet connection.

    Regardless it was a massive disruption and when you work for a company that has 50,000 customers world wide the task of fixing the problem is massive and the effects of downtime can be disastrous as it spans entire divisions, etc.

  33. On a correctly designed OS... by Anonymous Coward · · Score: 1, Insightful

    On a correctly designed OS:

    a) there's no need to run an anti-virus

    b) a third-party software does NOT need to know the admin/root password to do its job

    c) a software running without admin/root privileges CANNOT break havoc in anything but the user account

    Tech-savvy companies who switched tens of thousands of XP machines to Linux and were
    criticized for doing so by MS fanbois/astroturfers (don't forget to add *that* to your CTO reports
    if they were running McAfee) are now laughing all the way to the bank.

    But, I know dear MS fanbois/astroturfers: nothing to see here, move along, Windows has
    nothing to do with this issue right!? Because the Windows family are the most well-designed
    OSes on earth right!? It's of course the fault of McAfee (nonetheless on *my* OS there's
    no third-party software that can render my system unusable)... And all the paid "reporters"
    that make a living by ever only talking about the Microsoft ecosystem would be silly to
    cut the grass under their feet by pointing out the *real* guilty one here.

    But, no, dear paid MS astroturfer/fanboi, I won't find your answer compelling.

    1. Re:On a correctly designed OS... by 0123456 · · Score: 1

      software running without admin/root privileges CANNOT break havoc in anything but the user account

      If that user account is a POS terminal communicating credit card information to banks, controlling it could be just as bad as gaining root access.

    2. Re:On a correctly designed OS... by ducomputergeek · · Score: 1

      Try telling that to the PCI-DSS folks (Payment Card Industry, aka if you're running E-Commerce/Point of Sale/anything that touches credit card data). They make running anti-virus part of the requirement REGARDLESS of OS. Running on OSX, Linux, or FreeBSD? Doesn't matter. You still HAVE to run AV software on each terminal that touches credit card data.

      --
      "The problem with socialism is eventually you run out of other people's money" - Thatcher.
    3. Re:On a correctly designed OS... by shutdown+-p+now · · Score: 1

      there's no need to run an anti-virus

      Only if the user isn't prone to open random attachments which may be executable (experience shows that this doesn't hold). So long as he does, then you need AV software on any OS.

      a third-party software does NOT need to know the admin/root password to do its job

      This has been the case since Windows NT. The key part that you've missed is "well-written third-party software". Most Windows software was not, historically, well-written in that respect, largely because the primary platform was Win 9x, which didn't have the notion of user accounts to begin with.

      Nonetheless, pretty much all software released in the last 5 years or so does not require admin rights to run unless it really needs it (e.g. installers, disk partitioning, etc).

      a software running without admin/root privileges CANNOT break havoc in anything but the user account

      True since the very first version of WinNT.

      But, I know dear MS fanbois/astroturfers: nothing to see here, move along, Windows has
      nothing to do with this issue right!?

      Yep, naturally.

      Of course, it would help if you'd actually get your "facts" right to begin with, or generally explained your points so that there is actually something substantial to talk about. From your talking points, it's clear that you, at best, properly know how Win9x worked, and are completely clueless about NT family.

  34. Not Windows' fault, but still its problem... by Animaether · · Score: 3, Informative

    ( Title after the VirtualDUB developer's excellent post entitled "Just because it is not your fault does not mean it is not your problem"; http://www.virtualdub.org/blog/pivot/entry.php?id=245 )

    Here's the thing.. it's not Windows' fault that some random program deletes svchost.exe , just as it isn't Windows' fault that any app or user can delete ntldr (e.g. a badly designed uninstaller).

    But it -is- a Windows problem because without those, it won't start up. So why is Windows even allowing these files to be deleted?
    I can't delete my hiberfil.sys even though all it is, is pre-allocated space for the hibernation functionality. If I deleted it, nothing would be lost, and upon hibernation it could re-allocate the required space or tell the user the drive is too full and they're SOL. But no - I simply can't delete it. But I -can- delete vital system files.

    So, no.. it's not Windows' fault that McAfee's virus scanner deleted the file. It -is- Windows' problem that they -can- in the first place.

    I realize that sometimes there may be a need for a 3rd party application to modify a system file - however rare - but then provide this through a proper mechanism that backs up the original and deletes/replaces on reboot only, with the option to deny the change on boot-up. ( System Restore points only go so far as you'll need the Windows CD/DVD in order to get to the restore utility if you can't boot into Windows anymore. It's also an overly complex solution to the simple problem of renaming files on bootup. )

    1. Re:Not Windows' fault, but still its problem... by washu_k · · Score: 1

      You can delete the kernel, system libraries or any other vital file on Linux too and it won't stop you. You need root you say? You need admin on Windows to delete them.

      Non-admin accounts on Windows can't delete start up files unless someone has screwed with the default permissions. Any sane corporate environment is not giving admin rights to the general users.

      System utilities like AV programs need full access to do their jobs so of course they have rights to do stupid things. Same thing could happen on Linux if a package manager or other system utility made a similar mistake.

      On Windows, files in use can't be deleted. hiberfil.sys can't be deleted because it is held open by the OS, not because of specific protection. It is protected against regular users from deleting it, not that it matters much. NTLDR can be deleted because it's no longer needed after control is passed to the kernel, so it's not in use. It still requires admin access in the default config to delete.

      If you really want it to be *impossible* to delete system files on Windows then start complaining to Microsoft. If they implement the feature I'm sure you won't join the complainers about how MS is taking more control away.

    2. Re:Not Windows' fault, but still its problem... by X0563511 · · Score: 1

      The whole point of an antivirus solution is to remove viruses. Viruses can get in deep (and even above) the OS - so to function they require the access they have.

      Sure, other programs don't need the access... I'll take your point here on this condition.

      Don't take me as an apologist though. I'm a Windows hater. I just don't like it when people point blame completely on someone who isn't (in the indicated case) wholly at fault.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  35. Read the EULA by Anonymous Coward · · Score: 0

    Read the EULA people, your software, written by "Software Engineers" comes with:

    NO WARRANTY
    NO FITNESS FOR A PARTICULAR PURPOSE
    CONTAINS KNOWN DEFECTS

    You paid your money, now you take your chances.

    Unlike real engineers, you can't sue a software engineer, report them to some sort of professional body, or seek any type of remedy, besides a possible refund of the money paid for the software.

    Aren't you glad you paid the full retail price of windows, the most secure OS ever?

    Enjoy the FREE*:

    -Digital-Restrictions-Managements
    -Viruses, Trojans, Etc
    -Internet Explorer
    -Shiny New Icons(TM)

    *: some restrictions apply, co

    1. Re:Read the EULA by HeckRuler · · Score: 1

      I thought this was the whole point of why the PHB buys the expensive proprietary software vs. the free open software; they want someone to sue. The PHBs of the business world distrust free software, don't understand the motivations behind its existence. But with Paid For(tm) software, the worker bees need to keep the client happy. And if things explode then they get fired or lose their job, or the company gets sued, and the CEO loses 20% of his bonus that year.

      So if McAfee (and the security industry on the whole) doesn't face any repercussions for fucking shit up, why go with the costly proprietary solution?

  36. No, not possible. by khasim · · Score: 1

    Not every XP SP3 machine was bitten. There were some XP SP3 machines here that were affected, but just as many that weren't.

    There's no magic here. They have a signature that matches a specific version of svchost.exe.

    They did not test the scan engine with that dat against that version of the file.

    That's all it is.

    1. Re:No, not possible. by miguelfrommars · · Score: 2, Funny

      We temporarily lost 15 pcs yet company productivity went up. Less pron so they might as well work,eh? I've got no problem if McAfee would reissue that botched update now and then...

  37. Re:Necessary Evil - bull by Anonymous Coward · · Score: 1, Interesting

    Don't businesses run their own update server and categorize, verify, and deploy those updates based on what software THEY have running?

    If you're telling me that a hospital IT system is set up to take any and all updates directly from vendors (McAfee, Microsoft, etc.) all I can say is they get what they deserve for doing that and it's nobody's fault but their own. Let me guess, this is how most Windows shops are run these days and that is why Windows admins cost much less than *nix admins. IMO

    So 4 hours of corporate downtime for this one issue. And why do you not have a few machines configured to represent your standard corporate computers and run the updates on them before expecting some other company to have tested their update with _your_ software configuration? Does Microsoft Windows not give you the power to push out updates locally? The very first time I set up a classroom configuration using Linux it dawned on me that I did not want every computer doing auto updates so I mirrored the Ubuntu repo, set up a cron to keep that updated, and configured all the lab computers to pull from a secondary local mirror where I'd move updates over as they got tested. dah.

    LoB

  38. Worse than the disease? by Atrox666 · · Score: 2, Insightful

    When was the last virus outbreak that caused this much damage?

    1. Re:Worse than the disease? by Anonymous Coward · · Score: 0

      zero cool in 1988. well, technically it was a worm...

  39. Lawsuits by Anonymous Coward · · Score: 0

    if companies don't claim large amounts of damage - wait till a virus hits them and they sue the virus writers... and claim... this mcafee incident should be interesting for FUTURE lawsuits... either against mcafee or virus writers...

  40. Sorry. PCI Rears its ugly head again. by knarfling · · Score: 4, Informative

    Even though it is Windows, there is absolutely no technical need for AV when the application is so limited.

    Fixed that. I am afraid that the Payment Card Industry (PCI) differs from your opinion.* In their infinite wisdom**, PCI has decreed that ALL computers need to be running AV. After, all, if it is good for the desktop, it must be good for the servers, right? And since a virus can be spread from anywhere to anywhere, all computers need to have their own protection.

    I know it seems silly, but many of the PCI Audit Drones actually believe this. I spent hours trying to convince an auditor that we did not need AV on a Linux server that cannot accept email and has no internet connection. If the PCI Audit Drone finds a computer without AV, you fail the PCI Audit. If you fail the Audit, you get marked as failing on a public web site. If you fail enough times, you lose your ability to accept credit cards. So the need to have AV on a POS is there, it is just not a technical need.

    *Reality
    **For very, very small values of infinite

    --
    Great civilizations have lived and died on false theories. Don't mess up mine with a few facts.
    1. Re:Sorry. PCI Rears its ugly head again. by Anonymous Coward · · Score: 0

      Did you read the PCI? I am almost positive it says no such thing. That auditor was wrong.

    2. Re:Sorry. PCI Rears its ugly head again. by Anonymous Coward · · Score: 0

      If you read the PCI audit procedures, on page 23 it says the following under requirement 5 (Use and regularly update anti-virus software or programs): "5.1 Deploy anti-virus software on all systems commonly affected by viruses (particularly personal computers and servers)". If you read that carefully it says "commonly affected", which means not GNU/Linux or Unix systems, and if you read under that it specifically excludes UNIX-based systems: "Systems commonly affected by viruses typically do not include UNIX-based operating systems or mainframes." So I was right about it all along. It doesn't require anti-virus on UNIX or GNU/Linux machines. Next time show him this and you should be off the hook.

    3. Re:Sorry. PCI Rears its ugly head again. by knarfling · · Score: 1

      Tried that. Didn't work. If you look at the Testing Procedures under 5.1 you will find "For a sample of system components including all operating system types commonly affected by malicious software, verify that anti-virus software is deployed if applicable anti-virus technology exists." It did not matter that the first part of that statement included the "commonly affected by malicious software", the auditor read the part about "if applicable anti-virus technology exists." His argument went along the lines of "If there is AV software for an OS, it needs to be deployed on all servers running that OS." Since there is ClamAV, as well as a few Linux clients made by AV companies, we needed to have it installed. After all, why would an AV company program a Linux client unless it was needed? (And yes, his primary experience was with Windows systems.)

      I will say that I finally got through to the auditor, although it did take hours. I finally convinced him that SELinux was performing that role and that a specialized AV client was not necessary.

      --
      Great civilizations have lived and died on false theories. Don't mess up mine with a few facts.
  41. Fun to bash, but.. by Junta · · Score: 1

    a) Windows has serious flaws that exacerbate the problem (only recently did they get something roughly sudo like that is still laughably trivial to bypass, and even then poor third-party implementations that haven't grown out of the Win9x days further torture things), nothing short of disciplined users can do anything to get rid of anti-virus market. So long as a user is actually allowed to execute what they want on a system, some stupid thing will convince them to execute it, and damage/manipulate any data that user has access to.
    b) ok, that seems fair enough
    c) I concur, but back to point a, most users have all the stuff they care about under their account and aren't mollified that the system files are ok when all their personal documents have been corrupted.

    I will say the ability to, in the worst case scenario, boot a system single or log into an existing alternate account to 'clean' the afflicted user account is perfect. I've spent a lot of time trying to rescue a windows system that was malware infected because I couldn't clean it from within the afflicted system (the malware already had control, and did an effective job blocking attempts).

    --
    XML is like violence. If it doesn't solve the problem, use more.
    1. Re:Fun to bash, but.. by thsths · · Score: 1

      > So long as a user is actually allowed to execute what they want on a system

      BTW, who even thought that was a good idea? Corporate users get a PC for a purpose, and all required applications should be provided. And even if not, a white list should cover 99% of all required software.

      Of course as a user I know that things are not that simple. If the only provided browser is IE6 (actually IE7 since recently), Java, Flash, Acrobat, Quicktime and WinZip are all outdated, and the command line is disabled, then obviously I demand to install my own software. Or I just use PortableApps.

      But from a security point of view users should not be able to execute their own files. That is only required for developers.

    2. Re:Fun to bash, but.. by RandomFactor · · Score: 1

      I've spent a lot of time trying to rescue a windows system that was malware infected because I couldn't clean it from within the afflicted system (the malware already had control, and did an effective job blocking attempts).

      I don't even go there anymore. If I want to recover a system rather than rebuild it, I yank the HD, toss it in the appropriate USB external enclosure, attach it to a clean machine (disable autorun if it isn't already), and clean it from there.

      --
      --- Mercutio was right.
  42. McAfee by Anonymous Coward · · Score: 0

    Well, low detection rates and excessive hardware utilization didn't get anybody to kick McAfee out of companies, but massive downtime like this certainly gets the ball rolling. We are replacing McAfee on corporate computers :-)

    Seriously
    1) McAfee did not stop a single virus outbreak we had in the past couple of months - I had to send a couple of files to their research labs. Most other anti-viruses already detected the virus if I submitted it to VirusTotal.
    2) Hardware utilization for McAfee is INSANE - especially memory utilization. Older PC's just grind to a halt.

    Why does McAfee have so many corporate customers? Their software simply does not work!

  43. Re:Necessary Evil - bull by NeoSkandranon · · Score: 1

    Just because it's a hospital doesn't mean it has an IT department much more elaborate than a server admin and 2 techs, or that it has budget for the kind of stuff you're talking about.

    --
    If you can't see the value in jet powered ants you should turn in your nerd card. - Dunbal (464142)
  44. There is just no way that McAfee by Stan92057 · · Score: 0

    There is just no way that McAfee can make whole everyone that they screwed up, the only ones that will make the money are the lawyers. What good is that going to do? I say make McAfee fire everyone that was a part of the mistake, and 1 year of free virus updates to the affected companies. Just keep the damn lawyers out of it.

    --
    Jack of all trades,master of none
    1. Re:There is just no way that McAfee by gujo-odori · · Score: 1

      The problem with firing everyone involved with the mistake is that if you do, you're getting rid of the people most able and most motivated to be sure this never happens again. Firing someone for a single incident is almost always the wrong thing to do. It certainly would be here.

    2. Re:There is just no way that McAfee by Stan92057 · · Score: 0

      It's not like they are working at Burger King or MC D's here, it's a Computer Security Company. Responsible for billions of dollars' worth of computers, billions of dollars of data and so on. No, I have to disagree with you here, they are supposed to be professionals making top dollars, this kinda mistake to me is just unacceptable. They completely ignored protocol, not forgot it but completely ignored it here. A second chance in this instance isn't justified. It's all IMO so it's just how I feel, I know mistakes are going to be made in every business, hell I've had a few chances myself. But they weren't billion dollar mistakes either lol

      --
      Jack of all trades,master of none
  45. Re:Made quite a mess of some college networks, too by nevillethedevil · · Score: 1

    We managed to keep our labs up during this debacle but the staff and the profs were hit pretty bad. Apparently UVU had to close down all of their labs. The funny thing is that just a few days before, our windows guys were talking about finding an alternate solution to McAfee. This pretty much made their minds up for them.

    --
    Be gone from my sight or prepare to feel my flaming wraith!
  46. Damages? by gmuslera · · Score: 1

    All that time the computers weren't running windows. I thought that at the end of the day the economic balance should have been positive.

  47. New TV AD by m0s3m8n · · Score: 1

    I can see it now. Mesothelioma, YAZ and now McAfee lawsuit ads trolling for money.

    --
    Conservative, mod down for violating /. political norms.
  48. Re:I am sure they "forgot" to count third party AV by Anonymous Coward · · Score: 0

    I'm going out on a limb here and guessing that you aren't a native English speaker. It looks like you're well on your way to fluency, but you should really take some more writing classes. Your post contains a lot of easily-correctable flaws.

  49. Re:I am sure they "forgot" to count third party AV by JaCKeL+1.0 · · Score: 1

    I am a native French Canadian, and yes my English need improvement, thanks for your understanding.

  50. This only affects computers... by toadlife · · Score: 1

    ..if a certain option, "Scan Process on Enable", was turned on. That option is disabled by default. We run XPSP3 and McAfee 8.7i and machines loaded the bad DAT but we were unaffected because when I configured the policy for VirusScan in EPO I did not turn the "Scan Process on Enable" option on.

    --
    I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
  51. I saw it happen by TheSync · · Score: 1

    I was working with a group of employees from a MAJOR computer systems company, and suddenly no one could use their PCs - we were about to set up a Web conference call, and luckily one of the personnel had been traveling and had not hooked up to the corporate network for a day or two. He was the only one with a functioning PC. It was pretty embarrassing...

    (I have a MacBook myself.)

  52. Quite frankly, IT departments should be punished by rwade · · Score: 1

    The corporate IT departments that are using McAfee should just take this as a lesson and pull McAfee off of their computers. It's not as if McAfee AV is held-up by users as this amazing piece of software. See. See.

    Corporate IT departments need to get the message that McAfee is a piece of junk -- in that sense, McAfee kind of did them a favor...

  53. Same here by Anonymous Coward · · Score: 0

    I spent hours trying to explain we don't need AV on an old mainframe system, which uses an operating system only known to a few greybeards. In the end she only accepted it if we signed a document that we take responsibility or something, with the management. *sigh*

  54. Depends on context by Junta · · Score: 1

    In a corporate environment, what you say comes close to flying (practically speaking, it's horribly expensive to have enough IT to cover all the edge cases to get enough productive work), but even then the user is able to spawn executables of some sort. I guess if /tmp, /var/tmp, and /home in a *nix env are mounted noexec, you're pretty much where you describe, and I suppose Windows is disadvantaged from that perspective.

    That, however, ignores the home market where most everyone is their own administrator.

    --
    XML is like violence. If it doesn't solve the problem, use more.
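
The noexec point in comment 54 can be checked from a mount table. This audit is an added example, not something posted in the thread; the sample table is constructed, and it resolves each path to the mount that actually covers it, because a directory without its own mount inherits its parent's options.

```python
import posixpath

# Constructed sample in /proc/mounts format: device, mountpoint, type, options.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda3 /var ext4 rw,relatime 0 0
/dev/sda4 /home ext4 rw,nosuid,nodev,noexec 0 0
"""


def unescape(field):
    """/proc/mounts writes space, tab, newline and backslash as octal escapes."""
    for esc, char in (("\\040", " "), ("\\011", "\t"), ("\\012", "\n"), ("\\134", "\\")):
        field = field.replace(esc, char)
    return field


def parse_mounts(text):
    """Map mountpoint -> set of options; a later line shadows an earlier one."""
    mounts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        mounts[unescape(parts[1])] = set(parts[3].split(","))
    return mounts


def covering_mount(path, mounts):
    """Longest mountpoint that is the path itself or one of its ancestors."""
    path = posixpath.normpath(path)
    best = None
    for mountpoint in mounts:
        prefix = mountpoint.rstrip("/") + "/"
        if path == mountpoint or path.startswith(prefix):
            if best is None or len(mountpoint) > len(best):
                best = mountpoint
    return best


def audit_noexec(text, paths=("/tmp", "/var/tmp", "/home")):
    """Return {path: (covering mountpoint, True if noexec applies)}."""
    mounts = parse_mounts(text)
    report = {}
    for path in paths:
        mountpoint = covering_mount(path, mounts)
        report[path] = (mountpoint, "noexec" in mounts.get(mountpoint, set()))
    return report


if __name__ == "__main__":
    for path, (mountpoint, ok) in audit_noexec(SAMPLE_MOUNTS).items():
        status = "noexec" if ok else "EXEC ALLOWED"
        print(f"{path:10} covered by {mountpoint:6} {status}")
```

In the sample, /var/tmp has no mount of its own and falls under /var, so it stays executable even though /tmp is locked down. noexec only blocks running a file directly; a script on that mount can still be passed to an interpreter.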
  55. Re:Quite frankly, IT departments should be punishe by Rophuine · · Score: 1

    The corporate IT departments that are using AV should just take this as a lesson and test signature updates. It's not as if AVs don't do this sort of thing now and again.

    Corporate IT departments need to get the message that AV vendors don't test against all hardware and software configurations - in that sense, McAfee kind of did them a favor...
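
Comments 36 and 55 both come down to scanning known-good system files with a candidate definition set before it reaches the fleet. A sketch of such a gate, added here as an example and not code from the thread or from McAfee; the definition format, detection names and file contents are constructed stand-ins, since real DAT files are proprietary.

```python
import hashlib
import tempfile
from pathlib import Path


def load_signatures(defs):
    """Toy definition set (constructed format): detection name -> hex byte pattern."""
    return {name: bytes.fromhex(pattern) for name, pattern in defs.items()}


def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def build_manifest(golden_dir):
    """Hash every file in the golden corpus at the time it was vetted as clean."""
    golden_dir = Path(golden_dir)
    return {
        p.relative_to(golden_dir).as_posix(): sha256_of(p)
        for p in sorted(golden_dir.rglob("*")) if p.is_file()
    }


def scan_file(path, signatures):
    """Return the names of all signatures whose pattern occurs in the file."""
    data = Path(path).read_bytes()
    return sorted(name for name, pattern in signatures.items() if pattern in data)


def gate(golden_dir, manifest, signatures):
    """Return blocking findings; an empty list means the update may be promoted."""
    golden_dir = Path(golden_dir)
    findings = []
    for rel, expected in manifest.items():
        path = golden_dir / rel
        if not path.is_file():
            findings.append((rel, "missing from corpus"))
        elif sha256_of(path) != expected:
            # A changed file is no longer known-good, so a hit on it proves nothing.
            findings.append((rel, "hash mismatch, re-vet the corpus"))
        else:
            for name in scan_file(path, signatures):
                findings.append((rel, "false positive: " + name))
    return findings


def demo():
    """Constructed corpus: two builds of the same system file, one per OS level."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "xp-sp2").mkdir()
        (root / "xp-sp3").mkdir()
        (root / "xp-sp2" / "svchost.exe").write_bytes(b"MZ\x90\x00" + b"build-A" * 8)
        (root / "xp-sp3" / "svchost.exe").write_bytes(b"MZ\x90\x00" + b"build-B" * 8)
        manifest = build_manifest(root)

        current = load_signatures({"Test.Sample.A": "deadbeef"})
        # Candidate update adds a pattern that happens to occur in one build only.
        candidate = load_signatures({
            "Test.Sample.A": "deadbeef",
            "Test.Sample.B": b"build-Bbuild-B".hex(),
        })
        return gate(root, manifest, current), gate(root, manifest, candidate)


if __name__ == "__main__":
    before, after = demo()
    print("current definitions:", before or "clean")
    for rel, reason in after:
        print("BLOCK candidate:", rel, "->", reason)
```

The corpus has to hold every build of each critical file that exists in the fleet; a gate that only scanned the SP2 copy would have passed the candidate set.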