McAfee pushes bad update, takes down Windows XP computers

Posted by Dan Hughes Categories: Corporate News, Editorial, Internet, PC / Laptop, Software

Yesterday, McAfee pushed out a DAT file for its Enterprise virus-scanning software that tracked down a core Windows XP system file and quarantined it as malware.  Thousands, if not tens of thousands, of computer systems were damaged as a result.  Windows XP cannot run without the quarantined file, SVCHOST.EXE, and as a result, automatically shut itself down.  Other weird settings and symptoms were evident, such as taskbars disappearing, blue-screens-of-death, and other crash-related symptoms.

On one hand, relief simply did not come fast enough.  On the other…what more could McAfee have done to repair the damage?  McAfee rolled back the virus definition as quickly as it found out, and released an addendum file that could be manually applied to infected PCs.  The servers hosting the offered file were strained by the demand, resulting in disconnect errors and failures to update the McAfee software.

“We believe that this incident has impacted less than one half of one percent of our enterprise accounts globally, and a fraction of that within the consumer base,” said Barry McPherson, on McAfee’s blog Wednesday.  He goes on to identify the error in the update, stating that it was an attempt to detect a potentially damaging virus, and the update “clearly did more harm than good.”

“Having talked to literally hundreds of my colleagues around the world and emailed thousands to try and find the best way to correct these issues, let me say this has not been my favorite day. Not for me, or for McAfee. Not by a long shot.”

In the anti-virus industry, this incident is truly the worst thing that could happen.  At least when a real virus gets loose and the AV companies have to play catch-up, they can (very audibly) blame the virus programmers and the holes in the operating systems.  They make themselves appear as the knights in shining armor, working on a fix to rescue all from their distress.

In this case, however, companies have opened up their most-protected asset—their infrastructure—to be accessed and protected on-the-fly by AV companies: automatic updates are enabled, allowing AV companies to change the behavior of their software installed on client computers immediately and without prior notification.  Few companies do complete internal testing on new anti-virus definitions, too many are released too regularly, and the standard IT view on AV is that it is better to at least be partially protected with a bad patch then to have no protection that it provides while it tests it.  Let’s face it: virus definitions are reactive, meaning the virus has to exist already and be in circulation before the virus companies can detect it.  Heuristics can only do so much.

This is not an argument to ditch AV protection, far from it.  This just proves that allowing a company access to software that has the highest priority on all computers in your organization is like hiding near a dangerous beast: it keeps all the big bads away, but it can turn on you, and needs to be watched carefully.  If companies don’t make at least some changes in their deployment system, they’re just asking to be bitten.

Read More | McAfee SI Blog