McAfee false-positive glitch fells PCs worldwide

IT admins across the globe are letting out a collective groan after servers and PCs running McAfee VirusScan were brought down when the anti-virus program attacked their core system files. In some cases, this caused the machines to display the dreaded blue screen of death. Details are still coming in, but forums here and here …

COMMENTS

This topic is closed for new posts.
  1. Joe H.
    Terminator

    @Alan W. Rateliff, II

    I use the AVG on my traveling lapdog, and McAfee on my home pc that the missus uses. When I bought the lapdog, it came with AVG free. When it expired I reloaded it and checked the box to say I would participate in development, so far, so good. It has been 4 months and counting and this thing has not been any trouble at all.

    As far as large networked environments go, it is obvious that paying for the right to use comes with much needed support.

    As far as the DAT update spitting up a dialog box saying "Your version of the Engine is out of date, and this DAT update is about to destroy your machine, continue, Yes/No?" goes, that is likely something they could have done had they tested it before releasing it.

    Terminator, obviously the machines and their programmers are to blame.

  2. Anonymous Coward
    Stop

    McAfee not to blame here, lusers that never update ever are...

    This issue only affects people running the 5100 engine. McAfee stopped supporting the 5100 engine way back at the beginning of 2008. Even its replacement, the 5200 engine, is no longer supported. No longer supported means that they no longer test their daily DAT releases against it to check for false positives.

    Do people expect them to go on checking the 10,000 new detections added to the Dats every day against every single version of their product ever released, despite making very clear statements and giving very clear notice regarding end of support dates?

  3. Roger Stenning
    Grenade

    I wouldn't touch McAfee if you paid me

    Or Norton, come to that. Sophos *maybe*, but McCrapy?

    Get real.

    There are free AV products for the PC out there that are just as effective, and frankly better managed, than McCrapy will ever be.

    Also - can anyone answer this one - why has practically no-one mentioned another part of system protection - take REGULAR backups of your system? That's most definitely a major part of protecting your system from screwups, and I'm very surprised that more haven't mentioned that!

    Grenade, as without adequate PC protection routines, you're playing with one without a pin!

  4. Anonymous Coward
    FAIL

    Oh dear...

    Icon says it all.

  5. Tim Brown 1
    Troll

    No AV, no hassle.

    I'll probably get shouted down for this, but I've given up running anti-virus software completely in the home. I DON'T advise this if you're the sort of user that clicks any exe you see in your email (or uses IE as your main browser).

    However if you're the sort of person with a clue (and you read The Register, so you probably are), then relying on your own common sense and a GOOD firewall (one that notifies you of unauthorised outgoing connections) will protect you just as well as relying on some dubious AV software.

  6. Fred 24
    Linux

    What's antivirus?

    Before I learned (the hard way), I used to use an odd piece of software that helped to slow the response of my PC to something of 10 years older, and still would not protect my files.

    Then after learning, after all the cost, after all the b.s. from the software supplier I simply switched to Ubuntu: 2 years of NO antivirus, and NO problems! Lesson learned. Just accept the facts and move on.

  7. Anonymous Coward
    Coffee/keyboard

    A bowser full of schadenfreude

    I wonder whether my last company has had a problem with this - I shall have to find out from my friends who still work there.

    Why? Because my old boss used to start doing things about 5 minutes after it became critical (Proactive is that funny yoghurt stuff his wife eats) and although he used to claim he documented everything, it was handwritten in an A4 pad. There was a stack of these in the office and even he couldn't find anything when he needed it, so no one else had a chance.

    The antivirus he had bought many years before was McAfee and although the DAT files were constantly updated, the main program itself was very old. Even when the company was making a lot of money the AV wasn't updated, despite the anti-spam addon often crashing the Exchange server.

    And 50% of the users work remotely around the entire country. Most of these have worked their way up from the shop floor so IT is something they don't like dealing with but know they have to. If their machines are blue screening they will be turning the air just as blue as they are fighting for survival in an industry heavily affected by the recession.

    I am so glad I hit the escape key...

  8. Russell Burnell
    Thumb Up

    Sophos AV

    I've been using Sophos AV for years on various client sites with none of these problems... it isn't the cheapest AV around but there seems to be a reason for that... because it's bloody good!

    Can't see why people use the failure of McAfee to start bashing Windows... it's just the AV vendor being a tit and nothing to do with the Windows OS... get over it!

  9. Bob 13

    It got us too.

    It took down our BES server and our server team is still working on it. This isn't the first problem McAfee has caused, so I have no idea why the server team is still using it.

    Of course, it's their problem to fix too, so what do I care?

  10. Toastan Buttar
    Thumb Up

    Anyone thinking of ditching AV completely on Windows

    You can find all you need to know here:

    http://blogs.msdn.com/aaron_margosis/pages/TOC.aspx

    Summary: Running as Limited Users most of the time and only using an Admin account to install software/drivers will make your XP-and-onwards system very secure. I've been happily running XP for over 2 years this way without infection. It takes about 20 minutes to set up and is a helluva lot easier than installing and getting used to a Linux distro.

  11. Anonymous Coward
    Anonymous Coward

    Again?

    Didn't they do this a few years ago as well?

  12. James O'Brien
    FAIL

    Sighs

    I'm with you Henry 9. What I want to know is why is it that Norton and McAfee, who USED to be the best at what they did (when all they really focused on was the AV package), decided to put their collective heads up their asses all for the sake of a dollar? The trend I notice is that it seems that the more these AV companies start looking out for the shareholder. Problem with this concept is that the more crap like this happens, the more that people will start to shy away from them, and the only way they can keep their names in front of people is to make deals with the manufacturers to have their software preinstalled. Oh well, hope some more people learn from these things as they continue to happen.

    /Can someone explain to me why, when journalists call someplace, they always expect an immediate response and if they don't get one you tend to see this "A McAfee representative in the US didn't immediately respond to phone calls seeking comment." in the article? Mainly curious as it seems like the PR people or whoever is called should be at their beck and call... never understood it. Thanks

  13. Dan Goodin (Written by Reg staff)

    @James O'Brien

    Hey James,

    Not sure if your question is just bait. Assuming it isn't, here's the answer:

    In journalism, as in many other aspects of life, there are real-time deadlines. So what to do when it's time to hit the publish button and you still haven't gotten an answer to your question? Do you:

    a) lay out the fact that you indeed asked the company for their side of the story and didn't get a response by press time (i.e. an "immediate response")? or

    b) not mention it at all and let readers wonder if you bothered to email the company at all?

    No, companies aren't at journalists' beck and call. But they have a right to have their voice heard in stories that directly concern them. I was only trying to make sure it was clear I tried to give them that opportunity and for whatever reason had not gotten a response by press time.

    The reason we say didn't "immediately respond" is to make it clear that there wasn't a whole lot of time between the time we asked and the time the story was published. In the case of this story, it was about 2 and a half hours.

    Make sense?

  14. Jimbo 7

    agreed

    "This issue only affects people running the 5100 engine. McAfee stopped supporting the 5100 engine way back at the beginning of 2008. Even its replacement, the 5200 engine, is no longer supported. No longer supported means that they no longer test their daily DAT releases against it to check for false positives."

    I totally agree with you. I don't quite get so many angry users. You should keep your AV software up to date as well. I remember people patching XP with Win2000 files because they saw a similar bug going on ... at the same time it's easy to be critical without knowing the $0 budgets some IT folks have to deal with ....

    McAfee was a great product back in the MS DOS age after they acquired the pretty amazing Dr Solomon's Antivirus (I loved that tool back in the MS DOS 3.0 age).

    ahhh the old days

  15. Anonymous Coward
    FAIL

    How many more times?

    I can remember at least three similar incidents where McAfee FPs on some critical Windows DLL and auto-bricks a gazillion PCs.

  16. asdf
    Thumb Up

    Re: Tim Brown 1

    > I'll probably get shouted down for this, but I've given up running anti-virus software completely in the home.

    Actually you would be correct about the general technical level on the site probably, but no antivirus for many or most in here would be a no go. The reason is most of us are savvy enough to not have to pay for software (haha, anybody preaching ethics is either a hypocrite or owns software company stock). One risk of being a pirate is dodgy websites and executables. Without piracy and porn no way the internet is worth more than a few dollars a month.

  17. M Gale
    Badgers

    @Mage

    "Block all emails with executables."

    In a perfect world this would work.

    Unfortunately too many people want HTML email and documents that can contain scripts. Plus you never know when the next bright idea is going to come out of Redmond for including "active" capability inside some otherwise safe format.

    Badgers because.. I can.

  18. Anonymous Coward
    Anonymous Coward

    McAfee should do better

    Yes, system admins should be running current McAfee software and doing regular updates, but it's irresponsible and unacceptable to crash systems using year-old software. I mean, come on, McAfee and every other software and O/S supplier most definitely have a responsibility to support their product for year(s). I'll bet there are some lawsuits over this deal.

  19. Fuzz

    Why do McAfee allow updates to unsupported software?

    I don't get this. If McAfee are no longer testing the updates on older versions of the software, then the older versions of the software shouldn't allow the updates to be applied.

    Also, why isn't the AV engine updated along with the virus updates?

    To the people saying that all updates should be tested before being pushed out: I agree with this for updates to applications or drivers, but AV updates can happen several times a day; you have to trust your AV supplier that their updates will work correctly with their software. If you don't, then you're using the wrong AV program.

  20. Anonymous Coward
    Linux

    @Jake: RE: AC 07:03 concatenating history?

    > "I can remember the time when a 20Mb hard disk was huge and McAfee was the virus hunter
    > of choice in the DOS world."
    >
    > Somehow, my version of history doesn't match yours. Maybe it's me ...

    It's you. I can remember when a 10MB hard disk was a big deal, and certainly then McAfee was the AV of choice. You could catch a virus off those 5 1/4 inch floppies back then. Praise the gods for the arrival of Linux! A proud user since before Windows 3.2!

  21. Richard 12 Silver badge
    WTF?

    Abject fail on the part of McAfee

    If the engine is no longer supported, why is it still downloading updates?

    If the engine is known to download updates, why are these updates not tested against it?

    Sorry, but the excuse "Oh, that engine isn't supported" is complete and total rubbish. If it's not supported, IT MUST NOT DOWNLOAD AND OPEN A FILE THAT IT DOESN'T UNDERSTAND.

    Even if you aren't going to support everything you ever made, you still have a duty not to break it.

    It is *trivial* to do version checking at the top of a file. Are McAfee saying that they don't know how?

    AVG does that - a while after the 7.0 engine went obsolete, it stopped downloading new updates and told me so.
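
A constructed illustration of the version gate Richard 12 (and Fuzz in comment 19) are asking for; this is an added example, not McAfee's real DAT format nor any vendor's code. The header format, field names and engine/DAT numbers below are assumptions made up for the example: the engine refuses any update whose header it cannot parse, whose format it does not understand, or whose tested engine range does not include it, and reports why.

```python
"""Hypothetical signature-update gating: an engine only applies updates it was tested for."""
from dataclasses import dataclass
from typing import Tuple

Version = Tuple[int, ...]

SUPPORTED_FORMATS = {1}  # header formats this engine build knows how to read


@dataclass(frozen=True)
class UpdateHeader:
    format_version: int
    dat_version: int
    min_engine: Version   # oldest engine the vendor tested this DAT against
    max_engine: Version   # newest engine the vendor tested this DAT against


def parse_version(text: str) -> Version:
    """'5100.0194' -> (5100, 194); tuples compare component-wise."""
    parts = text.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad version string: {text!r}")
    return tuple(int(p) for p in parts)


def fmt(v: Version) -> str:
    return ".".join(str(p) for p in v)


def parse_header(raw: bytes) -> UpdateHeader:
    """Parse the first line of an update file (constructed format, see SAMPLE_DAT)."""
    line, _, _ = raw.partition(b"\n")
    fields = line.decode("ascii").split()
    if not fields or fields[0] != "DATHDR":
        raise ValueError("missing DATHDR magic")
    kv = {}
    for item in fields[1:]:
        key, sep, value = item.partition("=")
        if not sep or key in kv:
            raise ValueError(f"malformed header field: {item!r}")
        kv[key] = value
    missing = {"fmt", "dat", "min_engine", "max_engine"} - kv.keys()
    if missing:
        raise ValueError(f"header missing fields: {sorted(missing)}")
    return UpdateHeader(
        format_version=int(kv["fmt"]),
        dat_version=int(kv["dat"]),
        min_engine=parse_version(kv["min_engine"]),
        max_engine=parse_version(kv["max_engine"]),
    )


def decide(engine: Version, raw: bytes) -> Tuple[bool, str]:
    """Return (apply?, reason). Anything the engine cannot vouch for is refused, never guessed at."""
    try:
        hdr = parse_header(raw)
    except ValueError as exc:  # UnicodeDecodeError is a ValueError too
        return False, f"refused: unreadable header ({exc})"
    if hdr.format_version not in SUPPORTED_FORMATS:
        return False, f"refused: header format {hdr.format_version} is not understood by this engine"
    if engine < hdr.min_engine:
        return False, (f"refused: engine {fmt(engine)} is older than tested minimum "
                       f"{fmt(hdr.min_engine)}; engine update required")
    if engine > hdr.max_engine:
        return False, f"refused: engine {fmt(engine)} is newer than tested maximum {fmt(hdr.max_engine)}"
    return True, f"ok: DAT {hdr.dat_version} tested for engines {fmt(hdr.min_engine)}..{fmt(hdr.max_engine)}"


# Constructed sample update: header line, then an (irrelevant here) signature payload.
SAMPLE_DAT = b"DATHDR fmt=1 dat=5958 min_engine=5300.2777 max_engine=5400.1158\nSIG ...\n"

if __name__ == "__main__":
    # 5100 is the engine named in the thread; the other numbers are made up for the demo.
    for eng in ("5100.0194", "5300.2777", "5400.1158", "5500.0"):
        ok, why = decide(parse_version(eng), SAMPLE_DAT)
        print(f"engine {eng}: {why}")
```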

  22. Anonymous Coward
    Thumb Down

    I don't use anti-virus crap at all

    I've never had a problem in 8 years now.

    Why bother?

  23. John Dooley
    Linux

    Yea stay away from free anti-virus

    Poetic justice, coming just after they dissed free anti-virus users.

  24. Bill The Cat

    Never Update Over A Weekend!

    Never update over a weekend -- especially a holiday or 3 day weekend. This has been the rule of IT for decades. Any company that does a major push on a Friday should be seriously reconsidered. No excuse for this one.

  25. Pete Hinch
    Grenade

    Consultant??

    So this IT guru correctly diagnoses the problem: an AV update is trashing every machine it touches. So he celebrates by switching on his laptop and letting it connect to the internet?

    To put it as politely as possible - I can think of better tactics...

  26. N2
    FAIL

    House of cards

    Just beggars belief that McAfee could cause such a problem, do they test their updates?

    But where do you put the blame, McAfee for its update or Microsoft for its continuing to deploy technologies riddled with exploits?

  27. Anonymous Coward
    Terminator

    Monday is just round the corner...

    ...and we shall see what the fallout is like. Luckily my work used the v8.5i engine, so we haven't got any BSODs.

    This sort of thing is not good - because you'll never know when those sons of fun will decide to target v8.5i and higher with their pranks...

    Going to suggest to damagement that we look at alternatives ASAP.

    Terminator - terminating dumb software.

  28. N2
    Thumb Down

    @ Max Watson

    Don't make me fucking piss myself.

    When in God's name has any self-respecting virus ever not managed to rip right through everything in its path and install to the system restore directory? Something to do with raw socket access or what, but every decent virus writes straight to it, when you are denied access until you change permissions.

    How utterly hopeless is that?

    & as for 'system restore ' it seldom works anyway.

  29. Anonymous Coward
    Anonymous Coward

    IT Support

    Pity they all got fired due to cutbacks.

  30. CalmHandOnTheTiller
    Coffee/keyboard

    OFFF

    The lusers and sysadmins having all the nightmares are the ones running an old engine. So old that it's actually 2 versions too old. That's like complaining when your seatbelt pre-tensioners and airbag fail to work when you've ignored both recall notices saying that they must be replaced or you're going to go through the windscreen when you have an accident.

  31. Neoc
    FAIL

    @James O'Brien

    "Mainly curious as it seems like the PR people or whoever is called should be at their beck and call....never understood it. Thanks"

    Actually James, that's *exactly* what the Public Relations department is for - answering questions from the Media. Not the Engineering Dpt, not the Publicity Dpt (though they may want to put a spin on it), but the *Public* *Relations* Dpt. This is their raison d'être.

    The fact they didn't answer tells me they were caught with their trousers at half mast and hadn't even planned a canned response in case of emergencies. (How hard can it be to state "We are aware of this problem and are working to rectify it"?).

    Sack the person whose job it was to hold the store at the time - s/he obviously cannot do the job satisfactorily.

  32. Mark Pawelek

    It must've been sabotage

    The only way this can be explained is that someone working for McAfee must've sabotaged this update.

    The chance that a virus would have the same "fingerprint" as a system file is minimal and the chance that McAfee would just roll out the update without testing is tiny. That leaves only one logical explanation.

  33. Max Watson

    @N2

    I wasn't suggesting a restore would remove a virus. Just undo the modifications to the system files that McAfee has done so you can boot your system properly again.

  34. Anonymous Coward
    Gates Horns

    @Aaron 6

    "no operating system doesn't need AV"

    Er, wrong.

    Please. Do yourself a favour and find out what the differences between Windows and Linux/OSX are BEFORE you post mindless rubbish like that.

    The ONLY reason to run AV on either OSX or Linux is as a courtesy to any Windows users you may (unintentionally) pass infected forwarded emails onto.

    Privilege escalation attacks using buffer overflow vulnerabilities are not viruses, they are exploitations.

    To infect a Linux/OSX box would require running code in order to install. This requires deceiving the user into installing it in the first place. Cus guess what? Linux distros aren't so fucking stupid as to allow remote sites to install to the root file system.

    Seeing as Windows boxes are rarely set up correctly and are almost always left with an unexplained Administrator Account as default, Microsoft are completely and totally 100% responsible for this current mess.

    They've had umpteen iterations of Windows now and they refuse pointblank to use a decent Unix-like model for security, choosing instead to repeat the same retarded mistake over and over again.

    Sympathy?

    Absolutely none at all.

  35. jake Silver badge

    @AC 09:37

    I tried to reply. Apparently being polite isn't acceptable.

  36. Stuart Vine
    Stop

    @Never Update over a Weekend

    It's an old IT project management mantra as well - never launch anything on a Friday - unless you want to spend all weekend trying to fix it.

  37. Magilla
    Happy

    Finally!

    Someone at McAfee has decided to try to fix the root of the problem.

  38. david 12 Silver badge

    @Alan W. Rateliff, II #

    "Disclaimer: I am an AVG Gold Reseller,"

    ... Then you will know that last week AVG identified Visual Studio 6 as a virus?

  39. Anonymous Coward
    Joke

    Whiney Comments

    Top 5 whiney comments from this thread.

    1. Ohhh my linux box is safe, join us. We love you. Please?

    2. IT guys must test things before releasing it. Agreed, but AV updates can be daily. Not all companies are big enough to have staff assigned to testing only.

    3. It's Windows's fault.

    4. Don't release an update before I go on holiday. (Selfish a**hole?)

    5. I'm not running any AV and I'm fine

  40. Toastan Buttar

    @N2

    Sir, you are a potty mouth. Sit on the naughty step until you learn to speak properly (and until you can actually name a piece of Malware which can "rip right through everything in its path and install to the system restore directory").

  41. This post has been deleted by its author

  42. Anonymous Coward
    Troll

    IT Support

    Who is this anonymous coward person? He contradicts himself (or herself) all the way down the page.

    FWIW - any IT Support person running out-of-support AV software should be sacked.

    And don't worry - the DATs won't install on 5100 or 5200 after 31/12/2009.

  43. Fred Flintstone Gold badge

    @ Neoc

    "Sack the person whose job it was to hold the store at the time - s/he obviously cannot do the job satisfactorily."

    I think you're forgetting the fact that it was weekend, most PR shops don't open 24/7. El Reg did the right thing (and McAfee still have right of reply as well).

    In this case the issue is with McAfee emergency management procedures, which appear not to include external communication (I'm still assuming they have emergency handling processes to start with). It thus appears they may need to talk to us about disaster planning, as theirs appears to suffer deficiencies. Just putting out a canned statement isn't enough; you need to follow up with some facts or report status.

    Bottom line: PR is important, but don't assume the company isn't dealing with the problem because they forgot to manage the press coverage. I would prefer them concentrating on solving the issue.

  44. Paul 71
    WTF?

    Less of the hyperbole please

    To everyone who says the best solution is to just not use antivirus: You clearly don't work in an organisation with any actual users.

    As for McAfee, this incident was definitely a massive fail on their part but I do think lazy sys admins should take the blame for not updating their engine even though it hasn't been supported for quite some time.

    Furthermore, McAfee is definitely a pain in the arse sometimes (for example, we've discovered a problem here on 'older' machines where performing DAT updates takes up 100% CPU and absolutely kills a machine for 5 minutes every day - McAfee have told me this is normal behaviour), but I have it on good authority that their management/deployment solution (ePO) is pretty much unmatched by its rivals.

    Lastly, I just want to point out that in my experience people (users mainly, but IT people as well) have a tendency to blame every problem that arises on McAfee (or whatever AntiVirus product is installed) even if it is completely obviously unrelated.

  45. Steven Davison
    FAIL

    @ matt 83

    "If a machine has Sophos installed then it isn't open source ;)"

    This is incorrect.

    Sophos provide CID downloads for Linux, Solaris, HP-UX, Netware, FreeBSD, AIX, Mac OSX and various Windows systems...

    While the product may not be open source, the OS can be.

  46. Mark Eaton-Park

    McAfee did it on purpose, I reckon

    What is the latest version of AV that can be installed without corporate secure download access? Unpatched 5100.

    A gentle kick in the ribs for any accounts not paying their McAfee update fees perhaps?

    Hmm, I wonder

  47. Ed Blackshaw Silver badge
    FAIL

    Alternative antivirus

    I used to use AVG Free, but that seems to have gone the way of the bloatware over the past year. Now I use Avast! Antivirus on my home PC, also free. I would recommend it - it seems to have a smallish footprint and not require the constant attention that AVG now seems to need.

    We use McAfee at work. It is a well known fact that we won't get much done on a Friday afternoon, when the weekly scan kicks off, and that the best thing to do after turning your machine on in the morning is to go and make a cup of tea...

  48. James O'Shea
    Grenade

    visual studio

    quote "Then you will know that last week AVG identified Visual Studio 6 as a virus?" unquote

    <gasp!><shock!><horror!>You mean that it's _not_?!</horror!></shock!></gasp!>

  49. Greg J Preece

    @Tim Brown

    Nope, I'm with you mate. No AV installed on my only Windows machine. Slows things down and annoys me, and I never get infections anyway. Every now and then I run an online scan just to check, and it never finds anything.

  50. Alan W. Rateliff, II
    Paris Hilton

    @david 12, @Ed Blackshaw

    Most of my "constituents" are using 2002 or later, most of them using 2005. So I have not had the opportunity to cross this particular issue. Even so, when AVG removes an offending binary it is placed in the Virus Vault, which can be restored and set to ignore in the event of false positives. FAQ 1203 tells you how to deal with false positives, including submitting them to AVG.

    AVG Free tends to be a little more "in your face" than the full editions. Anything free has a trade-off. I am running Internet Security on my production laptop and I never see it.

    But that is not to say that I do not have some objections to the AVG system. In particular, as IT I frequently advocate against the use of browser tool bars as multiple tool bars can conflict with each other, and older or poorly coded ones can simply stop the browser from working (*ahem* Lexmark.) So AVG introduces the AVG Toolbar. Not exactly a happiness for me, and I certainly expressed that to them.

    As for any other problems I have with AVG, I submit my concerns and they are quickly answered. I often field feedback from my, and from other, users and get them up to AVG which, again, deals with them in a timely manner. I even go so far as to send ElReg articles up through my support channels, though I believe some folks in the chain are regulars here already.

    Believe me, AVG listens to you. I think it is one of the few software vendors which still does. Even the LinkScanner debacle (on which you can find my opinion in other Reg articles) was dealt with based upon user and non-user feedback.

    And I fall back upon my previous statement that no AV vendor is perfect, and doubly so for software vendors as a whole. But that does not excuse them from completely disabling a system. And given that, I believe that AVG has never rendered a system non-bootable by its own actions.

    In any case, my intention is not to hijack this article to push AVG, but rather to answer to what I can.

    Paris, a little more in-your-face as well.
