McAfee false-positive glitch fells PCs worldwide

IT admins across the globe are letting out a collective groan after servers and PCs running McAfee VirusScan were brought down when the anti-virus program attacked their core system files. In some cases, this caused the machines to display the dreaded blue screen of death. Details are still coming in, but forums here and here …

COMMENTS

This topic is closed for new posts.

  1. Reality Dysfunction
    FAIL

    McAfee have finally acknowledged this

    McAfee have finally acknowledged this... after 3 days

    https://kc.mcafee.com/corporate/index?page=content&id=KB66225

    I am a sysadmin using the product and no, I did not have a meltdown, as I manage to keep things up to date (well, as up to date as I can given how old some of our hardware is).

    McAfee may be a bit of a hog on CPU around update time (ameliorated with later patches and versions) but compared to Sophos/Symantec the admin interface is a million times better, and although Kaspersky have an OK one, their support offering is a little too Russian for most people.

    Still, McAfee ruined my Friday and weekend as I ran round explaining why I was rolling back DATs on 10000 machines when there wasn't even an official notification of a problem etc etc, and then impinged on my beer time as I had to keep checking stuff all weekend for free.

    Bad communication ruins an average AV with a good management tool.

    PS free Avast and Comodo at home of course.

  2. Anonymous Coward

    @Fuzz

    The Engine IS updated along with the DATs. I administer McAfee via ePO so have some idea of how it works. The only way a person can be running engine 5100 with dat 5664 is if:

    1. They're running unmanaged (i.e. no ePO) and have turned off automatic updating and are manually downloading the DAT only package from time to time and installing that; even if you're not paying your support contract you'd still get engine updates with the DAT updates; the SDat which includes the engine is freely downloadable. It'd be naughty, because you have to tick a box saying "honest I have a support agreement", but if you can get the DATs, you can get the engines.

    or

    2. They're running ePO and the administrator has disabled automatic updates to the engine, and done bog all about manually upgrading the engines.

    Either way it does take some administrator muppetry to fall foul of this one. I was kacking my pants until I found it only affects the 5100 engine. To my mind it was a bit like discovering the problem only occurred with NT4.

    To other posters above - 7.0, 7.1, 8.0i, 8.5i are NOT engines; they are versions of the AV application itself, so anyone banging on about using the "8.5i engine" or whatever knows bugger all. 8.5i initial install comes with 5100, but as soon as you update it you'll find it's on engine 5301.something.

  3. Anonymous Coward

    @Anonymous Coward 06:47

    Erm.. bit behind the times. Vista's much maligned UAC does pretty much EXACTLY what Ubuntu Linux does - creates a group of users with the right to elevate their rights to root/administrator *if they explicitly declare their intention to*. The only difference really is that Ubuntu turns root into a user you don't actually log in as at all; UAC turns it into an ordinary account which has the ability to elevate itself by default.

    I use both and the similarities between Ubuntu's su model and Vista/Windows 7's UAC are striking.

  4. kain preacher

    Never Update Over A Weekend!

    The reason why my company did updates on the weekend is simple. If it breaks on a Saturday, you don't have an office full of users screaming at you.

  5. Anonymous Coward

    Yeah ok

    I can't believe people here are actually advocating having a computer on the wire sans ANY anti virus software. All I have to say is that I'm glad I probably won't have any of you as clients because dealing with that level of silliness would drive me nuts. Hell I don't even a Mac on any network without installing ClamAV X on it. I know McAfee is crap as is Norton and these kinds of false positives are a pain in the ass. But that's no reason to spew out that level of hyperbole.

    Anyway for those interested in something less expensive and with a significantly smaller footprint than either Norton or McAfee I use and recommend Avast, both the free personal and enterprise editions. Having struggled almost as much with AVG as the big two AV programs I can't realistically recommend it anymore.

  6. Slipgate

    Is McAfee that bad?

    I've read through the comments, and I don't actually see many (any?) incidents of people actually being affected.

    I've used most of the major A/V brands and the only ones I'd use in an Enterprise are Trend and McAfee. Symantec is toilet, in my experience, and AVG didn't do its job - after removing it on one site, I put on McAfee and it found a whole bunch of crap (AVG was fully up-to-date).

    As for 'let's just put Linux on', I don't think that's a particularly valid argument. I use Mac OS, Windows and Linux and think that they all have their place. On one site I run an NMS system (Nagios) on RedHat, MS Exchange, Terminal Server and some Macs for DTP/Web editing. Anyone who says that anything other than Windows is invincible is dreaming (wait until Linux has a majority share and the virus writers will be changing their focus). I haven't checked the Sendmail bug list for a while, but it wasn't short... The free bit of Linux doesn't include user re-training, deployment, support etc...

    Linux may be free, but, at the moment, I don't believe it's a viable desktop alternative (the only linuxish one is Mac OS - okay it's BSD, but near enough :-). There are just too many flavours knocking around for any consistency. That's why, partly, that the MS Windows/Office setup is often used. I also haven't got time as a sysadmin to check where Apache is putting its files now, is it /var/www or /www or /var/html/www for server things, for example.

  7. Joe Good
    Thumb Down

    Why I left McAfee...

    The primary issue I have with McAfee is that they're obviously yet another company that cut corners in critical areas (customer support, QA testing) to pad their bottom line.

    Here's my experience with them, just to make a point:

    - I disabled ActiveX on my machine for everything except trusted sites (Windows Update, the scum!)

    - When I installed McAfee, it wouldn't run. I discovered it was because McAfee required ActiveX controls.

    - I contacted McAfee multiple times through multiple channels (2 chats and more than a dozen e-mails, working with at least 6 different agents and a supervisor). Every time, the conversation went like this:

    "Hello. I've disabled ActiveX for all but trusted sites. I've added mcafee.com and the McAfee executables to my Trusted Sites list, but McAfee still can't run. Can you tell me what else I need to do?"

    "Please enable ActiveX on your system."

    "No. That's not an acceptable answer. I'm willing to activate ActiveX for McAfee alone, but I'm not going to activate it system-wide."

    "I understand. Here are the instructions for enabling ActiveX system-wide".

    "No. I won't do that."

    "I understand. Here are the instructions for enabling ActiveX system-wide".

    "Wait a minute. I just want to know how to enable ActiveX for McAfee without enabling it for everything else!"

    "I understand. Here are the instructions for enabling ActiveX system-wide".

    *Sound of me switching to a new vendor*

    In short, I found myself working with a "security" firm where no one in their support department could figure out why on Earth I'd disabled ActiveX. It made me less than confident in their abilities, to say the least.

    Joe

  8. Atrox666
    FAIL

    I got affected

    I not only got affected but had to listen to some asshat screen reading tech from India tell me that McAfee couldn't go crazy and start deleting files under any circumstances. Then he told me to boot to safe mode and run a scan after I had already explained that I had slaved the drive on a known good machine and it had scanned clean with 2 AV programs.

  9. Anonymous Coward

    @Atrox666 - Out of interest...

    ...how did you come to be running up to date DATs and a really old engine? And I am asking out of interest.

  10. Goat Jam
    FAIL

    @AC UAC

    "Erm.. bit behind the times. Vista's much maligned UAC does pretty much EXACTLY what Ubuntu Linux does"

    Erm, not really. In Linux, sudo requires you to type your password in order to do dangerous stuff. It forces users to let go of the mouse and type a password. This has a number of effects. The fact that a password is required should automatically trigger the recognition in even the stupidest of users that something "security related" is happening. That, and the fact that they have had to stop flailing with their mouse button for a second gives them time to hopefully understand what is going on, at least a little bit.

    All Vista UAC does is reinforce the already far too ubiquitous behaviour pattern common to most Windows users where you just CLICK-CLICK-CLICK-CLICK until all the windows go away.

    It achieves nothing.

  11. Neoc
    FAIL

    @Fred Flintstone

    I agree with you totally - but re-read my post: I was not having a go at McAfee (the company) for failing to solve the problem (I hope they were on to it), I was having a go at McAfee PR Department for failing in their remit.

    Responding to the "it was a holiday" defence: Bullcrap. If you claim to be an international company selling world-wide, you are bound to have become aware that:

    (1) Hardly anyone celebrates the 4th of July outside of the USA;

    (2) Weekends happen on Saturday/Sunday only in Christian countries - quite a few countries have their weekend on the Thursday/Friday;

    (3) above all, the world doesn't work on Pacific Mean Time, or whatever timezone the McAfee HQ is located.

    As for the "it was an old engine" defence:

    If the old engine was no longer supported, it should no longer be able to accept signature file updates. The fact that McAfee still allowed the new signatures to be used on the old "no longer supported" engines was STUPID. Either it's no longer supported and you no longer cater for it, or you cater for it and it is - by definition - supported.

    In other words, *this event* was a fail along the entire line, from the production of an invalid signature file to the lack of response from the people who are supposed to be the public face of the company.

  12. Anonymous Coward

    @Goat Jam

    The UAC does require a password if you're not logged in as an administrator. Moreover, it does alert you to the fact that something is happening. I fear it's a compromise; people whinge enough about UAC as it is; can you imagine if they also had to enter a password?

    It's a massive improvement over the ability under XP for malware to just install without you knowing anything is happening.

  13. Anonymous Coward

    Engines and updates

    > If the old engine was no longer supported, it should no longer be able to accept signature file updates. The fact that McAfee still allowed the new signatures to be used on the old "no longer supported" engines was STUPID. Either it's no longer supported and you no longer cater for it, or you cater for it and it is - by definition - supported.

    Heh... I tried AVG v7, and it refused to update its signatures, a big warning message popped up on the screen telling me I must upgrade to v8.

    Why can't McAfee do the same? But then you'll get lusers blindly ignoring that window and saying nothing to their sysadmin...

  14. James O'Shea

    McAfee not alone

    CA just pulled more of this same crap.

    Would someone explain to me again why vendors like CA, McAfee, and Symantec are still in business?
