McAfee Anti-Virus Causes Widespread File Damage

AJ Mexico writes, "[Friday] McAfee released an anti-virus update that contained an anomaly in the DAT file that caused many important files to be deleted from affected systems. At my company, tens of thousands of files were deleted from dozens of servers and around 2000 user machines. Affected applications included MS Office, and products from IBM (Rational), GreenHills, MS Office, Ansys, Adobe, Autocad, Hyperion, Win MPM, MS Shared, MapInfo, Macromedia, MySQL, CA, Cold Fusion, ATI, FTP Voyager, Visual Studio, PTC, ADS, FEMAP, STAT, Rational.Apparently the DAT file targeted mostly, if not exclusively, DLLs and EXE files." An anonymous reader added, "Already, the SANS Internet Storm Center received a number of notes from distressed sysadmins reporting thousands of deleted or quarantined files. McAfee in response released advice to restore the files. Users who configured McAfee to delete files are left with using backups (we all got good backups... or?) or System restore."

Help!

[vjmurphy]

I need virus protection from my virus protection!

Re:Help!

[spellraiser]

Okay - but after you get that, are you still safe?

NO!

You're going to need some virus protection from your virus protection from your virus protection to be absolutely safe.

Thankfully, I am offering those at very reasonable prices. Buy one now and receive a free fragment from the Eiffel tower as a value-added gift.

The real irony here....

[cbiltcliffe]

The real irony is that all the people who are too lazy/stupid/uneducated to update their anti-virus subscription were protected against this.....

Re:The real irony here....

[Syberghost]

Granted, I'm lazy, but I'm not dumb or uneducated, but I have no concept of an "anti-virus subscription".

Couldn't you have just looked at the pricing page for any of the major antivirus vendors, or any of the 163,000 hits on Google for "antivirus subscription" or 6.04 million for "anti-virus subscription" (the top hits of which are about the same) for this answer, instead of flaming the guy?

I mean, yes, you're lazy, but damn, man, it's just Google.

Re:The real irony here....

[ummit]

Are you a teenager?

Looks to me like he's a smug user of computing platforms that are actually, inherently, mostly secure.

...those paying for an anti-virus subscription being somehow incompetent.

It seems there are yet a few little boys who dare to say "The Emperor has no clothes" when confronted with the, yes, staggering incompetence with respect to security which is rampant within the mainstream PC world.

1. adopt a platform with no inherent security
2. become utterly dependent on it such that you can neither abandon it nor correct its inherent flaws
3. spend extra time and money on extra, after-the-fact "security" applications which, at best, give you a slight headstart in what's still a footrace between the white hats and the black hats (a race in which the black hats still seem to be holding their own)
4. put up with lost files and more lost time when the "security" software runs amok
5. to make yourself feel better while you're waiting for your backup tapes to read, belittle someone who has the audicity to wash his hands of your chosen platform's sorry problems.

Re:The real irony here....

[KarmaMB84]

There's very few options in a corporate or university environment who want to manage their virus scanners. Most of the "free" scanners dictate that you need to pay if you're in such an environment anyway.

Re:Help!

[xtracto]

What about a *nix firewall [muine.org]with antivirus software on it [f-prot.com]?

You only need that headless pentium 3 (even a pentium pro could make it!) that you are using to rest your feet ;-), plus you will be able to forget the burden of whatever "ANTI-*.* " software that wastes your precious resources.

Of course that is if you use Windows (for whatever reason, I also do it).

Re:Help!

[rikkards]

That's great but what if someone introduces a virus through other means i.e usb key, infected laptop, etc. Firewall won't help much internally

Solution:PXE boot Linux Thin/Thick Client Desktop.

[NZheretic]

Linux on the Desktop at work and worth it [com.com]:

Although they have chosen to deploy Linux using the traditional thick desktop/workstation model, they use a spare server that operates as an X11 application server. This is used on a regular basis by the helpdesk, IT support and a few Windows users that access both windows and remote X Linux. The rescue partition, that can be also network booted via PXE, is based on the Linux Terminal Server Project ( http://www.ltsp.org/ [ltsp.org] ). During an install or if a security viola

New school excuse

[Spy der Mann]

My antivirus ate my homework :(

Re:Help!

[Mistshadow2k4]

A common misconception. First of all, some viruses/malware can download straight into your computer while you're just online (the infamous Blaster comes to mind). So obviously you need a firewall. And some programs that are tagged "clean" by some sites can contain trojans aanyway. The only solution against the latter besides antivirus would be to never buy or download any program that didn't come with Windows - and Windows comes with practically nothing as it is.

The Risk

[eldavojohn]

I think it's funny how on McAfee's site [nai.com], they list the risk of the virus they are trying to identify:

Corporate User : Low
Home User : Low

Did they forget to include that the risk of installing McAfee Anti-Virus for any user : High?

Wait a minute, it is identifying some system files that Windows put on my machine! I guess the Mac & 'nix freaks are right, Windows really is a virus. I hope it's only a matter of time before my next virus definition assesses Internet Explorer & Windows Media Player as full blown Trojan viruses distributed as malware with my OS.

Re:The Risk

[Aspirator]

One of the commonly percieved risks of viruses is that
'they will delete your files'.

In one fell swoop it seems as though McAfee may have deleted more files
than all the viruses it has removed would have.

Re:The Risk

[Dare nMc]

>McAfee may have deleted more files
than all the viruses it has removed would have.

go figure, no big system admin has wanted automatic (witout testing) updates for some time, to their OS. I guess sys admins got lazy on testing virus scanner updates before rollouts.

I know I am not alone in turning off all runtime virus protection on my PC, because it has historically had more impact on system stabilty, and speed than most virii. (ok it seams the latest scanners on winXP may actually work...) Wouldn't sav

Re:The Risk

[stinky wizzleteats]

I guess sys admins got lazy on testing virus scanner updates before rollouts.

That's very funny. When a ubervirus thrashes a couple of corporate networks to the tune of a billion dollars apiece, we hear "Stupid admins - the patch was available - they weren't keeping up". Now it's "They should have tested before rolling them out." (paraphrased)

It appears, therefore, that using a system that is subject to viruses and security vulnerabilities on the scale of Windows is inherently untenable. We can't even define logically consistent expectations for the administrators of such systems. Can we stop using them now?

Re:The Risk

[digital photo]

More often than not, the choice to put AV software on systems wasn't a sysadmin choice, but a management/business choice. IE, cost reasons, CYA reasons, lower priority than say getting that next X million dollar project up and running, or some other reason which pre-empts AV stuff.

I don't use AV software on my systems at home, but that's a personal choice. Not due to laziness, but because other measures have been taken: strong firewalling, restricted software on desktops, strong desktop settings, regular backups, and sufficiently educating anyone who uses the computer of the dangers they can face, what online actions are risky, and to abide by the basic rules so as to avoid putting your data/computer at risk.

For half a decade, I've gone without AV software and have had all of my systems virii/adware/malware free. This isn't due to laziness, but diligence and preparation. This isn't due to OS fanatacism, but making a decision about what compromises to make between security and usability. I use WinXPpro, Linux, and MacOSX systems at home.

When people passively rely on external assistance, like AV software, something like this would eventually happen. People make mistakes. Companies make mistakes. And when you have a large install base, those mistakes can easily become big monstrous mistakes.

Right now, ALOT of sysadmins are probably sweating bullets getting systems back online. This isn't because they were lazy. This was because someone at another company screwed up and it impacted their infrastructure, which in turn impacts their business.

Make no mistake, people will get sued and lawyers will get involved. Think it was just the businesses and end users of the AV software that got screwed? What about the customers of the businesses? What about the home users who run their business off of their home computers? Yeah, there'll be some noise about this down the road, make no mistake.

*listens over the cube walls* I don't hear any cursing or screaming, so it hasn't happened here or the OS admins have done their homework over the weekend. In either case, this will be interesting to follow in the months to come.

Comical recovery instructions from McAfee

[Anonymous Coward]

Even better are McAfee's instructions for how to recover from the damage their product has done. The first option is to restore the files from quarantine, assuming your version of McAfee actually lets you do this (not all, including the corporate version, have this option). The second is to use Windows System Restore.

This probably would have worked great on my machine if it weren't for the fact that half of the files McAfee quarantined were *System Restore files*.

Apparently McAfee hasn't heard of a novel concept called "testing". (I like how they've posted a list on their website of the false positive files, now 7 pages long and still woefully incomplete; they ought to just admit it's going to take a random assortment of exes and dlls on any machine.)

Combine this with the fact that the default settings on a McAfee install are to quarantine without prompting, and IMHO McAfee is the most dangerous virus I've ever had on my machine.

Re:The Risk

[dc29A]

Wait a minute, it is identifying some system files that Windows put on my machine! I guess the Mac & 'nix freaks are right, Windows really is a virus. I hope it's only a matter of time before my next virus definition assesses Internet Explorer & Windows Media Player as full blown Trojan viruses distributed as malware with my OS.

With common sense like not running Windows as root, ditching IE, ditching WMP and not blindly installing every software you find (even if it has flashing (OMG YUR PC IS SLOW

Re:The Risk

[AndroidCat]

Don't worry, just install the new patched version of McAfee. I believe the internal name for this release is called Skynet.

Re:The Risk

[fuyu-no-neko]

I guess the Mac & 'nix freaks are right, Windows really is a virus.

But aren't viruses meant to be small and efficient? O.o

Good thing...

[Anonymous Coward]

Good thing Mcafee doesn't have liability, via contract, for this mess....

Does this mean...

[__aaclcg7560]

That Microsoft Anti-Virus will be deleting McAfee from the system? And, to be on the safe side, also Norton?

Re:Does this mean...

[Stephen Samuel]

Perhaps they were just trying to do a pre-emptive deletion of MS-AntiVirus and set the net too wide.
Oh well... At least it's a commercial package so, unlike Open Source, I have somebody I they can sue when something like this ......

WHAT???!!! EULA?? Yeah, but I didn' think... arrrrgh!

Re:Does this mean...

[rbochan]

...And, to be on the safe side, also Norton?

You'd hope that the sysadmin would be competent enough to do that.

Surprisingly, it didn't quarantine itself

[digitaldc]

If only McAfee had quarantined itself before this disaster, it would have worked perfectly!

Re:Surprisingly, it didn't quarantine itself

[btellier]

Actually, in their press release they have some of the filenames affected by the errant signature. Among them is:

- FrameworkService.exe

Which, if you take a look at your Task Manager, you will notice is:

  Directory of C:\Program Files\McAfee\Common Framework

09/27/2005 03:06 AM 102,463 FrameworkService.exe

Nortons AV did this to me once...

[craznar]

Scanned my Inbox file, and deleted it because there was a virus in it from before I installed Nortons AV.

However - like most AV software, you can put it straight back.

No biggy ..... however I turn off automatic scanning these days... just manually scan every so often.

Re:Nortons AV did this to me once...

[Nimey]

Were you using Mozilla, Netscape 6.x/7.x, or Thunderbird? I've been told of that problem on the first two and experienced it on the latter -- even though that installation of T-bird 1.5 had the option to let antivirus scanners remove individual infected attachments.

Re:Nortons AV did this to me once...

[HermanAB]

Yeah, McAffee did that to me once and I could not put the file back either. That was the last time I use McAffee...

There's gotta be a way to blame this on Bush...

[Anonymous Coward]

There's gotta be a way to blame this on Bush. Somehow he was responsible.

They asked for it

[voice_of_all_reason]

There's one action that is responsible for almost all computer-related problems -- crashes, virii, corruption -- and that's blindly running code without checking it out first (either yourself if you have the know-how, or waiting for others who do to test it out first).

Ouch....

[Araxen]

McAfee doesn't have the greatest rep as it is but this might be the last straw for them.

Not surprised

[QuantumPion]

This is a major problem with anti-virus software. Because of their blacklist model, they have to release definitions and updates very frequently. They have to release these updates as quickly as possible as well, or else their subscribers will be infected with these viruses before they get the updates. In addition, their software is very bloated and complicated, needing to be able to defend against a huge variety of attacks, both immidiate and obsolete. This results in a very error-likely situation. What the network security companies need to work on is an innovative way to effectively protect corporate and home networks without having to use dangerous bloatware.

Re:Not surprised

[MartijnL]

Well, Cisco's CSA (http://www.cisco.com/en/US/products/sw/secursw/ps 5057/index.html [cisco.com]) does the exact opposite: you tell it what is allowed to run and it blocks everything else. It also runs a signature analysis so when something that you hadn't configured yet tries to perform an attack it alerts the user. It can become quite a task however to properly configure and you still need user awareness to keep them from clicking "YES" everytime like they do with every other popup they face (the other option is that you manage everything but then you will get flooded with support calls).

Re:Not surprised

[Billosaur]

It can become quite a task however to properly configure and you still need user awareness to keep them from clicking "YES" everytime like they do with every other popup they face (the other option is that you manage everything but then you will get flooded with support calls).

This would seem to be a good place for the addition of some low-level AI, to learn usage and traffic patterns and be able to anticipate such things. It might even be made smart enough to detect suspicious or erroneous processes/traf

Re:Not surprised

[Monkelectric]

No ... McAfee is just irresponsible. Try another program like Panda or Trend or Avast. I personally think Panda is the best at catching viruses -- but its software is a bit buggy. Trend is a solid performer, and Avast seems to do an ok job but it screws up Visual Studio so I dont use it personally, but I recommend the free version to friends.

For what it's worth

[shoptroll]

My computer started rebooting randomly a week or so ago, and is something I've been trying to combat for a while. It would do it when idling or when I was in the middle of websurfing.

I find it interesting that once I disable Mcafee's on-access scanner the system stabilized itself and has been running without a problem for about a week now (I had seen it reboot about 3 times in one day).

Seeing this article makes me more suspicious of the scanner now.

Re:For what it's worth

[Stephen Samuel]

You might want to scan your hard drive for bad blocks.

Re:For what it's worth

[shoptroll]

That was my first guess... Seagate's SeaTools found nothing, same with CHKDSK in Windows Recovery console

Puzzling.

Re:For what it's worth

[High Hat]

Have you tried running memtest86?

This honestly sounds like a corrupt memory problem.

Other possibility is that you've hard-set the windows swapfile limit...

Re:For what it's worth

[shoptroll]

Memtest86 was run a month or so back, no problem found.

Swapfile limit is currently set to 3 gb on one drive, 3gb on another drive. 1 gb of RAM. I'm pretty sure this shouldn't be a problem based on everything I've read about the Windows swap file

Re:For what it's worth

[shoptroll]

I've been thinking about thermal issues but I've checked the internal monitoring software and everything looks normal. Also, I haven't been seeing reboots when playing games like UT2004 which will push my rig towards the limit.

I'm gonna re-enable the on-access scanning at the end of the week and see if the problem re-appears.

At last !

[alexhs]

At last a good AV software removing those virii-ridden bloatware from your computer :)

Why are people complaining ?

Second time in a month

[Malc]

This is the second time in a month, although much worse than the last one. On the 23rd Feb, my mum asked me about an issue where McAfee had just cleaned Firefox of a trojan: Exploit-MS06-006.gen [nai.com]. Turns out that it was a false-positive and it had needlessly truncated some files.

Problems with McAfee

[NetDanzr]

This is not the first problem with McAfee I've had this year. A few weeks ago, something started eating my system resources, pushing total CPU usage to 100%. Through trial and error I found that it was the McAfee virus scan. I found others with the same problem, which convinced me that for a change, the problem was not with the user. I ended up uninstalling McAfee and switching to AVG. Just in time, as I can see...

Deletes text files too

[psm321]

I had a TEXT file deleted by McAfee just a few days ago. The "virus" that it identified was a different one from the one in this article too. Unfortunately, in the version of VirusScan I have (came with Dell computer) there's practically no configurable options, so I have no way to set it to quarantine instead of delete.

Prompt

[_Shorty-dammit]

Exactly why you set that kind of software to prompt you for the action, if any, you'd like it to take. Get what you deserve.

Re:Prompt

[srw]

That might be fine for the more computer literate user, but... giving a clueless user the option to clean, delete, quarantine, or ignore is a recipe for disaster. Trust me. Yes, from experience.

Saw it coming (sort of)

[martyb]

Just last week, in response to: The Trouble With Software Upgrades [slashdot.org] I posted a question [slashdot.org] asking what do you do to protect yourself from automatic updates that go bad... but I got no responses. In light of the current situation, I'd really appreciate hearing some responses, here.

Re:Saw it coming (sort of)

[tomstdenis]

Rollback the OS.

First, don't have your homedir on your workstation. Then, don't do auto-updates on the file servers.

Then, for your workstations create images of the disks. Don't let users perform upgrades unless they assume the responsibility for the box. Next, test the update on a limited subset of boxes. If it works then roll it out. If by chance you screwed up rollback to images that are stable and perform the safer updates.

Generally this is trivial with a proper OS distribution like freebsd, openbs

Re:Saw it coming (sort of)

[simong]

I don't think there really is a way apart from having verifiable restorable backups of every system prior to patching. I was having a conversation along these lines this morning and the agreed solution was to have an identical test platform and install on that first, allow it to run long enough for any problems to arise and only then implement on a production system. That's the ultra-conservative approach but many years in financial services have shown that that's the only way of being certain.

Re:Saw it coming (sort of)

[xtracto]

what do you do to protect yourself from automatic updates that go bad...

Doh! Turn of automatic updates.

Hehe, kidding aside, seriously that is what I do. I do not do auto upgrades because I find it a bit disturbing that any of my systems installs something else which I have not seen what is it. Granted, sometimes I do not read the Microsoft KB12312412412 patches information but at least I just patch what I believe is worth patching.

However in a big network it may not be trivial to update manually. Although m

McAfee's response

[gEvil (beta)]

Ummm...Whoops?

Good catch

[blueZ3]

I dunno about the rest of that stuff, but the Adobe update manager is a virus in my opinion.

It seems to have "infected" all of Adobe's recent product install CDs. Once it "infects" your computer it displays a popup whenever you open an Adobe app. As far as I can tell, there's no way to shut this off in the latest versions. So I've paid $x00 dollars for Acrobat, and it comes with a virus.

Re:Good catch

[SillyKing]

I have removed Adobe Acrobat reader from my systems. In it's place, I use Foxit Reader (http://www.foxitsoftware.com/pdf/rd_intro.php [foxitsoftware.com]) for reading PDF files. It's a lot faster to load, and I have yet to come across a PDF it can't read.

For creating PDF files, I use PDFCreator (http://sourceforge.net/projects/pdfcreator [sourceforge.net]). It works like Adobe Distiller used to, you create your PDF files by printing to PDFCreator.

Re:Good catch

[Wiz]

You can use this piece of Adobe software:

http://www.adobe.com/support/downloads/detail.jsp? ftpID=2709 [adobe.com]

To create custom MSTs for Acrobat, which you can use to disable all of the annoying crap. Well, apart from the Yahoo search! I suggest also http://www.appdeploy.com/ [appdeploy.com] can be useful for finding ways to disable stuff in installers.

We lucked out

[PinternetGroper]

Our main system here downloads the DAT updates at 2 AM every day. As of Friday morning, it had downloaded the 4714 files, then downloaded the 4716's on Saturday morning, completely missing the 4715's. It appears we missed a bullet. Good luck to all the sysadmin's out there working on cleaning this up!

Where should users turn?

[babbling]

When the virus scanners act like viruses, what should users do? This isn't the first time a virus scanner has screwed up, and it probably won't be the last time, either.

Furthermore, a lot of virus scanners have an option to "auto-update". Imagine if an entire company had this option turned on.

Virus scanners have always been a bad solution to the problem of viruses. They don't fix the problem at its root. Instead of ensuring their operating system has no known security holes, users now rely on virus scanners to just catch everything that comes through. Any determined attacker could still just craft a custom virus to attack any host they desire. Since the virus scanner companies wouldn't have come across that particular virus, it wouldn't get picked up.

Would you fix the holes in a boat with sticky tape instead of checking that the boat doesn't have holes before you put it in the water?

I haven't had any problems

[myth24601]

I use McAfee and My system is working fi

Ye don't always get what ye pays for

[cgenman]

People percieve paid software to be superior to free alternatives because A: nothing could go wrong with paid software and B: if something did go wrong, obviously the company would indemnify / rectify / fix the problem.

Likewise, the perception is that the more expensive the software (and the bigger the box it comes in) the more protection you are afforded. And that the company won't suddenly decide to change direction / stop supporting the software / etc.

Yet time and time again this is shown not to be true. McAfee uninstalls arbitrary files on your computer (how'd that get through testing?) and just tells users to re-install from backup... exactly the kind of calamity the software is supposed to prevent. Part of WinNT5 was found to violate someone's patent, and anyone using that particular (admittedly rare) function had to pony up to the original patent holder or write a workaround.

As far as I can tell, the "little guys" software tends to be better in general than the big boys. Why? Because they're still trying. Before Norton was Symantec, they struggled to create an amazing toolkit of software tweaks that really did some great things. Now that their position is secure, they've hardly updated the suite to even work with XP, let alone taken advantage of the fixes and hacks that smaller houses have found. McAfee, once a nimble little company making a great little product, has been bloating for years. The more developers you add to a project, the less anyone knows about what the system is doing.

A free alternative that has been around for a long time:
AVG Antivirus [grisoft.com]
There are others. Please post 'em below.

McAfee Haiku?

[ursabear]

The files they are gone. It seems McAfee ate them. The backup saved us. or The files they are gone. It seems McAfee ate them. Go home from work now.

OOPS

[ROOK*CA]

"False positives aren't uncommon however, but this is something that should be caught during regression testing. "

Email from the Test Group to Product Marketing:
"Hey when did we announce an uninstaller product?"
Email from Product Marketing to Test Group:
"We didn't"
Email from the Test Group to Product Marketing:
"What are we supposed to do with this then?"
Email from Product Marketing to the Test Group:
"Just Ship the damn thing whatever it is, we're sick of you guys screwing up our ship dates, no

Don't run windows, it's bad ... 'kay?

[elronxenu]

This is yet another reason to not run windows. If you run windows, the system's so insecure that you have to buy third party applications to check it constantly. These third party applications have the ability to run rampant through your files, destroying critical data without oversight.

Seriously, who thought this was a good idea, to configure these programs to automatically delete system files? There is always a chance of a false positive - identification of a file which does not contain malware. Are vir

Ethereal too?

[OrangeDoor]

Just noticed the screenshot on the McAfee page for W95/CTX [nai.com]. It shows some dlls from the Ethereal program as being infected. Of course those files are in their complete list [nai.com] of affected files, which comes in a convenient easily accesible PDF file as all the most important documents on the web should. It's 7 pages long, but an amusing list to skim through.

Who uses Ethereal [ethereal.com] and McAfee? Just found that funny/ironic on some levels.

Thank God!

[DoctorPepper]

I don't use Windows! :-)

Feeling pretty good

[dtfinch]

I don't use antivirus software, at least for anything more than manual scanning, but for reasons other than this. Antivirus makes Windows slow and unstable, sort of like some malware does, except it does it all the time.

I don't get viruses and other malware, because I don't manually install viruses and other malware. People who do need antivirus software.

Software Wars

[Godji]

[deep bass voice]It's a world where companies wage a security suite war on other companies. The battlefield is your own desktop. Imagine Mysantec's antivirus attempting to delete Facamee's antivirus, before being both obliterated by Sicromoft's security solution still in beta. Wouldn't it be fun to watch as your CPU cycles get all pulled into the fight, with rampant defense software running around your RAM and filesystem, killing each other out, filling your desktop space, and celebrating victory with funny

Advice for corporate users

[futuresheep]

This is exactly why I force all my clients to update their DAT's from MY server, not McAfee's, and I push the updates out, the clients never pull them. Along with that, I always wait three to four days before pushing the updates out. Even if you don't use the full McAfee Epolicy Orchestrator, you can still configure the clients to point to an ftp server on your network for updates. Just like with MS patches, it's simply prudent to wait a few days just in case there's any issues like this that may arise.

I'm not excusing McAfee here, but there are ways that we, as admins can minimize the risk to our users and our network.

Re:Advice for corporate users

[futuresheep]

1) You can educate users as much as you want about how to avoid viruses, they'll still get them if they really try. They're users after all.
2) The number of viruses that actually are that serious a threat are next to zero. Have you ever bothered to look at the release files to see what the daily updates actually cover? If you did, did you bother checking what they were and the criticallity of the viruses listed? Do you know how many viruses are listed in the readme for the latest McAfee DAT?
3) Anyone that r

They are doing a great job!

[slashname3]

Actually it sounds like they are doing a great job. They finally targetted the biggest virus of them all, Windows. Maybe this is the start of something really good. Finally the Windows virus is being actively targetted.

A tool for media giants

[JasonEngel]

Comcast gives away McAfee AV for free to customers, so I tried it out. The only time it ever caught anything at all was a false-positive. Complete file system scans never ever turned up anything. However, if I opened a folder with a file in it called SetupDVDDecrypter_3.5.4.0.exe in it, McAfee would call it a virus and delete it. Didn't matter which version of the installer actually, it would delete it. Didn't matter if the AV program was configured to only quarantine suspect files, it would delete it. Didn't matter if I made an empty text file then renamed it to SetupDVDDecrypter_3.5.4.0.exe, McAfee AV would delete it. If I renamed the installer to something else, McAfee AV did nothing.

Pretty obvious to me that it was just waiting to find files that media companies didn't like people to have on their own private property so I'm guessing that they must have gotten McAfee to agree to do their dirty work for them and call stuff they don't like a virus and automatically delete the file regardless of settings.

But that's just my conspiracy theory.

Re:A tool for media giants

[jratcliffe]

Looks like there may be a reason for this behavior. That package hasn't been available from its creators for nearly a year, and it seems (as indicated by this site [72.14.203.104]) that there may be versions of the installer floating around that have had trojans attached to them...

Anti-virus as virus? Yeah, I knew that already.

[Whumpsnatz]

On an old WinME laptop, the only virus I ever had on it was Norton AntiVirus.

I worked on a consulting job two years ago, and they told me I could use my own PC. No problem - except that, when I got there, they wanted to check it for virii. In an XP world, I was running Windows ME. So they loaded up Norton on my machine, and ran it for about 3 hours.

Result? Nothing. No junk of any kind. Completely clean.

Why? It helped that I had the free version of Zone Alarm, and the firewall on my DSL router definitely helped, but I think the biggest reason I had no problems was

- Mozilla instead of IE
- Eudora instead of Outlook.

Completely clean, that is, except for the antivirus. That monster kept interrupting my work. It took a great deal of effort to get the beast out of my system.

Beware of Fridays

[Nom du Keyboard]

Always beware of any software updates released on a Friday. If there's a problem, much of the damage will be done before anyone returns on Monday.

I can imagine the meeting now...

[Obi-w00t]

[Team Leader]: So Steve is new here so, Bob, why don't you show him a simple virus definition for one of these low-priority viruses?
[Bob]: Sure. This virus is low-threat but can masquarade as numerous file names so why don't you just look for a common pattern and write a REGEXP function?
[Steve]: Sure.
[Bob]: You know how to write regular expressions, right?
[Steve]: Yeah, sure, the one's with the asterisks.
[Bob]: Erm, yeah. I'll leave you to it. Just send it to the database so it can get filed in the next update.
[Steve]: OK, see you later.
*Looks around nervously. Briefly glances at long list of file names then timidly enters:*

*.EXE

Re:who-can-you-trust?

[dc29A]

This is one of the major reasons I use open source software. Its hard to trust corporations who only tell you lies to preserve their public image.

Do you really think Open Source AV can't fsck up your PC if there are bugs in it? And let's be honest, how many people actually look at the source of programs (updates) they install? I am a programmer, and I never looked the code of an Open Source program I installed for the sake of "Let's make sure this update won't fsck up my PC". I look at the code because I am curious to see how they do certain things, or I want to change some annoying aspect of it.

Re:who-can-you-trust?

[freeweed]

let's be honest, how many people actually look at the source of programs (updates) they install? I am a programmer, and I never looked the code of an Open Source program I installed

The point of open source is not that you PERSONALLY can look at the source to find problems (although you can if you like).

The point is that thousands of other people can. And usually, no one's stopping them from reporting a problem if they do find one.

Admittedly, this leaves gaps (what if no one else looks?), but it works pretty damn well, for the most part.

Re:who-can-you-trust?

[MankyD]

What on earth did they lie about? They screwed up and they're trying to tell you how to fix it. This is not a commercial vs. oss debate - sheesh!

Re:who-can-you-trust?

[MustardMan]

Quiet you, we'll have no reasonable thoughts in THIS house!

Closed source is teh $at4n... go linux, w00t!

Re:Don't use anti-virus!

[Aranth Brainfire]

Yeah, but you can feel all superior and stuff if you have one that scans every day and can sincerely say that you have never ever gotten a virus onto your system.

Re:Don't use anti-virus!

[$calar]

I have never used anti-virus software and have never gotten a virus in my life. My main reason for not using anti-virus was because it hampered system performance. I really don't think it's that hard to avoid getting a virus, all you have to do is stay up to date with your operating system and don't open executable attachments (it would be even better if you just ignored emails that weren't from trusted sources). The only thing that bothers me are these zero day exploits that even anti-virus software can't

Re:Don't use anti-virus!

[rmadmin]

Just curious... if you don't have an antivirus scanner... how do you know that you've never had a virus before? There are viruses that are passive enough that even a skilled admin might not notice them. :)

Re:Don't use anti-virus!

[$calar]

I use Linux.

Announce.

[leuk_he]

For a announce you need mc-disaster. In annouces regually it found a virus, or sometime just announces the fact that there are dangerous viri on the web.

If it really found a virus is very well discusable. It gives a warning once in a while that some webpage might contain a virus, or some bounced message with an attachment might be a virus.

Anyway, mc-disaster is not the program that saves me time keeping my system clean. It only costs me time. In the short time i ran it in the past it costed me more time th

Re:Don't use anti-virus!

[PFI_Optix]

I haven't had a virus on my XP system in four years, including during my dial-up days.

If you keep your system updated, use a firewall, and just generally understand how the typical virus/worm/trojan works, you're 99.9% protected. However, there's always the possibility that someone will get clever enough to get through that, so I use AVG just to be on the safe side.

Re:Don't use anti-virus!

[Tibor the Hun]

That's wonderful news sir. You've just won yourself an invitation to come to my place of work and train 200 40+ year olds to do the same.
Wow, that'll save us tons of cash!

Re:Don't use anti-virus!

[PFI_Optix]

Apparently, it is.

I've used it at home for a little over four years and worked with it for three years as an administrator. I have NEVER had a virus on any XP system I was responsible for.

In fact, the only virus I've ever had a problem with was an infected Windows 2000 domain controller that was SUPPOSED to be managed by corporate IT. They hadn't updated it in well over a year and wouldn't let me touch it until it started crashing (and those geniuses had it as the exchange server as well...again, I couldn't change that).

In both cases, I didn't go to extreme measures to secure the systems. I used automatic updates, both a standalone firewall and Windows Firewall, and antivirus (AVG Free at home, Symantec Corporate at work). That, and I educated my users on what NOT to open from their e-mail.

A good way to teach your users not to open strange attachments is to give them a dummy one that will just let you know who opened the file. I arranged with management to do this one day...send out a trojan-like e-mail with a script that would write a file with the username in it to one of the network shares and see who opened it.

The next day I unplugged one of the network switches for fifteen minutes at the beginning of the day, told them it was because some people had opened "virus e-mails" (management knew the truth) and then plugged it back in. I talked to the people who had opened the "virus" e-mails and gave them an in-depth training session on why it's a bad thing to open every attachment you get on e-mail. From then on, they wouldn't touch anything that was even remotely suspicious.

Three years, nearly 100 users, and ZERO penetration on my systems. It's not rocket science.

Re:Don't use anti-virus!

[st1d]

What, were you out of batteries for your cattle prod? :)

Re:Don't use anti-virus!

[JazzCrazed]

Not to mention that you won't know whether or not your computer has a virus if you don't scan it with some sort of antivirus software.

Re:Don't use anti-virus!

[xtracto]

If you keep your system updated, use a firewall, and just generally understand how the typical virus/worm/trojan works,

There was a time when antivirus software was *really* useful. When viruses where hidden in boot sectors and they used technologically saavy tactics to duplicate.

Nowadays the deffiniton of viruses are mostly worms and trojans. Worms are defeated by using a firewall (I have an openbsd firewall standalone pentium pro machine), trojans are defeated not opening those OMG_BRITNEY_TITTS.JPG.EXE fi

Re:Don't use anti-virus!

[MankyD]

Actually... they do "magically propagate" when flaws are found in things like Windows SAMBA sharing or Apache's web server (or any server program that you run for that matter.)

Re:Don't use anti-virus!

[TubeSteak]

Wouldn't that make it a worm?

Worm = no user interaction
Virus = user interaction

Hence... virii don't "magically propagate"

Re:Don't use anti-virus!

[MankyD]

Ok, true, a worm. That doesn't change the fact that an infection is possible and that av software works to quarantine it.

Re:Don't use anti-virus!

[$calar]

Those are called worms, not viruses. Besides, anti-virus is only as good as the latest definitions. If you have auto updates enabled on whatever operating system you use, you should be fine. Additionally, a good firewall goes a long way against these types of exploits.

Same as with safety belts

[Opportunist]

Every once in a blue moon, some poor person dies because he or she didn't get out of the burning car because of the belt. Then someone will stand up and say "See? I don't use them and if they didn't, they'd live as well. I drive carefully, I don't get into accidents, so I don't need them!"

The problem is, you never know. It's not only foolishness that gets a trojan onto your system. They come with presumably legit software, even from reputable companies. An infected driver CD is all it takes. Shareware CDs or other CDs slapped on magazines, do you think they have a lot of time to make just perfectly sure the programs are clean? A lot of shareware comes bundled with adware, do you read all those EULAs? And do you think they tell the full truth? Can you read through the legalese?

I won't get into system bugs and other exploits.

So yes, you don't really need safety belts. But it sure feels a bit more secure with them.

the difference

[Ender Ryan]

The difference being, seatbelts have saved my life, but I've never used AV software and have (almost) never had a virus. I don't connect windows boxes directly to the Internets, don't use IE, and just generally don't install anything that I don't know enough about to feel it's safe.

IMO, AV software is malware itself. It interferes with the normal operation of the system in order to "protect" it. The simple fact is, users should never execute code that might be malicious, and the system shouldn't execut

Re:Same as with safety belts

[Stavr0]

Every once in a blue moon, some poor person dies because he or she didn't get out of the burning car because of the belt. Then someone will stand up and say "See? I don't use them and if they didn't, they'd live as well. I drive carefully, I don't get into accidents, so I don't need them!"

No. No no no. This would be similar to say, an airbag deploying (i.e. exploding in your face) when you turn on the radio.

• A security system activates erroneously, there is no real threat present (turn on the radio).

Re:Well...

[MustardMan]

... by Anonymous Coward on Monday March 13, @09:07AM (#14906906)
All I can say is 'wait 'til monday.'

Heh, now that's funny.

Re:hijackthis

[maotx]

I've never had a problem with McAfee and hijackthis. Also, 4715 isn't even showing up in our records under the ePolicy Orchestrator. Everyone is either at 4716, or if they haven't connected, 4714.

Re:CTX undo file

[stry_cat]

Who in their right mind is going to download and run a script off of an unknown website? I'm sure you're trying to help, but no one should do this. Otherwise they'll need more than just McAfee to fix their computer.