McAfee Retracts Lowball Bug Damage Estimate 233
bennyboy64 writes "McAfee has changed its official response [warning: interstitial] on how many enterprise customers were affected by a bug that caused havoc on computers globally. It originally stated the bug affected 'less than half of 1 per cent' of enterprise customers. Now McAfee's blog states it was a 'small percentage' of enterprise customers. ZDNet is running a poll and opinion piece on whether McAfee should compensate customers. ZDNet notes a supermarket giant in Australia that had to close down its stores as they were affected by the bug, causing a loss of thousands of dollars."
Re:XP SP3 (Score:3, Informative)
You should also add to this the statistic of how many corporations use their own distribution server (middleman). Even if clients poll daily, the corporation as a whole may only deliver updates weekly or may stagger updates to ensure they are tested in the wild before pushing them out to corporate clients.
Not only this, but many Administrators manually review virus' before they are cleaned. I have caught a few false positives by doing manual checks.
Re:I wonder (Score:1, Informative)
Exactly what I was thinking (Score:3, Informative)
McAfee must have had a really good sales guy to convince a Project manager that the POS machines needed AV, either that or who ever developed the POS machines didn't decide to secure them with Enhanced Write Filter, SteadyState, DeepFreeze or some other disk write protection so every time the machine is rebooted it loses all its write cache.
Even though it is Windows, there is absolutely no need for AV when the application is so limited.
Damage Limitation (Score:3, Informative)
"McAfee Interwebs Secrutiny has detected that your outgoing mail to customerservices@mcafee.com, subject "You f**king idiotic t**tballs of a son of a ****** in the ******** with a hatstand!!!!" has been detected as Offensive Spam and will be deleted. Thank you for Trusting in McAfee! [TM]"
On a more serious note, I ran into a few small shops that were badly hit, but most of the people I know who work in the enterprise have a time delay before the updates hit the machines, which is usually a hangover from the last time $av_vendor bollocksed up an update.
Personally, I'm still a believer in most AV's being worse that the viruses themselves, and don't run any on my windows boxes - I don't think I've used a single one that hasn't fucked up at some point. Most of my colleagues feel the same way (and, IMHO, by the time it's hit your filesystem and you have that 20% chance of the AV detecting it, it's already too late anyway) and the only reason we run it at work is because of compliance issues... that and the majority of machines being a poorly patched IE6. Yay!
Re:Getting real about things here (Score:1, Informative)
How is this also the IT departments fault? This bug was in a virus definition file (DAT file) not a application update. Do you expect offline lab testing of every singe virus definition file that is released? Do you realize that there is a new definition file released at least once a day and sometimes up to 3 per day? If you have the time to test each one in a lab great. But who's fault is it when while you are "testing" in the lab a new worm spreads through your corporate network?
We use McAfee in our environment (6000 PC's) and were not affected due to running version 8.5 of the software, apparently only 8.7 clients had the issue. Just to recap the bad DAT file was released 4/21 at 6 AM PST, in our environment we look for and pickup DAT files every hour and update the clients automatically on a staggered schedule. By the time we were made aware of the issue via a email from our McAfee rep. (4/21 9AM) 2500 of our PC's already had the bad dat file, if we would have been impacted by the bug we would have been screwed.
I do agree that McAfee has quite a bit of explaining to do and also will nee provide some type of compensation for companies that were impacted by their screw-up.
Re:XP SP3 (Score:3, Informative)
Microsoft Forefront is what I'd suggest.
what it did to my 11'000 computers (Score:4, Informative)
we have 11K computers
only XP SP3 computers were impacted
whether running Virus Scan 8.7 or 8.5
but in fact less than 100 computers were impacted,
1% compared to our total
one thing that helped
was employees had started to leave after work when update propagated
and they shutdown computer when they leave
it could have been a nightmare
we were very lucky
Re:Getting real about things here (Score:5, Informative)
As a matter of fact I do expect that. I have designed and set up processes for patch management, software distribution and similar testing for large enterprise environments for years. I have done so everywhere from very large financial institutions to health-care and government. The fact that you need to test daily does not change any principal of what I have said. For any enterprise not to have a dedicated lab to do exactly this kind of testing, or ever worse, not to to use it is sheer and utter incompetence.
In no case should an automated update for an environment ever be released into production without testing. Even Microsoft gets this point and allows you to disable automatic patching to ensure that proper testing can be conducted. I'm not trying to sound harsh, but in all seriousness if you can't learn why testing /every/ production change is necessary from this debacle, than you do not belong in enterprise management. It really is that simple.
Not Windows' fault, but still its problem... (Score:4, Informative)
( Title after the VirtualDUB developer's excellent post entitled "Just because it is not your fault does not mean it is not your problem"; http://www.virtualdub.org/blog/pivot/entry.php?id=245 [virtualdub.org] )
Here's the thing.. it's not Windows' fault that some random program deletes svchost.exe , just as it isn't Windows' fault that any app or user can delete ntldr (e.g. a badly designed uninstaller).
But it -is- a Windows problem because without those, it won't start up. So why is Windows even allowing these files to be deleted?
I can't delete by hiberfil.sys even though all it is, is pre-allocated space for the hibernation functionality. If I deleted it, nothing would be lost, and upon hibernation it could re-allocate the required space or tell the user the drive is too full and they're SOL. But no - I simply can't delete it. But I -can- delete vital system files.
So, no.. it's not Windows' fault that McAfee's virus scanner deleted the file. It -is- Windows' problem that they -can- in the first place.
I realize that sometimes there may be a need for a 3rd party application to modify a system file - however rare - but then provide this through a proper mechanism that backs up the original and deletes/replaces on reboot only, with the option to deny the change on boot-up. ( System Restore points only go so far as you'll need the Windows CD/DVD in order to get to the restore utility if you can't boot into Windows anymore. It's also an overly complex solution to the simple problem of renaming files on bootup. )
Sorry. PCI Rears its ugly head again. (Score:5, Informative)
Even though it is Windows, there is absolutely no technical need for AV when the application is so limited.
Fixed that. I am afraid that the Payment Card Industry (PCI) differs from your opinion.* In their infinite wisdom**, PCI has decreed that ALL computers need to be running AV. After, all, if it is good for the desktop, it must be good for the servers, right? And since a virus can be spread from anywhere to anywhere, all computers need to have their own protection.
I know it seems silly, but many of the PCI Audit Drones actually believe this. I spent hours trying to convince an auditor that we did not need AV on a Linux server that cannot accept email and has no internet connection. If the PCI Audit Drone finds a computer without AV, you fail the PCI Audit. If you fail the Audit, you get marked as failing on a public web site. If you fail enough times, you lose your ability to accept credit cards. So the need to have AV on a POS is there, it is just not a technical need.
*Reality
**For very, very small values of infinite
Re:XP SP3 (Score:2, Informative)