McAfee Anti-Virus Causes Widespread File Damage
AJ Mexico writes, "[Friday] McAfee released an anti-virus update that contained an anomaly in the DAT file that caused many important files to be deleted from affected systems.
At my company, tens of thousands of files were deleted from dozens of servers and around 2000 user machines. Affected applications included MS Office, and products from IBM (Rational), GreenHills, MS Office, Ansys, Adobe, Autocad, Hyperion, Win MPM, MS Shared, MapInfo, Macromedia, MySQL, CA, Cold Fusion, ATI, FTP Voyager, Visual Studio, PTC, ADS, FEMAP, STAT, Rational. Apparently the DAT file targeted mostly, if not exclusively, DLLs and EXE files." An anonymous reader added, "Already, the SANS Internet Storm Center received a number of notes from distressed sysadmins reporting thousands of deleted or quarantined files. McAfee in response released advice to restore the files. Users who configured McAfee to delete files are left with using backups (we all got good backups... or?) or System Restore."
Help! (Score:5, Funny)
Re:Help! (Score:5, Funny)
NO!
You're going to need some virus protection from your virus protection from your virus protection to be absolutely safe.
Thankfully, I am offering those at very reasonable prices. Buy one now and receive a free fragment from the Eiffel tower as a value-added gift.
The real irony here.... (Score:5, Insightful)
Re:The real irony here.... (Score:3, Insightful)
Couldn't you have just looked at the pricing page for any of the major antivirus vendors, or any of the 163,000 hits on Google for "antivirus subscription" or 6.04 million for "anti-virus subscription" (the top hits of which are about the same) for this answer, instead of flaming the guy?
I mean, yes, you're lazy, but damn, man, it's just Google.
Re:The real irony here.... (Score:4, Insightful)
Looks to me like he's a smug user of computing platforms that are actually, inherently, mostly secure.
It seems there are yet a few little boys who dare to say "The Emperor has no clothes" when confronted with the, yes, staggering incompetence with respect to security which is rampant within the mainstream PC world.
Re:The real irony here.... (Score:3, Informative)
Re:Help! (Score:5, Informative)
You only need that headless Pentium 3 (even a Pentium Pro could make it!) that you are using to rest your feet.
Of course that is if you use Windows (for whatever reason, I also do it).
Re:Help! (Score:4, Insightful)
Solution:PXE boot Linux Thin/Thick Client Desktop. (Score:3, Interesting)
New school excuse (Score:5, Funny)
Re:Help! (Score:2)
The Risk (Score:5, Insightful)
Did they forget to include that the risk of installing McAfee Anti-Virus for any user is: High?
Wait a minute, it is identifying some system files that Windows put on my machine! I guess the Mac & 'nix freaks are right, Windows really is a virus. I hope it's only a matter of time before my next virus definition assesses Internet Explorer & Windows Media Player as full blown Trojan viruses distributed as malware with my OS.
Re:The Risk (Score:5, Insightful)
'they will delete your files'.
In one fell swoop it seems as though McAfee may have deleted more files than all the viruses it has removed would have.
Re:The Risk (Score:3, Insightful)
than all the viruses it has removed would have.
Go figure, no big system admin has wanted automatic (without testing) updates to their OS for some time. I guess sysadmins got lazy on testing virus scanner updates before rollouts.
I know I am not alone in turning off all runtime virus protection on my PC, because it has historically had more impact on system stability and speed than most virii. (OK, it seems the latest scanners on WinXP may actually work...) It wouldn't save me from this problem, except my system scans only occur weekly, so maybe luckily my weekly scan didn't occur (I do have nightly complete backups from backuppc.sourceforge.net).
Re:The Risk (Score:4, Insightful)
That's very funny. When a ubervirus thrashes a couple of corporate networks to the tune of a billion dollars apiece, we hear "Stupid admins - the patch was available - they weren't keeping up". Now it's "They should have tested before rolling them out." (paraphrased)
It appears, therefore, that using a system that is subject to viruses and security vulnerabilities on the scale of Windows is inherently untenable. We can't even define logically consistent expectations for the administrators of such systems. Can we stop using them now?
Re:The Risk (Score:4, Interesting)
I don't use AV software on my systems at home, but that's a personal choice. Not due to laziness, but because other measures have been taken: strong firewalling, restricted software on desktops, strong desktop settings, regular backups, and sufficiently educating anyone who uses the computer of the dangers they can face, what online actions are risky, and to abide by the basic rules so as to avoid putting your data/computer at risk.
For half a decade, I've gone without AV software and have had all of my systems virii/adware/malware free. This isn't due to laziness, but diligence and preparation. This isn't due to OS fanaticism, but making a decision about what compromises to make between security and usability. I use WinXP Pro, Linux, and Mac OS X systems at home.
When people passively rely on external assistance, like AV software, something like this would eventually happen. People make mistakes. Companies make mistakes. And when you have a large install base, those mistakes can easily become big monstrous mistakes.
Right now, A LOT of sysadmins are probably sweating bullets getting systems back online. This isn't because they were lazy. This was because someone at another company screwed up and it impacted their infrastructure, which in turn impacts their business.
Make no mistake, people will get sued and lawyers will get involved. Think it was just the businesses and end users of the AV software that got screwed? What about the customers of the businesses? What about the home users who run their business off of their home computers? Yeah, there'll be some noise about this down the road, make no mistake.
*listens over the cube walls* I don't hear any cursing or screaming, so it hasn't happened here or the OS admins have done their homework over the weekend. In either case, this will be interesting to follow in the months to come.
Comical recovery instructions from McAfee (Score:5, Informative)
This probably would have worked great on my machine if it weren't for the fact that half of the files McAfee quarantined were *System Restore files*.
Apparently McAfee hasn't heard of a novel concept called "testing". (I like how they've posted a list on their website of the false positive files, now 7 pages long and still woefully incomplete; they ought to just admit it's going to take a random assortment of exes and dlls on any machine.)
Combine this with the fact that the default settings on a McAfee install are to quarantine without prompting, and IMHO McAfee is the most dangerous virus I've ever had on my machine.
Re:The Risk (Score:2)
With common sense like not running Windows as root, ditching IE, ditching WMP and not blindly installing every piece of software you find (even if it has flashing "OMG YUR PC IS SLOW GIGGLEHURTZ!!!oneone!!!" banners), you don't need anti-malware on Windows.
Re:The Risk (Score:2, Funny)
Re:The Risk (Score:4, Funny)
But aren't viruses meant to be small and efficient? O.o
Good thing... (Score:3, Interesting)
Does this mean... (Score:5, Funny)
Re:Does this mean... (Score:2)
Oh well... At least it's a commercial package so, unlike Open Source, I have somebody I can sue when something like this...
WHAT???!!! EULA?? Yeah, but I didn't think... arrrrgh!
Re:Does this mean... (Score:3, Funny)
You'd hope that the sysadmin would be competent enough to do that.
Surprisingly, it didn't quarantine itself (Score:5, Funny)
Re:Surprisingly, it didn't quarantine itself (Score:3, Informative)
- FrameworkService.exe
Which, if you take a look at your Task Manager, you will notice is:
Directory of C:\Program Files\McAfee\Common Framework
09/27/2005 03:06 AM 102,463 FrameworkService.exe
Nortons AV did this to me once... (Score:2, Interesting)
However - like most AV software, you can put it straight back.
No biggy
Re:Nortons AV did this to me once... (Score:2)
Re:Nortons AV did this to me once... (Score:2)
There's gotta be a way to blame this on Bush... (Score:2, Funny)
They asked for it (Score:2)
Ouch.... (Score:3, Interesting)
Not surprised (Score:5, Interesting)
Re:Not surprised (Score:4, Interesting)
Re:Not surprised (Score:2)
This would seem to be a good place for the addition of some low-level AI, to learn usage and traffic patterns and be able to anticipate such things. It might even be made smart enough to detect suspicious or erroneous processes/traffic and alert the sys admin so action could be taken. It would then "learn" from the response and be able to become more autonomous as time passed.
Re:Not surprised (Score:2)
For what it's worth (Score:4, Interesting)
I find it interesting that once I disabled McAfee's on-access scanner the system stabilized itself and has been running without a problem for about a week now (I had seen it reboot about 3 times in one day).
Seeing this article makes me more suspicious of the scanner now.
Re:For what it's worth (Score:2)
Re:For what it's worth (Score:2)
Puzzling.
Re:For what it's worth (Score:2, Insightful)
This honestly sounds like a corrupt memory problem.
Other possibility is that you've hard-set the windows swapfile limit...
Re:For what it's worth (Score:2)
Swapfile limit is currently set to 3 GB on one drive, 3 GB on another drive. 1 GB of RAM. I'm pretty sure this shouldn't be a problem based on everything I've read about the Windows swap file.
Re:For what it's worth (Score:2)
I'm gonna re-enable the on-access scanning at the end of the week and see if the problem re-appears.
At last ! (Score:3, Funny)
Why are people complaining ?
Second time in a month (Score:2)
Problems with McAfee (Score:2)
Deletes text files too (Score:2, Funny)
Prompt (Score:2)
Re:Prompt (Score:2)
Saw it coming (sort of) (Score:5, Interesting)
Just last week, in response to: The Trouble With Software Upgrades [slashdot.org] I posted a question [slashdot.org] asking what do you do to protect yourself from automatic updates that go bad... but I got no responses. In light of the current situation, I'd really appreciate hearing some responses, here.
Re:Saw it coming (sort of) (Score:2)
First, don't have your homedir on your workstation. Then, don't do auto-updates on the file servers.
Then, for your workstations create images of the disks. Don't let users perform upgrades unless they assume the responsibility for the box. Next, test the update on a limited subset of boxes. If it works then roll it out. If by chance you screwed up rollback to images that are stable and perform the safer updates.
Generally this is trivial with a proper OS distribution like freebsd, openbsd, Gentoo, etc.
Tom
Re:Saw it coming (sort of) (Score:5, Insightful)
Re:Saw it coming (sort of) (Score:2)
Doh! Turn off automatic updates.
Hehe, kidding aside, seriously that is what I do. I do not do auto upgrades because I find it a bit disturbing that any of my systems installs something I have not seen. Granted, sometimes I do not read the Microsoft KB12312412412 patch information, but at least I just patch what I believe is worth patching.
However, in a big network it may not be trivial to update manually. Although maybe sysadmins should have a script that allows them to distribute and apply the patches after they have reviewed them. If that is not possible then, as somebody else wrote, System Restore is your friend, or even DAT tapes!
P.S. with your PIN number in your ATM machine
McAfee's response (Score:3, Funny)
Good catch (Score:5, Interesting)
It seems to have "infected" all of Adobe's recent product install CDs. Once it "infects" your computer it displays a popup whenever you open an Adobe app. As far as I can tell, there's no way to shut this off in the latest versions. So I've paid $x00 dollars for Acrobat, and it comes with a virus.
Re:Good catch (Score:3, Informative)
For creating PDF files, I use PDFCreator (http://sourceforge.net/projects/pdfcreator [sourceforge.net]). It works like Adobe Distiller used to, you create your PDF files by printing to PDFCreator.
Re:Good catch (Score:3, Informative)
http://www.adobe.com/support/downloads/detail.jsp
To create custom MSTs for Acrobat, which you can use to disable all of the annoying crap. Well, apart from the Yahoo search! I suggest also http://www.appdeploy.com/ [appdeploy.com] can be useful for finding ways to disable stuff in installers.
We lucked out (Score:3, Interesting)
Where should users turn? (Score:5, Insightful)
Furthermore, a lot of virus scanners have an option to "auto-update". Imagine if an entire company had this option turned on.
Virus scanners have always been a bad solution to the problem of viruses. They don't fix the problem at its root. Instead of ensuring their operating system has no known security holes, users now rely on virus scanners to just catch everything that comes through. Any determined attacker could still just craft a custom virus to attack any host they desire. Since the virus scanner companies wouldn't have come across that particular virus, it wouldn't get picked up.
Would you fix the holes in a boat with sticky tape instead of checking that the boat doesn't have holes before you put it in the water?
I haven't had any problems (Score:5, Funny)
Ye don't always get what ye pays for (Score:5, Insightful)
Likewise, the perception is that the more expensive the software (and the bigger the box it comes in) the more protection you are afforded. And that the company won't suddenly decide to change direction / stop supporting the software / etc.
Yet time and time again this is shown not to be true. McAfee uninstalls arbitrary files on your computer (how'd that get through testing?) and just tells users to re-install from backup... exactly the kind of calamity the software is supposed to prevent. Part of WinNT5 was found to violate someone's patent, and anyone using that particular (admittedly rare) function had to pony up to the original patent holder or write a workaround.
As far as I can tell, the "little guys" software tends to be better in general than the big boys. Why? Because they're still trying. Before Norton was Symantec, they struggled to create an amazing toolkit of software tweaks that really did some great things. Now that their position is secure, they've hardly updated the suite to even work with XP, let alone taken advantage of the fixes and hacks that smaller houses have found. McAfee, once a nimble little company making a great little product, has been bloating for years. The more developers you add to a project, the less anyone knows about what the system is doing.
A free alternative that has been around for a long time:
AVG Antivirus [grisoft.com]
There are others. Please post 'em below.
McAfee Haiku? (Score:3, Funny)
OOPS (Score:2)
Email from the Test Group to Product Marketing:
"Hey when did we announce an uninstaller product?"
Email from Product Marketing to Test Group:
"We didn't"
Email from the Test Group to Product Marketing:
"What are we supposed to do with this then?"
Email from Product Marketing to the Test Group:
"Just Ship the damn thing whatever it is, we're sick of you guys screwing up our ship dates, now go away"
Don't run windows, it's bad ... 'kay? (Score:2)
Seriously, who thought this was a good idea, to configure these programs to automatically delete system files? There is always a chance of a false positive - identification of a file which does not contain malware. Are viruses so common in the windows world that it's not worth a human's time to confirm detection before files are altered?
And why, oh why, is it necessary to maintain huge lists of virus signatures? If windows kept a list of the correct md5sums of the system files it would become a trivial task to verify the integrity of those files. One would not need a daily update of virus signatures. Can I cynically suggest that the need for constant update gives the anti-virus companies a permanent revenue stream? And what does Microsoft get out of the flood of windows viruses?
Here's a way that Microsoft could design windows to be virus-resistant: designate certain files (system DLLs, EXEs etc) as change-limited. Provide an API into the kernel to permit those files to be changed by windows update software (only when the replacement file is signed by a trusted key). Maintain a file containing the md5sums of all change-limited files. This file would be modifiable only by the kernel.
In this scenario any virus wouldn't get a chance to corrupt system files because it wouldn't have a correctly signed replacement. And even if it did get to corrupt a system file, it would be trivially detected because the md5sum of the corrupted file wouldn't match the expected md5sum. In order for an infection to occur and be undetected the virus would need to work around the kernel file change API and alter both system file(s) and the md5sums file.
This scheme can be implemented for vendor software too. Windows needs some kind of database of installed software. Does it not have one already? (checks system clock: yep, it's 2006). Red Hat had RPM and the installed software database since 1995. That's 11 years ago, and Red Hat were probably not the first to hit upon the idea of a centralised list of all software installed on a computer.
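A small file-integrity manifest of the kind the post above sketches, written here as an added example (it is not code from the thread, from McAfee or from Microsoft): it hashes every file in a "change-limited" tree, signs the manifest (an HMAC over the list stands in for the signature a trusted update key would produce), refuses an unsigned or tampered manifest, and reports files that went missing, were modified, or appeared. The directory, file names and key are constructed for the demo, and sha256 is used where the post says md5sum because md5 is collision-prone.

```python
"""Added example: signed integrity manifest for a protected file tree."""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

HASH = "sha256"  # the post says md5sum; sha256 is used because md5 is collision-prone


def file_digest(path: Path) -> str:
    """Stream a file through the hash so large binaries do not need to fit in memory."""
    h = hashlib.new(HASH)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _rel(root: Path, p: Path) -> str:
    return str(p.relative_to(root)).replace(os.sep, "/")


def build_manifest(root: Path, key: bytes) -> dict:
    """Hash every file under root (the 'change-limited' set) and sign the list."""
    entries = {_rel(root, p): file_digest(p) for p in sorted(root.rglob("*")) if p.is_file()}
    body = json.dumps(entries, sort_keys=True).encode()
    # HMAC stands in for the signature a trusted update key would produce
    return {"entries": entries, "sig": hmac.new(key, body, HASH).hexdigest()}


def verify_manifest(manifest: dict, key: bytes) -> bool:
    """Constant-time check that the manifest body matches its signature."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, HASH).hexdigest()
    return hmac.compare_digest(expected, manifest["sig"])


def check_tree(root: Path, manifest: dict, key: bytes) -> dict:
    """Compare root against a signed manifest; refuse to trust an unverified baseline."""
    if not verify_manifest(manifest, key):
        raise ValueError("manifest signature mismatch: baseline not trusted")
    report = {"missing": [], "modified": [], "unexpected": [], "ok": []}
    seen = set()
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = _rel(root, p)
        seen.add(rel)
        want = manifest["entries"].get(rel)
        if want is None:
            report["unexpected"].append(rel)   # file the baseline never listed
        elif want != file_digest(p):
            report["modified"].append(rel)     # content changed since baseline
        else:
            report["ok"].append(rel)
    report["missing"] = list(set(manifest["entries"]) - seen)  # deleted or quarantined
    for k in report:
        report[k].sort()
    return report


def demo() -> dict:
    """Constructed scenario: baseline a tree, then delete a DLL, patch an EXE, add a stray file."""
    key = b"constructed-demo-key"  # placeholder; a real deployment keeps the key out of reach of users
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app.exe").write_bytes(b"MZ\x90\x00 constructed executable")
        (root / "bin" / "helper.dll").write_bytes(b"MZ\x90\x00 constructed library")
        (root / "config.ini").write_text("[app]\nlevel=1\n")
        manifest = build_manifest(root, key)
        (root / "bin" / "helper.dll").unlink()  # what an AV 'delete' action would do
        (root / "bin" / "app.exe").write_bytes(b"MZ\x90\x00 constructed executable PATCHED")
        (root / "bin" / "stray.tmp").write_bytes(b"leftover")
        report = check_tree(root, manifest, key)
        # Editing the manifest to match the patched file must fail the signature check
        forged = {"entries": dict(manifest["entries"]), "sig": manifest["sig"]}
        forged["entries"]["bin/app.exe"] = file_digest(root / "bin" / "app.exe")
        report["forged_manifest_accepted"] = verify_manifest(forged, key)
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```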
Ethereal too? (Score:2, Insightful)
Who uses Ethereal [ethereal.com] and McAfee? Just found that funny/ironic on some levels.
Thank God! (Score:2)
Feeling pretty good (Score:2)
I don't get viruses and other malware, because I don't manually install viruses and other malware. People who do need antivirus software.
Software Wars (Score:2, Funny)
[special effects]
In the ensuing destruction and chaos, nothing remains alive but two things: the memory of your once existing data, and an unidentified hideous sneaky polar bird determined to show you of an alternate dimension of reliability and freedom...
[epic music]
Coming soon, on your desktop: RealityArts presents: THE SOFTWARE WARS, EPISODE 442.75
[/deep bass voice]
Advice for corporate users (Score:3, Informative)
I'm not excusing McAfee here, but there are ways that we, as admins can minimize the risk to our users and our network.
Re:Advice for corporate users (Score:3, Insightful)
2) The number of viruses that actually are that serious a threat is next to zero. Have you ever bothered to look at the release files to see what the daily updates actually cover? If you did, did you bother checking what they were and the criticality of the viruses listed? Do you know how many viruses are listed in the readme for the latest McAfee DAT?
3) Anyone that relies solely on a single AV solution is a fool anyway. Virus protection should be layered on any network and is on mine. AV software on the desktop should be the last stop. We use postfix+spamassassin+amavisd to scan mail before it hits our mail server. Our firewall scans anything incoming before it gets to the desktop. Our desktop software is only there as a last bastion and does its job well, because there's not much that gets there. None of the systems are perfect on their own; as a team, they work very well.
So do I feel safe? Yes, I haven't had a virus issue inside my network for years. I see shitloads of them getting cleaned when I look at my logfiles though. Does it bother me that I wait three or four days to deploy DAT files? Not at all, because it's not the only way I protect my users.
They are doing a great job! (Score:3, Funny)
A tool for media giants (Score:5, Interesting)
Pretty obvious to me that it was just waiting to find files that media companies didn't like people to have on their own private property, so I'm guessing that they must have gotten McAfee to agree to do their dirty work for them and call stuff they don't like a virus and automatically delete the file regardless of settings.
But that's just my conspiracy theory.
Re:A tool for media giants (Score:4, Informative)
Anti-virus as virus? Yeah, I knew that already. (Score:5, Interesting)
I worked on a consulting job two years ago, and they told me I could use my own PC. No problem - except that, when I got there, they wanted to check it for virii. In an XP world, I was running Windows ME. So they loaded up Norton on my machine, and ran it for about 3 hours.
Result? Nothing. No junk of any kind. Completely clean.
Why? It helped that I had the free version of Zone Alarm, and the firewall on my DSL router definitely helped, but I think the biggest reason I had no problems was
- Mozilla instead of IE
- Eudora instead of Outlook.
Completely clean, that is, except for the antivirus. That monster kept interrupting my work. It took a great deal of effort to get the beast out of my system.
Beware of Fridays (Score:3, Insightful)
I can imagine the meeting now... (Score:4, Funny)
[Bob]: Sure. This virus is low-threat but can masquerade as numerous file names, so why don't you just look for a common pattern and write a REGEXP function?
[Steve]: Sure.
[Bob]: You know how to write regular expressions, right?
[Steve]: Yeah, sure, the ones with the asterisks.
[Bob]: Erm, yeah. I'll leave you to it. Just send it to the database so it can get filed in the next update.
[Steve]: OK, see you later.
*Looks around nervously. Briefly glances at long list of file names then timidly enters:*
*.EXE
Re:who-can-you-trust? (Score:5, Insightful)
Do you really think Open Source AV can't fsck up your PC if there are bugs in it? And let's be honest, how many people actually look at the source of programs (updates) they install? I am a programmer, and I never looked at the code of an Open Source program I installed for the sake of "Let's make sure this update won't fsck up my PC". I look at the code because I am curious to see how they do certain things, or I want to change some annoying aspect of it.
Re:who-can-you-trust? (Score:4, Informative)
The point of open source is not that you PERSONALLY can look at the source to find problems (although you can if you like).
The point is that thousands of other people can. And usually, no one's stopping them from reporting a problem if they do find one.
Admittedly, this leaves gaps (what if no one else looks?), but it works pretty damn well, for the most part.
Re:who-can-you-trust? (Score:3, Informative)
Re:who-can-you-trust? (Score:5, Funny)
Closed source is teh $at4n... go linux, w00t!
Re:Don't use anti-virus! (Score:2)
Re:Don't use anti-virus! (Score:2)
Re:Don't use anti-virus! (Score:2)
Re:Don't use anti-virus! (Score:2)
Announce. (Score:2)
Whether it really found a virus is very debatable. It gives a warning once in a while that some webpage might contain a virus, or some bounced message with an attachment might be a virus.
Anyway, mc-disaster is not the program that saves me time keeping my system clean. It only costs me time. In the short time I ran it in the past it cost me more time than all the combined viruses I have seen. (Not that many.)
Re:Don't use anti-virus! (Score:4, Interesting)
If you keep your system updated, use a firewall, and just generally understand how the typical virus/worm/trojan works, you're 99.9% protected. However, there's always the possibility that someone will get clever enough to get through that, so I use AVG just to be on the safe side.
Re:Don't use anti-virus! (Score:3, Insightful)
Wow, that'll save us tons of cash!
Re:Don't use anti-virus! (Score:5, Insightful)
I've used it at home for a little over four years and worked with it for three years as an administrator. I have NEVER had a virus on any XP system I was responsible for.
In fact, the only virus I've ever had a problem with was an infected Windows 2000 domain controller that was SUPPOSED to be managed by corporate IT. They hadn't updated it in well over a year and wouldn't let me touch it until it started crashing (and those geniuses had it as the exchange server as well...again, I couldn't change that).
In both cases, I didn't go to extreme measures to secure the systems. I used automatic updates, both a standalone firewall and Windows Firewall, and antivirus (AVG Free at home, Symantec Corporate at work). That, and I educated my users on what NOT to open from their e-mail.
A good way to teach your users not to open strange attachments is to give them a dummy one that will just let you know who opened the file. I arranged with management to do this one day...send out a trojan-like e-mail with a script that would write a file with the username in it to one of the network shares and see who opened it.
The next day I unplugged one of the network switches for fifteen minutes at the beginning of the day, told them it was because some people had opened "virus e-mails" (management knew the truth) and then plugged it back in. I talked to the people who had opened the "virus" e-mails and gave them an in-depth training session on why it's a bad thing to open every attachment you get on e-mail. From then on, they wouldn't touch anything that was even remotely suspicious.
Three years, nearly 100 users, and ZERO penetration on my systems. It's not rocket science.
Re:Don't use anti-virus! (Score:4, Funny)
Re:Don't use anti-virus! (Score:3, Insightful)
Re:Don't use anti-virus! (Score:2)
There was a time when antivirus software was *really* useful. When viruses were hidden in boot sectors and they used technologically savvy tactics to duplicate.
Nowadays the definition of viruses is mostly worms and trojans. Worms are defeated by using a firewall (I have an OpenBSD firewall on a standalone Pentium Pro machine), trojans are defeated by not opening those OMG_BRITNEY_TITTS.JPG.EXE files.
I still miss the good old day viruses. I found it cool when my computer said I was "Stoned", hehe, or when the freaking ball started bouncing through the screen... but I always find the methods used by the viruses fascinating. I even once created a virus (the darn thing just beeped the buzzer when an infected file was launched... after some time I found my Win3.11 was unusable as it got infected =-S).
I started to lose respect for viruses when the so-called Word Macro viruses started; from my point of view that was not a virus...
Re:Don't use anti-virus! (Score:3, Informative)
Re:Don't use anti-virus! (Score:2)
Worm = no user interaction
Virus = user interaction
Hence... virii don't "magically propagate"
Re:Don't use anti-virus! (Score:2)
Re:Don't use anti-virus! (Score:2)
Same as with safety belts (Score:5, Insightful)
The problem is, you never know. It's not only foolishness that gets a trojan onto your system. They come with presumably legit software, even from reputable companies. An infected driver CD is all it takes. Shareware CDs or other CDs slapped on magazines, do you think they have a lot of time to make just perfectly sure the programs are clean? A lot of shareware comes bundled with adware, do you read all those EULAs? And do you think they tell the full truth? Can you read through the legalese?
I won't get into system bugs and other exploits.
So yes, you don't really need safety belts. But it sure feels a bit more secure with them.
the difference (Score:2)
IMO, AV software is malware itself. It interferes with the normal operation of the system in order to "protect" it. The simple fact is, users should never execute code that might be malicious, and the system shouldn't execute any arbitrary code.
AV software just lulls people into a false sense of security. Plain and simple, it doesn't even work. Most of the virus-infected windows machines I've seen have had up-to-date copies of a major AV package. It's the users, and the general lack of proper security of the systems -- well, that's a very simplistic view.
Honestly, and obviously, I don't know what the answer is. AV software, in its current form, is simply not it though. Trusted computing? Perhaps if TC was designed around users' needs, instead of greedy vendors.
Re:Same as with safety belts (Score:2)
No. No no no. This would be similar to say, an airbag deploying (i.e. exploding in your face) when you turn on the radio.
Re:Well... (Score:3, Funny)
All I can say is 'wait 'til monday.'
Heh, now that's funny.
Re:hijackthis (Score:2)
Re:CTX undo file (Score:5, Insightful)