A faulty antivirus update from McAfee Inc. that mistakenly identified hundreds of programs as a Windows virus has resulted in some companies accidentally deleting significant amounts of data from affected computers.
The McAfee update (DAT 4715) released on Friday was designed to protect computers against the W95/CTX virus. But because of a programming error, the update also incorrectly identified, renamed and quarantined hundreds of legitimate executables, including popular ones such as excel.exe, lsetup.exe, uninstall.exe, shutdown.exe and reg.exe.
For companies that had configured their McAfee antivirus program to automatically delete bad files, the error resulted in the loss of hundreds, and in some cases even thousands, of files on systems in which the update had been installed, said Johannes Ullrich, chief technology officer at the SANS Internet Storm Center (ISC) in Bethesda, Md.
Five hours later, McAfee released a new patch (DAT 4716) updating the earlier one. But any company that had been unlucky enough to install and run DAT 4715 would have experienced significant problems, Ullrich said.
"A lot depended on how you had McAfee configured on your system," he said. "If you had it configured to basically quarantine bad files you were OK because in this case it wasn't too hard to recover the quarantined files," he said. "But if you had it delete them then it became a lot harder" to recover lost files, he said. SANS received reports from "dozens" of companies reporting incorrectly quarantined or deleted files, he added.
Joe Telafici, director of operations at McAfee's AVERT Labs, said the problem was the result of a "subtle logic flaw" that was quickly identified and corrected.
The error resulted in at least 290 files being incorrectly identified, he said, adding that the company is still looking to see if more files are affected.
Since releasing the updated antivirus signature, McAfee has made a tool available for its enterprise customers via its support organization. The tool can help companies identify and restore files that were mistakenly quarantined by DAT 4715, Telafici said. McAfee also plans to make it available as a download on its Web site soon.
McAfee's antivirus product for consumers and small business users already supports a feature that lets those users automatically restore quarantined files, Telafici said. The company is working on a similar tool that will help companies identify and restore some of the files that they may have deleted, he added.
"We are looking at a relatively small percentage of our customer base" that was impacted, Telafici said. "But it is a large problem for those who were impacted."
The McAfee incident highlights the need for companies to configure their antivirus software so that it just quarantines suspicious software instead of deleting it outright, Ullrich said. It also underscores the need for companies to have good backup and restore policies in place to deal with such accidental losses of data, he said.
"Having your [antivirus] software go bad is just one of the ways by which you can lose data," he said.
McAfee isn't the first company to run into a problem with its antivirus software. Earlier this year, Microsoft Corp.'s antispyware beta software mistakenly flagged Symantec Corp.'s Norton antivirus product as a Trojan program. And last year, a Trend Micro Inc. software update caused CPU usage to increase dramatically on machines on which it was installed.