McAfee antivirus update wreaks havoc

A faulty antivirus update from McAfee Inc. that mistakenly identified hundreds of programs as a Windows virus has resulted in some companies accidentally deleting significant amounts of data from affected computers.

The McAfee update (DAT 4715) released on Friday was designed to protect computers against the W95/CTX virus. But because of a programming error, the update also incorrectly identified, renamed and quarantined hundreds of legitimate executables, including popular ones such as excel.exe, lsetup.exe, uninstall.exe, shutdown.exe and reg.exe.

For companies that had configured their McAfee antivirus program to automatically delete bad files, the error resulted in the loss of hundreds, and in some cases even thousands, of files on systems in which the update had been installed, said Johannes Ullrich, chief technology officer at the SANS Internet Storm Center (ISC) in Bethesda, Md.

McAfee released a new patch (DAT 4716) updating the earlier one, five hours later. But any company that had been unlucky enough to install and run DAT 4715 would have experienced significant problems, Ullrich said.

"A lot depended on how you had McAfee configured on your system," he said. "If you had it configured to basically quarantine bad files you were OK because in this case it wasn't too hard to recover the quarantined files," he said. "But if you had it delete them then it became a lot harder" to recover lost files, he said. SANS received reports from "dozens" of companies reporting incorrectly quarantined or deleted files, he added.

Joe Telafici, director of operations at McAfee's AVERT Labs, said the problem was the result of a "subtle logic flaw" that was quickly identified and corrected.

The error resulted in at least 290 files being incorrectly identified, he said, adding that the company is still looking to see if more files are affected.

Since releasing the updated antivirus signature, McAfee has made a tool available for its enterprise customers via its support organization. The tool can help companies identify and restore files that were mistakenly quarantined by DAT 4715, Telafici said. McAfee also plans to make it available as a download on its Web site soon.

McAfee's antivirus product for consumers and small business users already supports a feature that lets those users automatically restore quarantined files, Telafici said. The company is working on a similar tool that will help companies identify and restore some of the files that they may have deleted, he added.

"We are looking at a relatively small percentage of our customer base," that was impacted, Telafici said. "But it is a large problem for those who were impacted."

The McAfee incident highlights the need for companies to configure their antivirus software so that it just quarantines suspicious software instead of deleting it outright, Ullrich said. It also underscores the need for companies to have good backup and restore policies in place to deal with such accidental losses of data, he said.

"Having your [antivirus] software go bad is just one of the ways by which you can lose data," he said.

McAfee isn't the first company to run into a problem with its antivirus software. Earlier this year, Microsoft Corp.'s antispyware beta software mistakenly flagged Symantec Corp.'s Norton antivirus product as a Trojan program. And last year, a Trend Micro Inc. software update caused CPU usage to increase dramatically on machines on which it was installed.
