A flawed antivirus update from McAfee Inc. sent enterprise administrators scrambling Wednesday as the new signatures quarantined a crucial Windows system file, crippling an unknown number of Windows XP computers, according to messages on the company’s support forum.
The forum has since gone offline.
McAfee confirmed it had pushed the faulty update to users Wednesday.
“McAfee is aware that a number of customers have incurred a false positive error due to incorrect malware alerts on Wednesday, April 21,” said company spokesman Joris Evers in an e-mail reply to questions from Computerworld (U.S.). “The problem occurs with the 5958 virus definition file (DAT) that was released on April 21 at 2:00 P.M. GMT+1 (6:00 A.M. Pacific).”
McAfee later told IDG News Service that just a small fraction of its corporate customers — less than 0.5 percent — were affected by the glitch, which caused some Windows XP Service Pack 3 systems to crash and reboot repeatedly.
By the end of the day, the antivirus vendor still couldn’t say exactly what caused the problem. “We’re investigating how it was possible some customers were impacted and some not,” Evers said via instant message. One common factor amongst the victims of the glitch, however, is that they’d enabled a feature called “Scan Processes on Enable” in McAfee VirusScan software.
Added in version 8.7 of the product, this feature lets McAfee’s malware scanner check processes in the computer’s memory when it starts up. According to Evers, it is currently not enabled by default. However, some versions of VirusScan did ship with it enabled. McAfee’s instructions for repairing affected computers can be found here.
According to users on McAfee’s support forum, the update flagged Windows’ “svchost.exe” file, a generic host process for services that run from other DLLs (dynamic link libraries).
“HOW THE F*** do they put a DAT out that kills a *VITAL* system process?” asked Jeff Gerard on one thread. “This is goddamn ridiculous,” added Gerard, who identified himself as a senior security administrator with Wawanesa Mutual Insurance Company of Winnipeg. “Great work McAfee! GRRRRRRRRRRR.”
As of 3:30 p.m. ET, McAfee’s support forum was offline, with a message reading “The McAfee Community is experiencing unusually large traffic which may cause slow page loads. We apologize for any inconvenience this may cause.”
Both users and McAfee said that the flawed update had crippled Windows XP Service Pack 3 (SP3) machines, but not PCs running Vista or Windows 7 .
“Our initial investigation indicates that the error can result in moderate to significant performance issues on systems running Windows XP Service Pack 3,” acknowledged Evers.
Affected PCs have displayed a shutdown error or blue error screen, then gone into an endless cycle of rebooting, users claimed.
McAfee reacted by warning users not to download the update if they haven’t already, and by posting recovery instructions and a signature update to suppress the defective one seeded to users earlier.
“Apply the EXTRA.DAT to all potentially affected systems as soon as possible,” the company recommended. “For systems that have already encountered this issue, start the computer in Safe Mode and apply the EXTRA.DAT. After applying the EXTRA.DAT, restore the affected files from Quarantine.” Unfortunately, those instructions and the suppression EXTRA.DAT update file are not currently available, again because McAfee’s support site has gone dark.
Instead, users can reach the instructions and EXTRA.DAT file from elsewhere on McAfee’s site .
“The faulty update has been removed from McAfee download servers for corporate users, preventing any further impact on those customers,” Evers said. “We are not aware of significant impact on consumer customers and believe we have significantly limited such occurrence.”
The company has yet to produce an updated signature definition file to replace the one that crippled computers. A month ago, a BitDefender update clobbered 64-bit Windows machines. In 2005, Trend Micro Inc. released a flawed signature update that slowed PCs to a crawl, and McAfee is far from the first antivirus vendor to ship a flawed signature update. In May 2007, a Symantec Corp. definition file crippled thousands of Chinese computers when the software mistook two critical Windows .dll files for malware.
McAfee is working on helping customers affected by the rogue update, said Evers.
“McAfee apologizes for any inconvenience to our customers,” he added.
With files from Robert McMillan