McAfee Anti-Virus Causes Widespread File Damage

Posted by Roblimo
from the who-can-you-trust? dept.
AJ Mexico writes, "[Friday] McAfee released an anti-virus update that contained an anomaly in the DAT file that caused many important files to be deleted from affected systems. At my company, tens of thousands of files were deleted from dozens of servers and around 2000 user machines. Affected applications included MS Office, and products from IBM (Rational), GreenHills, MS Office, Ansys, Adobe, Autocad, Hyperion, Win MPM, MS Shared, MapInfo, Macromedia, MySQL, CA, Cold Fusion, ATI, FTP Voyager, Visual Studio, PTC, ADS, FEMAP, STAT, Rational. Apparently the DAT file targeted mostly, if not exclusively, DLLs and EXE files." An anonymous reader added, "Already, the SANS Internet Storm Center received a number of notes from distressed sysadmins reporting thousands of deleted or quarantined files. McAfee in response released advice to restore the files. Users who configured McAfee to delete files are left with using backups (we all got good backups... or?) or System Restore."

  • Good thing... (Score:3, Interesting)

    by Anonymous Coward on Monday March 13, 2006 @10:04AM (#14906886)
    Good thing McAfee doesn't have liability, via contract, for this mess....

  • Well... (Score:1, Interesting)

    by Anonymous Coward on Monday March 13, 2006 @10:07AM (#14906906)
    All I can say is 'wait 'til Monday.'

    I wouldn't be surprised if this fuckup is a fatal blow to McAfee.
  • by craznar (710808) on Monday March 13, 2006 @10:10AM (#14906927) Homepage
    Scanned my Inbox file, and deleted it because there was a virus in it from before I installed Norton's AV.

    However - like most AV software, you can put it straight back.

    No biggy ..... however I turn off automatic scanning these days... just manually scan every so often.
  • by PFI_Optix (936301) on Monday March 13, 2006 @10:14AM (#14906958) Journal
    I haven't had a virus on my XP system in four years, including during my dial-up days.

    If you keep your system updated, use a firewall, and just generally understand how the typical virus/worm/trojan works, you're 99.9% protected. However, there's always the possibility that someone will get clever enough to get through that, so I use AVG just to be on the safe side.
  • Ouch.... (Score:3, Interesting)

    by Araxen (561411) on Monday March 13, 2006 @10:14AM (#14906959)
    McAfee doesn't have the greatest rep as it is but this might be the last straw for them.
  • Not surprised (Score:5, Interesting)

    by QuantumPion (805098) on Monday March 13, 2006 @10:14AM (#14906961)
    This is a major problem with anti-virus software. Because of their blacklist model, they have to release definitions and updates very frequently. They have to release these updates as quickly as possible as well, or else their subscribers will be infected with these viruses before they get the updates. In addition, their software is very bloated and complicated, needing to be able to defend against a huge variety of attacks, both immediate and obsolete. This results in a very error-likely situation. What the network security companies need to work on is an innovative way to effectively protect corporate and home networks without having to use dangerous bloatware.
  • For what it's worth (Score:4, Interesting)

    by shoptroll (544006) on Monday March 13, 2006 @10:15AM (#14906966)
    My computer started rebooting randomly a week or so ago, and it is something I've been trying to combat for a while. It would do it when idling or when I was in the middle of websurfing.

    I find it interesting that once I disabled McAfee's on-access scanner the system stabilized itself and has been running without a problem for about a week now (I had seen it reboot about 3 times in one day).

    Seeing this article makes me more suspicious of the scanner now.
  • by martyb (196687) on Monday March 13, 2006 @10:21AM (#14907020)

    Just last week, in response to: The Trouble With Software Upgrades [slashdot.org] I posted a question [slashdot.org] asking what do you do to protect yourself from automatic updates that go bad... but I got no responses. In light of the current situation, I'd really appreciate hearing some responses, here.

  • Good catch (Score:5, Interesting)

    by blueZ3 (744446) on Monday March 13, 2006 @10:24AM (#14907048) Homepage
    I dunno about the rest of that stuff, but the Adobe update manager is a virus in my opinion.

    It seems to have "infected" all of Adobe's recent product install CDs. Once it "infects" your computer it displays a popup whenever you open an Adobe app. As far as I can tell, there's no way to shut this off in the latest versions. So I've paid $x00 dollars for Acrobat, and it comes with a virus.
  • We lucked out (Score:3, Interesting)

    by PinternetGroper (595689) on Monday March 13, 2006 @10:25AM (#14907052)
    Our main system here downloads the DAT updates at 2 AM every day. As of Friday morning, it had downloaded the 4714 files, then downloaded the 4716's on Saturday morning, completely missing the 4715's. It appears we missed a bullet. Good luck to all the sysadmins out there working on cleaning this up!
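martyb's question above (what protects you from an automatic update that goes bad) and the lucky skip of the 4715 DAT described here point at the same control: a staged rollout, where a small pilot ring takes each DAT first and production only pulls it after a soak period with no quarantine spike. The following is an added example, not code from McAfee or from anyone in this thread; the ring layout, the report format, the thresholds and the sample numbers are assumptions of mine, with only the DAT version numbers and the 2 AM nightly pull taken from the comments.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class DatRelease:
    version: int
    released: datetime

@dataclass(frozen=True)
class PilotReport:
    host: str
    dat_version: int
    quarantined: int  # files quarantined or deleted by the first scan on this DAT

def pilot_spike(reports, baseline=1, factor=10, floor=20):
    """Flag a DAT when any pilot host quarantines far more than its usual count.
    A healthy DAT on a clean host should quarantine almost nothing; the bad
    4715 DAT in the thread hit thousands of files per site."""
    return any(r.quarantined > max(factor * baseline, floor) for r in reports)

def gate(release, reports, now, soak=timedelta(hours=24), min_pilots=3,
         blocklist=frozenset()):
    """Decide whether the production ring may pull this DAT.
    Returns (decision, reason); decision is "deploy", "hold" or "block"."""
    if release.version in blocklist:
        return "block", f"DAT {release.version} is on the known-bad list"
    ring = [r for r in reports if r.dat_version == release.version]
    if pilot_spike(ring):
        return "block", f"DAT {release.version}: quarantine spike on pilot ring"
    if len(ring) < min_pilots:
        return "hold", f"DAT {release.version}: {len(ring)}/{min_pilots} pilot reports"
    if now - release.released < soak:
        return "hold", f"DAT {release.version}: still soaking (needs {soak})"
    return "deploy", f"DAT {release.version}: soaked clean on {len(ring)} pilot hosts"

def newest_deployable(releases, reports, now, **kw):
    """Newest DAT that passes the gate; a blocked one in between is skipped.
    This is the version the nightly 2 AM production pull should land on."""
    for rel in sorted(releases, key=lambda r: r.version, reverse=True):
        if gate(rel, reports, now, **kw)[0] == "deploy":
            return rel.version
    return None  # nothing safe yet: keep the DAT already installed

# Constructed sample data (my assumptions), loosely following the thread's timeline.
NOW = datetime(2006, 3, 13, 2, 0)  # Monday 2 AM, when the nightly pull runs
RELEASES = [DatRelease(4714, datetime(2006, 3, 9, 12, 0)),
            DatRelease(4715, datetime(2006, 3, 10, 12, 0)),  # the bad one
            DatRelease(4716, datetime(2006, 3, 12, 12, 0))]
REPORTS = [PilotReport(f"pilot-{i}", 4714, n) for i, n in enumerate((0, 1, 0))]
REPORTS += [PilotReport(f"pilot-{i}", 4715, n) for i, n in enumerate((1400, 980, 1210))]
REPORTS += [PilotReport(f"pilot-{i}", 4716, n) for i, n in enumerate((0, 0, 1))]

if __name__ == "__main__":
    for rel in RELEASES:
        print(*gate(rel, REPORTS, NOW))
    print("production should pull DAT", newest_deployable(RELEASES, REPORTS, NOW))
```

With the sample data, 4715 is blocked by the pilot spike, 4716 is still soaking, and production stays on 4714 until 4716 has aged 24 hours on the pilot ring.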
  • Re:Not surprised (Score:4, Interesting)

    by MartijnL (785261) on Monday March 13, 2006 @10:31AM (#14907100)
    Well, Cisco's CSA (http://www.cisco.com/en/US/products/sw/secursw/ps5057/index.html [cisco.com]) does the exact opposite: you tell it what is allowed to run and it blocks everything else. It also runs a signature analysis so when something that you hadn't configured yet tries to perform an attack it alerts the user. It can become quite a task however to properly configure, and you still need user awareness to keep them from clicking "YES" every time like they do with every other popup they face (the other option is that you manage everything, but then you will get flooded with support calls).

  • GoBack and Ghost (Score:2, Interesting)

    by samalone (707709) on Monday March 13, 2006 @11:31AM (#14907662) Homepage

    Well, recently I installed two Symantec products that _claim_ to be able to restore the system to a previous state. I haven't had the opportunity to really test either one of them yet, but I do feel a bit safer.

    The first product is Norton GoBack, which reserves a certain percentage of hard disk space to maintain an undo history for your hard drive. Theoretically, if you have a bad software install or update, you can simply revert your hard disk to its state before the update. There might be issues with user documents created in that time getting reverted as well, but as long as you were careful you should be able to copy those files to another disk, revert the disk with the problem, and copy the files back. (There may also be built-in support for excluding certain files from being reverted -- I haven't checked.) You'd also need to notice the problem before GoBack's undo buffer got full and started forgetting things.

    The second product is Symantec Ghost, which is a backup and disk cloning utility. You can set up Ghost to perform an incremental backup before any software installation. I have mine set up to back up the system disk to another drive before each install. At my company we use EMC Retrospect for network backups, but Retrospect is not really good for restoring a system disk to a bootable state. From what I've heard, Ghost should be able to do this smoothly.

  • by JasonEngel (757582) on Monday March 13, 2006 @12:01PM (#14907968)
    Comcast gives away McAfee AV for free to customers, so I tried it out. The only time it ever caught anything at all was a false-positive. Complete file system scans never ever turned up anything. However, if I opened a folder with a file in it called SetupDVDDecrypter_3.5.4.0.exe in it, McAfee would call it a virus and delete it. Didn't matter which version of the installer actually, it would delete it. Didn't matter if the AV program was configured to only quarantine suspect files, it would delete it. Didn't matter if I made an empty text file then renamed it to SetupDVDDecrypter_3.5.4.0.exe, McAfee AV would delete it. If I renamed the installer to something else, McAfee AV did nothing.

    Pretty obvious to me that it was just waiting to find files that media companies didn't like people to have on their own private property so I'm guessing that they must have gotten McAfee to agree to do their dirty work for them and call stuff they don't like a virus and automatically delete the file regardless of settings.

    But that's just my conspiracy theory.
  • by Whumpsnatz (451594) on Monday March 13, 2006 @12:10PM (#14908050)
    On an old WinME laptop, the only virus I ever had on it was Norton AntiVirus.

    I worked on a consulting job two years ago, and they told me I could use my own PC. No problem - except that, when I got there, they wanted to check it for virii. In an XP world, I was running Windows ME. So they loaded up Norton on my machine, and ran it for about 3 hours.

    Result? Nothing. No junk of any kind. Completely clean.

    Why? It helped that I had the free version of Zone Alarm, and the firewall on my DSL router definitely helped, but I think the biggest reason I had no problems was

    - Mozilla instead of IE
    - Eudora instead of Outlook.

    Completely clean, that is, except for the antivirus. That monster kept interrupting my work. It took a great deal of effort to get the beast out of my system.
  • Re:The Risk (Score:2, Interesting)

    by noone42 (546873) on Monday March 13, 2006 @12:33PM (#14908265)
    One of the things that nobody's saying here is that the default behavior for McAfee is to move the files into a quarantine directory, not to delete them. The user would have to change the settings for that to happen. Admittedly, it's still messed up for the program to delete essential files, but I think it's good policy to quarantine first in case something like this happens.

    That being said... On Saturday I went to do some work in Flash MX and got a message that it was missing a DLL file and I had to reinstall. No big deal, I must have botched something, so I reinstalled. While I was doing that, I went to get my bills together in Excel and got the message that Excel was no longer installed. My first reaction was that I had some kind of virus or trojan, so I ran a full system virus scan. It took me three hours of panic to realize that something like 40 .exe files and another 80 .dll files had been quarantined. VirusScan provides no way to restore quarantined files, so you have to pick through the scan log to find out where they originally lived and put them back yourself. I was wondering if this would come out in the news or if I just had a screwed up system. Thank god it's getting some press and McAfee had to fix it; I've been fighting my virus checker all weekend and it was getting pretty tiresome.
  • by cbiltcliffe (186293) on Monday March 13, 2006 @02:17PM (#14909244) Homepage Journal
    What an arrogant jackass. I didn't think it was possible for a nose to get so far out of joint, but I've been proven wrong. To answer your questions:
    Name me one unlazy, smart, or educated person that pays for an anti-virus subscription?
    Anybody who actually has functional anti-virus software that they've paid for, but doesn't just go to Best Buy and buy NAV 2006 to replace their NAV 2005, which doesn't work anymore. Anybody who bought a brand name system with the 90-day NAV or McAfee trial version, but didn't just go to Best Buy and buy the new box version. I've got plenty of customers who've bought subscription updates after their initial purchase expired.
    Enlighten me. How much does something like that cost?
    http://ca.mcafee.com/root/package.asp?pkgid=100 [mcafee.com]
    From McAfee, $42.99 (CAD) for the first year, $36.84 for a renewal.
    http://www.symantec.com/home_homeoffice/products/virus_protection/nav2006/index.html [symantec.com]
    From Symantec, $29.99US for 1 year renewal, $59.99 for 2 years.
    How much of my time does it take to run it?
    Depends how big of a piece of shit your computer is, and whether you're intelligent enough to figure out how to use their web store.
    What does it give me?
    Errr...a subscription to their anti-virus software?
    Is this parallel to health insurance for my computer? So I only have to pay a copay of $25 or so for an in-office visit?
    No, it gives you updated virus definitions for your computer's immune system. You don't have to pay anything as long as you're not a moron and open every email attachment or install every free dialer program promising FR33 pR0N!
    It doesn't guarantee you won't get sick any more than health insurance guarantees you won't get sick.
    Granted, I'm lazy, but I'm not dumb or uneducated, but I have no concept of an "anti-virus subscription".
    Then you're completely out of touch with the computer world, and shouldn't be allowed to use one.

    From your other post:
    My point was that I don't use any computers that need such a thing or to my knowledge, there are even subscription offerings for anti-virus subscriptions.
    Currently, I run OS X, Linux, and Solaris, and I have never known anybody that has needed an anti-virus subscription for them.
    Am I missing out on the fun?
    So you run a few systems that aren't known for viruses. Big, hairy-assed deal. If you're even remotely competent in the computer field, you'll know that Windows (remember? 90% of desktops run this crap?) needs anti-virus software, unless in very capable hands. Intentionally choosing to ignore this fact and cop a holier-than-thou attitude just makes you seem like a moronic jackass, which won't win your OS of choice any followers. Not knowing that you can get an anti-virus subscription is marginally excusable, if you don't run Windows, but feigning ignorance of anti-virus software in general, as you really seem to be doing, just makes you look like an incompetent boob.

    One more thing: Since you seem incapable of wrapping your pitiful excuse for a brain around this:
    ...who are too lazy/stupid/uneducated to update...
    I'll expand it for you: ...who are too lazy and/or stupid and/or uneducated to update...

    Just because you're lazy (admitted by you), doesn't mean you're also stupid and uneducated, and I never claimed that it did.
    For your case, though, I should have added an extra adjective: asshole.
    Because you certainly seem to be one of those.
  • Re:The Risk (Score:4, Interesting)

    by digital photo (635872) on Monday March 13, 2006 @03:01PM (#14909667) Homepage Journal
    More often than not, the choice to put AV software on systems wasn't a sysadmin choice, but a management/business choice. I.e., cost reasons, CYA reasons, lower priority than say getting that next X million dollar project up and running, or some other reason which pre-empts AV stuff.

    I don't use AV software on my systems at home, but that's a personal choice. Not due to laziness, but because other measures have been taken: strong firewalling, restricted software on desktops, strong desktop settings, regular backups, and sufficiently educating anyone who uses the computer of the dangers they can face, what online actions are risky, and to abide by the basic rules so as to avoid putting your data/computer at risk.

    For half a decade, I've gone without AV software and have had all of my systems virii/adware/malware free. This isn't due to laziness, but diligence and preparation. This isn't due to OS fanaticism, but making a decision about what compromises to make between security and usability. I use WinXPpro, Linux, and MacOSX systems at home.

    When people passively rely on external assistance, like AV software, something like this will eventually happen. People make mistakes. Companies make mistakes. And when you have a large install base, those mistakes can easily become big monstrous mistakes.

    Right now, A LOT of sysadmins are probably sweating bullets getting systems back online. This isn't because they were lazy. This was because someone at another company screwed up and it impacted their infrastructure, which in turn impacts their business.

    Make no mistake, people will get sued and lawyers will get involved. Think it was just the businesses and end users of the AV software that got screwed? What about the customers of the businesses? What about the home users who run their business off of their home computers? Yeah, there'll be some noise about this down the road, make no mistake.

    *listens over the cube walls* I don't hear any cursing or screaming, so it hasn't happened here or the OS admins have done their homework over the weekend. In either case, this will be interesting to follow in the months to come.
  • by Anonymous Coward on Monday March 13, 2006 @03:24PM (#14909890)
    Combine this with the fact that the default settings on a McAfee install are to quarantine without prompting, and IMHO McAfee is the most dangerous virus I've ever had on my machine.

    My university distributes VirusScan Enterprise 8 to all students, and I was quite shocked to discover the lack of a "Warn me and do nothing" option. When a virus is detected, I can set it to "Delete files automatically", "Clean files automatically", "Move files to a folder" or "Deny access to files"... What happens when I want to do none of the above?
  • by NZheretic (23872) on Monday March 13, 2006 @07:47PM (#14912012) Homepage Journal
    Linux on the Desktop at work and worth it [com.com]:
    Although they have chosen to deploy Linux using the traditional thick desktop/workstation model, they use a spare server that operates as an X11 application server. This is used on a regular basis by the helpdesk, IT support and a few Windows users that access both Windows and remote X Linux. The rescue partition, which can also be network booted via PXE, is based on the Linux Terminal Server Project ( http://www.ltsp.org/ [ltsp.org] ). During an install or if a security violation is detected, the user of the desktop is booted into a Linux thin client, and can access all their files through the application server. Forensic examination, repairs and installs can take place in the background while the person uses the thin client.
    The open eleven steps to telecommuting [blogspot.com]
    4) Install a DHCP daemon on the local server to allocate local IP addresses, DNS and gateway settings. If the desktops are network boot capable then install TFTP to remotely boot and use Knoppix via PXE and the network [knoppix.net]. If the desktop OS is constantly crashing, or is infected by malware, the user can select PXE/network boot via the BIOS, and boot into Knoppix. The user can then be instructed over the phone to enable the ssh server to allow remote scan, repair and reimaging of the desktop partitions. The user can use the Knoppix desktop to continue working with full access to files while the remote administrator fixes/reimages the drive in the background. (Consider hiring someone who knows how to customise Knoppix or another live Linux system for your setup.)
