
McAfee Anti-Virus Causes Widespread File Damage 353

Posted by Roblimo
from the who-can-you-trust? dept.
AJ Mexico writes, "[Friday] McAfee released an anti-virus update that contained an anomaly in the DAT file that caused many important files to be deleted from affected systems. At my company, tens of thousands of files were deleted from dozens of servers and around 2000 user machines. Affected applications included MS Office, and products from IBM (Rational), GreenHills, MS Office, Ansys, Adobe, Autocad, Hyperion, Win MPM, MS Shared, MapInfo, Macromedia, MySQL, CA, Cold Fusion, ATI, FTP Voyager, Visual Studio, PTC, ADS, FEMAP, STAT, Rational. Apparently the DAT file targeted mostly, if not exclusively, DLLs and EXE files." An anonymous reader added, "Already, the SANS Internet Storm Center received a number of notes from distressed sysadmins reporting thousands of deleted or quarantined files. McAfee in response released advice to restore the files. Users who configured McAfee to delete files are left with using backups (we all got good backups... or?) or System restore."
This discussion has been archived. No new comments can be posted.

  • The Risk (Score:5, Insightful)

    by eldavojohn (898314) * <eldavojohn&gmail,com> on Monday March 13, 2006 @10:04AM (#14906882) Journal
    I think it's funny how on McAfee's site [nai.com], they list the risk of the virus they are trying to identify:
    Corporate User : Low
    Home User : Low
    Did they forget to include that the risk of installing McAfee Anti-Virus for any user : High?

    Wait a minute, it is identifying some system files that Windows put on my machine! I guess the Mac & 'nix freaks are right, Windows really is a virus. I hope it's only a matter of time before my next virus definition assesses Internet Explorer & Windows Media Player as full blown Trojan viruses distributed as malware with my OS.
  • by dc29A (636871) on Monday March 13, 2006 @10:10AM (#14906931)
    This is one of the major reasons I use open source software. It's hard to trust corporations who only tell you lies to preserve their public image.

    Do you really think Open Source AV can't fsck up your PC if there are bugs in it? And let's be honest, how many people actually look at the source of programs (updates) they install? I am a programmer, and I never looked at the code of an Open Source program I installed for the sake of "Let's make sure this update won't fsck up my PC". I look at the code because I am curious to see how they do certain things, or I want to change some annoying aspect of it.
  • Re:The Risk (Score:5, Insightful)

    by Aspirator (862748) on Monday March 13, 2006 @10:14AM (#14906956)
    One of the commonly perceived risks of viruses is that
    'they will delete your files'.

    In one fell swoop it seems as though McAfee may have deleted more files
    than all the viruses it has removed would have.
  • Re:The Risk (Score:3, Insightful)

    by Dare nMc (468959) on Monday March 13, 2006 @10:25AM (#14907054)
    >McAfee may have deleted more files
    than all the viruses it has removed would have.


    go figure, no big system admin has wanted automatic (without testing) updates for some time, to their OS. I guess sys admins got lazy on testing virus scanner updates before rollouts.

    I know I am not alone in turning off all runtime virus protection on my PC, because it has historically had more impact on system stability, and speed than most virii. (ok it seems the latest scanners on winXP may actually work...) Wouldn't save me from this problem, except my system scans only occur weekly, so maybe luckily my weekly scan didn't occur (I do have nightly complete backups from backuppc.sourceforge.net [slashdot.org] ).
  • by Opportunist (166417) on Monday March 13, 2006 @10:27AM (#14907070)
    Every once in a blue moon, some poor person dies because he or she didn't get out of the burning car because of the belt. Then someone will stand up and say "See? I don't use them and if they didn't, they'd live as well. I drive carefully, I don't get into accidents, so I don't need them!"

    The problem is, you never know. It's not only foolishness that gets a trojan onto your system. They come with presumably legit software, even from reputable companies. An infected driver CD is all it takes. Shareware CDs or other CDs slapped on magazines, do you think they have a lot of time to make just perfectly sure the programs are clean? A lot of shareware comes bundled with adware, do you read all those EULAs? And do you think they tell the full truth? Can you read through the legalese?

    I won't get into system bugs and other exploits.

    So yes, you don't really need safety belts. But it sure feels a bit more secure with them.
  • by babbling (952366) on Monday March 13, 2006 @10:28AM (#14907080)
    When the virus scanners act like viruses, what should users do? This isn't the first time a virus scanner has screwed up, and it probably won't be the last time, either.

    Furthermore, a lot of virus scanners have an option to "auto-update". Imagine if an entire company had this option turned on.

    Virus scanners have always been a bad solution to the problem of viruses. They don't fix the problem at its root. Instead of ensuring their operating system has no known security holes, users now rely on virus scanners to just catch everything that comes through. Any determined attacker could still just craft a custom virus to attack any host they desire. Since the virus scanner companies wouldn't have come across that particular virus, it wouldn't get picked up.

    Would you fix the holes in a boat with sticky tape instead of checking that the boat doesn't have holes before you put it in the water?
  • by Tibor the Hun (143056) on Monday March 13, 2006 @10:35AM (#14907147)
    That's wonderful news sir. You've just won yourself an invitation to come to my place of work and train 200 40+ year olds to do the same.
    Wow, that'll save us tons of cash!
  • by cgenman (325138) on Monday March 13, 2006 @10:37AM (#14907158) Homepage
    People perceive paid software to be superior to free alternatives because A: nothing could go wrong with paid software and B: if something did go wrong, obviously the company would indemnify / rectify / fix the problem.

    Likewise, the perception is that the more expensive the software (and the bigger the box it comes in) the more protection you are afforded. And that the company won't suddenly decide to change direction / stop supporting the software / etc.

    Yet time and time again this is shown not to be true. McAfee uninstalls arbitrary files on your computer (how'd that get through testing?) and just tells users to re-install from backup... exactly the kind of calamity the software is supposed to prevent. Part of WinNT5 was found to violate someone's patent, and anyone using that particular (admittedly rare) function had to pony up to the original patent holder or write a workaround.

    As far as I can tell, the "little guys" software tends to be better in general than the big boys. Why? Because they're still trying. Before Norton was Symantec, they struggled to create an amazing toolkit of software tweaks that really did some great things. Now that their position is secure, they've hardly updated the suite to even work with XP, let alone taken advantage of the fixes and hacks that smaller houses have found. McAfee, once a nimble little company making a great little product, has been bloating for years. The more developers you add to a project, the less anyone knows about what the system is doing.

    A free alternative that has been around for a long time:
    AVG Antivirus [grisoft.com]
    There are others. Please post 'em below.
  • by cbiltcliffe (186293) on Monday March 13, 2006 @10:38AM (#14907166) Homepage Journal
    The real irony is that all the people who are too lazy/stupid/uneducated to update their anti-virus subscription were protected against this.....
  • by simong (32944) on Monday March 13, 2006 @10:49AM (#14907284) Homepage
    I don't think there really is a way apart from having verifiable restorable backups of every system prior to patching. I was having a conversation along these lines this morning and the agreed solution was to have an identical test platform and install on that first, allow it to run long enough for any problems to arise and only then implement on a production system. That's the ultra-conservative approach but many years in financial services have shown that that's the only way of being certain.
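The test-platform-first approach described in the comment above, as an added example (not part of the original thread and not McAfee tooling): snapshot hashes of the EXE and DLL files on a canary machine, apply the new signature update and run a scan there, then hold the rollout if any file has disappeared or changed. The function names and the constructed demo tree are assumptions; the file deletion in `demo()` stands in for the real scan.

```python
import hashlib
import os
import tempfile

# File types the story summary says the bad DAT file targeted.
WATCHED_EXTENSIONS = (".dll", ".exe")

def build_manifest(root):
    """Map relative path -> SHA-256 for every watched file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(WATCHED_EXTENSIONS):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                manifest[os.path.relpath(full, root)] = digest
    return manifest

def compare_manifests(before, after):
    """Files deleted or quarantined show up as missing; cleaned files as changed."""
    missing = sorted(p for p in before if p not in after)
    changed = sorted(p for p in before if p in after and before[p] != after[p])
    return {"missing": missing, "changed": changed}

def rollout_decision(before, after, max_affected=0):
    """HOLD the update if more than max_affected known-good files were touched."""
    diff = compare_manifests(before, after)
    affected = len(diff["missing"]) + len(diff["changed"])
    return ("HOLD" if affected > max_affected else "PROCEED"), diff

def demo():
    """Constructed canary tree; simulates a scan that removes one DLL."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            os.path.join("app", "tool.exe"): b"MZ constructed sample 1",
            os.path.join("app", "lib", "helper.dll"): b"MZ constructed sample 2",
            os.path.join("app", "readme.txt"): b"not a watched type",
        }
        for rel, data in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        before = build_manifest(root)
        # Stand-in for "apply the new signature file and run a full scan".
        os.remove(os.path.join(root, "app", "lib", "helper.dll"))
        after = build_manifest(root)
        return rollout_decision(before, after)

if __name__ == "__main__":
    print(demo())
```
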
  • by JazzCrazed (862074) on Monday March 13, 2006 @10:56AM (#14907354) Homepage
    Not to mention that you won't know whether or not your computer has a virus if you don't scan it with some sort of antivirus software.
  • by High Hat (618572) on Monday March 13, 2006 @11:00AM (#14907384)
    Have you tried running memtest86?

    This honestly sounds like a corrupt memory problem.

    Other possibility is that you've hard-set the windows swapfile limit...

  • Ethereal too? (Score:2, Insightful)

    by OrangeDoor (936298) on Monday March 13, 2006 @11:03AM (#14907421) Journal
    Just noticed the screenshot on the McAfee page for W95/CTX [nai.com]. It shows some dlls from the Ethereal program as being infected. Of course those files are in their complete list [nai.com] of affected files, which comes in a convenient easily accessible PDF file as all the most important documents on the web should. It's 7 pages long, but an amusing list to skim through.

    Who uses Ethereal [ethereal.com] and McAfee? Just found that funny/ironic on some levels.
  • Re:The Risk (Score:2, Insightful)

    by justthinkit (954982) <floyd@just-think-it.com> on Monday March 13, 2006 @11:35AM (#14907699) Homepage Journal
    Score one for AVG (http://free.grisoft.com/ [grisoft.com]). Much as I liked McAfee (back in Win98 days), I stopped using it due to (1) huge memory footprint, (2) onerous yearly fees.
  • by PFI_Optix (936301) on Monday March 13, 2006 @11:38AM (#14907726) Journal
    Apparently, it is.

    I've used it at home for a little over four years and worked with it for three years as an administrator. I have NEVER had a virus on any XP system I was responsible for.

    In fact, the only virus I've ever had a problem with was an infected Windows 2000 domain controller that was SUPPOSED to be managed by corporate IT. They hadn't updated it in well over a year and wouldn't let me touch it until it started crashing (and those geniuses had it as the exchange server as well...again, I couldn't change that).

    In both cases, I didn't go to extreme measures to secure the systems. I used automatic updates, both a standalone firewall and Windows Firewall, and antivirus (AVG Free at home, Symantec Corporate at work). That, and I educated my users on what NOT to open from their e-mail.

    A good way to teach your users not to open strange attachments is to give them a dummy one that will just let you know who opened the file. I arranged with management to do this one day...send out a trojan-like e-mail with a script that would write a file with the username in it to one of the network shares and see who opened it.

    The next day I unplugged one of the network switches for fifteen minutes at the beginning of the day, told them it was because some people had opened "virus e-mails" (management knew the truth) and then plugged it back in. I talked to the people who had opened the "virus" e-mails and gave them an in-depth training session on why it's a bad thing to open every attachment you get on e-mail. From then on, they wouldn't touch anything that was even remotely suspicious.

    Three years, nearly 100 users, and ZERO penetration on my systems. It's not rocket science.
  • Re:Help! (Score:4, Insightful)

    by rikkards (98006) on Monday March 13, 2006 @12:16PM (#14908115) Journal
    That's great, but what if someone introduces a virus through other means, i.e. USB key, infected laptop, etc. Firewall won't help much internally.
  • Beware of Fridays (Score:3, Insightful)

    by Nom du Keyboard (633989) on Monday March 13, 2006 @12:29PM (#14908240)
    Always beware of any software updates released on a Friday. If there's a problem, much of the damage will be done before anyone returns on Monday.
  • Re:Not surprised (Score:2, Insightful)

    by Anonymous Coward on Monday March 13, 2006 @12:36PM (#14908303)
    If they designed a product that actually worked they wouldn't be able to hammer their customers for a yearly subscription to update it.
  • by Slashcrap (869349) on Monday March 13, 2006 @12:52PM (#14908467)
    Along with that, I always wait three to four days before pushing the updates out.

    Doesn't it cost a lot to educate your users to not download viruses that are less than four days old?

    Why don't you just educate them to not download viruses at all? Then you could do without the Anti-virus. You pretty much are anyway.
  • by Slashcrap (869349) on Monday March 13, 2006 @12:59PM (#14908512)
    Do you really think Open Source AV can't fsck up your PC if there are bugs in it?

    Do you really think it's better to have your system trashed and pay for the privilege?
  • by Syberghost (10557) <syberghost@NOSpAm.syberghost.com> on Monday March 13, 2006 @01:04PM (#14908557) Homepage
    Granted, I'm lazy, but I'm not dumb or uneducated, but I have no concept of an "anti-virus subscription".

    Couldn't you have just looked at the pricing page for any of the major antivirus vendors, or any of the 163,000 hits on Google for "antivirus subscription" or 6.04 million for "anti-virus subscription" (the top hits of which are about the same) for this answer, instead of flaming the guy?

    I mean, yes, you're lazy, but damn, man, it's just Google.
  • Re:The Risk (Score:4, Insightful)

    by stinky wizzleteats (552063) on Monday March 13, 2006 @02:24PM (#14909299) Homepage Journal
    I guess sys admins got lazy on testing virus scanner updates before rollouts.

    That's very funny. When a ubervirus thrashes a couple of corporate networks to the tune of a billion dollars apiece, we hear "Stupid admins - the patch was available - they weren't keeping up". Now it's "They should have tested before rolling them out." (paraphrased)

    It appears, therefore, that using a system that is subject to viruses and security vulnerabilities on the scale of Windows is inherently untenable. We can't even define logically consistent expectations for the administrators of such systems. Can we stop using them now?
  • by futuresheep (531366) on Monday March 13, 2006 @04:37PM (#14910487) Journal
    1) You can educate users as much as you want about how to avoid viruses, they'll still get them if they really try. They're users after all.
    2) The number of viruses that actually are that serious a threat are next to zero. Have you ever bothered to look at the release files to see what the daily updates actually cover? If you did, did you bother checking what they were and the criticality of the viruses listed? Do you know how many viruses are listed in the readme for the latest McAfee DAT?
    3) Anyone that relies solely on a single AV solution is a fool anyway. Virus protection should be layered on any network and is on mine. AV software on the desktop should be the last stop. We use postfix+spamassassin+amavisd to scan mail before it hits our mail server. Our firewall scans anything incoming before it gets to the desktop. Our desktop software is only there as a last bastion and does its job well, because there's not much that gets there. None of the systems are perfect on their own, as a team, they work very well.

    So do I feel safe? Yes, I haven't had a virus issue inside my network for years. I see shitloads of them getting cleaned when I look at my logfiles though. Does it bother me that I wait three or four days to deploy DAT files? Not at all, because it's not the only way I protect my users.
  • Re:CTX undo file (Score:5, Insightful)

    by stry_cat (558859) on Monday March 13, 2006 @04:38PM (#14910496) Journal
    Who in their right mind is going to download and run a script off of an unknown website? I'm sure you're trying to help, but no one should do this. Otherwise they'll need more than just McAfee to fix their computer.
  • by ummit (248909) <scs@eskimo.com> on Monday March 13, 2006 @07:31PM (#14911905) Homepage
    Are you a teenager?

    Looks to me like he's a smug user of computing platforms that are actually, inherently, mostly secure.

    ...those paying for an anti-virus subscription being somehow incompetent.

    It seems there are yet a few little boys who dare to say "The Emperor has no clothes" when confronted with the, yes, staggering incompetence with respect to security which is rampant within the mainstream PC world.

    1. adopt a platform with no inherent security
    2. become utterly dependent on it such that you can neither abandon it nor correct its inherent flaws
    3. spend extra time and money on extra, after-the-fact "security" applications which, at best, give you a slight headstart in what's still a footrace between the white hats and the black hats (a race in which the black hats still seem to be holding their own)
    4. put up with lost files and more lost time when the "security" software runs amok
    5. to make yourself feel better while you're waiting for your backup tapes to read, belittle someone who has the audacity to wash his hands of your chosen platform's sorry problems.
