
McAfee Kills SVCHost.exe, Sets Off Reboot Loops For Win XP, Win 2000

Posted by timothy
from the hope-you-were-using-antiantivirus-too dept.
Kohenkatz writes "A McAfee Update today (DAT 5958) incorrectly identifies svchost.exe, a critical Windows executable, as a virus and tries to remove it, causing endless reboot loops." Reader jswackh adds this terse description: "So far the fixes are sneakernet only. An IT person will have to touch all affected PCs. Reports say that it quarantines SVCHOST. [Affected computers] have no network access, and missing are taskbar/icons/etc. Basically non-functioning. Windows 7 seems to be unaffected." Updated 20100421 20:08 GMT by timothy: An anonymous reader points out this easy-to-follow fix for the McAfee flub.
  • by BoRegardless (721219) on Wednesday April 21, 2010 @02:03PM (#31927352)
    When your Anti-Virus software bombs you out.
    • Heh, I've asked a vendor before how often this sort of thing happens to them (just to see how honest they are and maybe to send a message to whoever is listening).

      After all if a hacker/malware causes downtime less often than the vendor's screw-ups, why use the vendor's product? Safer to look for a vendor with a better track record even if they have more false negatives (especially with rare and/or ancient stuff).

      There are overheads and performance impacts to using such stuff, in addition to just the price t
      • by diverman (55324) on Wednesday April 21, 2010 @02:38PM (#31928188)

        I agree that it raises the question as to why one should use them, but "down time" is not the biggest threat out there, if you wanna talk loss/cost. While one's time is valuable, I'm thinking that their bank account information, passwords, etc, might be slightly more valuable to them. Personally, I think good secure end-user practices are the best protection, but I do think that a good A/V program is needed.

        So, while there is malware out there that is less harmful, more of the malware out there is much MORE harmful... if you disagree, please provide your financial account information, or contact me to transfer all funds to a secured off-shore account... maybe buy me a new car too! ;-)

        But seriously... this is really bad, and REALLY stupid. But having no protection for most users risks damaging them in ways worse than a few hours of time to manually fix their issue. And from a corporate perspective, loss of sensitive information is a BIG deal and can cost a LOT more. And that's just talking about data loss. Being part of a botnet to help facilitate financial fraud and other badness... that's also double plus ungood... and irresponsible to not take measures to help keep your computer from playing a part in those crimes.

        Anyway... I agree it raises the question... but there is more downside to malware than just downtime.

    • by Anonymous Coward on Wednesday April 21, 2010 @02:43PM (#31928304)

      My boss, who knows just enough about computers to get himself in trouble, is an idiot.

      A few days ago, he called me in to come look at his laptop. He said that his computer was infected and that the virus killed his email. After further inspection, I found out that he pressed "ctrl+alt+del" and brought up the Task Manager. He went through and ended all of the svchost.exe's that he could. When I asked him about it, here was his response:

      "I was closing all of those system virus hosts on my machine!"

      I hate my job sometimes.

  • by ZeroSerenity (923363) <gormac05@nospAM.yahoo.com> on Wednesday April 21, 2010 @02:05PM (#31927378) Homepage Journal
    It seems to be very willing to take the whole machine down. Speaking of which, did anyone at McAfee even bother to test this dat on a Windows XP machine?
    • by jimicus (737525) on Wednesday April 21, 2010 @02:26PM (#31927892)

      It seems to be very willing to take the whole machine down.

      Speaking of which, did anyone at McAfee even bother to test this dat on a Windows XP machine?

      I'm sure they did but the real question is not "did McAfee test it against Windows XP?". It's "did they test it against Windows XP with every single version of svchost.exe that Microsoft have ever released?" - the original version and every updated version in every patch and service pack to date?

      • by Joce640k (829181) on Wednesday April 21, 2010 @02:43PM (#31928326) Homepage

        A decent antivirus would have every critical Windows whitelisted just to avoid this sort of problem.

        This isn't some user-installed application, it's svchost.exe.

      • by mcmonkey (96054) on Wednesday April 21, 2010 @02:48PM (#31928478) Homepage

        I put this on my corporate IT.

        We have a corporate standard for XP on the desktop and Win 2003 for servers. Should only be those 2 versions of svchost.exe to test against.

        Right now my employer is losing $millions as systems are down proactively until the issue is resolved. Manufacturing and labeling systems run on Windows :)

        I know we test patches from Microsoft against the standard OS as well as the individual apps. As an application owner, I test the monthly patches from MS before applying in production.

        Virus definition updates are not provided for testing prior to release.

        Given how widespread this issue is, I think it would have been picked up in testing.

      • Re: (Score:3, Informative)

        by UnknowingFool (672806)
        Svchost has been around forever. It basically encapsulates other applications. Svchost handles many things from DHCP client to Windows Themes. The problem is that McAfee doesn't seem to discriminate between any of them in this case. Which would cripple any XP system today.
        • Re: (Score:3, Interesting)

          by value_added (719364)

          Svchost has been around forever. It basically encapsulates other applications. Svchost handles many things from DHCP client to Windows Themes. The problem is that McAfee doesn't seem to ...

          Encapsulation? No doubt that's a valid comment and one that's just as valid to describe, in a more general sense, how Microsoft designs things. On the other hand, I consider it a weasel word that describes something that lacks transparency, isn't understandable, and is unnecessarily complex.

          If you think that's an over-the-

  • by uvsc_wolverine (692513) on Wednesday April 21, 2010 @02:05PM (#31927380) Homepage
    I work at a university where we use McAfee anti-virus as our corporate AV. Guess what I've been doing all morning?
  • This way running anti-virus is worse for an end user than no anti-virus.

    The cure becomes worse than the disease.

    At least being part of a spam-spewing botnet keeps the computer mostly functional.

  • by Wonko the Sane (25252) * on Wednesday April 21, 2010 @02:05PM (#31927386) Journal

    We've known for a long time but it's good that McAfee finally admitted it.

  • Sigh... (Score:4, Funny)

    by Anonymous Coward on Wednesday April 21, 2010 @02:07PM (#31927438)

    I would have gotten first post, but I was running windows with McAfee

    • Re: (Score:3, Informative)

      by CTalkobt (81900)
      The first post was posted at 2:03pm (in my timezone) .. yours was posted at 2:07 so all things considering, a 4 minute fix isn't too bad...
  • by sycodon (149926)

    What possible scenario allowed this CharlieFox past QA?

  • I don't see any indication of when this first went out.

    (My wife runs McAfee and launched an update around 3 AM PDT before hitting the sack...)

  • shutdown -a (Score:5, Informative)

    by bugs2squash (1132591) on Wednesday April 21, 2010 @02:14PM (#31927586)
    at a command prompt when the "windows will shut down in XX seconds" popup is on screen saved me. I'm still waiting for a mcafee update file to fix it properly.
    • Re: (Score:3, Informative)

      by cryogenix (811497)
      The updated dat is available now, an updated extra.dat was available earlier this morning. I was the one that posted it in the tech support forums. You could have however just disabled access protection and on access scan to keep it from scanning at all. Not a great solution but at least your machine works. If your svchost.exe got nuked, copy it back from the system32\dllcache folder.
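Two of the suggestions in this thread (whitelisting critical Windows executables so a bad signature cannot quarantine them, and copying svchost.exe back from system32\dllcache once `shutdown -a` has cancelled the pending reboot) as one added example. This is not code from the thread or from McAfee; it assumes a SHA-256 allow-list captured on a clean machine before the DAT update, and takes the directories as parameters so it can be exercised on a constructed directory tree.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to be loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(system32: Path, names) -> dict:
    """Record known-good hashes for the named executables (run on a clean box,
    before any definition update). Names that do not exist are skipped."""
    return {n: sha256_of(system32 / n) for n in names if (system32 / n).exists()}


def is_allowlisted(path: Path, allowlist: dict) -> bool:
    """A scanner consulting this before quarantining would refuse to touch
    the genuine svchost.exe no matter what a signature claims."""
    return path.exists() and allowlist.get(path.name) == sha256_of(path)


def check_and_restore(system32: Path, dllcache: Path, allowlist: dict) -> dict:
    """For each allow-listed executable return one of: 'ok', 'restored',
    'missing-no-backup', 'backup-untrusted'. Only a cached copy whose hash
    matches the allow-list is copied back; an unexpected copy is left alone."""
    result = {}
    for name, good_hash in allowlist.items():
        target, backup = system32 / name, dllcache / name
        if target.exists() and sha256_of(target) == good_hash:
            result[name] = "ok"
        elif not backup.exists():
            result[name] = "missing-no-backup"
        elif sha256_of(backup) != good_hash:
            result[name] = "backup-untrusted"  # wrong version or tampered
        else:
            shutil.copy2(backup, target)
            result[name] = "restored"
    return result


def demo() -> dict:
    """Constructed tree standing in for %SystemRoot%\\system32: records the
    allow-list, simulates the quarantine removing svchost.exe, then restores."""
    root = Path(tempfile.mkdtemp())
    system32, dllcache = root / "system32", root / "system32" / "dllcache"
    dllcache.mkdir(parents=True)
    for d in (system32, dllcache):
        (d / "svchost.exe").write_bytes(b"MZ constructed svchost image")
    (system32 / "lsass.exe").write_bytes(b"MZ constructed lsass image")
    allowlist = build_allowlist(system32, ["svchost.exe", "lsass.exe"])
    (system32 / "svchost.exe").unlink()  # what the bad DAT did
    assert not is_allowlisted(system32 / "svchost.exe", allowlist)
    return check_and_restore(system32, dllcache, allowlist)


if __name__ == "__main__":
    print(demo())  # {'svchost.exe': 'restored', 'lsass.exe': 'ok'}
```

On a real XP machine the allow-list has to come from a copy made before the update, since after the fact nothing on the box can vouch for the quarantined file.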
  • I heard (Score:5, Funny)

    by Dunbal (464142) * on Wednesday April 21, 2010 @02:15PM (#31927604)

    Next they will be deleting a directory known to be full of malware called system32

  • by bezenek (958723) on Wednesday April 21, 2010 @02:15PM (#31927608) Journal
    My God! How can something like this possibly get by QA at a company the size of McAfee? Have they outsourced all of their QA to a team with no clue?

    -Todd
    • by jimicus (737525)

      Well, if their support is anything to go by, the answer to that is a resounding yes.

  • by thetoadwarrior (1268702) on Wednesday April 21, 2010 @02:16PM (#31927612) Homepage
    Two weeks ago it went and deleted two important for dev c++ and another program at my work. It was insistent they were viruses. I'm not sure how I could have received a virus since I get virtually no attachments and don't email anyone outside of work (ie no "fun" emails), I only visit the BBC, Netbean.org, Eclipse.org and a handful of other reputable sites because I'd rather goof off by writing my own code than doing nothing and I scan all my downloads before installing them.

    Sure maybe I got unlucky for the first time in like 3 years. Maybe someone used my computer while I was on holiday but I suspect not. I suspect it's related to this.
  • by buddyglass (925859) on Wednesday April 21, 2010 @02:18PM (#31927678)

    Seriously. They consume CPU. They stay resident and consume usable memory. They occasionally crash and/or cause other applications not to work. And, in this situation, they break Windows. I don't use AV and have had pretty much zero issues over the last 6 years of using Windows XP. All you need to do is:

    * Configure Windows update to run daily.

    * Don't use IE or Outlook.

    * Keep Windows Firewall active.

    * Don't connect directly to the internet - sit behind a router that's configured to be (mostly) invisible.

    * Don't run random things you get sent in email, on facebook, or that pop up unexpectedly while you're at a questionable website.

    * If you think something's amiss, boot into safe mode and use a non-resident tool like MBAM.

    • Re: (Score:3, Interesting)

      by ledow (319597)

      To be honest 2, 4 and 5 are perfectly adequate for a knowledgeable user and the rest provide little if any advantage. And they also happen to apply to all OS's and all versions of those OS's.

    • Re: (Score:2, Funny)

      by Anonymous Coward

      You missed the obligatory:

      * Run Linux

    • Re: (Score:3, Insightful)

      by Spad (470073)

      That's not enough any more; even reputable websites can often be easily compromised either through SQL injection, XSS, compromised ad server or some other mechanism and apps like Adobe Reader, Office, Flash, Foxit Reader, Firefox, Java, VLC and more have all experienced serious vulnerabilities in recent months, which have often remained unpatched for long periods of time.

      I finally gave in and installed my home-licensed copy of Sophos (provided by my work) because there are too many factors outside of my con

    • I have an easy solution: buy a mac.

    • by blincoln (592401) on Wednesday April 21, 2010 @02:36PM (#31928154) Homepage Journal

      I used to believe something along those lines. Then my PC was infected with a worm when I plugged an mp3 player into the USB port. I'd bought the player new, factory-sealed, so it must have picked it up at the manufacturing plant. I disabled all autorun/autoplay after that, but I'm still wary enough that I run Avast to help avoid another similar situation.

      Also, none of the things you mention will detect/remove a rootkit if one does manage to make its way onto your PC. I cleaned one up off of a PC that belongs to my sister a few weeks ago, and that was a headache. I did a scan of the infected drive in an external USB case, and that got nearly all of the infected files taken care of, but because most virus scanners apparently don't scan the MBR of non-boot drives, the rootkit was still waiting there and I had to use the Windows recovery console to write a new MBR.

      As far as I can tell, her PC was infected through some variation of the "malicious PDF in a hidden IFRAME which belongs to an online advertisement" scenario, because she was already using Firefox exclusively. So maybe you should at least add "don't install Adobe Reader, or if you do, disable browser integration, update it daily, and set Firefox to download PDFs instead of opening them" and "install and use AdBlock Plus, and possibly NoScript" to your list.

      • by Anonymous Coward on Wednesday April 21, 2010 @03:52PM (#31929902)

        "I disabled all autorun/autoplay after that, but I'm still wary enough that I run Avast to help avoid another similar situation."

        Yes to disabling autorun. That's the vector for the only worm I've seen in 10 years of running XP in the way the previous post described (it came in on a USB flash drive). So, add to his list:

        * Disable autorun/autoplay correctly [us-cert.gov] (note: Microsoft's advice will NOT kill it off completely).

        * Run something lightweight like StartupMonitor [mlin.net] to catch programs that try to install things in the various startup locations (useful to control bloatware too)

        And something else I've done:

        * make a fake, read-only AUTORUN.INF directory on usb flash drives and other portable devices so that when a worm tries to write on there, the filename already exists and it fails. So far I've not seen any worms smart enough to look for pre-existing files and delete them before attempting overwriting, and by making it a directory with that name the deletion process is more complicated.

      • by jaavaaguru (261551) on Wednesday April 21, 2010 @04:20PM (#31930376) Homepage

        How about nothing is executable until you explicitly change the permissions, and nothing on removable media is executable. That way there is no accidental running of any programs.

        Autorun should have been killed when Windows 95 was still around. It's such an obvious security risk.

    • by djdanlib (732853)

      You forgot a couple things:
      1) Don't run as an admin account except for admin tasks.
      2) Keep your Adobe products up to date - including Flash and Reader. Someone else you trust might have been compromised and send you an infected PDF file.
      3) Allow Windows Update to install MRT and update it every time the monthly definitions update comes out.

      Running Windows Update daily won't really help you so much but I agree with the reasons you have for keeping it that way. Microsoft releases most patches on the 2nd Tuesd

    • Re: (Score:3, Insightful)

      by Culture20 (968837)
      Will you come to my workplace and enforce these rules (and the rules that others are responding with)? I see several desktops on my network downloading infected pdfs or trojans according to my SEP console. Thankfully these users aren't administrators, but the exploits are just a privilege escalation away from ownage.
  • by dmitriy (40004)

    C:\Program Files\Common Files\McAfee\Engine\avv*.dat
    Nuff said

  • Remember when McAfee was distributed on BBS's and it was actually pretty good...

    yeah...

    those days are long gone.

  • XP SP3, it's not exactly uncommon...

    • As a QA guy, I can tell you from experience at past companies (not the present one, thankfully) that some dimwitted middle manager was in a hurry to make a deadline. You get to pay for that.

  • My Experience (Score:5, Informative)

    by jibster (223164) on Wednesday April 21, 2010 @02:29PM (#31927994)
    I work at a major chip manufacturing plant. At 4.10 I was conferencing with another fab when all our PCs shut down. 10 minutes later the place was in chaos. Now don't get me wrong, the fab keeps going, but my god, the cost to the company of this. Say 10 sites world wide with 2-5k employees each, the majority of which can't do any meaningful work. McAfee have a lot to answer for.
    • Re:My Experience (Score:4, Insightful)

      by ledow (319597) on Wednesday April 21, 2010 @02:45PM (#31928372) Homepage

      I think the people who have software that autodeploys updates to 20-50k employees without getting a say in the matter (i.e. testing, change management, etc.) have a lot more to answer for. When the software that's supposed to *save* your productivity by preventing viruses ends up doing this to your sites, it's time to just throw it in the bin.

  • I bet that after seeing what McAfee can do when it screws up, they won't bitch about what ClamAV did [slashdot.org].

    (for those who need the summary: ClamAV pulled an update that caused it to shut itself down if it was version 0.94 or older after announcing ~6 months in advance that people needed to update, and kept filling log files with warnings to update. McAfee is breaking a Windows component that causes the entire computer to not function, with a less obvious warning, left for the reader to figure out. The hint is the

  • Based on what we're seeing and reports from the internet, McAfee 8.0 and 8.5 are unaffected by this problem, while versions 8.7 and 8.9 are. It's also XP specific. Still, that combination has to be a very large number of computers worldwide.

  • by Jayws (1613285)
    What I want to know is how does something like this happen? You would think McAfee takes their new patch and tests it to make sure that it doesn't cause this type of annoying issue. How does something like this slip through the cracks?
  • long enough for you to become utterly frustrated that there's no easily downloaded fix from McAfee.

  • Not only do they have to listen to people bitch (rightfully), but since they're likely running Windows XP + McAfee, they can't use their logging tools (meaning they have to do it by hand and then log later), can't get online updates when solutions are available etc.

  • Back when I used to run a pirated copy of Windows XP I used to get a particular virus all the time. What it did was mimic SVCHOST and use your computer, presumably as a botnet zombie. In some instances you would get a whole bunch of SVCHOST running. However the trouble was, one of those is a legit Windows service. Kill the right one, and your computer speeds up; kill the wrong one, and your computer grinds to a halt.

    It sure sounds like they were trying to target that virus (years too late) and killed the wro

  • by Drake4551 (1794812) on Wednesday April 21, 2010 @03:07PM (#31928958)
    Good thing I switched to Norton!
  • by wonkavader (605434) on Wednesday April 21, 2010 @03:11PM (#31929024)

    I've never liked SVCHOST.EXE anyhow. I'm glad it deletes it.

  • by Animats (122034) on Wednesday April 21, 2010 @03:18PM (#31929180) Homepage

    The story just hit ABC News, via the Associated Press: "McAfee Antivirus Program Goes Berserk, Reboots PCs" [go.com] There are stories on the Huffington Post and NextGov. The story just broke into mainstream news in the last hour. It just hit the New York Times.

    There's nothing on McAfee's home page about this yet. No items in their "News" or "Threat Center" or "Breaking Advisory" sections. There's supposedly a McAfee Knowledge Base article, "False positive detection of w32/wecorl.a in 5958 DAT" [mcafee.com], but their knowledge base site is overloaded. When it eventually loads, there's a download link to a patch. But there's nothing like an apology. All they say is "Problem: Blue screen or DCOM error, followed by shutdown messages after updating to the 5958 DAT on April 21, 2010."

    McAfee has botched their damage control. They should be out there apologizing. Meanwhile, you can watch McAfee stock drop. [yahoo.com]

  • I have to wonder... (Score:3, Informative)

    by Alioth (221270) <no@spam> on Wednesday April 21, 2010 @03:37PM (#31929630) Journal

    I have to wonder what controls the various AV companies have to prevent a malicious signature being inserted - for example, someone deliberately doing something like this (but hitting all versions of Windows).

    It's not just McAfee that's had this particular style of false-positive problem - Symantec also falsely identified a legitimate part of the Windows 2003 Server resource kit as malware. Fortunately in Symantec's case the damage was very limited.

  • by Haidon (1628521) on Wednesday April 21, 2010 @04:06PM (#31930146)
    It's days like this that make me glad I set our ePO server to wait a day to distribute new DATs. I've been considering an AV change, this seals it!
  • by Animats (122034) on Wednesday April 21, 2010 @05:50PM (#31932026) Homepage

    Computerworld reports [computerworld.com] that McAfee has reacted to user complaints by shutting down their support forum. [mcafee.com] The forum seems to be back up now. That was an extremely dumb move to pull after the story was already in the New York Times, Business Week, and on TV.

    Many frantic users in the forum. The big losers are the enterprise users who bought into McAfee's premium services, with automatic corporate-wide updating. There's no fully automatic, reliable fix yet for systems already damaged. In some cases, it's apparently necessary to bring in a new copy of "svchost.exe"; the one in quarantine is bad.

    This points up a major risk to US computer infrastructure. Any program with remote update is potentially capable of taking down vast numbers of systems. Ones like McAfee or Windows Update, which deploy updates to all targets simultaneously, can cause widespread damage quickly. Remote updating by vendors may need to be regulated, as a public policy issue.
