McAfee Anti-Virus Causes Widespread File Damage

AJ Mexico writes, "[Friday] McAfee released an anti-virus update that contained an anomaly in the DAT file that caused many important files to be deleted from affected systems. At my company, tens of thousands of files were deleted from dozens of servers and around 2000 user machines. Affected applications included MS Office, and products from IBM (Rational), GreenHills, MS Office, Ansys, Adobe, Autocad, Hyperion, Win MPM, MS Shared, MapInfo, Macromedia, MySQL, CA, Cold Fusion, ATI, FTP Voyager, Visual Studio, PTC, ADS, FEMAP, STAT, Rational.Apparently the DAT file targeted mostly, if not exclusively, DLLs and EXE files." An anonymous reader added, "Already, the SANS Internet Storm Center received a number of notes from distressed sysadmins reporting thousands of deleted or quarantined files. McAfee in response released advice to restore the files. Users who configured McAfee to delete files are left with using backups (we all got good backups... or?) or System restore."

hijackthis

[Anonymous Coward]

Gotta love McAFee, they also delete hijackthis when I plug my USB key in.

Re:who-can-you-trust?

[MankyD]

What on earth did they lie about? They screwed up and they're trying to tell you how to fix it. This is not a commercial vs. oss debate - sheesh!

Re:Don't use anti-virus!

[MankyD]

Actually... they do "magically propagate" when flaws are found in things like Windows SAMBA sharing or Apache's web server (or any server program that you run for that matter.)

Re:Help!

[xtracto]

What about a *nix firewall [muine.org]with antivirus software on it [f-prot.com]?

You only need that headless pentium 3 (even a pentium pro could make it!) that you are using to rest your feet ;-), plus you will be able to forget the burden of whatever "ANTI-*.* " software that wastes your precious resources.

Of course that is if you use Windows (for whatever reason, I also do it).

CTX undo file

[n3m0-kn0z3]

I just got off McAfee tech support line. They have an undo script to unquarantine incorrectly identified files. Since the file is not publically available from their site, I have uploaded it here: ctxundo.zip [keepmyfile.com]

McAfee Plague

[ShadowNetworks]

This incident only goes to show that any file manipulation program (even the essentials like anti-virus and spy-ware/ad-ware removers) can have a profound effect on one's personal files. ALWAYS BACKUP. Even if you trust your media, you'll probably get attacked from within (hackers and now your own software).

Anyone remember Microsoft Anti-Spyware removing Norton? Anyone remember IRC commands such as "startkeylogger" booting systems from the internet running Symantec?

No one's perfect, even the software programmers. And as he laid down in a vicous wrath... the software they trusted most deleted their most precious files. Welcome to Monday everyone.

Advice for corporate users

[futuresheep]

This is exactly why I force all my clients to update their DAT's from MY server, not McAfee's, and I push the updates out, the clients never pull them. Along with that, I always wait three to four days before pushing the updates out. Even if you don't use the full McAfee Epolicy Orchestrator, you can still configure the clients to point to an ftp server on your network for updates. Just like with MS patches, it's simply prudent to wait a few days just in case there's any issues like this that may arise.

I'm not excusing McAfee here, but there are ways that we, as admins can minimize the risk to our users and our network.

Comical recovery instructions from McAfee

[Anonymous Coward]

Even better are McAfee's instructions for how to recover from the damage their product has done. The first option is to restore the files from quarantine, assuming your version of McAfee actually lets you do this (not all, including the corporate version, have this option). The second is to use Windows System Restore.

This probably would have worked great on my machine if it weren't for the fact that half of the files McAfee quarantined were *System Restore files*.

Apparently McAfee hasn't heard of a novel concept called "testing". (I like how they've posted a list on their website of the false positive files, now 7 pages long and still woefully incomplete; they ought to just admit it's going to take a random assortment of exes and dlls on any machine.)

Combine this with the fact that the default settings on a McAfee install are to quarantine without prompting, and IMHO McAfee is the most dangerous virus I've ever had on my machine.

Re:For what it's worth

[dkone]

Get AVG, it is free, small and stable. Norton and McAfee are both bloatware

Re:The real irony here....

[KarmaMB84]

There's very few options in a corporate or university environment who want to manage their virus scanners. Most of the "free" scanners dictate that you need to pay if you're in such an environment anyway.

Re:who-can-you-trust?

[freeweed]

let's be honest, how many people actually look at the source of programs (updates) they install? I am a programmer, and I never looked the code of an Open Source program I installed

The point of open source is not that you PERSONALLY can look at the source to find problems (although you can if you like).

The point is that thousands of other people can. And usually, no one's stopping them from reporting a problem if they do find one.

Admittedly, this leaves gaps (what if no one else looks?), but it works pretty damn well, for the most part.

Re:Good catch

[SillyKing]

I have removed Adobe Acrobat reader from my systems. In it's place, I use Foxit Reader (http://www.foxitsoftware.com/pdf/rd_intro.php [foxitsoftware.com]) for reading PDF files. It's a lot faster to load, and I have yet to come across a PDF it can't read.

For creating PDF files, I use PDFCreator (http://sourceforge.net/projects/pdfcreator [sourceforge.net]). It works like Adobe Distiller used to, you create your PDF files by printing to PDFCreator.

Re:Good catch

[Wiz]

You can use this piece of Adobe software:

http://www.adobe.com/support/downloads/detail.jsp? ftpID=2709 [adobe.com]

To create custom MSTs for Acrobat, which you can use to disable all of the annoying crap. Well, apart from the Yahoo search! I suggest also http://www.appdeploy.com/ [appdeploy.com] can be useful for finding ways to disable stuff in installers.

Re:Surprisingly, it didn't quarantine itself

[btellier]

Actually, in their press release they have some of the filenames affected by the errant signature. Among them is:

- FrameworkService.exe

Which, if you take a look at your Task Manager, you will notice is:

  Directory of C:\Program Files\McAfee\Common Framework

09/27/2005 03:06 AM 102,463 FrameworkService.exe

Re:A tool for media giants

[jratcliffe]

Looks like there may be a reason for this behavior. That package hasn't been available from its creators for nearly a year, and it seems (as indicated by this site [72.14.203.104]) that there may be versions of the installer floating around that have had trojans attached to them...