McAfee Anti-Virus Causes Widespread File Damage
AJ Mexico writes, "[Friday] McAfee released an anti-virus update that contained an anomaly in the DAT file that caused many important files to be deleted from affected systems.
At my company, tens of thousands of files were deleted from dozens of servers and around 2000 user machines. Affected applications included MS Office, and products from IBM (Rational), GreenHills, MS Office, Ansys, Adobe, Autocad, Hyperion, Win MPM, MS Shared, MapInfo, Macromedia, MySQL, CA, Cold Fusion, ATI, FTP Voyager, Visual Studio, PTC, ADS, FEMAP, STAT, Rational. Apparently the DAT file targeted mostly, if not exclusively, DLLs and EXE files." An anonymous reader added, "Already, the SANS Internet Storm Center received a number of notes from distressed sysadmins reporting thousands of deleted or quarantined files. McAfee in response released advice to restore the files. Users who configured McAfee to delete files are left with using backups (we all got good backups... or?) or System Restore."
The Risk (Score:5, Insightful)
Did they forget to include that the risk of installing McAfee Anti-Virus for any user : High?
Wait a minute, it is identifying some system files that Windows put on my machine! I guess the Mac & 'nix freaks are right, Windows really is a virus. I hope it's only a matter of time before my next virus definition assesses Internet Explorer & Windows Media Player as full blown Trojan viruses distributed as malware with my OS.
Re:who-can-you-trust? (Score:5, Insightful)
Do you really think Open Source AV can't fsck up your PC if there are bugs in it? And let's be honest, how many people actually look at the source of programs (updates) they install? I am a programmer, and I never looked at the code of an Open Source program I installed for the sake of "Let's make sure this update won't fsck up my PC". I look at the code because I am curious to see how they do certain things, or I want to change some annoying aspect of it.
Re:The Risk (Score:5, Insightful)
'they will delete your files'.
In one fell swoop it seems as though McAfee may have deleted more files
than all the viruses it has removed would have.
Re:The Risk (Score:3, Insightful)
than all the viruses it has removed would have.
Go figure, no big system admin has wanted automatic (without testing) updates to their OS for some time. I guess sysadmins got lazy on testing virus scanner updates before rollouts.
I know I am not alone in turning off all runtime virus protection on my PC, because it has historically had more impact on system stability and speed than most virii. (OK, it seems the latest scanners on WinXP may actually work...) Wouldn't save me from this problem, except my system scans only occur weekly, so maybe luckily my weekly scan didn't occur (I do have nightly complete backups from backuppc.sourceforge.net [slashdot.org]).
Same as with safety belts (Score:5, Insightful)
The problem is, you never know. It's not only foolishness that gets a trojan onto your system. They come with presumably legit software, even from reputable companies. An infected driver CD is all it takes. Shareware CDs or other CDs slapped on magazines, do you think they have a lot of time to make just perfectly sure the programs are clean? A lot of shareware comes bundled with adware, do you read all those EULAs? And do you think they tell the full truth? Can you read through the legalese?
I won't get into system bugs and other exploits.
So yes, you don't really need safety belts. But it sure feels a bit more secure with them.
Where should users turn? (Score:5, Insightful)
Furthermore, a lot of virus scanners have an option to "auto-update". Imagine if an entire company had this option turned on.
Virus scanners have always been a bad solution to the problem of viruses. They don't fix the problem at its root. Instead of ensuring their operating system has no known security holes, users now rely on virus scanners to just catch everything that comes through. Any determined attacker could still just craft a custom virus to attack any host they desire. Since the virus scanner companies wouldn't have come across that particular virus, it wouldn't get picked up.
Would you fix the holes in a boat with sticky tape instead of checking that the boat doesn't have holes before you put it in the water?
Re:Don't use anti-virus! (Score:3, Insightful)
Wow, that'll save us tons of cash!
Ye don't always get what ye pays for (Score:5, Insightful)
Likewise, the perception is that the more expensive the software (and the bigger the box it comes in) the more protection you are afforded. And that the company won't suddenly decide to change direction / stop supporting the software / etc.
Yet time and time again this is shown not to be true. McAfee uninstalls arbitrary files on your computer (how'd that get through testing?) and just tells users to re-install from backup... exactly the kind of calamity the software is supposed to prevent. Part of WinNT5 was found to violate someone's patent, and anyone using that particular (admittedly rare) function had to pony up to the original patent holder or write a workaround.
As far as I can tell, the "little guys" software tends to be better in general than the big boys. Why? Because they're still trying. Before Norton was Symantec, they struggled to create an amazing toolkit of software tweaks that really did some great things. Now that their position is secure, they've hardly updated the suite to even work with XP, let alone taken advantage of the fixes and hacks that smaller houses have found. McAfee, once a nimble little company making a great little product, has been bloating for years. The more developers you add to a project, the less anyone knows about what the system is doing.
A free alternative that has been around for a long time:
AVG Antivirus [grisoft.com]
There are others. Please post 'em below.
Re:For what it's worth (Score:2, Insightful)
This honestly sounds like a corrupt memory problem.
Other possibility is that you've hard-set the windows swapfile limit...
Ethereal too? (Score:2, Insightful)
Who uses Ethereal [ethereal.com] and McAfee? Just found that funny/ironic on some levels.
Re:Don't use anti-virus! (Score:5, Insightful)
I've used it at home for a little over four years and worked with it for three years as an administrator. I have NEVER had a virus on any XP system I was responsible for.
In fact, the only virus I've ever had a problem with was an infected Windows 2000 domain controller that was SUPPOSED to be managed by corporate IT. They hadn't updated it in well over a year and wouldn't let me touch it until it started crashing (and those geniuses had it as the exchange server as well...again, I couldn't change that).
In both cases, I didn't go to extreme measures to secure the systems. I used automatic updates, both a standalone firewall and Windows Firewall, and antivirus (AVG Free at home, Symantec Corporate at work). That, and I educated my users on what NOT to open from their e-mail.
A good way to teach your users not to open strange attachments is to give them a dummy one that will just let you know who opened the file. I arranged with management to do this one day...send out a trojan-like e-mail with a script that would write a file with the username in it to one of the network shares and see who opened it.
The next day I unplugged one of the network switches for fifteen minutes at the beginning of the day, told them it was because some people had opened "virus e-mails" (management knew the truth) and then plugged it back in. I talked to the people who had opened the "virus" e-mails and gave them an in-depth training session on why it's a bad thing to open every attachment you get on e-mail. From then on, they wouldn't touch anything that was even remotely suspicious.
Three years, nearly 100 users, and ZERO penetration on my systems. It's not rocket science.
Re:Advice for corporate users (Score:2, Insightful)
Doesn't it cost a lot to educate your users to not download viruses that are less than four days old?
Why don't you just educate them to not download viruses at all? Then you could do without the Anti-virus. You pretty much are anyway.
Re:who-can-you-trust? (Score:2, Insightful)
Do you really think it's better to have your system trashed and pay for the privilege?
Re:The real irony here.... (Score:3, Insightful)
Couldn't you have just looked at the pricing page for any of the major antivirus vendors, or any of the 163,000 hits on Google for "antivirus subscription" or 6.04 million for "anti-virus subscription" (the top hits of which are about the same) for this answer, instead of flaming the guy?
I mean, yes, you're lazy, but damn, man, it's just Google.
Re:The Risk (Score:4, Insightful)
That's very funny. When a ubervirus thrashes a couple of corporate networks to the tune of a billion dollars apiece, we hear "Stupid admins - the patch was available - they weren't keeping up". Now it's "They should have tested before rolling them out." (paraphrased)
It appears, therefore, that using a system that is subject to viruses and security vulnerabilities on the scale of Windows is inherently untenable. We can't even define logically consistent expectations for the administrators of such systems. Can we stop using them now?
Re:Advice for corporate users (Score:3, Insightful)
2) The number of viruses that actually are that serious a threat is next to zero. Have you ever bothered to look at the release files to see what the daily updates actually cover? If you did, did you bother checking what they were and the criticality of the viruses listed? Do you know how many viruses are listed in the readme for the latest McAfee DAT?
3) Anyone that relies solely on a single AV solution is a fool anyway. Virus protection should be layered on any network and is on mine. AV software on the desktop should be the last stop. We use postfix+spamassassin+amavisd to scan mail before it hits our mail server. Our firewall scans anything incoming before it gets to the desktop. Our desktop software is only there as a last bastion and does its job well, because there's not much that gets there. None of the systems are perfect on their own; as a team, they work very well.
So do I feel safe? Yes, I haven't had a virus issue inside my network for years. I see shitloads of them getting cleaned when I look at my logfiles though. Does it bother me that I wait three or four days to deploy DAT files? Not at all, because it's not the only way I protect my users.
Re:The real irony here.... (Score:4, Insightful)
Looks to me like he's a smug user of computing platforms that are actually, inherently, mostly secure.
It seems there are yet a few little boys who dare to say "The Emperor has no clothes" when confronted with the, yes, staggering incompetence with respect to security which is rampant within the mainstream PC world.