April 21, 2010

McAfee’s anti-virus software is erroneously detecting legitimate Windows system files as malicious, causing reboot loops and serious stability problems for many Windows XP users, according to multiple reports.

The SANS Internet Storm Center has received dozens of reports from McAfee users who complained that a recent anti-virus update (DAT 5958) is causing Windows XP Service Pack 3 clients to be locked out. According to SANS incident handler Johannes Ullrich, McAfee is flagging “svchost.exe” as malicious. Svchost is a core system process that hosts multiple legitimate Windows services (although malware does often inject itself into, or masquerade as, this process), so having an anti-virus program that flags the process as a threat could cause major problems on a host system, Ullrich said.

“The [reports] keep coming in,” Ullrich said. “Systems either get stuck in a reboot loop, or networking is no longer working.”

One symptom seems to be that McAfee reports that user systems are infected with W32.Wecorl.a. The anti-virus program’s attempts to delete or quarantine the flagged svchost.exe then force the Windows machine into a reboot cycle.
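The paragraph above explains why a detection on svchost.exe is so disruptive, and a reader comment further down describes hashing a flagged file and checking it at VirusTotal before trusting an alert. The PowerShell below is an added triage script written for this page, not code from the article, McAfee or SANS: it lists every running svchost.exe, checks that its image path is one of the two locations where Windows ships the binary, shows the Authenticode status, and computes a SHA-256 you can compare against a known-good copy or submit to a multi-engine scanner. It assumes Windows PowerShell 2.0 or later run from an elevated prompt; the `Get-FileSha256` helper and the `$legitimatePaths` list are this example’s own names.

```powershell
# Added triage example for a "svchost.exe is malicious" alert; not McAfee's,
# SANS's or the article author's code. Assumes Windows PowerShell 2.0 or later,
# run from an elevated prompt so the image path of SYSTEM-owned processes is
# readable.

# Windows ships svchost.exe only in these two directories (SysWOW64 on x64).
$legitimatePaths = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
)

function Get-FileSha256 {
    param([string]$Path)
    # SHA-256 via .NET so this works on hosts that predate Get-FileHash (PS 4.0).
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
    }
}

Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    $path = $proc.Path
    if (-not $path) {
        # Not elevated: the image path is unreadable, so there is nothing to verify.
        New-Object PSObject -Property @{
            PID = $proc.Id; Path = '<access denied>'; ExpectedPath = $null
            Signature = ''; SHA256 = ''
        }
        return
    }
    $sig = Get-AuthenticodeSignature -FilePath $path
    New-Object PSObject -Property @{
        PID          = $proc.Id
        Path         = $path
        # A genuine svchost.exe lives only at the paths above; anything else
        # deserves a closer look. (-contains compares case-insensitively.)
        ExpectedPath = ($legitimatePaths -contains $path)
        # On XP and Windows 7 the binary is catalog-signed, so this can report
        # NotSigned even for the genuine file; Valid is reassuring, NotSigned
        # alone is not damning.
        Signature    = $sig.Status
        # Compare against a known-good machine at the same service pack, or
        # submit to a multi-engine scanner, before letting anything quarantine it.
        SHA256       = Get-FileSha256 -Path $path
    }
} | Format-Table -AutoSize PID, ExpectedPath, Signature, SHA256, Path
```

Run it before letting the AV client act: a svchost.exe at the expected path whose hash matches a known-good machine that took the same service pack is exactly the false positive this article describes, and the remedy is the vendor’s corrected DAT or Extra.DAT, not deleting the file. Because XP and Windows 7 sign system binaries through security catalogs rather than embedded signatures, do not read a NotSigned result on those releases as evidence of tampering on its own.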

McAfee’s own support forum is filling with users describing how the incident is affecting their operations. That thread, which began at 9:54 a.m. today, has more than 27,000 views and 83 replies.

Stay tuned for more updates as available.

Update, 1:56 p.m. ET: McAfee released the following statement regarding this event. “McAfee is aware that a number of customers have incurred a false positive error due to incorrect malware alerts on Wednesday, April 21. The problem occurs with the 5958 virus definition file (DAT) that was released on April 21 at 2.00 PM GMT+1 (6am Pacific Time).

Our initial investigation indicates that the error can result in moderate to significant performance issues on systems running Windows XP Service Pack 3.

The faulty update has been removed from McAfee download servers for corporate users, preventing any further impact on those customers. We are not aware of significant impact on consumer customers and believe we have effectively limited such occurrence.

McAfee teams are working with the highest priority to support impacted customers and plan to provide an updated virus definition file shortly. McAfee apologizes for any inconvenience to our customers.”

Update, 3:51 p.m. ET: McAfee’s main support forum is down due to what the company calls “unusually large traffic.” McAfee has posted a separate thread here that includes a couple of workarounds for customers struggling to deal with this problem.


23 thoughts on “McAfee False Detection Locks Up Windows XP”

  1. Patrick

    Non-corporate users sure are feeling the impact, and reporting problems regardless of what the statement says.

    I note inconsistency on their site regarding the period of time an Extra.Dat is supposed to function, also.

    http://service.mcafee.com/faqdocument.aspx?id=TS100335&lang=en_US
    Description

    EXTRA.DAT files are valid for 14 days, at which time they disable themselves. McAfee recommends that you keep your VirusScan up-to-date by downloading and installing the official daily updates.

    http://vil.nai.com/vil/systemhelpdocs/extradat.aspx
    Explanation of EXTRA.DAT Files

    EXTRA.DAT files are good for 30 days, at which time they disable themselves. It is recommended you keep your VirusScan up to date by downloading and installing the official daily updates.

  2. Al Huger

    As an AV vendor I see these things and think ‘but for the grace of God…’. We all want more aggressive detections to cope with rabidly propagating malware. FP’s like this are the downside of being more aggressive in detections.

    al

    1. Tom

      Back in 2005, I was burned by over 50 false positives (mainly commercial key loggers and RATs) using the then PC World Best Buy – CounterSpy. As a result, I lost faith in ALL anti-malware detections. Now, when one pops up, the first thing I do is call BS! Then, I analyze it at VirusTotal.com and finally report it to the vendor as a possible false positive. Guess what? In five years, I’m actually batting 1000.

      That said, my motto is now – Don’t Trust But Verify

      1. Mememargret

        Are you serious, or will I end up with problems after logging onto VirusTotal.com?

  3. Nice Job

    Sounds like someone needs to revisit their change management and QA processes.

  4. Mike

    What REALLY irks me, is McAfee’s lack of notification on their website. Nothing is mentioned on the home page or their Threat Center page. In addition, I couldn’t find anything using their own search tool. I had to Google for any information on this issue.

  5. BrianKrebs Post author

    I can’t help but note that the very first ad to show up on this site is a Trend Micro spot. Ouch.

  6. wiredog

    <Burns>Unleash the Hounds Lawyers! </Burns>

    1. wiredog

      Ah well, pity there’s not a ‘preview’ option.

  7. BattleChicken

    McAfee: The Antivirus that is worse than the problem it is designed to cure.

  8. Grant

    *cough*Change
    *cough*Management

    While I do feel really bad for the SMBs that can’t afford an IT staff to do everything they want – any Enterprise IT dept should _really_ be using the “Eval” branch…

  9. Sticky

    We’re talking about Windows XP SP 3 machines with no particular configuration.
    I mean, everyone blamed Microsoft for the failing updates some weeks ago (which were very limited and linked to a precise rootkit infection) but this is far beyond the acceptable rate for a huge company like McAfee.

    As someone stated before, where the heck is QA or testing?

  10. Sheen

    Ohh my gosh! We’re using McAfee VirusScan Enterprise 8.5.0.781 on almost 30+ workstations, huhuhuhuhuhuhu but so far we don’t have issue GMT +08:00

  11. Troy

    Ha ha, that was a joke, geez! Not too many IT guys out there get it?

    @Brian– keep up the great work!

    1. AlphaMack

      Maybe some of us get the joke, but there are people here who won’t get it without the sarcasm tag and will actually research into downloading AV 2010.

      Leave that kind of stuff over at Slashdot.

  12. aaarrggggg

    Oh..Well, maybe the whole building shutdown and sleepless admins is considered as not “significant impact on consumer customers”…My thanks to McAfee for giving me some more overtime.

  13. littlemopeep

    What if I haven’t had my laptop on since before 4/21? I was on vacation and I’m wondering, can I start it without Internet and do something that will prevent McAfee from doing damage? Sorry if this sounds stupid, but I’m one of the many who are not that educated on this kind of thing and sort of trust the people we paid to be up on it.

    Thanks.

  14. YeahRight

    Hmm, not significant to have to go touch each machine? I guess my conclusion is that it would also be insignificant if all the affected customers went with another vendor.

  15. Eya

    Is this the reason why whenever I try to watch a video/flash game my computer freezes?
    If so, do I follow the link listed above as well?
