We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

McAfee antivirus update wreaks havoc

Mayhem caused by programming error

A faulty antivirus update from McAfee that mistakenly identified hundreds of programs as a Windows virus has resulted in some companies accidentally deleting significant amounts of data from affected computers.

The McAfee update DAT 4715, released on Friday, was designed to protect computers against the W95/CTX virus. But because of a programming error, the update also incorrectly identified, renamed and quarantined hundreds of legitimate executables – including popular ones such as excel.exe, lsetup.exe, uninstall.exe, shutdown.exe and reg.exe.

For companies that had configured their McAfee antivirus program to automatically delete bad files, the error resulted in the loss of hundreds – in some cases thousands – of files on systems in which the update had been installed, said Johannes Ullrich, chief technology officer at the Sans ISC (Internet Storm Center).

McAfee released a new patch, DAT 4716, updating the earlier one, five hours later. But any company that had been unlucky enough to install and run DAT 4715 would have experienced significant problems, Ullrich said.

"A lot depended on how you had McAfee configured on your system," he said. "If you had it configured to basically quarantine bad files you were okay, because in this case it wasn't too hard to recover the quarantined files. But if you had it delete them, then it became a lot harder."

SANS received reports from "dozens" of companies reporting incorrectly quarantined or deleted files, he added.

Joe Telafici, director of operations at McAfee's Avert Labs, said the problem was the result of a "subtle logic flaw" that was quickly identified and corrected.

The error resulted in at least 290 files being incorrectly identified, he said, adding that the company is still looking to see if more files are affected.

Since releasing the updated antivirus signature, McAfee has made a tool available for its enterprise customers via its support organisation. The tool can help companies identify and restore files that were mistakenly quarantined by DAT 1475, Telafici said. McAfee also plans to make it available as a download on its website soon.

McAfee's antivirus product for consumers and small-business users already supports a feature that lets those users automatically restore quarantined files, Telafici said. The company is working on a similar tool that will help companies identify and restore some of the files they may have deleted.

"We are looking at a relatively small percentage of our customer base [being affected]," Telafici said. "But it is a large problem for those who were impacted."

The McAfee incident highlights the need for companies to configure their antivirus software so that it merely quarantines suspicious software instead of deleting it outright, Ullrich said. It also underscores the need for companies to have good backup and restore policies in place to deal with such accidental losses of data.

"Having your [antivirus] software go bad is just one of the ways in which you can lose data," Ullrich said.

McAfee isn't the first company to run into a problem with its antivirus software. Earlier this year, Microsoft's antispyware beta mistakenly flagged Symantec's Norton antivirus product as a Trojan program. And last year, a Trend Micro software update caused CPU usage to increase dramatically on machines on which it was installed.

IDG UK Sites

Spotify launches on PS4 as Tidal arrives on Sonos: It's Tidal vs Spotify music streaming

IDG UK Sites

It's World Backup Day 2015! Don't wait another minute: back up now

IDG UK Sites

Get the free Adobe Comp CC iPad app for rapid layout design

IDG UK Sites

New 13-inch Retina MacBook Pro (early 2015, 2.7GHz) review: Just about the greatest upgrade any...