A faulty antivirus update from McAfee that mistakenly identified hundreds of programs as a Windows virus has resulted in some companies accidentally deleting significant amounts of data from affected computers.
The McAfee update DAT 4715, released on Friday, was designed to protect computers against the W95/CTX virus. But because of a programming error, the update also incorrectly identified, renamed and quarantined hundreds of legitimate executables – including popular ones such as excel.exe, lsetup.exe, uninstall.exe, shutdown.exe and reg.exe.
For companies that had configured their McAfee antivirus program to automatically delete bad files, the error resulted in the loss of hundreds – in some cases thousands – of files on systems on which the update had been installed, said Johannes Ullrich, chief technology officer at the SANS ISC (Internet Storm Center).
Five hours later, McAfee released a new update, DAT 4716, to replace the earlier one. But any company that had been unlucky enough to install and run DAT 4715 in the meantime would have experienced significant problems, Ullrich said.
"A lot depended on how you had McAfee configured on your system," he said. "If you had it configured to basically quarantine bad files you were okay, because in this case it wasn't too hard to recover the quarantined files. But if you had it delete them, then it became a lot harder."
SANS received reports from "dozens" of companies reporting incorrectly quarantined or deleted files, he added.
Joe Telafici, director of operations at McAfee's Avert Labs, said the problem was the result of a "subtle logic flaw" that was quickly identified and corrected.
The error resulted in at least 290 files being incorrectly identified, he said, adding that the company is still looking to see if more files are affected.
Since releasing the updated antivirus signature, McAfee has made a tool available to its enterprise customers via its support organisation. The tool can help companies identify and restore files that were mistakenly quarantined by DAT 4715, Telafici said. McAfee also plans to make it available as a download on its website soon.
McAfee's antivirus product for consumers and small-business users already supports a feature that lets those users automatically restore quarantined files, Telafici said. The company is working on a similar tool that will help companies identify and restore some of the files they may have deleted.
"We are looking at a relatively small percentage of our customer base [being affected]," Telafici said. "But it is a large problem for those who were impacted."
The McAfee incident highlights the need for companies to configure their antivirus software so that it merely quarantines suspicious software instead of deleting it outright, Ullrich said. It also underscores the need for companies to have good backup and restore policies in place to deal with such accidental losses of data.
"Having your [antivirus] software go bad is just one of the ways in which you can lose data," Ullrich said.
McAfee isn't the first company to run into a problem with its antivirus software. Earlier this year, Microsoft's antispyware beta mistakenly flagged Symantec's Norton antivirus product as a Trojan program. And last year, a Trend Micro software update caused CPU usage to increase dramatically on machines on which it was installed.