A flawed McAfee antivirus update sent enterprise administrators scrambling yesterday as the new signatures quarantined a crucial Windows system file, crippling an unknown number of Windows XP computers, according to messages on the company's support forum.
McAfee confirmed it had pushed the faulty update to users. "McAfee is aware that a number of customers have incurred a false positive error due to incorrect malware alerts on Wednesday, April 21," said company spokesman Joris Evers. "The problem occurs with the 5958 virus definition file (DAT) that was released on April 21 at 2:00 P.M. GMT+1 (6:00 A.M. Pacific)."
According to users on McAfee's support forum, the update flagged Windows' "svchost.exe" file, a generic host process for services that run from other DLLs (dynamic link libraries).
Both users and McAfee said that the flawed update had crippled Windows XP Service Pack 3 (SP3) machines, but not PCs running Vista or Windows 7. "Our initial investigation indicates that the error can result in moderate to significant performance issues on systems running Windows XP Service Pack 3," acknowledged Evers.
Affected PCs have displayed a shutdown error or blue error screen, then gone into an endless cycle of rebooting, users claimed.
McAfee reacted by warning users not to download the update if they haven't already, and by posting recovery instructions and a signature update to suppress the defective one seeded to users earlier. "Apply the EXTRA.DAT to all potentially affected systems as soon as possible," the company recommended. "For systems that have already encountered this issue, start the computer in Safe Mode and apply the EXTRA.DAT. After applying the EXTRA.DAT, restore the affected files from Quarantine." Unfortunately, those instructions and the suppression EXTRA.DAT update file are not currently available, again because McAfee's support site has gone dark.
Instead, users can reach the instructions and EXTRA.DAT file from elsewhere on McAfee's site .
"The faulty update has been removed from McAfee download servers for corporate users, preventing any further impact on those customers," Evers said. "We are not aware of significant impact on consumer customers and believe we have significantly limited such occurrence."
McAfee is working on helping customers affected by the rogue update, said Evers. "McAfee apologises for any inconvenience to our customers," he added.
Mel Morris, CEO of internet security company Prevx said the flawed McAfee update was the result of increasing sophistication of malware writers and warned that the problem continue to escalate. "Criminals are essentially either hijacking or mimicking core Operating System components by giving malware the same name as many of these components. This not only makes it much harder for research labs to spot attacks, but also increases the chances of a false positive whereby something is wrongly identified as a piece of malware.
"In the pressure to act quickly and get a cure out, vendors will inadvertently remove critical OS components and disable millions of PCs in one go. What many of these vendors need is technology that can more effectively identify these types of malware attacks by tracking them in real time and automating the process of detection,” he said.