McAfee Update Flags Hundreds of Innocuous Programs
Anti-virus giant McAfee acknowledged late last week that a recent update to a number of its software products went terribly awry, causing them to flag hundreds of legitimate third-party programs as hostile and prompting users to delete or quarantine them.
The files identified by McAfee as malicious included excel.exe (Microsoft Excel) and gtb2k1033.exe (Google Toolbar installer), as well as programs that run Macromedia Flash Player, Sun's Java application and Adobe update manager.
The erroneous flags even apply to updaterui.exe, McAfee's own update program. The full list of programs errantly marked as bad is here in PDF format, although McAfee only lists the ".exe" files affected, not the names of the software packages.
McAfee flagged the harmless files as "W95/CTX," an obscure Windows 95 virus that McAfee first identified in 2004. McAfee says this problem appeared in updates for VirusScan Enterprise 8.0i, 7.1 and 7.0; Managed VirusScan 4.0 and 3.5; Virus Scan Online 11 and 10; Linux Shield; and VirusScan 7.03 (consumer).
The SANS Internet Storm Center has a decent writeup on the problem, which includes a snippet from a reader who had some 700 files quarantined on more than 100 computers.
The faulty virus-definitions update was pushed out Friday morning. McAfee released a repaired update file around 6:30 p.m. ET.
Batches of so-called "false positives" like this latest round from McAfee are more common than you might think among the anti-virus vendors. TrendMicro had a problem with an update file last April that completely swamped the processing power of the machines running it, effectively shutting down some major corporate e-mail gateways. News.com quotes McAfee's director of operations as saying the company is forced to do an emergency update about every three months because of faulty definitions releases.
While I certainly don't want to make light of a situation that is no doubt very serious, especially for people who are cleaning up this mess, I found McAfee's solution for such customers interesting: "Users who have moved detected files to quarantine should restore them to their original location. Windows users who have had files deleted should restore files from backup or use System Restore."
Most anti-virus vendors urge users to delete past restore points when cleaning up real virus or worm infections. This is because those nasties can get backed up along with the rest of the user's settings and files, meaning they could be brought back to life if the user restores the backup snapshot.
Here's hoping the companies and individuals who were just forced to restore their systems didn't also have to grapple with a restored, real virus infection.