McAfee Apologizes for Killing Windows
April 20th marked one of the most unhappy days in McAfee history, because virus definition update — version 5958 — gave a “false positive” identification of the infamous critical Windows process “svchost.exe”. Short version? McAfee thought it was a virus, and Windows ends up not booting up. Here’s the remedy, the aftermath, and the official word from McAfee.
First, a little background: The McAfee problem arises as the security software company prepares to launch a new partner program in early May 2010. McAfee’s latest channel chief — Alex Thurber — is a Cisco Systems veteran, so channel programs are in his DNA. Also, McAfee has committed to keeping the best portions of the MX Logic partner program amid the new McAfee partner program launch. (McAfee acquired MX Logic last year.)
So, that’s the big picture on McAfee’s channel strategy. It sounds promising. And we hope to hear more from Thurber during a potential meeting the week of 26.
Now, the Bad News
But at least for this week, some VARs were dealing with a somewhat annoying McAfee software glitch. If your customers are running Windows XP Service Pack 3 and have installed the 5958 definitions, svchost.exe will get deleted. Poof. Suddenly, your customers have a non-functioning Windows machine. What’s worse, Windows is set to reboot on a failure of svchost.exe, basically putting machines into an endless-reboot making it hard to repair.
One site worthly of note, ArsTechnica, said McAfee’s site “collapsed under the load” and as such, official McAfee support forums weren’t accessible. They did however, quote McAfee’s SOS before the site came to a halt:
“Boot the system into safe mode
Drop the attached extra.dat in c:/program files/common files/mcafee/engine
Reboot into normal mode
Rebooting into Windows normal mode type “shutdown /a” in the run line this aborts the automatic shutdown.
This will allow them to apply the exclusion.”
Make sure to run the command as Admin, otherwise it wont work.
We contacted our own official McAfee sources, and they had the following to say:
McAfee is aware that a number of customers have incurred a false positive error due to this release. We believe that this incident has impacted less than one half of one percent of our enterprise accounts globally and a fraction of that within the consumer base–home users of products such as McAfee VirusScan Plus, McAfee Internet Security Suite and McAfee Total Protection. That said, if you’re one of those impacted, this is a significant event for you and we understand that.
Our initial investigation indicates that the error can result in moderate to significant issues on systems running Windows XP Service Pack 3…The faulty update was removed from all McAfee download servers within hours, preventing any further impact on customers.
McAfee teams are working with the highest priority to support impacted customers. We have also worked swiftly and released an updated virus definition file (5959) within a few hours and are providing our customers detailed guidance on how to repair any impacted systems.
While it sounds like McAfee’s got it cool and under control with an apologetic attitude, it does seem like they’re underplaying it slightly. “less than one half of one percent of our enterprise accounts” with a “fraction” of consumer base hit? What ‘fraction’ or numbers total to their ‘100%’ exactly? This blogger knows that despite Windows 7’s warm reception, there still hasn’t been a total migration yet. Migration in the Enterprise arena is also a mixed bag. Admittedly, the amount of McAfee users explicitly using Windows XP SP3 might be a metaphorical handful, but a ‘fraction’ seems like marginalizing the problem if McAfee’s own support site went down.
But what are the implications beyond the obvious downtime? Is this a one-time, minor setback for McAfee or the sign of a larger challenge? Were you affected?
Sign up for The VAR Guy’s Newsletter; Webcasts and Resource Center; and via RSS; Facebook; Identi.ca; Twitter and VARtweet.
My wife works for a large hospital / university. She told me that it was odd walking around the office yesterday with no one at their computers. They were all down. The email below talks around 8,000 computers just at this location. Here is the email sent out. I am lead to believe that most are now working again today.
At 11 a.m. today, 4/21, McAfee, our VirusScan vendor, released an update to its customers that improperly identified a critical component of Windows as having a virus.
XXIT, along with the majority of McAfee’s customers worldwide, automatically propagates these virus definitions to their client PCs.
Roughly 8,000 CoreImage PCs randomly distributed across the Health System automatically received the virus scan update and are now experiencing repetitive reboots. These computers are not functioning at this time and will be offline until the problem is fixed.
IT has stopped the virus scan update and is currently working on ways to restore the affected machines. This is challenging due to the nature of the file that is being flagged (improperly) as having the virus.
If your computer is still operational, it is fine and will not experience this problem.
NOTE: The CoreImage computers do not have a virus, but McAfee VirusScan incorrectly believes they do.
There will be more updates as they become available from Microsoft, McAfee and IT.