Saturday, April 24, 2010

Broken McAfee DAT update cripples Windows workstations

McAfee pushed out a virus definition update, 5958, at 06:00 PDT that causes false positive identification of the critical Windows system file svchost.exe. Machines running Windows XP Service Pack 3 using the 5958 definitions will delete the file, causing many key Windows services to fail to start. The Windows file is being mistakenly detected as W32/wecorl.a. Failure to start svchost.exe causes Windows to automatically reboot, hindering repair efforts.

At the time of writing, McAfee's support forum appears to have either gone offline or collapsed under the load, making threads about the issue inaccessible. Before going offline, the company advised the following measures:
  1. Boot the system into safe mode
  2. Drop the attached extra.dat in c:/program files/common files/mcafee/engine
  3. Reboot into normal mode
After rebooting into Windows normal mode, type "shutdown /a" in the Run line; this aborts the automatic shutdown and gives users time to apply the exclusion.
The shutdown command must be run as an Administrator; regular users aren't able to abort shutdowns in progress.
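The steps above, gathered into one helper script as an added example (this is not McAfee's official tool). It assumes PowerShell is installed on the affected Windows XP SP3 host, that an extra.dat obtained from McAfee sits in the current directory, and that the script is run from an elevated prompt, since shutdown /a fails for regular users. The dllcache check is an assumption of this example: Windows File Protection on XP normally keeps a copy of protected files there.

```powershell
# Added example, not McAfee's official tool. Run as Administrator after booting
# into normal mode. Paths: the engine directory is the one given in the advisory.
$engineDir = Join-Path ${env:ProgramFiles} 'Common Files\McAfee\Engine'
$svchost   = Join-Path $env:SystemRoot 'System32\svchost.exe'
$extraDat  = Join-Path (Get-Location).Path 'extra.dat'

# 1. Make sure we are elevated, then stop the automatic reboot so there is
#    time to apply the fix. shutdown /a only works for Administrators.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Error 'Must run as Administrator; regular users cannot abort a shutdown.'
    exit 1
}
shutdown.exe /a 2>$null   # harmless if no shutdown is currently pending

# 2. Report whether the false positive has already removed svchost.exe.
if (Test-Path $svchost) {
    Write-Host "svchost.exe present: $svchost"
} else {
    Write-Warning 'svchost.exe is missing; it must be restored before services will start.'
    # Assumption: Windows File Protection keeps a copy in dllcache on XP.
    $cached = Join-Path $env:SystemRoot 'System32\dllcache\svchost.exe'
    if (Test-Path $cached) { Write-Host "A cached copy exists at $cached" }
}

# 3. Install the exclusion file so the 5958 DAT stops flagging svchost.exe.
if (-not (Test-Path $extraDat))  { Write-Error "extra.dat not found at $extraDat"; exit 1 }
if (-not (Test-Path $engineDir)) { Write-Error "Engine directory not found: $engineDir"; exit 1 }
Copy-Item -Path $extraDat -Destination $engineDir -Force
Write-Host "extra.dat copied to $engineDir; reboot to finish applying the exclusion."
```

The script only reports a missing svchost.exe rather than replacing it, so that the file is restored deliberately from a trusted source; the exclusion alone stops further deletions but does not bring a removed file back.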

The broken DAT should now be purged from McAfee's distribution network (Akamai expected the purge to be completed by 09:45 PDT), and an updated version, 5959, was made available at around 10:15 PDT.

This updated version is identical to 5958, with the problem definition removed.

At this point, anyone who hasn't been bitten by the problem should be safe. That may be little consolation to the estimated tens of thousands of computers damaged already. With unconfirmed (Update: now confirmed) reports that big customers like Intel have been hit by the problem, that number is set to grow.

This is not the first time a virus scanner has caused such a problem; a month ago, BitDefender had a similar issue, though the McAfee issue seems a little easier to repair. Just as with the BitDefender issue, this is something that would be trivially detected with even basic QA, which makes the regularity of such problems perplexing.
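What "basic QA" could look like in practice, as an added illustration rather than McAfee's or BitDefender's own release process: a pre-release gate that hashes a golden corpus of known-clean operating-system files, runs the candidate signature set over that corpus, and refuses to publish if any clean file is detected. The manifest entries, hashes and the detection list below are constructed sample data; the function names are this example's own.

```powershell
# Added illustration, not a vendor's own QA tooling. A candidate DAT that flags
# any file in the known-clean manifest fails the release gate.

function Get-FileSha1 {
    # SHA-1 of a file's contents via .NET, so it works on older PowerShell versions.
    param([string]$Path)
    $sha1   = [System.Security.Cryptography.SHA1]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { return ([System.BitConverter]::ToString($sha1.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close() }
}

function New-CleanManifest {
    # Hash every file under a golden, known-clean directory (for example System32
    # of a freshly installed XP SP3 image). The manifest pins path and content.
    param([string]$Root)
    $manifest = @{}
    foreach ($f in Get-ChildItem -Path $Root -Recurse | Where-Object { -not $_.PSIsContainer }) {
        $manifest[$f.FullName.ToLowerInvariant()] = Get-FileSha1 -Path $f.FullName
    }
    return $manifest
}

function Test-ReleaseGate {
    # A detection whose path AND hash match a manifest entry is a false positive
    # on a clean file. Matching on hash too means a genuinely infected copy of a
    # system file (different content) is still reported as a real detection.
    param([hashtable]$Manifest, [object[]]$Detections)
    $falsePositives = @()
    foreach ($d in $Detections) {
        $key = $d.Path.ToLowerInvariant()
        if ($Manifest.ContainsKey($key) -and $Manifest[$key] -eq $d.Hash) {
            $falsePositives += $d
        }
    }
    return ,$falsePositives
}

# --- Constructed demonstration data (not real hashes or real scanner output) ---
# In production the manifest comes from New-CleanManifest on the golden image and
# the detections from running the candidate DAT over that same corpus.
$manifest = @{
    'c:\windows\system32\svchost.exe'  = 'CONSTRUCTED-HASH-SVCHOST'
    'c:\windows\system32\services.exe' = 'CONSTRUCTED-HASH-SERVICES'
}
$detections = @(
    (New-Object PSObject -Property @{ Path = 'C:\Windows\System32\svchost.exe'; Hash = 'CONSTRUCTED-HASH-SVCHOST'; Name = 'W32/wecorl.a' }),
    (New-Object PSObject -Property @{ Path = 'C:\corpus\malware\sample.exe';   Hash = 'CONSTRUCTED-HASH-SAMPLE';  Name = 'W32/wecorl.a' })
)

$hits = Test-ReleaseGate -Manifest $manifest -Detections $detections
if ($hits.Count -gt 0) {
    foreach ($h in $hits) { Write-Warning ("False positive: {0} flagged as {1}" -f $h.Path, $h.Name) }
    Write-Error 'Release gate FAILED: candidate DAT detects a known-clean system file.'
} else {
    Write-Host 'Release gate passed: no detections on the clean corpus.'
}
```

With the constructed data the gate fails on svchost.exe and ignores the malware sample, which is exactly the split a release check needs: a hit on the clean corpus blocks publication, while detections outside it are the signature doing its job.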

Users in our Windows Technical Mojo forum are discussing the issue along with some possible fixes.

Update: Official solutions from McAfee

- wong chee tat :)
