Author Topic: Here we go again with false positive antivirus actions bricking computers (Read 23758 times)

mouser · « **on:** April 21, 2010, 03:17 PM »

Honestly when are these antivirus companies going to learn that this behavior is unacceptable? You can't go around deleting people's core system files because your 1 day old untested new virus signatures "think" they found something suspicious. Give me a break! How many times do we have to keep having this discussion?

McAfee pushed out a virus definition update, 5958, at 14:00 PDT that causes false positive identification of the critical Windows system file svchost.exe. Machines running Windows XP Service Pack 3 using the 5958 definitions will delete the file, causing many key Windows services to fail to start. The Windows file is being mistakenly detected as W32/wecorl.a. Failure to start svchost.exe causes Windows to automatically reboot, hindering repair efforts.

http://arstechnica.c...ows-workstations.ars

Screenshot - 4_21_2010 , 3_17_39 PM_thumb.png

JavaJones · « **Reply #1 on:** April 21, 2010, 03:20 PM »

Holy crap, that's a nasty one. I think also at fault here is the default behavior being delete, and lack of any white list or safeguards. I mean come on, one would think that with an easily identifiable core system file it would first attempt to *clean*, and then failing that, it would warn the user and *leave the file intact*. Better to have a core system file infected but intact so that other tools could attempt cleanup than delete the file and possibly thwart attempts at repair.

- Oshyan

rjbull · « **Reply #2 on:** April 21, 2010, 03:48 PM »

They get away with it because "security" and "health and safety" are all-purpose justifications for anything.

wraith808 · « **Reply #3 on:** April 21, 2010, 03:51 PM »

And this is the reason that a lot of people don't trust AV software- because the cure can be worse than the disease. I'm more than a little bit upset with AVG that it deletes my NSIS files whenever they are found.

IainB · « **Reply #4 on:** April 21, 2010, 10:26 PM »

@JavaJones: Yes. When I migrated from Avast! to WSE (MS Windows Security Essentials) I followed the advice of someone on the DC forum and changed the default settings to "Quarantine" action, rather than let the thing delete according to its previous default rules.

I therefore concur with your comment:

"...I think also at fault here is the default behavior being delete, and lack of any white list or safeguards..."

bgd77 · « **Reply #5 on:** April 22, 2010, 03:03 AM »

I wonder if/how do they test their updates.

Just as with the BitDefender issue, this is something that would be trivially detected with even basic QA, which makes the regularity of such problems perplexing.

Does this mean they do not have QA? I can't believe this. I am pretty sure they lost a lot of customers/money because of this problems.

Does this issue appear on some particular XP SP3 configurations? Or it is a general issue?

lanux128 · « **Reply #6 on:** April 22, 2010, 04:45 AM »

one word - McAfee..

bgd77 · « **Reply #7 on:** April 22, 2010, 04:54 AM »

Ok, I understood. I thought it was more than that... In this case, shame on them.

40hz · « **Reply #8 on:** April 22, 2010, 08:29 AM »

I haven't looked at McAfee since a time in the mid-90's when an overnight update brought two floors worth of PCs to their knees performance-wise - and the client decided it was all my fault because I originally spec'ed the systems.

And here I thought I was maybe carrying a grudge because I've considered McAfee To be undependable ever since.

J-Mac · « **Reply #9 on:** April 22, 2010, 03:04 PM »

This is completely inexcusable. How can a supposedly major computer security software company, one that probably has more of its products pre-installed on systems world-wide than any other developer, possibly allow such a bug to be released to an unsuspecting public?

How can a virus definitions update that removes svchost.exe - a well-known vital Windows core system file - not realize it? Surely some testing would have been done by even the most careless developer!?!

This reinforces my resolve to never touch a McAfee product with someone else's hand, let alone mine!

This is why I have NOD32 configured to NEVER clean any suspected infection. I have all settings so that they quarantine and notify me. Never "clean", which simply means DELETE. These flaming idiots can't recognize a false positive? I'd like to say that I am not surprised, but this one surprises me. Damn!

Jim

Darwin · « **Reply #10 on:** April 22, 2010, 03:37 PM »

Blurs the line between the guys writing the virii and the security companies...

mwb1100 · « **Reply #11 on:** April 22, 2010, 03:52 PM »

Here's my patent-pending idea for AV companies to help solve at least some of these problems... never automatically delete any file properly signed by Microsoft. You might even want to make it difficult to allow the user to initiate a delete operation on such a file. Maybe have malware detected in such a file initiate a report to your tech support - either the user's computer is totally owned by malware, the malware detection has a significant flaw, or Microsoft has screwed something up royally.

Any of these 3 situations warrants careful consideration of the proper next steps, not just a blind delete (or even quarantine, in my opinion).

Innuendo · « **Reply #12 on:** April 23, 2010, 10:34 AM »

Honestly when are ~~these antivirus companies~~ people who install McAfee products going to learn that this behavior is unacceptable?
-mouser (April 21, 2010, 03:17 PM)

There you go, Mouser. Fixed that for you.

Number99 · « **Reply #13 on:** April 23, 2010, 10:51 AM »

Honestly when are ~~these antivirus companies~~ people who install McAfee products going to learn that this behavior is unacceptable?
-mouser (April 21, 2010, 03:17 PM)

There you go, Mouser. Fixed that for you.
-Innuendo (April 23, 2010, 10:34 AM)

rxantos · « **Reply #14 on:** April 26, 2010, 11:07 AM »

Why not simply require each executable to be digitally signed?
And whats the point of having an anti-virus that will act as a virus itself?

mouser · « **Reply #15 on:** April 26, 2010, 11:22 AM »

And whats the point of having an anti-virus that will act as a virus itself?

maybe we need a new kind of software utility:
"AntiVirus Watchdog"

it's job is to watch over all anti-virus program activity and kill the antivirus if it gives a false alarm.

nudone · « **Reply #16 on:** April 26, 2010, 11:33 AM »

right, so that would be an AntiAntiVirus? or maybe an Anti²Virus?

i see a whole new industry dedicated to this threat 10 years from now.

mouser · « **Reply #17 on:** April 26, 2010, 11:37 AM »

bgd77 · « **Reply #18 on:** April 27, 2010, 01:21 AM »

Why not simply require each executable to be digitally signed?
-rxantos (April 26, 2010, 11:07 AM)

You mean, as it happens for Symbian OSes?

I don't think it is a great idea. It would mean that every freeware application would need to be signed and I don't think that a lot of the developers would have the money to do this. I think this is one of the advantages of Windows, being able to create your little, useful application at home, run it, and then being able to distribute it around the world, on other Windows OSes where (hopefully) it will work.

Deozaan · « **Reply #19 on:** April 27, 2010, 01:35 AM »

Maybe Microsoft will sue McAfee now. That ought to get their attention!

timowers · « **Reply #20 on:** May 08, 2010, 06:14 PM »

This is what happens with mickey mouse personal 'anti-virus' software. With professional anti-virus programs this has never/will never happen.
It's a shame home users never get to experience this.

J-Mac · « **Reply #21 on:** May 08, 2010, 09:20 PM »

This is what happens with mickey mouse personal 'anti-virus' software. With professional anti-virus programs this has never/will never happen.
It's a shame home users never get to experience this.
-timowers (May 08, 2010, 06:14 PM)

Uhhh... the McAfee screw up DID affect "professional" users; the false positives occurred in Enterprise versions; very few home users were affected.

Jim

timowers · « **Reply #22 on:** May 09, 2010, 08:13 AM »

the McAfee screw up DID affect "professional" users

Reading again I should have worded my post slightly differently. As you say in caps, 'DID' because whatever the edition type, both home and professional users know McAfee can no longer be considered a reliable solution. Any business worth its salt will never deploy a new version without having trialled it in a sandbox box environment for at least a month first. Then, after deployment all definition updates would never be pushed out as they come in, rather deployed to a red test network first, then once proven the Admin would allow deployment. These false positives should then be caught before doing any harm. Most FP's have an understandable, underlying reason but for Mcafee to bang out these FP's without undergoing a basic degree of QA first is unacceptable.
There is really only one solution in the Enterprise arena that has a reliable and proven track record, which is why when McAfee contracts are up for renewal, they aren't, and are jumping ship ASAP.

cyberdiva · « **Reply #23 on:** May 09, 2010, 09:37 AM »

Reading again I should have worded my post slightly differently. As you say in caps, 'DID' because whatever the edition type, both home and professional users know McAfee can no longer be considered a reliable solution. Any business worth its salt will never deploy a new version without having trialled it in a sandbox box environment for at least a month first.
-timowers (May 09, 2010, 08:13 AM)

I agree that companies should be more careful than McAfee apparently was this time, but I'm not sure how your statement above relates to the McAfee debacle in question. McAfee wasn't putting out a new version of the software but simply new definitions, something they do every day. Yes, they screwed up big time, but it had nothing to do with a new version of the software. And, as Jim has already pointed out, your statement about "mickey mouse personal 'anti-virus' software" also seems off target.

J-Mac · « **Reply #24 on:** May 09, 2010, 11:19 AM »

Tim,

I understand that companies should - and hopefully most do - test all new software/versions before rolling them out to the client boxes, however we are talking about virus definition files here. It is not reasonable to expect any IT dept. to test every virus def. update as they are often released several times daily. Heck, some companies - like Eset which I use - send out definition files hourly and even more frequently if needed!

I do agree that McAfee is remiss in not having tested the subject release a bit more thoroughly before foisting it on their (former??) customers.

Thanks!

Jim