#332256 - 21/04/2010 15:50
McAfee killing OS
|
carpal tunnel
Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
|
... in this very moment, it seems that latest McAfee DAT file is corrupt and trying to quarantine system files of Windows XP boxes. We are currently being hit in Rome, Paris, and New York. Has anybody heard of this?
My gf netbook has been hit as well. I am going crazy to bypass mcAfee and uninstall it, but it is preventing system services to start at boot, and safe mode is proving uncapable to uninistall it. I am still working on this but was hoping somebody here had any info on this.
_________________________
= Taym = MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg
|
Top
|
|
|
|
#332259 - 21/04/2010 16:02
Re: McAfee killing OS
[Re: Taym]
|
old hand
Registered: 09/01/2002
Posts: 702
Loc: Tacoma,WA
|
Uninstall it manually. Virus Protection is the number #1 waste of money on software out there. It causes more problem than it solves and just slows your system down. Just keep your system up to date and don't install software unless you know it's from a legit source. Sorry to be blunt but I have never seen Anti-Virus software be useful except in the case of users who install everything they see on the Internet and in that case it didn't really help either.
|
Top
|
|
|
|
#332260 - 21/04/2010 16:17
Re: McAfee killing OS
[Re: siberia37]
|
carpal tunnel
Registered: 08/06/1999
Posts: 7868
|
Just got the company e-mail about it here, seems it thinks SVCHOST.exe is a virus. Cute.
Guess this will be keeping a lot of IT folks busy today.
|
Top
|
|
|
|
#332261 - 21/04/2010 16:18
Re: McAfee killing OS
[Re: Taym]
|
pooh-bah
Registered: 06/04/2005
Posts: 2026
Loc: Seattle transplant
|
We were just discussing Revo Uninstaller in another thread. Have you tried it?
_________________________
10101311 (20GB- backup empeg) 10101466 (2x60GB, Eutronix/GreenLights Blue) (Stolen!)
|
Top
|
|
|
|
#332262 - 21/04/2010 16:33
Re: McAfee killing OS
[Re: Robotic]
|
carpal tunnel
Registered: 08/03/2000
Posts: 12341
Loc: Sterling, VA
|
I think if he could get far enough to use that, there wouldn't be much of a problem. Besides, for McAfee, I use the removal tool they provide. I was going to link to it, but the page won't load. I suspect there are quite a few people headed there at the moment... *edit* Nevermind, just loaded (after about a minute). Here it is.
Edited by Dignan (21/04/2010 16:33)
_________________________
Matt
|
Top
|
|
|
|
#332265 - 21/04/2010 16:47
Re: McAfee killing OS
[Re: Dignan]
|
carpal tunnel
Registered: 08/03/2000
Posts: 12341
Loc: Sterling, VA
|
Wow, I don't want to say that McAfee is outright lying, but their letter to Engadget seems to be, at the very least, a case of putting their head in the sand. They make it sound like "two or three consumers might have been affected, and even in those cases it's only a minor inconvenience." All my clients can at least be happy that I'd convinced them to ditch McAfee.
_________________________
Matt
|
Top
|
|
|
|
#332266 - 21/04/2010 17:00
Re: McAfee killing OS
[Re: Dignan]
|
carpal tunnel
Registered: 08/03/2000
Posts: 12341
Loc: Sterling, VA
|
Sorry for the third post. I thought this might be useful.
_________________________
Matt
|
Top
|
|
|
|
#332268 - 21/04/2010 17:11
Re: McAfee killing OS
[Re: Dignan]
|
carpal tunnel
Registered: 24/12/2001
Posts: 5528
|
Wow, I don't want to say that McAfee is outright lying, but their letter to Engadget seems to be, at the very least, a case of putting their head in the sand. They make it sound like "two or three consumers might have been affected, and even in those cases it's only a minor inconvenience." All my clients can at least be happy that I'd convinced them to ditch McAfee. If 30,000+ installations isn't significant then they must be doing very well for themselves
|
Top
|
|
|
|
#332269 - 21/04/2010 17:15
Re: McAfee killing OS
[Re: siberia37]
|
carpal tunnel
Registered: 24/12/2001
Posts: 5528
|
Uninstall it manually. Virus Protection is the number #1 waste of money on software out there. It causes more problem than it solves and just slows your system down. Just keep your system up to date and don't install software unless you know it's from a legit source. Sorry to be blunt but I have never seen Anti-Virus software be useful except in the case of users who install everything they see on the Internet and in that case it didn't really help either. And you think that this would work with non IT users in an office or at home? Whilst you may be able to train your users to not randomly click on anything that gets sent to them, you can't do much about the security flaws in their browser or email client. If you're just against spending money on it then use MSE.
|
Top
|
|
|
|
#332277 - 21/04/2010 18:05
Re: McAfee killing OS
[Re: tman]
|
pooh-bah
Registered: 06/04/2005
Posts: 2026
Loc: Seattle transplant
|
I'd love to see what the rate of change for downloads of MSE and other security software will be for this week.
_________________________
10101311 (20GB- backup empeg) 10101466 (2x60GB, Eutronix/GreenLights Blue) (Stolen!)
|
Top
|
|
|
|
#332279 - 21/04/2010 18:16
Re: McAfee killing OS
[Re: Robotic]
|
carpal tunnel
Registered: 30/04/2000
Posts: 3810
|
I'm trying to decide if this is "proof" that anti-virus software is evil, or whether it's just "proof" that automatic updates, hot off the presses, are evil and you'd do better to wait a few days.
|
Top
|
|
|
|
#332280 - 21/04/2010 18:22
Re: McAfee killing OS
[Re: DWallach]
|
carpal tunnel
Registered: 08/03/2000
Posts: 12341
Loc: Sterling, VA
|
I'm trying to decide if this is "proof" that anti-virus software is evil, or whether it's just "proof" that automatic updates, hot off the presses, are evil and you'd do better to wait a few days. I don't think anti-virus is inherently bad. The problem is it's impossible to train the average computer user to change their behavior, which is the #1 way to protect against infection. The other problem is that the worst virus I'm seeing around these days, "Antispyware XP 2010" and its variants, isn't seen by any of the major AV programs. The only one I know of is Malwarebytes.
_________________________
Matt
|
Top
|
|
|
|
#332281 - 21/04/2010 18:47
Re: McAfee killing OS
[Re: siberia37]
|
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
|
Virus Protection is the number #1 waste of money on software out there. It causes more problem than it solves and just slows your system down. If you limit "Virus Protection" to McAfee and Norton/Symantec, I'd agree. There are other antivirus applications, though, that don't suck as hard as they do.
_________________________
Bitt Faulk
|
Top
|
|
|
|
#332285 - 21/04/2010 19:50
Re: McAfee killing OS
[Re: tman]
|
carpal tunnel
Registered: 08/07/1999
Posts: 5549
Loc: Ajijic, Mexico
|
If 30,000+ installations isn't significant then they must be doing very well for themselves smile Whoa! And I thought Sony shot themselves in the foot with their rootkit fiasco. I think 30,000 may be just the tip of the iceberg. I Googled "McAfee svchost.exe" a minute ago and got 291,000 hits. Having had McAfee once about five years ago (hey it was free with some TurboTax software, I didn't know any better) I know not to ever let McAfee or Norton anywhere near my computer again. This debacle just reinforces that opinion. I use AVG Pro 9.x and am liking it very much. Their support is first rate and the program itself is very transparent. I do not see any noticeable change in performance whether or not it is enabled. tanstaafl.
_________________________
"There Ain't No Such Thing As A Free Lunch"
|
Top
|
|
|
|
#332288 - 21/04/2010 19:53
Re: McAfee killing OS
[Re: tanstaafl.]
|
carpal tunnel
Registered: 08/06/1999
Posts: 7868
|
This is definitely up there as far as enterprise blunders. The last one I can remember that impacted a lot of people was VMWare 3.5 deciding it was expired and shutting down countless production servers. http://www.vmhero.com/2008/08/12/esx-product-has-expired/
|
Top
|
|
|
|
#332289 - 21/04/2010 20:04
Re: McAfee killing OS
[Re: siberia37]
|
pooh-bah
Registered: 09/08/2000
Posts: 2091
Loc: Edinburgh, Scotland
|
Virus Protection is the number #1 waste of money on software out there. It causes more problem than it solves and just slows your system down. Just keep your system up to date and don't install software unless you know it's from a legit source. Sorry to be blunt but I have never seen Anti-Virus software be useful except in the case of users who install everything they see on the Internet and in that case it didn't really help either ABSOLUTELY NOT! One of the biggest costs to many of my clients - all of whom are in the Fortune 50 - is indirectly because of home users with broadband (as well as corporates with sketchy policies) not keeping AV up to date. It doesn't matter if you are a skilled techy or know nothing about IT, do the rest of the world a favour and: Patch Use AV - ideally at perimeter and desktop, and ideally use heuristic as well as signature based scanning Use firewalls - ideally hardware and software Blacklist / whitelist sites and connections Otherwise you are very likely to be part of the problem. Admittedly the problem helps keep me running a team of over 400 people full time globally, but I'd rather have them all doing interesting things rather than helping agencies with nonsense like botnet closedowns, relay shutdowns and cutting off malware and warez storage. </rant> Just use good AV, and configure it well! Very simple, and reasonably effective in conjunction with other layers of defence.
_________________________
Rory MkIIa, blue lit buttons, memory upgrade, 1Tb in Subaru Forester STi MkII, 240Gb in Mark Lord dock MkII, 80Gb SSD in dock
|
Top
|
|
|
|
#332291 - 21/04/2010 20:09
Re: McAfee killing OS
[Re: drakino]
|
carpal tunnel
Registered: 24/12/2001
Posts: 5528
|
Bad AV signatures causing false positives isn't new unfortunately and it isn't restricted to McAfee either. In the last few years, I've seen other AV products do similar things. Kaspersky, Trend Micro, ESET and AVG are all ones which I could find with a quick search. Not running any AV at all is still worse IMO.
|
Top
|
|
|
|
#332292 - 21/04/2010 20:14
Re: McAfee killing OS
[Re: frog51]
|
carpal tunnel
Registered: 12/11/2001
Posts: 7738
Loc: Toronto, CANADA
|
Virus free for over 15 years running Windows on multiple computers. No AV. Also no MS mail apps on personal systems. Yes to both router-based and client-based firewalls (in and out).
To people who aren't me, I only recommend free AV software, since it's usually better than commercial solutions. Not as invasive and generally much faster (itself and the fact it also doesn't slow down the rest of your system).
|
Top
|
|
|
|
#332295 - 21/04/2010 20:29
Re: McAfee killing OS
[Re: hybrid8]
|
carpal tunnel
Registered: 24/12/2001
Posts: 5528
|
To people who aren't me, I only recommend free AV software, since it's usually better than commercial solutions. Not as invasive and generally much faster (itself and the fact it also doesn't slow down the rest of your system). Or you could just pick non sucky commercial AV packages like NOD32. If you want something free then I generally recommend MSE now.
|
Top
|
|
|
|
#332297 - 21/04/2010 20:40
Re: McAfee killing OS
[Re: frog51]
|
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
|
Just use good AV, and configure it well! Very simple, and reasonably effective in conjunction with other layers of defence. I'd argue that simply not using IE is more effective than AV software. I've only had one notable infection at work, and it was due to accidentally ("accidentally"?) visiting dicks.com instead of dickssportinggoods.com and having IE, um, get what was happening on the site happen to it, too. Also not being a spaz. I have one user for whom my AV management interface shows as many prevented infections as everyone else put together. Perhaps twice as many as everyone else.
_________________________
Bitt Faulk
|
Top
|
|
|
|
#332299 - 21/04/2010 20:43
Re: McAfee killing OS
[Re: frog51]
|
carpal tunnel
Registered: 08/06/1999
Posts: 7868
|
but I'd rather have them all doing interesting things rather than helping agencies with nonsense like botnet closedowns, relay shutdowns and cutting off malware and warez storage. I was amazed at how quickly systems can be taken over after seeing it first hand. I was helping to set up a new ISP in the early months of 1999, and was working on a new server running some Linux distribution. I completed the base install pretty late on a Friday, and decided to call it a day. I forgot I had it directly connected to the T1 connection, and by Monday the box had been taken over, and the FBI was calling me. I worked with them to pull log files off, and sure enough, the initial intrusion happened only a few hours after I had left. Whoever did it didn't cover their tracks well, and was using the box to then attack some college system on the east coast.
|
Top
|
|
|
|
#332300 - 21/04/2010 20:48
Re: McAfee killing OS
[Re: wfaulk]
|
carpal tunnel
Registered: 08/06/1999
Posts: 7868
|
I'd argue that simply not using IE is more effective than AV software. IE is only part of it. Flash would be another gaping security hole across most browsers, and one that can hit people going to legitimate sites too. Flash banner ads can (and do) frequently carry malware payloads that the site owners aren't even aware of. This is how most peoples MMO accounts are being hacked, with some recent nasty code even defeating the Vasco authenticators. It managed to sniff the code the user was typing in, and sent it real time to the hackers who were standing by to log in before the code was invalid.
|
Top
|
|
|
|
#332309 - 21/04/2010 22:58
Re: McAfee killing OS
[Re: drakino]
|
carpal tunnel
Registered: 30/04/2000
Posts: 3810
|
Generally I agree that AV on the host isn't terribly effective. AV in an email server makes a whole lot of sense. I also like the Google warning that you're visiting an evil web site.
|
Top
|
|
|
|
#332310 - 21/04/2010 23:40
Re: McAfee killing OS
[Re: drakino]
|
carpal tunnel
Registered: 24/12/2001
Posts: 5528
|
I worked with them to pull log files off, and sure enough, the initial intrusion happened only a few hours after I had left. A few hours? If it was an unpatched Windows box then it'd be rooted within minutes. Whoever did it didn't cover their tracks well, and was using the box to then attack some college system on the east coast. Most of the people doing this don't appear to be particularly sophisticated. They're running prebuilt tools provided by somebody else to scan, break in and then install crap. Once they've done that, they generally move on to the next system. I used to administer some honeypots and it'd be fairly quiet then suddenly you'd get a large number of attack attempts because somebody somewhere released a new tool.
|
Top
|
|
|
|
#332311 - 22/04/2010 00:09
Re: McAfee killing OS
[Re: wfaulk]
|
carpal tunnel
Registered: 08/03/2000
Posts: 12341
Loc: Sterling, VA
|
Also not being a spaz. I have one user for whom my AV management interface shows as many prevented infections as everyone else put together. Perhaps twice as many as everyone else. Exactly. Like I said before, antivirus is meaningless if the user does not practice good behavior. I simply don't believe that any AV software will catch all infections, and it's up to the user to not be foolish. I have one family I do work for that has two teenage children. I've often said that a good 25% of my business comes from the crap that teenage boys do on their parents computers (don't think about that too much). I've been to their house three times for three different computers due to viruses. This last time I insisted that they had to switch to Chrome, use MSE, and described the kind of virus warnings they can trust. All that said, I think AV software is good for catching the stuff that falls through.
_________________________
Matt
|
Top
|
|
|
|
#332313 - 22/04/2010 08:35
Re: McAfee killing OS
[Re: Dignan]
|
carpal tunnel
Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
|
Ok,
We are containing / solving the issue.
Yes, DAT 5958 is faulty and is producing false positive, specifically for service.exe.
Should anybody need help, I'll post here the solution we are adopting, even step by step if you need. We are simply reverting manually, one machine at the time, to 5857 . Which is not easy as not all machines allow you to logon easily. Meanwhile, McAfee has released 5959 which seems to work.
It seems to me that McAfee is, in their official statements so far, minimizing the problem. In our three main locations, NY, Rome, Paris, we were badly hit. Yesterday it was no fan at all. I know for sure that other organizations in Paris have been badly hit. I know for sure other organizations in Rome are being badly hit. We are talking about hundreds of workstations, here, only for us. I don't know where McAfee data is coming from...
_________________________
= Taym = MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg
|
Top
|
|
|
|
#332314 - 22/04/2010 08:52
Re: McAfee killing OS
[Re: siberia37]
|
carpal tunnel
Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
|
Virus Protection is the number #1 waste of money on software out there. It causes more problem than it solves and just slows your system down. Just keep your system up to date and don't install software unless you know it's from a legit source. We are a University. In our campuses we have thousands of users of all kinds. The "don't install software unless you know it's from a legit source" just, simply, does not work. I don't mind McAfee. It works well in corp evironment, it works well with AD and is properly designed. Also, corporate versions don't have the awful GUI of the consumer versions, and it is surprisingly light. In general. it is by far more beneficial than damaging. By far. But, hopefully, they are going to change their statements about what happened yesterday; or, I'll start to dislike them a bit. This was a major issue. Major. They paralized us for one day.
Edited by taym (22/04/2010 08:52)
_________________________
= Taym = MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg
|
Top
|
|
|
|
#332315 - 22/04/2010 11:02
Re: McAfee killing OS
[Re: Taym]
|
carpal tunnel
Registered: 08/03/2000
Posts: 12341
Loc: Sterling, VA
|
I don't mind McAfee. It works well in corp evironment Yeah, whenever I bash Norton and McAfee I'm always bashing their home consumer versions. Norton's corporate version is extremely stripped down and doesn't impact performance from what I've experienced. The consumer and corporate versions of these products have to have been developed by completely separate teams at those companies. They're nothing like each other. The consumer version of Norton is awful bloatware, and in most cases I've seen it makes the computer far worse off than if it weren't on there at all.
_________________________
Matt
|
Top
|
|
|
|
#332317 - 22/04/2010 11:37
Re: McAfee killing OS
[Re: drakino]
|
carpal tunnel
Registered: 08/07/1999
Posts: 5549
Loc: Ajijic, Mexico
|
Just got the company e-mail about it here, seems it thinks SVCHOST.exe is a virus. Cute.
Guess this will be keeping a lot of IT folks busy today. Can you say Deja vu? Check out the date on this post... tanstaafl.
_________________________
"There Ain't No Such Thing As A Free Lunch"
|
Top
|
|
|
|
#332318 - 22/04/2010 11:40
Re: McAfee killing OS
[Re: Dignan]
|
carpal tunnel
Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
|
Yeah, whenever I bash Norton and McAfee I'm always bashing their home consumer versions. [...] The consumer and corporate versions of these products have to have been developed by completely separate teams at those companies. They're Agreed. I always assumed the the end-user terrible GUI itself is for real developed by some other team that that developing the core application. It really looks like the GUI adds up all the slowness of McAfee. Things may have changed in the mean time and I don't want to sound extreme, but I tried it two years ago and I honestly found it unusable, literally. My experience is that when idle, cpu usage between a machine with corp McAfee and without ir is quite identical. If you desable the on-access scan, also normal operations are just as fast in both machines. If, instead, you enable on-access scan, then you experience some general minor responsiveness, but such difference is less and less perceivable as you move to faster processors. It also seems to me, but I have not tested it extensively, that multi-core processors make the difference unperceivable most times. Provided it does not decide no service is allowed to run because they are viruses, of course. In that case, pretty much everything, from loggin on to copying files to/from a usb key, takes such a long time. An infinitely long time: you just can't do those things . Guys, what a nightmare.
_________________________
= Taym = MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg
|
Top
|
|
|
|
|
|