McAfee killing OS

... in this very moment, it seems that latest McAfee DAT file is corrupt and trying to quarantine system files of Windows XP boxes. We are currently being hit in Rome, Paris, and New York. Has anybody heard of this?

My gf netbook has been hit as well. I am going crazy to bypass mcAfee and uninstall it, but it is preventing system services to start at boot, and safe mode is proving uncapable to uninistall it. I am still working on this but was hoping somebody here had any info on this.

Uninstall it manually. Virus Protection is the number #1 waste of money on software out there. It causes more problem than it solves and just slows your system down. Just keep your system up to date and don't install software unless you know it's from a legit source. Sorry to be blunt but I have never seen Anti-Virus software be useful except in the case of users who install everything they see on the Internet and in that case it didn't really help either.

Just got the company e-mail about it here, seems it thinks SVCHOST.exe is a virus. Cute.

Guess this will be keeping a lot of IT folks busy today.

We were just discussing Revo Uninstaller in another thread. Have you tried it?

I think if he could get far enough to use that, there wouldn't be much of a problem.

Besides, for McAfee, I use the removal tool they provide. I was going to link to it, but the page won't load. I suspect there are quite a few people headed there at the moment...

*edit*
Nevermind, just loaded (after about a minute). Here it is.

Wow, I don't want to say that McAfee is outright lying, but their letter to Engadget seems to be, at the very least, a case of putting their head in the sand.

They make it sound like "two or three consumers might have been affected, and even in those cases it's only a minor inconvenience."

All my clients can at least be happy that I'd convinced them to ditch McAfee.

Sorry for the third post. I thought this might be useful.

If 30,000+ installations isn't significant then they must be doing very well for themselves

And you think that this would work with non IT users in an office or at home? Whilst you may be able to train your users to not randomly click on anything that gets sent to them, you can't do much about the security flaws in their browser or email client.

If you're just against spending money on it then use MSE.

I'd love to see what the rate of change for downloads of MSE and other security software will be for this week.

I'm trying to decide if this is "proof" that anti-virus software is evil, or whether it's just "proof" that automatic updates, hot off the presses, are evil and you'd do better to wait a few days.

I don't think anti-virus is inherently bad. The problem is it's impossible to train the average computer user to change their behavior, which is the #1 way to protect against infection.

The other problem is that the worst virus I'm seeing around these days, "Antispyware XP 2010" and its variants, isn't seen by any of the major AV programs. The only one I know of is Malwarebytes.

If you limit "Virus Protection" to McAfee and Norton/Symantec, I'd agree. There are other antivirus applications, though, that don't suck as hard as they do.

Whoa! And I thought Sony shot themselves in the foot with their rootkit fiasco.

I think 30,000 may be just the tip of the iceberg. I Googled "McAfee svchost.exe" a minute ago and got 291,000 hits.

Having had McAfee once about five years ago (hey it was free with some TurboTax software, I didn't know any better) I know not to ever let McAfee or Norton anywhere near my computer again. This debacle just reinforces that opinion.

I use AVG Pro 9.x and am liking it very much. Their support is first rate and the program itself is very transparent. I do not see any noticeable change in performance whether or not it is enabled.

tanstaafl.

This is definitely up there as far as enterprise blunders. The last one I can remember that impacted a lot of people was VMWare 3.5 deciding it was expired and shutting down countless production servers.

http://www.vmhero.com/2008/08/12/esx-product-has-expired/

ABSOLUTELY NOT!

One of the biggest costs to many of my clients - all of whom are in the Fortune 50 - is indirectly because of home users with broadband (as well as corporates with sketchy policies) not keeping AV up to date. It doesn't matter if you are a skilled techy or know nothing about IT, do the rest of the world a favour and:

Patch
Use AV - ideally at perimeter and desktop, and ideally use heuristic as well as signature based scanning
Use firewalls - ideally hardware and software
Blacklist / whitelist sites and connections

Otherwise you are very likely to be part of the problem. Admittedly the problem helps keep me running a team of over 400 people full time globally, but I'd rather have them all doing interesting things rather than helping agencies with nonsense like botnet closedowns, relay shutdowns and cutting off malware and warez storage.

</rant>

Just use good AV, and configure it well! Very simple, and reasonably effective in conjunction with other layers of defence.

Bad AV signatures causing false positives isn't new unfortunately and it isn't restricted to McAfee either. In the last few years, I've seen other AV products do similar things. Kaspersky, Trend Micro, ESET and AVG are all ones which I could find with a quick search.

Not running any AV at all is still worse IMO.

Virus free for over 15 years running Windows on multiple computers. No AV. Also no MS mail apps on personal systems. Yes to both router-based and client-based firewalls (in and out).

To people who aren't me, I only recommend free AV software, since it's usually better than commercial solutions. Not as invasive and generally much faster (itself and the fact it also doesn't slow down the rest of your system).

Or you could just pick non sucky commercial AV packages like NOD32. If you want something free then I generally recommend MSE now.

I'd argue that simply not using IE is more effective than AV software.

I've only had one notable infection at work, and it was due to accidentally ("accidentally"?) visiting dicks.com instead of dickssportinggoods.com and having IE, um, get what was happening on the site happen to it, too.

Also not being a spaz. I have one user for whom my AV management interface shows as many prevented infections as everyone else put together. Perhaps twice as many as everyone else.

I was amazed at how quickly systems can be taken over after seeing it first hand. I was helping to set up a new ISP in the early months of 1999, and was working on a new server running some Linux distribution. I completed the base install pretty late on a Friday, and decided to call it a day. I forgot I had it directly connected to the T1 connection, and by Monday the box had been taken over, and the FBI was calling me. I worked with them to pull log files off, and sure enough, the initial intrusion happened only a few hours after I had left. Whoever did it didn't cover their tracks well, and was using the box to then attack some college system on the east coast.

IE is only part of it. Flash would be another gaping security hole across most browsers, and one that can hit people going to legitimate sites too. Flash banner ads can (and do) frequently carry malware payloads that the site owners aren't even aware of. This is how most peoples MMO accounts are being hacked, with some recent nasty code even defeating the Vasco authenticators. It managed to sniff the code the user was typing in, and sent it real time to the hackers who were standing by to log in before the code was invalid.

Generally I agree that AV on the host isn't terribly effective. AV in an email server makes a whole lot of sense. I also like the Google warning that you're visiting an evil web site.

A few hours? If it was an unpatched Windows box then it'd be rooted within minutes.


Most of the people doing this don't appear to be particularly sophisticated. They're running prebuilt tools provided by somebody else to scan, break in and then install crap. Once they've done that, they generally move on to the next system. I used to administer some honeypots and it'd be fairly quiet then suddenly you'd get a large number of attack attempts because somebody somewhere released a new tool.

Exactly. Like I said before, antivirus is meaningless if the user does not practice good behavior. I simply don't believe that any AV software will catch all infections, and it's up to the user to not be foolish.

I have one family I do work for that has two teenage children. I've often said that a good 25% of my business comes from the crap that teenage boys do on their parents computers (don't think about that too much).

I've been to their house three times for three different computers due to viruses. This last time I insisted that they had to switch to Chrome, use MSE, and described the kind of virus warnings they can trust.

All that said, I think AV software is good for catching the stuff that falls through.

Ok,

We are containing / solving the issue.

Yes, DAT 5958 is faulty and is producing false positive, specifically for service.exe.

Should anybody need help, I'll post here the solution we are adopting, even step by step if you need. We are simply reverting manually, one machine at the time, to 5857 . Which is not easy as not all machines allow you to logon easily.
Meanwhile, McAfee has released 5959 which seems to work.

It seems to me that McAfee is, in their official statements so far, minimizing the problem. In our three main locations, NY, Rome, Paris, we were badly hit. Yesterday it was no fan at all.
I know for sure that other organizations in Paris have been badly hit. I know for sure other organizations in Rome are being badly hit. We are talking about hundreds of workstations, here, only for us. I don't know where McAfee data is coming from...

We are a University. In our campuses we have thousands of users of all kinds. The "don't install software unless you know it's from a legit source" just, simply, does not work.

I don't mind McAfee. It works well in corp evironment, it works well with AD and is properly designed. Also, corporate versions don't have the awful GUI of the consumer versions, and it is surprisingly light. In general. it is by far more beneficial than damaging. By far.
But, hopefully, they are going to change their statements about what happened yesterday; or, I'll start to dislike them a bit. This was a major issue. Major. They paralized us for one day.

Yeah, whenever I bash Norton and McAfee I'm always bashing their home consumer versions. Norton's corporate version is extremely stripped down and doesn't impact performance from what I've experienced. The consumer and corporate versions of these products have to have been developed by completely separate teams at those companies. They're nothing like each other.

The consumer version of Norton is awful bloatware, and in most cases I've seen it makes the computer far worse off than if it weren't on there at all.

Can you say Deja vu? Check out the date on this post...

tanstaafl.

Agreed. I always assumed the the end-user terrible GUI itself is for real developed by some other team that that developing the core application. It really looks like the GUI adds up all the slowness of McAfee. Things may have changed in the mean time and I don't want to sound extreme, but I tried it two years ago and I honestly found it unusable, literally.

My experience is that when idle, cpu usage between a machine with corp McAfee and without ir is quite identical. If you desable the on-access scan, also normal operations are just as fast in both machines. If, instead, you enable on-access scan, then you experience some general minor responsiveness, but such difference is less and less perceivable as you move to faster processors. It also seems to me, but I have not tested it extensively, that multi-core processors make the difference unperceivable most times.

Provided it does not decide no service is allowed to run because they are viruses, of course. In that case, pretty much everything, from loggin on to copying files to/from a usb key, takes such a long time. An infinitely long time: you just can't do those things .
Guys, what a nightmare.

The corporate versions are only as good as the IT person who sets them up. At my previous job, the local IT people configured Norton well, protecting the systems while also not impacting performance of work related tasks. Then someone up the chain at another location decided to take over and the systems slowed to a crawl.

McAfee at my current place of employment works ok for the most part, but I have had to disable it a few times when it silently would do something to a new program install and cause it to fail.

That one looks legitimate. There are plenty of viruses that try and infect SVCHOST, due to it being a required OS file. It's responsible for running many services on a Windows machine, both Microsoft and 3rd party ones.


It all depends on what is being done on the system. Processors have generally been fast enough for a while to mask the CPU performance impact of on access scanning. Hard drives however haven't kept up speed wise, and multi core processors can just make the situation worse with many more processes trying to perform IO running in parallel. Generally, on access scanning of a machine that is compiling code will add a very noticeable amount of overhead to the task, especially if the link step consumes most of the memory on the machine leaving none for the windows cache.

True. I meant, more precisely, standard office usage(Internet browsing, Word Processing, average Excel usage, sometimes advanced, rarely very advanced, Power point usage, of all levels, Email)

I got off pretty easy on this. While my employer does use McAfee (about 80K installs), and I know several of our sites around the world were hit with this, I didn't hear a single reported case at my site (~500 installs).

We switched from Norton to McAfee last year, and before I never would have thought I would miss Norton. The performance we see "on the front lines" for McAfee is horrible. We have had far more outbreaks that required manual cleaning. But since we're not the ones signing the checks we just do what we're told. :S

For the records, I am 15 years virus free on my Windows based machines without an antivirus, using IE daily since IE4 as my main browser, and using Outlook as a mail client for the last 10 years.

And, never seen any BSOD on Windows Server boxes since Windows NT4, in the last 10 years.

And, an uptime of more than 2 years on a Windows Server machine not connected to the internet and not needing any update-> reboot.

It's quite easy to disprove popular believes with single examples. Neither the former nor the latter are relevant, IMO, to prove anything, if not apparently support the arguments of this or that system's fan.

I am not saying that this is the case. I am instead saying that IMO the best way to protect oneself from viruses Is to keep ones machines as updated as possible, and yesterday's McAfee issues, statistically, does not change that. Of course, if such a disaster happened again one may decide do drop McAfee and opt for some other product.

Otherwise, as to my personal experiences above with IE, OL, AV Software, DSOD, Uptime, etc... I must have been extremely, extremely lucky so far.

For a minute there I thought you were still using IE4 and was about to ask if you were crazy


BSODs are generally caused by bad drivers or bad hardware but Windows takes the blame for it.


If it is a standalone machine that nothing else connects to then sure, leave it unpatched but if other machines do connect to it even if it isn't on the internet then you should patch it.

Some people would agree I am, but for other reasons


Ditto.


It was little irresponsible, but not so much. It was a file server shared by four people for non critical content. I'had meant to put it down for years and never did, to the point that its uptime became object of fun; eventually we relocated and transportation would last longer than any UPS available around would. So, I had to power ir down.

Windows shouldn't blue screen because of a bad call in a printer driver. Thankfully Microsoft felt the same way, and moved printer drivers out of ring 0 in 2000. Slowly, they are moving more and more out of ring 0. I've seen a number of times my machine would have BSODed in XP, but not in 7 due to video drivers moving what they can down into user space.

Yeah. Back in the old NT 3 days, most of the subsystems were actually outside of the kernel and in userspace. NT 4 moved a bunch of subsystems into the kernel to improve performance.

The Intel graphics driver for my laptop is really flakey and does crash quite often. I see the little balloon popup to say that something went wrong but it recovered. It must leave the hardware in an odd state however as its not quite right afterwards.

It all depends on how paranoid and or caring corporate is. Some just turn on all the features in an "I can't be blamed for being too safe." mode of thinking.

As long as we're wagging dicks, I'm 15 years Windows-free, and because I'm a Linux user, I don't even have to provide technical (or virus cleaning) support for friends or family!

... and without a tool to inform you, how would you know you were virus free?

Just kidding of course. I think it's completely normal to go 15 years on Windows without encountering a virus: If you never install any software from strange sources, never surf to any strange web sites, and never open HTML emails or emails with attachments, then there'd be no way to catch any viruses.

There have been a large number of remote Windows exploits. If you add "behind a firewall" to that list, then maybe.

Right.

And keep your Windows up-to-date. The last major remote exploit was years ago when Blaster got out. Most exploits since then have not really been exploited in the wild to a significant extent. Probably because big business and education learned to actually update there Windows installation, most were not doing it back then.

Indeed. I mean really, who goes to http://wellsfargo.com anyhow? Just thinking back to the rash of IIS exploits that lead to malware being sent from very legitimate sites to their visitors that happened a number of years ago.

https://www.wellsfargo.com/

One of the Windows machines I mention is actually a web server open to the internet, and it actually offers more services and therefore open ports than just the 80. Of course it is also behind a firewall that only allows access to designated ports.
In any case, it is not a maybe, it's a fact.

I am not - and was not - showing off . I think it is perfectly normal, as others said. My point was instead that saying that Windows/OSX/Linux machines are "unsafe" or "unrealiable", or that IE/Firefox/Safari is, or that Outlook is, are simply extremely generic statements, generic to the point that they have very little meaning in reality. The ones above are all mature products, and they are all beyond the stage where you can simply say "that's bad, this is good".

One may point out weaknesses and stregths of the above software; one may discuss on versions, updates, speed to release updates, user behavior, plug-ins, popularity, amount of known bugs and hypotetical unknown ones, methods to estimates them, the good and the bad of open and closed source, and what not. Similarly, the fact that I or Bruno were virus-free for 15 years without an antivirus also does not prove anything accurate in terms of "safety", as one may argue that this or that piece of software is or is not properly designed to remain safe in the hands of the average user rather than the enthusiast or the professional, discuss ad infinitum on who "average" users actually are, and what not...
To simply find out that all those elements create a more complex reality that the one depicted by the "This is bad, that is good" approach. On the contrary, those elements will make this or that product change its safety/security position versus competitors depending on time, type of user base, version, design features, etc. I think the rest is just "religion war".

As a side note, guys, to me no matter how perfect a logo is, how credible and clever the wording is, an email asking me to reply with my password(s) is just phishing. I delete it without even thinking; I have just no doubt. But, I know extremely well educated and brilliant academic professionals who simply plainly believe what they read and give out their personal data and credit card number! While I find it more and more shocking as the internet becomes part of the popular culture and everyone's daily life, it still just happens, _regularly_. This alone tells a lot in terms of psychology or human beings, where they put their trust; it also makes NO software really "safe" unless you stop allowing software to run on it, just like no car really is unless you stop driving it; and of course this will always penalize the most popular software versus the most elithist for the simple reason that the most popular will be used by the brilliant professionals who really believe their bank needs their passwords and PINs and CC# in an email message.

No Disturbance in the Force I sense, of course.

This really says it all:



Good article, Ed Bott.

Ouch. Leaving out XP SP3 in their testing??

Ahh, here we go, a more modern example of a "strange" site not to visit to avoid malware.

US Treasury site hacked to distribute malware