It was about noon today when the first reports started coming in. Several people reported seeing a message on their screen from McAfee VirusScan indicating that their machine was infected with a virus. Then, their machines shut down. As I was looking over the shoulder of one of my SAs, I saw the same thing happen to his machine. VirusScan claimed to have detected the W32/Wecorl.a virus, showing a message similar to this:
The file C:\WINDOWS\system32\svchost.exe contains the W32/Wecorl.a Virus. Undetermined clean error, OAS denied access and continued. Detected using Scan engine version 5400.1158 DAT version 5958.0000.
My first reaction was that we were suffering a worm outbreak. However, after a couple of minutes it became clear that this was not malware, but badware. The 5958 DAT released by McAfee today incorrectly detected the svchost.exe file on Windows systems as a virus and then proceeded to delete/quarantine it. We took several actions immediately:
- We added an exclusion for the svchost.exe file and pushed it out to all PCs
- We deleted the 5958 DAT from the ePO software repository
- We stopped the automated download of DAT files from McAfee
- We disabled the automatic push of DAT files to client machines
The svchost.exe file is very important for the proper operation of Windows and PCs cannot function properly without it. Luckily, we only had a handful of systems that were impacted before we could prevent further damage. Repairing the problem required physically visiting each system with a USB thumb drive to replace the deleted file. Being a small company, this was not a huge issue for us. However, large enterprises have been severely impacted with losses mounting as IT staff physically go to each machine to undo the damage.
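The four actions above amount to a gate between "signature update received" and "signature update pushed to every PC". As an added example, not code from the original post and not McAfee or ePO tooling, here is a small Python triage script that parses alert text in the format quoted above and holds back any DAT version that flags an OS-critical binary on more than one host. The host names, the "HOST<TAB>message" log layout, the second DAT version and the host threshold are constructed assumptions; the alert wording and the 5958.0000 version come from the post.

```python
"""Triage on-access scan alerts for a probable bad-signature (false positive) DAT.

Constructed example: the alert wording follows the message quoted in the post;
the HOST<TAB>message layout, host names and the min_hosts threshold are assumed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Regex for the alert wording quoted in the post. The free-text "action"
# ("Undetermined clean error, ...") sits between the virus name and "Detected using".
ALERT_RE = re.compile(
    r"The file (?P<path>.+?) contains the (?P<threat>\S+) Virus\. "
    r"(?P<action>.*?)\s*Detected using Scan engine version (?P<engine>\d+(?:\.\d+)*) "
    r"DAT version (?P<dat>\d+(?:\.\d+)*)\.?$"
)

# Windows binaries the OS cannot run without. A signature firing on one of these
# on many machines at once is far more likely a bad DAT than a real infection.
CRITICAL_FILES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\lsass.exe",
    r"c:\windows\system32\winlogon.exe",
    r"c:\windows\system32\csrss.exe",
}


@dataclass(frozen=True)
class Alert:
    host: str
    path: str
    threat: str
    action: str
    engine: str
    dat: str


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one 'HOST<TAB>message' line; return None for lines that do not match."""
    host, sep, message = line.partition("\t")
    if not sep:
        return None
    m = ALERT_RE.match(message.strip())
    if not m:
        return None
    return Alert(host=host.strip(), **m.groupdict())


def triage(lines, min_hosts: int = 2):
    """Return {dat_version: {critical_path: [hosts]}} for DATs that should be held.

    A DAT is held when it flags a critical OS file on at least `min_hosts`
    distinct machines. Real malware rarely overwrites the same system binary on
    many hosts within minutes of a signature push; a bad signature does exactly that.
    """
    hits = defaultdict(set)  # (dat, lowercased path) -> set of hosts
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        path = alert.path.lower()
        if path in CRITICAL_FILES:
            hits[(alert.dat, path)].add(alert.host)
    held = {}
    for (dat, path), hosts in hits.items():
        if len(hosts) >= min_hosts:
            held.setdefault(dat, {})[path] = sorted(hosts)
    return held


# Constructed sample log: two hosts hit by the 5958 DAT on svchost.exe, one real-looking
# detection in a user download, one svchost hit under an (assumed) earlier DAT, and junk.
SVCHOST_MSG = (
    "The file C:\\WINDOWS\\system32\\svchost.exe contains the W32/Wecorl.a Virus. "
    "Undetermined clean error, OAS denied access and continued. "
    "Detected using Scan engine version 5400.1158 DAT version {dat}."
)
SAMPLE_ALERTS = [
    "pc-01\t" + SVCHOST_MSG.format(dat="5958.0000"),
    "pc-02\t" + SVCHOST_MSG.format(dat="5958.0000"),
    "pc-03\tThe file C:\\Users\\bob\\Downloads\\invoice.exe contains the W32/Wecorl.a Virus. "
    "Deleted. Detected using Scan engine version 5400.1158 DAT version 5958.0000.",
    "pc-04\t" + SVCHOST_MSG.format(dat="5957.0000"),
    "garbage line without a tab separator",
]

if __name__ == "__main__":
    for dat, paths in triage(SAMPLE_ALERTS).items():
        print(f"HOLD DAT {dat}: critical-file detections {paths}")
```

Run on the constructed sample, only DAT 5958.0000 is held (svchost.exe on pc-01 and pc-02); the single 5957.0000 hit and the download-folder detection pass through. In practice the check would sit in front of the repository pull or the client push, so the pause described in the post happens before the first machine loses svchost.exe rather than after.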
McAfee VirusScan is one of the most widely used anti-virus products in the world. This is not because it is particularly good at malware detection and removal, but because of its superior management tools. I have used McAfee products for many years and can attest that this is not the first time McAfee has had such an incident. In fact, just a few months ago we had to update the code on our web sites because McAfee VirusScan falsely alerted our visitors that we had malware on our site. Below is a list of links documenting recent instances of false positive detections from McAfee:
This list only covers the last couple of years and only the major false positives that caused enough problems to be reported. I for one am getting tired of dealing with these incidents. I expect more from a major security vendor such as McAfee. Given the number of issues they have had over the years, it is clear that they need to improve their QA processes. Right now I am more concerned about the next update from McAfee than I am about a malware infection. And that is not a good thing for McAfee as I will definitely be evaluating other vendors when it comes time to renew our subscription.
Tags: McAfee, McAfee 5958, McAfee False Positive