Topic: Here we go again with false positive antivirus actions bricking computers
mouser
« on: April 21, 2010, 03:17:32 PM »

Honestly when are these antivirus companies going to learn that this behavior is unacceptable?  You can't go around deleting people's core system files because your 1 day old untested new virus signatures "think" they found something suspicious.  Give me a break! How many times do we have to keep having this discussion?

Quote
McAfee pushed out a virus definition update, 5958, at 14:00 PDT that causes false positive identification of the critical Windows system file svchost.exe. Machines running Windows XP Service Pack 3 using the 5958 definitions will delete the file, causing many key Windows services to fail to start. The Windows file is being mistakenly detected as W32/wecorl.a. Failure to start svchost.exe causes Windows to automatically reboot, hindering repair efforts.


JavaJones
« Reply #1 on: April 21, 2010, 03:20:09 PM »

Holy crap, that's a nasty one. I think also at fault here is the default behavior being delete, and lack of any white list or safeguards. I mean come on, one would think that with an easily identifiable core system file it would first attempt to *clean*, and then failing that, it would warn the user and *leave the file intact*. Better to have a core system file infected but intact so that other tools could attempt cleanup than delete the file and possibly thwart attempts at repair.

- Oshyan

The New Adventures of Oshyan Greene - A life in pictures...
rjbull
« Reply #2 on: April 21, 2010, 03:48:01 PM »

They get away with it because "security" and "health and safety" are all-purpose justifications for anything.

wraith808
« Reply #3 on: April 21, 2010, 03:51:20 PM »

And this is the reason that a lot of people don't trust AV software- because the cure can be worse than the disease.  I'm more than a little bit upset with AVG that it deletes my NSIS files whenever they are found.

IainB
« Reply #4 on: April 21, 2010, 10:26:50 PM »

@JavaJones: Yes. When I migrated from Avast! to WSE (MS Windows Security Essentials) I followed the advice of someone on the DC forum and changed the default settings to "Quarantine" action, rather than let the thing delete according to its previous default rules.

I therefore concur with your comment:
Quote
"...I think also at fault here is the default behavior being delete, and lack of any white list or safeguards..."

bgd77
« Reply #5 on: April 22, 2010, 03:03:40 AM »

I wonder if/how they test their updates.

Quote
Just as with the BitDefender issue, this is something that would be trivially detected with even basic QA, which makes the regularity of such problems perplexing.

Does this mean they do not have QA? I can't believe this. I am pretty sure they lost a lot of customers/money because of these problems.

Does this issue appear on some particular XP SP3 configurations? Or is it a general issue?

lanux128
« Reply #6 on: April 22, 2010, 04:45:09 AM »

one word - McAfee.. Roll Eyes

bgd77
« Reply #7 on: April 22, 2010, 04:54:42 AM »

Ok, I understood. I thought it was more than that... In this case, shame on them.

40hz
« Reply #8 on: April 22, 2010, 08:29:08 AM »

I haven't looked at McAfee since a time in the mid-90's when an overnight update brought two floors' worth of PCs to their knees performance-wise - and the client decided it was all my fault because I originally spec'ed the systems.

And here I thought I was maybe carrying a grudge because I've considered McAfee to be undependable ever since.

Don't you see? It's turtles all the way down!
J-Mac
« Reply #9 on: April 22, 2010, 03:04:01 PM »

This is completely inexcusable. How can a supposedly major computer security software company, one that probably has more of its products pre-installed on systems world-wide than any other developer, possibly allow such a bug to be released to an unsuspecting public?

How can a virus definitions update that removes svchost.exe - a well-known vital Windows core system file - not realize it? Surely some testing would have been done by even the most careless developer!?!

This reinforces my resolve to never touch a McAfee product with someone else's hand, let alone mine!

This is why I have NOD32 configured to NEVER clean any suspected infection. I have all settings so that they quarantine and notify me. Never "clean", which simply means DELETE. These flaming idiots can't recognize a false positive? I'd like to say that I am not surprised, but this one surprises me. Damn!

Jim

J-Mac
Darwin
« Reply #10 on: April 22, 2010, 03:37:20 PM »

Blurs the line between the guys writing the virii and the security companies...

"Some people have a way with words, other people,... oh... have not way" - Steve Martin
mwb1100
« Reply #11 on: April 22, 2010, 03:52:53 PM »

Here's my patent-pending idea for AV companies to help solve at least some of these problems... never automatically delete any file properly signed by Microsoft.  You might even want to make it difficult to allow the user to initiate a delete operation on such a file.  Maybe have malware detected in such a file initiate a report to your tech support - either the user's computer is totally owned by malware, the malware detection has a significant flaw, or Microsoft has screwed something up royally.

Any of these 3 situations warrants careful consideration of the proper next steps, not just a blind delete (or even quarantine, in my opinion).
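
One way to express the policy proposed in the post above, as an added example that is not part of the original thread: validly signed vendor files are reported and left in place, everything else is quarantined, and escalations are grouped across hosts to separate a bad definition update from a compromised machine. The signer names, the `fleet_threshold` value, the field names and every sample record other than the svchost.exe / W32/wecorl.a / 5958 case quoted earlier are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumption: signer names the operator chooses to trust; not taken from the thread.
TRUSTED_SIGNERS = {"Microsoft Windows", "Microsoft Corporation"}

@dataclass(frozen=True)
class Detection:
    host: str
    path: str
    threat: str
    dat_version: str
    signer: str            # certificate subject, "" if unsigned
    signature_valid: bool  # verdict of the OS signature check (hypothetical input)

def is_trusted(d):
    return d.signature_valid and d.signer in TRUSTED_SIGNERS

def decide(d):
    """Per-file action: never remove a validly signed vendor file automatically."""
    if is_trusted(d):
        return "report_only"   # leave the file in place and escalate
    return "quarantine"        # reversible default for everything else

def triage(detections, fleet_threshold=3):
    """Classify escalations: many hosts hitting the same threat name under the
    same definitions points at the definitions, a lone hit points at the host."""
    hosts = defaultdict(set)
    for d in detections:
        if is_trusted(d):
            hosts[(d.threat, d.dat_version)].add(d.host)
    return {
        key: "suspect_definitions" if len(h) >= fleet_threshold else "suspect_host"
        for key, h in hosts.items()
    }

# Constructed sample records; only the first group mirrors the quoted incident.
SAMPLE = [
    Detection(f"pc{i:02d}", r"C:\WINDOWS\system32\svchost.exe",
              "W32/wecorl.a", "5958", "Microsoft Windows", True)
    for i in range(1, 5)
] + [
    Detection("pc07", r"C:\Temp\setup.exe", "Constructed.Dropper", "5958", "", False),
    Detection("pc09", r"C:\WINDOWS\system32\lsass.exe", "Constructed.Threat",
              "5957", "Microsoft Windows", True),
]

if __name__ == "__main__":
    for d in SAMPLE:
        print(d.host, d.path, decide(d))
    print(triage(SAMPLE))
```

The grouping cannot tell a flawed definition from a genuinely bad vendor file shipped to every host; both land in `suspect_definitions` and still need a human decision.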

Innuendo
« Reply #12 on: April 23, 2010, 10:34:06 AM »

Quote
Honestly when are these antivirus companies people who install McAfee products going to learn that this behavior is unacceptable?

There you go, Mouser. Fixed that for you.  cheesy

Number99
« Reply #13 on: April 23, 2010, 10:51:50 AM »

Quote
Honestly when are these antivirus companies people who install McAfee products going to learn that this behavior is unacceptable?

There you go, Mouser. Fixed that for you.  cheesy

 Thmbsup

rxantos
« Reply #14 on: April 26, 2010, 11:07:31 AM »

Why not simply require each executable to be digitally signed?
And what's the point of having an anti-virus that will act as a virus itself?

mouser
« Reply #15 on: April 26, 2010, 11:22:34 AM »

Quote
And whats the point of having an anti-virus that will act as a virus itself?

 Grin Grin Grin maybe we need a new kind of software utility:
"AntiVirus Watchdog"

its job is to watch over all anti-virus program activity and kill the antivirus if it gives a false alarm.

nudone
« Reply #16 on: April 26, 2010, 11:33:40 AM »

right, so that would be an AntiAntiVirus? or maybe an Anti2Virus?

i see a whole new industry dedicated to this threat 10 years from now.  smiley

mouser
« Reply #17 on: April 26, 2010, 11:37:53 AM »

 Grin

bgd77
« Reply #18 on: April 27, 2010, 01:21:06 AM »

Quote
Why not simply require each executable to be digitally signed?

You mean, as it happens for Symbian OSes?

I don't think it is a great idea. It would mean that every freeware application would need to be signed and I don't think that a lot of the developers would have the money to do this. I think this is one of the advantages of Windows, being able to create your little, useful application at home, run it, and then being able to distribute it around the world, on other Windows OSes where (hopefully) it will work.

Deozaan
« Reply #19 on: April 27, 2010, 01:35:01 AM »

Maybe Microsoft will sue McAfee now. That ought to get their attention!

timowers
« Reply #20 on: May 08, 2010, 06:14:45 PM »

This is what happens with mickey mouse personal 'anti-virus' software. With professional anti-virus programs this has never/will never happen.
It's a shame home users never get to experience this.

J-Mac
« Reply #21 on: May 08, 2010, 09:20:01 PM »

Quote
This is what happens with mickey mouse personal 'anti-virus' software. With professional anti-virus programs this has never/will never happen.
It's a shame home users never get to experience this.

Uhhh...  the McAfee screw up DID affect "professional" users; the false positives occurred in Enterprise versions; very few home users were affected.

Jim

J-Mac
timowers
« Reply #22 on: May 09, 2010, 08:13:34 AM »

Quote
the McAfee screw up DID affect "professional" users

Reading again I should have worded my post slightly differently. As you say in caps, 'DID' because whatever the edition type, both home and professional users know McAfee can no longer be considered a reliable solution. Any business worth its salt will never deploy a new version without having trialled it in a sandbox environment for at least a month first. Then, after deployment, all definition updates would never be pushed out as they come in, rather deployed to a red test network first, then once proven the Admin would allow deployment. These false positives should then be caught before doing any harm. Most FP's have an understandable, underlying reason but for McAfee to bang out these FP's without undergoing a basic degree of QA first is unacceptable.
There is really only one solution in the Enterprise arena that has a reliable and proven track record, which is why when McAfee contracts are up for renewal, they aren't, and are jumping ship ASAP.
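
The test-network step described in the post above can be automated as a gate; this is an added example, not part of the original post and not any vendor's engine. The byte-pattern scanner, the definition names and the file contents are constructed stand-ins, and the manifest check is an added assumption that the known-good baseline is verified before it is trusted.

```python
import hashlib

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def scan(data, definitions):
    """Toy engine: each definition maps a threat name to a byte pattern."""
    return [name for name, pattern in definitions.items() if pattern in data]

def gate(definitions, golden_files, manifest):
    """Scan known-good files with candidate definitions before wide rollout.

    golden_files: path -> bytes taken from a reference image
    manifest:     path -> expected SHA-256 of each reference file
    Returns (promote, findings); any finding blocks promotion.
    """
    findings = []
    for path, data in sorted(golden_files.items()):
        if sha256(data) != manifest.get(path):
            # The baseline itself changed, so a clean scan would prove nothing.
            findings.append((path, "baseline-mismatch"))
            continue
        for threat in scan(data, definitions):
            # A hit on a verified clean file is a false positive.
            findings.append((path, threat))
    return (not findings, findings)

# Constructed reference files and definition sets (not real signatures).
GOLDEN = {
    r"C:\WINDOWS\system32\svchost.exe": b"MZ\x90\x00 constructed-clean-svchost-body",
    r"C:\WINDOWS\system32\notepad.exe": b"MZ\x90\x00 constructed-clean-notepad-body",
}
MANIFEST = {path: sha256(data) for path, data in GOLDEN.items()}
DAT_PREVIOUS = {"Constructed.Worm": b"\xde\xad\xbe\xef"}
DAT_CANDIDATE = {**DAT_PREVIOUS, "Constructed.Overbroad": b"clean-svchost"}

if __name__ == "__main__":
    print("previous :", gate(DAT_PREVIOUS, GOLDEN, MANIFEST))
    print("candidate:", gate(DAT_CANDIDATE, GOLDEN, MANIFEST))
```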

cyberdiva
« Reply #23 on: May 09, 2010, 09:37:47 AM »

Quote
Reading again I should have worded my post slightly differently. As you say in caps, 'DID' because whatever the edition type, both home and professional users know McAfee can no longer be considered a reliable solution. Any business worth its salt will never deploy a new version without having trialled it in a sandbox environment for at least a month first.

I agree that companies should be more careful than McAfee apparently was this time, but I'm not sure how your statement above relates to the McAfee debacle in question.  McAfee wasn't putting out a new version of the software but simply new definitions, something they do every day.  Yes, they screwed up big time, but it had nothing to do with a new version of the software.  And, as Jim has already pointed out, your statement about "mickey mouse personal 'anti-virus' software" also seems off target.
« Last Edit: May 09, 2010, 09:40:32 AM by cyberdiva »

J-Mac
« Reply #24 on: May 09, 2010, 11:19:56 AM »

Tim,

I understand that companies should - and hopefully most do - test all new software/versions before rolling them out to the client boxes, however we are talking about virus definition files here. It is not reasonable to expect any IT dept. to test every virus def. update as they are often released several times daily. Heck, some companies - like Eset which I use - send out definition files hourly and even more frequently if needed!

I do agree that McAfee is remiss in not having tested the subject release a bit more thoroughly before foisting it on their (former??) customers.

Thanks!

Jim

J-Mac