Topic: Here we go again with false positive antivirus actions bricking computers

mouser

Honestly when are these antivirus companies going to learn that this behavior is unacceptable?  You can't go around deleting people's core system files because your 1 day old untested new virus signatures "think" they found something suspicious.  Give me a break! How many times do we have to keep having this discussion?

McAfee pushed out a virus definition update, 5958, at 14:00 PDT that causes false positive identification of the critical Windows system file svchost.exe. Machines running Windows XP Service Pack 3 using the 5958 definitions will delete the file, causing many key Windows services to fail to start. The Windows file is being mistakenly detected as W32/wecorl.a. Failure to start svchost.exe causes Windows to automatically reboot, hindering repair efforts.

JavaJones

Holy crap, that's a nasty one. I think also at fault here is the default behavior being delete, and lack of any white list or safeguards. I mean come on, one would think that with an easily identifiable core system file it would first attempt to *clean*, and then failing that, it would warn the user and *leave the file intact*. Better to have a core system file infected but intact so that other tools could attempt cleanup than delete the file and possibly thwart attempts at repair.

- Oshyan

rjbull

They get away with it because "security" and "health and safety" are all-purpose justifications for anything.

wraith808

And this is the reason that a lot of people don't trust AV software - because the cure can be worse than the disease.  I'm more than a little bit upset with AVG that it deletes my NSIS files whenever they are found.

IainB

@JavaJones: Yes. When I migrated from Avast! to WSE (MS Windows Security Essentials) I followed the advice of someone on the DC forum and changed the default settings to "Quarantine" action, rather than let the thing delete according to its previous default rules.

I therefore concur with your comment:
"...I think also at fault here is the default behavior being delete, and lack of any white list or safeguards..."

bgd77

I wonder if/how do they test their updates.

Just as with the BitDefender issue, this is something that would be trivially detected with even basic QA, which makes the regularity of such problems perplexing.

Does this mean they do not have QA? I can't believe this. I am pretty sure they lost a lot of customers/money because of these problems.

Does this issue appear on some particular XP SP3 configurations? Or is it a general issue?

lanux128

one word - McAfee.. ::)

bgd77

Ok, I understood. I thought it was more than that... In this case, shame on them.

40hz

I haven't looked at McAfee since a time in the mid-90's when an overnight update brought two floors worth of PCs to their knees performance-wise - and the client decided it was all my fault because I originally spec'ed the systems.

And here I thought I was maybe carrying a grudge because I've considered McAfee to be undependable ever since.

J-Mac

This is completely inexcusable. How can a supposedly major computer security software company, one that probably has more of its products pre-installed on systems world-wide than any other developer, possibly allow such a bug to be released to an unsuspecting public?

How can a virus definitions update that removes svchost.exe - a well-known vital Windows core system file - not realize it? Surely some testing would have been done by even the most careless developer!?!

This reinforces my resolve to never touch a McAfee product with someone else's hand, let alone mine!

This is why I have NOD32 configured to NEVER clean any suspected infection. I have all settings so that they quarantine and notify me. Never "clean", which simply means DELETE. These flaming idiots can't recognize a false positive? I'd like to say that I am not surprised, but this one surprises me. Damn!

Jim

Darwin

Blurs the line between the guys writing the virii and the security companies...

mwb1100

Here's my patent-pending idea for AV companies to help solve at least some of these problems... never automatically delete any file properly signed by Microsoft.  You might even want to make it difficult to allow the user to initiate a delete operation on such a file.  Maybe have malware detected in such a file initiate a report to your tech support - either the user's computer is totally owned by malware, the malware detection has a significant flaw, or Microsoft has screwed something up royally.

Any of these 3 situations warrants careful consideration of the proper next steps, not just a blind delete (or even quarantine, in my opinion).
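One way such a safeguard could look in practice, as an added example written for this thread and not code from any AV product: a flagged file is never deleted outright, a file carrying a valid Microsoft Authenticode signature is escalated as a report, and anything else is moved to quarantine with a hash record. The function names and the quarantine directory are assumptions; it relies on Windows' own Get-AuthenticodeSignature cmdlet.

```powershell
# Added example (not from the thread or any vendor). Assumes Windows PowerShell 5.1
# or PowerShell 7 on Windows, where Get-AuthenticodeSignature also resolves catalog
# signatures (how most system files are signed). Function names are hypothetical.

function Get-FlaggedFileAction {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$DetectionName
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    # 'Valid' means the signature verified and chains to a trusted root; the subject
    # check narrows it to Microsoft. Pinning the issuer chain would be stricter still.
    if ($sig.Status -eq 'Valid' -and $subject -match 'O=Microsoft Corporation') {
        return [pscustomobject]@{ Path = $Path; Detection = $DetectionName
            Action = 'Report'; Reason = "valid Microsoft signature: $subject" }
    }
    # HashMismatch: a signed file whose bytes no longer match its signature, i.e.
    # tampered or patched. Worth keeping intact for analysis, not deleting.
    $reason = if ($sig.Status -eq 'HashMismatch') { 'signed file fails hash check' }
              else { "signature status $($sig.Status)" }
    return [pscustomobject]@{ Path = $Path; Detection = $DetectionName
        Action = 'Quarantine'; Reason = $reason }
}

function Invoke-FlaggedFileAction {
    param(
        [Parameter(Mandatory)]$Decision,
        [Parameter(Mandatory)][string]$QuarantineDir
    )
    if ($Decision.Action -eq 'Report') {
        # Escalate instead of acting: either the detection is a false positive or
        # the machine is compromised more deeply than a file delete can fix.
        Write-Warning "REPORT $($Decision.Detection) on $($Decision.Path): $($Decision.Reason)"
        return
    }
    New-Item -ItemType Directory -Path $QuarantineDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMddHHmmss'
    $dest  = Join-Path $QuarantineDir "$(Split-Path $Decision.Path -Leaf).${stamp}.quarantined"
    # Record the SHA-256 before moving so the file can be matched up later.
    $hash = (Get-FileHash -LiteralPath $Decision.Path -Algorithm SHA256).Hash
    Move-Item -LiteralPath $Decision.Path -Destination $dest
    "$stamp`t$hash`t$($Decision.Path)`t$($Decision.Detection)`t$($Decision.Reason)" |
        Add-Content -LiteralPath (Join-Path $QuarantineDir 'quarantine.log')
    Write-Warning "QUARANTINED $($Decision.Path) -> $dest"
}

# Usage (constructed paths): run the decision, then act on it.
Invoke-FlaggedFileAction (Get-FlaggedFileAction 'C:\Temp\suspect.exe' 'Example.Detection') 'C:\AVQuarantine'
```

The quarantine path keeps a copy other tools can still inspect or restore, which is the point the post makes against a blind delete.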

Innuendo

Honestly when are these antivirus companies people who install McAfee products going to learn that this behavior is unacceptable?

There you go, Mouser. Fixed that for you.  :D

Number99

Honestly when are these antivirus companies people who install McAfee products going to learn that this behavior is unacceptable?

There you go, Mouser. Fixed that for you.  :D

 :Thmbsup:

rxantos

Why not simply require each executable to be digitally signed?
And what's the point of having an anti-virus that will act as a virus itself?

mouser

And what's the point of having an anti-virus that will act as a virus itself?

 ;D ;D ;D maybe we need a new kind of software utility:
"AntiVirus Watchdog"

its job is to watch over all anti-virus program activity and kill the antivirus if it gives a false alarm.

nudone

right, so that would be an AntiAntiVirus? or maybe an Anti2Virus?

I see a whole new industry dedicated to this threat 10 years from now.  :)

bgd77

Why not simply require each executable to be digitally signed?

You mean, as it happens for Symbian OSes?

I don't think it is a great idea. It would mean that every freeware application would need to be signed and I don't think that a lot of the developers would have the money to do this. I think this is one of the advantages of Windows, being able to create your little, useful application at home, run it, and then being able to distribute it around the world, on other Windows OSes where (hopefully) it will work.

Deozaan

Maybe Microsoft will sue McAfee now. That ought to get their attention!

timowers

This is what happens with mickey mouse personal 'anti-virus' software. With professional anti-virus programs this has never/will never happen.
It's a shame home users never get to experience this.

J-Mac

This is what happens with mickey mouse personal 'anti-virus' software. With professional anti-virus programs this has never/will never happen.
It's a shame home users never get to experience this.

Uhhh...  the McAfee screw up DID affect "professional" users; the false positives occurred in Enterprise versions; very few home users were affected.

Jim

timowers

the McAfee screw up DID affect "professional" users

Reading again I should have worded my post slightly differently. As you say in caps, 'DID' because whatever the edition type, both home and professional users know McAfee can no longer be considered a reliable solution. Any business worth its salt will never deploy a new version without having trialled it in a sandbox environment for at least a month first. Then, after deployment all definition updates would never be pushed out as they come in, rather deployed to a red test network first, then once proven the Admin would allow deployment. These false positives should then be caught before doing any harm. Most FP's have an understandable, underlying reason but for McAfee to bang out these FP's without undergoing a basic degree of QA first is unacceptable.
There is really only one solution in the Enterprise arena that has a reliable and proven track record, which is why when McAfee contracts are up for renewal, they aren't, and are jumping ship ASAP.

cyberdiva

Reading again I should have worded my post slightly differently. As you say in caps, 'DID' because whatever the edition type, both home and professional users know McAfee can no longer be considered a reliable solution. Any business worth its salt will never deploy a new version without having trialled it in a sandbox box environment for at least a month first.
I agree that companies should be more careful than McAfee apparently was this time, but I'm not sure how your statement above relates to the McAfee debacle in question.  McAfee wasn't putting out a new version of the software but simply new definitions, something they do every day.  Yes, they screwed up big time, but it had nothing to do with a new version of the software.  And, as Jim has already pointed out, your statement about "mickey mouse personal 'anti-virus' software" also seems off target.
« Last Edit: May 09, 2010, 09:40 AM by cyberdiva »

J-Mac

Tim,

I understand that companies should - and hopefully most do - test all new software/versions before rolling them out to the client boxes, however we are talking about virus definition files here. It is not reasonable to expect any IT dept. to test every virus def. update as they are often released several times daily. Heck, some companies - like Eset which I use - send out definition files hourly and even more frequently if needed!

I do agree that McAfee is remiss in not having tested the subject release a bit more thoroughly before foisting it on their (former??) customers.

Thanks!

Jim