A recent McAfee service pack led to systems being rendered unbootable, according to posts on the security giant's support forums. The mandatory service pack for McAfee's corporate Virus scanning product, VSE 8.7, was designed to address minor security bugs but instead tagged windows system files as malware. The software update …
im installing that very product into a company with over 50 computers and 0% tolerance for downtime !!!!!
i would really really really like to know more about what files were flagged up !!!
Fail and the SysAdmin
The people who made the biggest booboo were the sysAdmins who rolled it out without properly testing it on their builds first.
Ychafi ( as we say up here in Wales ) is more like it!
Paris - definitely ychafi.
I think its time that as an IT community, we explained to users that AV is bad
I've always had more problems with AV products that they've solved. I'd especially never put A/V on a server! (Unless it is a file server). What are people doing having access to upload stuff to your server anyway? Its like IE7 "secure mode" with win 2008. If you have server admins browsing for porn on your servers, then you have bigger security problems than malicious web pages. You only get viruses from two things: porn and warez. End of story. Block those sites from your corporate network.
AV slows down machines, incorrectly deletes files, installs itself into all the same hooks that viruses themselves use, and if you follow good defense rules elsewhere, then it is a non-issue (again except for end-user machines and file servers).
I'm tired of walking into a company, finding that A/V is the biggest performance problem with a server, and being thrown out like I'm raving mad. And stupid rules like PCI mandate this stuff.
The age of A/V is coming to an end. There are way more viruses being produced each year than researchers to defend them, and they are overwhelmed, and obviously making mistakes. Blacklisting has reached its limit: white-listing, lock-down, sandboxes, and secure OS design are the way forward. It will just take Luddites 10 more years to realize that.
"tagged windows system files as malware"
<insert obligatory 'just doing its job' comment here>
Absolutely agree. I've managed 15 years of regular and heavy Internet use without the aid of Antivirus software. Compared to what I've seen on some friends systems running AV, it is
like having the next processor up, more memory and a faster disk. All it takes is a decent
firewall and browser settings that default to paranoid. Trusted sites can be assigned more
relaxed settings. Only download executables from trusted sources, and even then don't go
for anything that hasn't been around for at least a week - let someone else's Virus scan do the job for you! An email client that only does text mode is also a good idea.
Some elementary precautions is all it takes to wave goodbye to the virus writers, the antvirus writers and their silly little war. Get with it and get the performance you paid for.
Identifying Windows files as Malware
Well, at least McAfee have admitted that mistakes were made which is more than certain other software houses will do when things go wrong...
My initial reaction to this story was to post a comment that said something like:
"but Windows IS malware, what's wrong?"
However, I soon realised that Windows fans would get a little hot under the collar from such obvious flame baiting. I then thought that this might be better:
"Did the error message recommend installing Linux to repair the problem?". Then I realised that McAfee would never recommend such a sensible course of action - simply because they don't make software for Linux and would be shooting themselves in the foot.
I have now decided to go down a different track entirely:
"Did the errors merely ask the system administrators to contact... um ...the system administrators to arrange to get the malware removed?"
Paris - because I'd give her a malicious "code" injection. She wouldn't end up with Malware though. There might also be a DoS for other users while her "sockets" were undergoing sustained usage.
Lets not give out the bad AV advise
Yes, AV has its issue, and yes sometimes there are false positives, but to completely remove AV from your Servers and Systems is pretty bone headed and bad advice.
AV protects against known bad programs, viruses and malware. Leaving your systems without AV or updating your AV lowers the bar for a potential attacker. Does it defend against all threats? No, definitely not, but it protects against a good number of threats. Perhaps you need to look at a different vendor then if you can't create exceptions, or do not scan directories which will help speed up machines, and you should be testing your patches or updates in a test environment before mass deployment.
The statement, you only get viruses from two things porn and warez is about as incompetent of a state I've heard in awhile. Thumb drives, remove-able media, visiting websites (non porn). http://securitylabs.websense.com/content/alertsRSS.xml
Brent if you are in charge of security for your company... which company is it again???
Why do people still buy this nonsense?
Why do people still waste money on AV? It has been shown that the vast majority of Windows malware is entirely missed by these nonsense products. The only REAL solutions are either NOT to "run" Windows, or to prevent promiscuous connection to the interweb.
have corporate users not yet realised that Windows is dead as a business tool?
Is it so hard?
Just whitelist the files that render a computer operative.. if they are infected then have a new process that manually informs the company and the user, maybe disables networking so it can't spread.
There are some files you just don't want it to mess with willy-nilly...
@ Chris Hunter
Does you company not have a web presence? Perhaps the company you work for is one of the few that doesn't have to go visit websites on the web, or put in orders and get information from the web. In that case, sure get rid of AV, lock everyone down to the desktop with no web browser, disable usb, and cd-rom drives, get rid of e-mail.
If you don't have AV, how are you finding out if unwanted software or programs are getting on your desktops and workstations? Its all about the layered security approach!
The good ole, we have a firewall, we are protected non-sense.
Please don't misinterpret what I said...
A/V is probably a necessary evil on corporate workstations, file servers, and email servers. You need to control all entry points, and thumb drives are one of them. But on your web servers, databases, etc, these machines should have a dozen levels of security in between them and any end user. A/V is more of a liability on a web server than an asset, as this incident shows.
Lastly I'd like to add that even on corporate workstations, A/V should mainly be seen as a defense against thumb drives, since they can't be controlled by network policy. You should already be blocking known spammers, porn and warez websites, bit torrent, etc. So those should not be entry points anyway. If they are, you're doing something wrong.
"It has been shown that the vast majority of Windows malware is entirely missed by these nonsense products" - citation needed!
Also, Windows is a useless, leaky sack of crap but saying it's dead as a business tool is kinda optimistic. I mean, I'll drink to that, but a lot of people still need to run it for a lot of reasons and it'll take years for that to change one way or the other. This platform is well locked in, stuck under some lumbering dinosaurs of business systems that don't look like they're thinking of moving any time soon.
"have corporate users not yet realised that Windows is dead as a business tool?"
Hilarious. Back to the real world and like it or not Windows is used heavily as a business tool by people and does the job perfectly well for many (most?) of them. Corporate users don't care what is running on their machine, just that it is easy to use and does the job they require...
Another vote for no AV.
Block exe's at the corporate firewall and keep your OS patched. Any malware that isn't due to web browsing or email attachments is going to be zero-day anyhow and the AV software will be useless.
As for thumb drives -- users shouldn't be able to run exe's that you don't approve.
AV useless on Windows?
Thanks for giving the heads up to the ones that hack yet "unknown" security holes to inject viruses into unprotected windows machine's, unless those people are mythological or something, and I'm just imagining it :P Of course I kid, those professional hackers already know there's a lot of people who don't believe in AV to keep their (windows) servers partially safer.
Every time I hear of the perfect security solution to use, there's always some security hole that's found that takes the machine over completely.
Plus, an updated av, while not protecting one from unknown security issues, do cover all the already known ones. And from personal experience, just because there is protection from AV from a certain virus/script/whatever doesn't mean that exploit isn't still being used, or at least attempted. I keep hearing of old viruses showing up after waiting to find another computer that was unpatched, or didn't have an AV watching for it to show up.
Not using AV in windows just because it can't protect from everything is like saying I'm not going to go to the doctor if I'm really sick because they can't make me immortal :P
And yes, we all know if we used something other than windows we could throw the AV away, but unfortunately because MS was such a nice company for so long, every good program maker writes only for Windows still. Such is the situation we live in, it's no need to insult users, it's not like their decision's are causing the world to end or are harming baby seals.
Also, just porn and warez is the statement of those who have very limited experience, or just like to ignore the fact, that not all of it happens at the corporation. Many more times corporations get hacked because of laptops people go home with, and flash drives. You can't keep people from their porn and warez at home (who the F* does warez anymore anyway, what is this the 90's, usually it's porn and misspelled web sites leading to exploits, welcome to the new millennium?), and portable memory make very good vessels for trojans (flash, cd-r, dvd-r, etc.) :P The best viruses are the ones that do nothing noticeable, and use very little resources, and tend to be seen by no AV anyway (like a botnet-ed machine). But that, at least, has been the way things have been since windows first went onto the internet and needed AV all the time. But back then people were still too busy bowing to MS as their future provider of great bells and whistles :P
But hey, what do I know... :-P Just that if you have a system you think doesn't need an AV, it probably doesn't need to be running windows either, 2 birds, one stone :) Unless the computer that is using windows has no memory input devices of any kind, and has no network connection, it needs an AV or it's just on borrowed time. Getting a virus is bad luck, not something you can plan against.
Just a side, mcafee and norton haven't been that useful for a while as any serious virus writer will target them first to get around. AVG is actually catching up at being worked around by viruses, good for them to have that kind of recognition, but bad that now they are getting less secure. By working around I mean, going into the OS below the AV's view, or infecting the AV itself and using it to do all the dirty work. The easiest thing if you use windows is to accept it will get infected somehow eventually, or if you're lucky it will break first :P Then get on with your life enjoying the fact you at least have what pretty much is a super computer at your fingertips :P lol Because computer's are so fast now, just on chance, there is a higher likelihood of more computers having silent infections and/or are parts of botnets, but so far it seems to have been pretty much windows only.
Someday we'll go back to the day where hackers have to sniff info from the network to get their goods, instead of being able to go right onto the server and do whatever they want. But for now Windows makes everything easy ;P
@Brent Gardner> You only get viruses from two things: porn and warez.
Absolute rubbish - you can become infected, for one example, by potentially *any* website these days. Ever heard of XSS? I hope to god you're not responsible for security at your work.
@ Brent Gardner
Wow mate, you're such a troll .. but I'll bite.
Firstly, you don't speak for the IT community one bit, much less the security community, so get off your high horse.
If you honestly think that the only way to get infected is to surf porn and warez, then you are living in 1995, or have no clue about modern computer security, and threat distribution methods. I'm tired of educating trolls like you.
If you want to prove it to yourself, by all means, come to blackhat or defcon, and do some banking online with no AV or security software installed. Oh you wont? i didn't think so.
Maybe the reason you get looked at like you're raving mad when you suggest people run servers without any security software, is because you are. PCI mandates that people take a look at security, and have SOMETHING in place, and up to date, together with a firewall that is turned on.
Oh, you haven't read that either huh? Just assuming again.
If AV companies were stupid enough to just play the reactive catch up game in order to stop malware, they would all have gone out of business because years ago.. oh wait, they havent? You mean that when a business sees a new type of threat or attack, it produces new technology in order to be more efficient and proactive? you mean the money you pay actually goes to research new security techniques?
I'd suggest educating yourself about malware in 2009, rather than assuming what you thought you knew from 10 years ago is still relevant, and giving people bad advice on public boards, and as a proffessional (I assume this is what you claim you are when walking into "a company").
Im no Mcafee apologist, and not fully QA checking a major patch on a long awaited "known to have issues" version of their client is just wrong, but it happens to everyone now and again. Software test cases cannot possibly cover every scenario.
Shit happens, move on, but don't berate the entire security industries from a "conspiracy" pulpit because you think they're all out to get you...
A simple woman who never left her village used to tell me this: my boy, you should never start a flaming war with Windows lovers on a patching Tuesday or whenever there`s an anti virus update snafu because this is when their sense of humor is at its lowest. The only time I did not follow her advice I got burned awfully.
Listen to Brent
I think Brent's point was you shouldn't need anti-malware on a server because it shouldn't be possible for any malware to get in there, period. If you allow the lusers to run untrusted binaries all over the place, then no AV is going to save you. If you do not allow such nonsense, then you don't need no steenkin' AV in the first place. OK, your lusers will probably want to have some admin rights on their machines, and LARTs are not always deployable, so you'd probably want to slap a nice AV on end-user machines -that'll teach them-, and maybe on a couple fileservers to avoid spreading, if they're lazily administered or if you can't control all the entry points, but that's it. No untrusted binary should be able to make its way on anything else*. And that bloody well includes world-facing servers.
I recently re-read a dreamer's ramblings about that:
Not the most recent stuff but still very true.
*Unlike Brent, I don't feel like mail server should need AV. They should only see plain text anyway. Attachments should be avoided, and if absolutely needed should be rerouted to a fileserver.
"You only get viruses from two things: porn and warez."
Horseshit! I'm not going to talk about your technical abilities, but to sit there and say that particular line is absolute horseshit. Only people who think that is the complete truth are those who thump bibles. 'Nuff said.
McAfee is a pile of S****
My brother was hit by this very problem! He turned up at my flat at 11pm saying he had a big meeting the next day and McAfee had f*cked his laptop.
Was a bit of a git to sort, but once we pulled McAfee all was well.
The only experience of McAfee I've had is when it screws something up. Must be the worst AV product there is.
I stick with avast
Deja Vu all over again
Hasn't MacAfee done this already? I seem to recall a few years ago they made exactly the same blunder. Another fun one was some years ago when MacAfee did some mischief and resulted in us having to remove and rejoin nearly all of our systems to the domain again. It's a shame too, because they have one of the more comprehensive suites and polished interfaces. Of course the company I now work for uses Symantec exclusively, which has many issues of its own.
I think I'll stick to Avast on my Windows boxes. No issues with them yet. Apparently in some respects you get the inverse of what you pay for.
perhaps this is an area of risk that linux can help out with
Can't help thinking that this might be the stick that might consider some sysadmins to break the Windows deployment camel's back. Damage due to virus activity (which now has to include problems caused by antivirus activity) has to be added to a Windows deployment TCO and weighed against the Linux TCO.
Not running antivirus on servers means that you can guarantee that not only cannot malicious payloads be moved to these servers, but also that malicious activity cannot originate on these servers. The enhanced security modes on IE can reduce the risk of the latter, however the former is still a problem. How do you audit against these things? Is there an accepted diligence process?
I wouldn't be surprised if a significant proportion of malware activity happens as a result of (if not deliberately caused by) a user with administrative privileges. Back in the days of NT4, I was handed domain user control of a sizeable industrial network as a young pimply eighteen year old to do some admin tasks. I turned auditing on my user in order to cover my own arse if things went poop :)
you have to admit
rendering a computer un-bootable makes its about as secure as it can be. Good job McAfee, sounds like the perfect product, stopping virus propagation in its tracks :)
One must wonder how this can happen when MS digitally signs critical system executables. It's not hard to embed MS's public key in your product and trust files with a valid signature from their key.
Something modifies the MS system file? Signature isn't valid anymore.
Admittedly this is imperfect, not least because MS (for some bizarre reason) doesn't sign all its executable files. However, you can certainly blacklist any signed executable replaced with an unsigned executable, or any signed executable with an invalid signature.
This should dramatically reduce the false positive rate, too, particularly with critical system executables.
workstations, A/V should mainly be seen as a defense against thumb drives, since they can't be controlled by network policy. You should already be blocking known spammers, porn and warez websites, bit torrent, etc. So those should not be entry points anyway. If they are, you're doing something wrong.
Oh my god how wrong can you be !!!!
just disable it in the bios and protect the registry and change usbstor from 3 to 4
That can be done Via a GPO which hang on 1 second ... ITS A NETWORK POLICY !!!!
gah i understand what your trying to say but your wrong
we manage multiple companies remotley which means we cant lock things down at all.
and then ontop of that they dont browse porn there and they dont download warez
But they get shit loads of bugs trying to get in via email but we use groupshield which is a AV product that stops at least 300 odd trojans a day
then we have AV on all the machines and still bugs get on ... (facebook private email etc )
please explain should i go to the director and say lets get rid of all your protection you dont need it !
bloody hell your daft !
IT? icon cause thats the bloody boat your sitting in !
Shooting their own foot...
It's my sad experience that testing is often the first casualty of the 'current economic crisis', in fact that's why I'm sat here drinking coffee reading El Reg and posting this right now rather than reviewing SoRs and writing test scripts =O/
I have no idea what the situation at McAfee is like but I'd like to bet that some of their offices are considerably emptier than they were this time last year...
5 days to find out there was a problem?!!!
The software update was issued on 27 May and pulled on 2 June, after problems occurred.
You're telling me it took 5 days before it was apparent something wasn't right?? It SHOULD have been about 24 hours!
5 days to find there was a problem...
The patch in question had already been through the limited release process for a month, it was the "last best hope" for anyone who had been forced into deploying vse 8.7 (as this sucks and is buggy as hell without it)
It was in itself a wonderfull patch and made my test machines very very happy ( around 30-40% resource reduction) but there are people out there who had already deployed vse 8.7 wholesale and have been screaming for this patch for the last 5 months. ( Not people who had experienced deploying VSE 8.5 without patch 1 as this was almost as bad)
Macfee released the patch as a MANDATORY patch for vse 8.7 and as the problem was not something that would be expected from an app patch but rather a DAT or engine update no one seemed to have any issues with it.
The complaint that people tied in to Mcafee have is that they pulled the patch but then did not contact their customers to advise there was an issue. Taking a week to advise your customers that your software could trash their systems when your customers are running thousands of workstations each is a joke.
The Mcafee KB release they then put up advised you to keep the patch ON if you had already released it and just advise Mcafee when/if everything went titsup.
Mcafee lost all goodwill with corporate admins, massive FAIL
On a lighter note having seen Mcafee/Symantec/Kaspersky and Sophos, mcafee still have the best management system, wouldn't use them on my home pc though.
Avast like everyone else
How to run a Windows desktop without AV
Anecdotal evidence only, but me and most of my mates have been running XP like this for years without getting infected:
@Toastan and all others running not running AV
Yes, running at reduced privileges is best practice and will help to reduce the possibility to get infected, HOWEVER this isn't a catch all and shouldn't be relied on as a means not to get hacked or infected.
I guess my question to you Toastan would be, how do you know you have been infected? If it is a small malware with a low imprint, or something that runs in memory, you'd never know without AV or something to detect it, unless you are constantly doing forensics on your system and memory.
Running at reduced rights does offer protection, but if someone gets a foot hold on your system with the rights as you, there are many many ways to elevate privileges.
Don't get me wrong, AV is not as useful as it once was, but security needs to be implemented in a layered approach if you are wanting to do it right.
As for white-listing apps. Good idea, and most AV vendors are starting to include some kind of white listing, issue there is having enough staff to constantly be updating the hash tables as updates and new software versions are released. What if my white-listed app has a buffer overflow or remote code execution vulnerability?
Until everyone starts writing secure code, and validating input, there will also be a exploit code and viruses.
This patch will kill your Lotus Notes
Have a few people who can't use Lotus Notes because the SP1 makes LN crash.
Pretty sad that they only offer a WORK AROUND and not a newer patch to patch the faulty patch.