A berserker update to CA's eTrust anti-virus software created all sorts of confusion on Wednesday. The 33.3.7051 update labelled a large number of binaries (.DLL and .exe files), including some components of eTrust itself, as infected with something called StdWin32. These files were sent off to quarantine, resulting in disabled …
eTrust hates Cygwin????
The organisation I work for runs eTrust (currently 8.1.637.0). After the recent upgrade, Cygwin runs like a dog, so slow that it's almost unusable. Since I rely on Cygwin for some of my systems and software admin, eTrust has now moved closer to the top of my shit list. Last month it quarantined some of the Cygwin DLLs. Does CA have something against Cygwin?
This would be why ...
... I always retain user oversight of actions by such tools, when I even bother to use them; honestly, I run XP daily and I think the last time I was infected with anything was about three years ago when I foolishly attached an acquaintance's external hard drive to my own machine under Windows rather than scanning it from a secure environment first. I've found that using Firefox with NoScript and only permitting scripting to run on sites that absolutely need it (and even then marking all ad domains and similar as globally untrusted) has kept my machine clean. I periodically run a full scan from a standalone AV tool with recent signatures to be sure, but I found that permanently installed products, especially those using on-access scanning and auto-action, were more trouble than they were worth.
It's too bad eTrust didn't quarantine itself before running amok with other apps. That's twice in five weeks an update has ruined my morning. I've already got the renewal for eTrust in process and am upgrading to ITM (includes PestPatrol); what have I done?!?
And I was wearing my El Reg T-Shirt
That's *my* blog.. and the funny thing is that I was wearing my El Reg T-shirt from the Cash & Carrion shop today. Coincidence? Conspiracy? Or just another CA cockup?
Is it really such a hard idea?
Please, kill me
"The dodgy update falsely tagged important Windows system files as potentially malign before dispatching them into quarantine."
As the unfortunate owner of a Vista Home Basic system, I'm seriously thinking about installing this software.
Shouldn't this strap line read...
CA auto-immune eats itself!
On a serious note, I feel for you sysadmins today! Respect...
One positive - One Hurumph
It seems pretty impressive that they have admitted the fault in fairly strong language. Quite rare in such circles, even when it's your corporate customers you've messed up.
On the other hand, is "remediation" even a word, even in America? It appears to be the classic American trick of rolling a word through all the grammatical forms until it loses all sense. Recovery would work, mediation might half work, remedial fits quite well, but remediation? Presumably the act of carrying out remedial work, but is it English?
Thanks a bunch
Hmm this happened to us today. It went through quarantining files from vmware, roxio, software I'd written, Windows, Open Office etc.
Looking at the files it ate, it seemed totally random. I don't think it was "targeting" anything in particular.
Serendipitously I happened to be in early in the morning at our place because we are migrating some of our clients off CA to a rival product, so I managed to catch it before it trashed everything.
@BobK - remember that you can exclude certain files and directories from your scanning, that's worth having a try if you have persistent problems.
That's just cost CA another potential customer
We are advising a large user on this technology. The user has 1000 PCs, all 24/7, and could not stomach this sort of self-inflicted problem caused by software you actually pay for.
It's bad enough that U$oft doesn't understand the meaning of the word LATER after its updates that need a reboot.
Sorry CA you are off the list.
Seems I got off lightly.
It only hit 7 PCs and 99% of the detections I saw were in Incredibuild's ModuleCache folder, an eminently deletable local cache of DLLs and EXEs from other machines (mostly related to Visual Studio). One machine only lost network and CD-ROM drive access after a few .sys files got renamed. Some of the others on that blog weren't so lucky.
Maybe it's Lupus?
I'll get my coat and cane....
Maybe it's time I should go back to AVG Free
It's not any better and it might trash innocent files as well but at least I don't have to pay for that.
This totally destroyed us
This totally destroyed us. eTrust blew away 750 files on a production Siebel cluster. I couldn't even unquarantine the files since even eTrust AV was damaged and wouldn't start. It blew away our backup server too, so it made restores impossible until the backup was fixed. I wasn't able to get a clear idea of what servers were affected because I couldn't get the central threat management console to start.
Possibly the worst work day of my life. Absolute madness. The only way my day could have been worse would have to involve gunfire.
CA salesmen are pretty slick. They always weasel their way past me to get to management and treat them to whatever and push some unpolished product on us. Hopefully, the lesson is learned.
I've hated CA since the 90's when I had to work with ArcServe, so I'm not terribly surprised.
No reason for this to happen
Simple testing of the signature files in a test environment would stop this stupidity. It is ridiculous that CA, AVG and McAfee have had these problems of late.
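The staging check the last commenter asks for, as an added example that is not part of the thread and not CA's or any vendor's own tooling: a "golden set" of known-good binaries (OS files, third-party apps, and the AV product's own components, since the page notes eTrust quarantined parts of itself) is hashed once on a clean machine, and a candidate signature set is refused promotion if it fires on any unmodified file in that set. The signature format (name plus raw byte pattern), the scanner, the file names and the fake PE files are all constructed for the example; real eTrust signatures and detections are not this simple. The over-broad "bad" set deliberately matches the DOS stub string that every real PE carries, which is the kind of mistake that flags everything at once.

```python
import hashlib
import tempfile
from pathlib import Path

# Standard MS-DOS stub text present in every Windows PE executable.
DOS_STUB = b"This program cannot be run in DOS mode"


def make_fake_pe(path: Path, payload: bytes) -> None:
    """Write a constructed stand-in for a PE file: MZ header, the DOS stub
    text, then a payload. Not a valid executable, just enough for the scan."""
    path.write_bytes(b"MZ" + b"\x90" * 62 + DOS_STUB + b".\r\r\n$" + payload)


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_golden_manifest(files) -> dict:
    """Record hashes of known-good files (OS, vendor apps, and the AV's own
    binaries) taken on a machine known to be clean."""
    return {str(p): sha256(p) for p in files}


def scan(path: Path, signatures: dict) -> list:
    """Hypothetical scanner: a signature hits if its byte pattern appears
    anywhere in the file. Returns the names of all matching signatures."""
    data = path.read_bytes()
    return [name for name, pattern in signatures.items() if pattern in data]


def gate_signature_update(manifest: dict, signatures: dict) -> dict:
    """Run a candidate signature set over the golden manifest before pushing
    it to production. A hit on an unmodified known-good file is a false
    positive by definition. Returns {path: [signature names]} for such hits;
    an empty dict means the update may be promoted."""
    hits = {}
    for path_str, expected in manifest.items():
        p = Path(path_str)
        if sha256(p) != expected:
            # File changed since the manifest was taken; it is no longer a
            # known-good reference, so skip it rather than judge it.
            continue
        matched = scan(p, signatures)
        if matched:
            hits[path_str] = matched
    return hits


def demo():
    """Build a constructed golden set and gate one sane and one broken
    signature update against it. Returns (hits_for_good, hits_for_bad)."""
    tmp = Path(tempfile.mkdtemp())
    # Hypothetical file names: an OS DLL, a third-party DLL, the AV engine.
    files = [tmp / "kernel32.dll", tmp / "cygwin1.dll", tmp / "av_engine.exe"]
    for f in files:
        make_fake_pe(f, f.name.encode())
    manifest = build_golden_manifest(files)

    # A plausible signature: a marker string lifted from one malware sample.
    good = {"Win32/Sample.A": b"EVIL_MARKER_0xDEADBEEF"}
    # An over-broad signature: matches the DOS stub in every PE on the box,
    # including the AV product's own engine.
    bad = {"StdWin32": DOS_STUB}
    return gate_signature_update(manifest, good), gate_signature_update(manifest, bad)


if __name__ == "__main__":
    good_hits, bad_hits = demo()
    print("sane update, false positives:", good_hits)
    print("broken update, false positives:", bad_hits)
```

The gate only proves a negative for the files in the manifest, so the manifest has to be broad (every product the fleet actually runs, plus the AV's own install directory) and re-taken whenever those files are legitimately patched; a stale hash makes the file invisible to the check rather than failing it.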