McAfee Scrambles to Contain Virus Definition Gaffe

March 13, 2006

By Ryan Naraine, eWeek,1759,1937154,00.asp?kc=EWRSS03129TX1K0000614

Anti-virus vendor McAfee is scrambling to contain the damage from a faulty definition update that incorrectly flagged hundreds of legitimate software programs as W95/CTX, a low-risk Windows 95 virus that was first detected in 2004.

The erroneous .DAT file (4715) was shipped late on March 10 with definitions for a wide range of new malware threats, but when the update was installed, it quarantined or deleted several widely deployed applications, including Microsoft Excel, Macromedia Flash Player, Adobe Update Manager and the Google Toolbar Installer.

Santa Clara, Calif.-based McAfee acknowledged the gaffe and quickly shipped a new virus pattern file (4716), but for some users the damage was already done.

In a notice posted online, McAfee said the 4715 DAT files caused problems for customers running its VirusScan Enterprise, Managed VirusScan, VirusScan Online, LinuxShield and VirusScan (consumer) products.

The incorrect detections did not occur with McAfee's OAS (On Access Scanner), nor with gateway or e-mail scanners.

McAfee officials said the files that were incorrectly flagged as a virus were renamed as filename.exe.vir. However, instead of simply quarantining the supposed threat, McAfee said the point product's secondary action can result in the file being deleted.

"[The] correct W95/CTX detections are reported as W95/CTX.6886 or W95/CTX.10853," company officials said.

Johannes Ullrich, chief research officer at the SANS ISC (Internet Storm Center), said his outfit has received reports of major damage in some corporate settings. "We've fielded reports about hundreds of files quarantined or deleted on hundreds of computers. If you had your anti-virus set to quarantine detections, you can restore those files, but it's a huge task," Ullrich said in an interview with eWEEK.


main page ATTRITION feedback