McAfee Scrambles to Contain Virus Definition Gaffe

March 13, 2006

By Ryan Naraine, eWeek,1759,1937154,00.asp?kc=EWRSS03129TX1K0000614

Anti-virus vendor McAfee is scrambling to contain the damage from a faulty definition update that incorrectly flagged hundreds of legitimate software programs as W95/CTX, a low-risk Windows 95 virus that was first detected in 2004.

The erroneous .DAT file (4715) was shipped late on March 10 with definitions for a wide range of new malware threats, but when the update was installed, it quarantined or deleted several widely deployed applications, including Microsoft Excel, Macromedia Flash Player, Adobe Update Manager and the Google Toolbar Installer.

Santa Clara, Calif.-based McAfee acknowledged the gaffe and quickly shipped a new virus pattern file (4716), but for some users the damage was already done.

In a notice posted online, McAfee said the 4715 DAT files caused problems for customers running its VirusScan Enterprise, Managed VirusScan, VirusScan Online, LinuxShield and VirusScan (consumer) products.

The incorrect detections did not occur with McAfee's OAS (On Access Scanner), nor with gateway or e-mail scanners.

McAfee officials said the files that were incorrectly flagged as a virus were renamed as filename.exe.vir. However, instead of simply quarantining the supposed threat, McAfee said the point product's secondary action can result in the file being deleted.

"[The] correct W95/CTX detections are reported as W95/CTX.6886 or W95/CTX.10853," company officials said.

Johannes Ullrich, chief research officer at the SANS ISC (Internet Storm Center), said his outfit has received reports of major damage in some corporate settings. "We've fielded reports about hundreds of files quarantined or deleted on hundreds of computers. If you had your anti-virus set to quarantine detections, you can restore those files, but it's a huge task," Ullrich said in an interview with eWEEK.

"It's difficult to gauge how many businesses were affected, but in some cases we know that some administrators had problems affecting thousands of systems. It was rather severe because it deleted these widely used programs," Ullrich said.

In a statement released to eWEEK, a spokesperson for McAfee said the company's AVERT (Anti Virus Emergency Response Team) has been working "around the clock" since Friday to help customers assess the degree of impact and restore the files where possible.

She said Managed VirusScan and VirusScan Online have quarantine viewers that allow for restoration of quarantined files.

For VirusScan Enterprise customers, the spokesperson confirmed that the ability to remotely restore files does not exist in the product.

The company has released a stand-alone tool that restores quarantined files for VirusScan Enterprise users. The tool, which is only available for non-East-Asian operating systems, can be deployed via ePO (ePolicy Orchestrator), McAfee's system security management product.

The spokesperson said the AVERT unit is working on a recovery tool for users of Chinese, Japanese and Korean operating systems. "AVERT is also looking into whether we can create an Undelete tool for those customers who had their secondary action set to Delete," she added.

main page ATTRITION feedback