An antivirus update meant to thwart an attack on Windows PCs ended up doing more harm than good for some Windows XP users, McAfee acknowledges. The faulty update, which caused some to experience the Blue Screen of Death, forced administrators around the country to shut down their systems as McAfee worked on a fix. Here's what to do if you have downloaded the file.
A McAfee antivirus update has caused some Windows XP users to
experience the notorious Blue Screen of Death,
disrupting computer networks around the country.
state police as well as local municipal, police and fire departments in Lexington
reported being affected by the problem. Additionally, several emergency
rooms in hospitals in
Rhode Island reported problems
and were turning away nontrauma patients
during the day as they addressed the situation.
According to McAfee, the situation was caused by a file meant
to address a new threat affecting PCs running Windows XP Service Pack 3.
"Researchers worked diligently to address this threat that attacks
critical Windows system executables and buries itself deep into a computer's
memory," McAfee spokesperson Joris Evers said in a statement April 21.
"The research team created detection and removal to address this threat.
The remediation passed our quality testing and was released with the 5958 virus
definition file at 2.00 PM GMT+1
(6am Pacific Time) on Wednesday, April 21."
Some of those who downloaded
experienced a Blue Screen or DCOM
error, followed by shutdown messages, McAfee acknowledged. According to Evers,
companies that kept a feature called "Scan Processes on Enable" in
McAfee VirusScan Enterprise disabled-which it is by default-were not affected.
The update mistakenly identifies the Windows system file svchost.exe as
malware. To address the issue, McAfee released an updated virus definition
file (5959) and made instructions on how to mitigate the situation available here.
"The faulty update was quickly removed from all McAfee download
servers, preventing any further impact on customers ... We are investigating how
the incorrect detection made it into our DAT files and will take measures to
prevent this from reoccurring," Evers said.
A user forum was abuzz with
April 21 about the issue, prompting McAfee to warn users not to
download the update if they hadn't already. As a workaround, those who have
downloaded the file can apply an EXTRA.DAT the company developed (available here
at the bottom
of the page) to suppress the detection.
"For systems that have already encountered this issue, start the
computer in Safe Mode and apply the EXTRA.DAT," McAfee recommended.
"After applying the EXTRA.DAT, restore the affected files from
The company also advised users to apply the EXTRA.DAT before restoring the
svchost.exe if the bad update has deleted or quarantined svchost.exe on a