Buggy McAfee Security Update Takes Down Windows XP Machines

By Brian Prince  |  Posted 2010-04-21

A McAfee antivirus update has caused some Windows XP users to experience the notorious Blue Screen of Death, disrupting computer networks around the country.

According to Kentucky.com, Kentucky state police as well as local municipal, police and fire departments in Lexington reported being affected by the problem. Additionally, several emergency rooms in hospitals in Rhode Island reported problems and were turning away nontrauma patients during the day as they addressed the situation.

According to McAfee, the situation was caused by a file meant to address a new threat affecting PCs running Windows XP Service Pack 3.

"Researchers worked diligently to address this threat that attacks critical Windows system executables and buries itself deep into a computer's memory," McAfee spokesperson Joris Evers said in a statement April 21. "The research team created detection and removal to address this threat. The remediation passed our quality testing and was released with the 5958 virus definition file at 2.00 PM GMT+1 (6am Pacific Time) on Wednesday, April 21."

Some of those who downloaded the update experienced a Blue Screen or a DCOM error, followed by shutdown messages, McAfee acknowledged. According to Evers, companies that left a McAfee VirusScan Enterprise feature called "Scan Processes on Enable" disabled (its default setting) were not affected.

The update mistakenly identifies the Windows system file svchost.exe as malware. Because svchost.exe hosts most Windows services, including the RPC service that DCOM depends on, quarantining or deleting it leaves the machine unable to boot normally. To address the issue, McAfee released an updated virus definition file (5959) and published instructions on how to mitigate the situation.

"The faulty update was quickly removed from all McAfee download servers, preventing any further impact on customers ... We are investigating how the incorrect detection made it into our DAT files and will take measures to prevent this from reoccurring," Evers said.

A user forum was abuzz with complaints April 21 about the issue, prompting McAfee to warn users not to download the update if they hadn't already. As a workaround, those who have downloaded the file can apply an EXTRA.DAT the company developed and posted on its support page to suppress the detection.

"For systems that have already encountered this issue, start the computer in Safe Mode and apply the EXTRA.DAT," McAfee recommended. "After applying the EXTRA.DAT, restore the affected files from Quarantine."

The company also advised users to apply the EXTRA.DAT before restoring svchost.exe if the bad update has deleted or quarantined the file on a machine; otherwise the on-access scanner will simply detect and remove the restored copy again.
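The recovery steps above, as an added batch script for a technician working through affected Windows XP machines from Safe Mode. This is not McAfee's own tooling. It assumes the DAT version is exposed under the registry key HKLM\SOFTWARE\McAfee\AVEngine (value AVDatVersion), that the EXTRA.DAT is dropped into the VirusScan Enterprise engine directory, and that the Windows File Protection cache (%SystemRoot%\system32\dllcache) still holds a pristine svchost.exe; all three are assumptions, and the sfc verification at the end is standard XP behaviour.

```batch
@echo off
rem Added recovery example for the DAT 5958 svchost.exe false positive.
rem Not McAfee code. Run from Safe Mode as an administrator.

set SYS=%SystemRoot%\system32
set DLLCACHE=%SYS%\dllcache
rem Assumed engine directory for VirusScan Enterprise 8.x (verify on your build).
set ENGINE=%ProgramFiles%\Common Files\McAfee\Engine

rem Step 0: confirm this machine actually received the bad DAT.
rem Assumed registry location of the installed DAT version.
for /f "tokens=3" %%v in ('reg query "HKLM\SOFTWARE\McAfee\AVEngine" /v AVDatVersion 2^>nul') do set DATVER=%%v
if "%DATVER%"=="" (
    echo Could not read DAT version from the registry; check manually.
) else (
    rem reg query returns a hex DWORD such as 0x1746 (5958 decimal).
    set /a DATDEC=%DATVER%
    echo Installed DAT version: %DATDEC%
)

rem Step 1: the EXTRA.DAT must be in place BEFORE svchost.exe is restored,
rem otherwise the on-access scanner re-detects and removes it again.
if not exist "%ENGINE%\EXTRA.DAT" (
    echo EXTRA.DAT not found in "%ENGINE%". Apply it first, then rerun this script.
    exit /b 1
)
echo EXTRA.DAT present in "%ENGINE%".

rem Step 2: restore svchost.exe if the bad detection removed it.
if exist "%SYS%\svchost.exe" (
    echo svchost.exe is present in %SYS%.
) else (
    echo svchost.exe is missing from %SYS%.
    if exist "%DLLCACHE%\svchost.exe" (
        echo Restoring from the Windows File Protection cache.
        copy /y "%DLLCACHE%\svchost.exe" "%SYS%\svchost.exe" >nul
    ) else (
        echo No dllcache copy. Restore from the McAfee Quarantine, or from the
        echo Windows CD with: expand D:\i386\svchost.ex_ "%SYS%\svchost.exe"
        exit /b 1
    )
)

rem Step 3: let Windows File Protection verify every protected system file,
rem not just svchost.exe, in case other executables were flagged as well.
sfc /scannow
echo Reboot normally after sfc completes and confirm the DAT has moved past 5958.
```

The script deliberately refuses to restore svchost.exe until the EXTRA.DAT is present, which is the ordering McAfee's guidance stresses; a restored file that gets quarantined again on the next scan leaves the machine exactly where it started.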
