
McAfee Kills SVCHost.exe, Sets Off Reboot Loops For Win XP, Win 2000

timothy posted more than 4 years ago | from the hope-you-were-using-antiantivirus-too dept.


Kohenkatz writes "A McAfee Update today (DAT 5958) incorrectly identifies svchost.exe, a critical Windows executable, as a virus and tries to remove it, causing endless reboot loops." Reader jswackh adds this terse description: "So far the fixes are sneakernet only. An IT person will have to touch all affected PCs. Reports say that it quarantines SVCHOST. [Affected computers] have no network access, and missing are taskbar/icons/etc. Basically non-functioning. Windows 7 seems to be unaffected." Updated 20100421 20:08 GMT by timothy: An anonymous reader points out this easy-to-follow fix for the McAfee flub.

472 comments

Wonder what microsoft paid for this? (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31927330)

Should help windows 7.

Hello 4/20 (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#31927350)

Way to go!

Why Worry about Malware-Viruses... (4, Funny)

BoRegardless (721219) | more than 4 years ago | (#31927352)

When your Anti-Virus software bombs you out.

Re:Why Worry about Malware-Viruses... (1)

coasterfan (1155915) | more than 4 years ago | (#31927416)

I have DAT file 5958 on my system and it works fine. While I've blamed McAfee for problems in the past, I don't think this one is as cut and dried as it's being made out to be.

Re:Why Worry about Malware-Viruses... (1)

grumpyman (849537) | more than 4 years ago | (#31927576)

Do you use XP/2000?

Re:Why Worry about Malware-Viruses... (0)

Anonymous Coward | more than 4 years ago | (#31927802)

What OS? Links report only XP/SP3 appear to be affected. Is that your setup?

Re:Why Worry about Malware-Viruses... (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#31927680)

From the "Getting beaten in independent tests by free AV" department.

Sometimes the cure is worse than the disease (1)

TheLink (130905) | more than 4 years ago | (#31927796)

Heh, I've asked a vendor before how often this sort of thing happens to them (just to see how honest they are and maybe to send a message to whoever is listening).

After all if a hacker/malware causes downtime less often than the vendor's screw-ups, why use the vendor's product? Safer to look for a vendor with a better track record even if they have more false negatives (especially with rare and/or ancient stuff).

There are overheads and performance impacts to using such stuff, in addition to just the price tag (and subscription fees etc). I suspect there's malware out there that's less harmful than running McAfee or Symantec ;).

Re:Sometimes the cure is worse than the disease (1)

Kvasio (127200) | more than 4 years ago | (#31927948)

Safer to look for a vendor with a better track record even if they have more false negatives (especially with rare and/or ancient stuff).

Don't you underestimate the power of Dark Avenger [wikipedia.org]

Re:Sometimes the cure is worse than the disease (1)

TheLink (130905) | more than 4 years ago | (#31928262)

Don't underestimate the impact of AV or IPS software going nuts.

Don't forget that AV software costs you ALL the time when it's installed in "real time" scanning mode.

More downside to malware than just downtime. (4, Informative)

diverman (55324) | more than 4 years ago | (#31928188)

I agree that it raises the question as to why one should use them, but "down time" is not the biggest threat out there, if you wanna talk loss/cost. While one's time is valuable, I'm thinking that their bank account information, passwords, etc, might be slightly more valuable to them. Personally, I think good secure end-user practices are the best protection, but I do think that a good A/V program is needed.

So, while there is malware out there that is less harmful, more of the malware out there is much MORE harmful... if you disagree, please provide your financial account information, or contact me to transfer all funds to a secured off-shore account... maybe buy me a new car too! ;-)

But seriously... this is really bad, and REALLY stupid. But having no protection for most users risks damaging them in ways worse than a few hours of time to manually fix their issue. And from a corporate perspective, loss of sensitive information is a BIG deal and can cost a LOT more. And that's just talking about data loss. Being part of a botnet to help facilitate financial fraud and other badness... that's also double plus ungood... and irresponsible to not take measures to help keep your computer from playing a part in those crimes.

Anyway... I agree it raises the question... but there's more downside to malware than just downtime.

Black Wednesday (0)

Anonymous Coward | more than 4 years ago | (#31927370)

Not a good day to be a sysadmin... Good luck out there guys.

Re:Black Wednesday (1)

ircmaxell (1117387) | more than 4 years ago | (#31927392)

Unless as a sysadmin you chose another product other than McAfee (I personally use Symantec)...

Re:Black Wednesday (1, Insightful)

Anonymous Coward | more than 4 years ago | (#31927486)

You could also choose Linux instead of Windows.

Re:Black Wednesday (4, Interesting)

ircmaxell (1117387) | more than 4 years ago | (#31927530)

True, but business needs dictate software requirements. So that decision is out of my hands (but believe me, I'd LOVE to run an office full of Linux computers)...

Re:Black Wednesday (1, Informative)

GNious (953874) | more than 4 years ago | (#31928106)

True, but business needs dictate software requirements. So that decision is out of my hands (but believe me, I'd LOVE to run an office full of Linux computers)...

Interesting.
We're forced to use Windows on Dell laptops, though I can see no business needs for it, nor any technical requirements (SaaS suites are used, and our various applications are almost all running on some Unix derivative). Our Exec team are all using OSX, showing that non-techies are quite able to do their business without Windows. Even then, there is no way in hell we'll get away from Windows, and almost as little chance we'd get away from Dell even if everyone in Internal IT hates Dell.

Re:Black Wednesday (4, Insightful)

Anonymous Coward | more than 4 years ago | (#31927580)

Or you can go back to pencil and paper. Much more cost effective than Linux.

Re:Black Wednesday (0, Troll)

mikek2 (562884) | more than 4 years ago | (#31927640)

My linux laptop & I have been walking around on cloud 9 all day.

For a program so hard to turn off (4, Insightful)

ZeroSerenity (923363) | more than 4 years ago | (#31927378)

It seems to be very willing to take the whole machine down. Speaking of which, did anyone at McAfee even bother to test this dat on a Windows XP machine?

Re:For a program so hard to turn off (3, Interesting)

jimicus (737525) | more than 4 years ago | (#31927892)

It seems to be very willing to take the whole machine down.

Speaking of which, did anyone at McAfee even bother to test this dat on a Windows XP machine?

I'm sure they did but the real question is not "did McAfee test it against Windows XP?". It's "did they test it against Windows XP with every single version of svchost.exe that Microsoft have ever released?" - the original version and every updated version in every patch and service pack to date?

Re:For a program so hard to turn off (1)

ZeroSerenity (923363) | more than 4 years ago | (#31928230)

You bring up a valid point. But as SVCHost is nothing more than an encapsulator, you would think the program would be smart enough to go in and figure out what's been attached to it and remove that particular problem?

Guess what I've been doing all morning? (5, Funny)

uvsc_wolverine (692513) | more than 4 years ago | (#31927380)

I work at a university where we use McAfee anti-virus as our corporate AV. Guess what I've been doing all morning?

Re:Guess what I've been doing all morning? (5, Funny)

2names (531755) | more than 4 years ago | (#31927532)

Um, hiding in the bathroom like I have been doing?

Seriously, though, we got hit hard with this. I don't mind fixing the problem, what pisses me off is that we didn't want McAfee in here in the first place but Corporate HQ forced it on us.

Re:Guess what I've been doing all morning? (3, Insightful)

Spazztastic (814296) | more than 4 years ago | (#31927870)

Seriously, though, we got hit hard with this.

I'm trying to avoid having this happen. I just called our guy who manages the AV server (among other things) and sent him this. He was skeptical, but wasn't opposed to rolling back the server to using 5957 for now until more builds on this story. My system hasn't updated to 5958 yet, even though the AV server was set to deploy that. Let's hope for the best...

Re:Guess what I've been doing all morning? (5, Informative)

2names (531755) | more than 4 years ago | (#31928068)

Every system that we had that was XP SP3 that got updated to the 5958 DAT file became useless. We are now forced to visit each machine and manually fix it. Rubbish.

Re:Guess what I've been doing all morning? (5, Funny)

oldspewey (1303305) | more than 4 years ago | (#31927536)

Reading Slashdot?

Re:Guess what I've been doing all morning? (1, Funny)

Anonymous Coward | more than 4 years ago | (#31927564)

wanking furiously?

Re:Guess what I've been doing all morning? (1)

Hatta (162192) | more than 4 years ago | (#31927622)

Updating your resume?

Re:Guess what I've been doing all morning? (5, Insightful)

JamesP (688957) | more than 4 years ago | (#31927788)

Funny that one of the 'false reasons' against Open Source is liability

So are you going to sue the bastards for lost time and productivity?? You should.

Re:Guess what I've been doing all morning? (1)

poena.dare (306891) | more than 4 years ago | (#31927952)

Crap! I wish more of my clients used McAfee!

Re:Guess what I've been doing all morning? (3, Interesting)

steveg (55825) | more than 4 years ago | (#31928208)

Me too. I just handle my department, thank the gods. I've got two labs that are native Windows -- one with 7 machines and one 15 machine lab. These are hardware oriented labs that have vendor provided software that won't run under emulation.

The other 4 labs run Ubuntu, with VMWare, non-persistent VMs for any activities that absolutely require Windows.

My Windows only labs are in a constant reboot cycle (well, before I shut them down), the rest don't even realize there's anything going on. :) Since tomorrow is Lab day for those two labs, I'm hoping McAfee gets the problem fixed before then. If not, I'll disable boot scan until they do.

Re:Guess what I've been doing all morning? (0)

Anonymous Coward | more than 4 years ago | (#31928278)

Guess what I've been doing all morning?

Reading slashdot?

I smell a class action suit (0)

nicolas.kassis (875270) | more than 4 years ago | (#31927382)

oh this isn't going to end well for old Mc

antivirus... poison for cure (1)

wvmarle (1070040) | more than 4 years ago | (#31927384)

This way running anti-virus is worse for an end user than no anti-virus.

The cure becomes worse than the disease.

At least being part of a spam-spewing botnet keeps the computer mostly functional.

Re:antivirus... poison for cure (4, Insightful)

timster (32400) | more than 4 years ago | (#31927462)

Well, with McAfee, the cure has been worse than the disease for over a decade now. But the cure is easier to explain to management.

Re:antivirus... poison for cure (0)

Anonymous Coward | more than 4 years ago | (#31927844)

We've got 10,000 systems affected nationwide right now. This machine seems to have escaped the McAfee update by not having been rebooted in over a week, and NT admins have been kind enough to turn off McAfee for those of us who can actually stay on their desktop without being shut down every 60 seconds.

Re:antivirus... poison for cure (0)

Anonymous Coward | more than 4 years ago | (#31928200)

preventative chemo therapy!

Windows is a virus (4, Funny)

Wonko the Sane (25252) | more than 4 years ago | (#31927386)

We've known for a long time but it's good that McAffee finally admitted it.

Instead of plugging an endless stream of holes... (0)

Anonymous Coward | more than 4 years ago | (#31927394)

...and constantly keeping up with malware/virii/trojans/etc with software like this, maybe just have a better operating system that is designed to only execute code you trust?

Re:Instead of plugging an endless stream of holes. (0)

Anonymous Coward | more than 4 years ago | (#31927650)

Which one is that?

Re:Instead of plugging an endless stream of holes. (1)

bakawolf (1362361) | more than 4 years ago | (#31927780)

It's installed in firmware in free (or nearly free) devices near you! It's called...Rock.

Double ouch. (1)

ground.zero.612 (1563557) | more than 4 years ago | (#31927396)

2003 called, it wants its OS back. Oh, and the garbage called too, it wants McAfee.

Ok, so yes there are going to be a bunch of legacy systems that will need to run WinXP for the next 10 years. Do they need to be on the net? If so, for the love of _insert_favorite_deity_or_atheistic_views_here_ can you please not use McAfee or Norton anti-virus products?

Re:Double ouch. (4, Interesting)

Jeng (926980) | more than 4 years ago | (#31927606)

My big question is why is Norton and McAfee still so popular in the corporate world?

I understand that the OEMs preload McAfee or Norton because they are paid to, but the corporate world is paying big money for these out-dated anti-virus programs.

There are much better anti-virus providers out there such as Avast, Kaspersky, Nod32 and others.

Re:Double ouch. (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#31927754)

My big question is why is Norton and McAfee still so popular in the corporate world?

I understand that the OEMs preload McAfee or Norton because they are paid to, but the corporate world is paying big money for these out-dated anti-virus programs.

There are much better anti-virus providers out there such as Avast, Kaspersky, Nod32 and others.

AV-Comparatives' last testing round ranked Norton as the best product on the market. But hey, why not use "also-ran" software in your corporate infrastructure? You've already failed by using Windows, might as well go whole-hog.

Re:Double ouch. (2, Interesting)

Jeng (926980) | more than 4 years ago | (#31928098)

A quick google on the subject brings up many other tests that rank Norton below the ones I mentioned.

So it would all boil down to whom you believe, who is the least beholden to their advertisers?

And Norton and McAfee spend TONS on advertising.

Re:Double ouch. (1)

TheLink (130905) | more than 4 years ago | (#31928144)

> AV-Comparatives' last testing round ranked Norton as the best product on the market

But do they take into account the false positive track record?

That's a relevant point here. I believe Norton/Symantec have also had similar high-impact false positives.

If Antivirus software "A" detects fewer viruses than Norton but only misses out the rare and old ones (e.g. from the DOS era), has been around for years and had zero high impact false positives, I'd prefer it to Norton even if Norton has the lowest false negative rate (highest detection).

I'd prefer it if the O/S bunch made more progress towards better sandboxing[1] technologies.

Currently users and AV software regularly have to figure out whether something is malware or not - this is like solving the halting problem without seeing the source code, and without knowing the complete inputs.

[1] I've made some suggestions, they're not exactly easy to implement but easier than solving the halting problem ;).

Re:Double ouch. (1)

jimicus (737525) | more than 4 years ago | (#31928182)

Most AV companies have a range of products which are frequently entirely unrelated to each other.

Symantec have Norton (terrible), Symantec Enterprise (actually not too bad, although it's being obsoleted in favour of Endpoint Protection) and Symantec Endpoint Protection (which requires a Windows server even though it's a Java application which installs Tomcat and Apache in order to operate).

McAfee have a home product, an enterprise product and a "serviced" product (fairly standard managed AV product only you don't have to set up your own management server because they run it themselves).

Can't speak for others but quite often by the time you've whittled your requirements down you often find that your application choices are a lot more limited than a first glance would suggest.

Re:Double ouch. (5, Informative)

Jazz-Masta (240659) | more than 4 years ago | (#31928246)

Norton, McAfee and Trend Micro have very solid products that allow for remote management, deployment, updates, forced scans, etc.

Avast (which I use at home) does not have all of these features yet. I can tell you that when dealing with hundreds of machines, having that dashboard for antivirus saves many hours of time. You can run more frequent scans on problem machines, or allow more/less freedom with the click of a button. Many of the products also have URL blocking (by category), email attachment filtering through Exchange plugins, etc. One feature I like about Trend Micro is the "behaviour" plugin, which flags anything out of the ordinary - such as accessing files, programs, or drives that they haven't before.

Corporate networks also typically have edge firewalls that will catch many of the malware infested URLs, email attachments, etc that cause problems. For many businesses with 200+ computers, the Windows-installed Anti-virus software is actually the last line of defense. Often times the loss of productivity of a couple viruses getting through isn't worth the extra $$ invested in more products or a "better" product with less management features.

Licencing is also a plus. While Norton, McAfee and Trend Micro are expensive initially, additional licences for a large number of computers and renewal licences each year actually make it less expensive than others such as Avast and Panda.

This just confirms my feeling... (0, Redundant)

OiBoy (22100) | more than 4 years ago | (#31927410)

I've always said that Windows was a virus.

Trolltalk is back, bitches! (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31927424)

8==C=O=C=K=S=L=A=P==D~~ [slashdot.org]

People Still Use McAfee? (0)

Anonymous Coward | more than 4 years ago | (#31927428)

I know I quit several years ago for my Windows boxes, mostly because the quality of the software was not up to what was paid for it. It looks like that trend has continued.

Sigh... (4, Funny)

Anonymous Coward | more than 4 years ago | (#31927438)

I would have gotten first post, but I was running windows with McAfee

Fool me twice.... (1)

get quad (917331) | more than 4 years ago | (#31927440)

Seems not too long ago McAfee was deleting important files....and people kept using it. Here we go again. Can I get a lol?

QA (1)

sycodon (149926) | more than 4 years ago | (#31927458)

What possible scenario allowed this CharlieFox past QA?

its crap-ware (0, Flamebait)

Macd275 (1447077) | more than 4 years ago | (#31927468)

HA HA HA HA HA HA HA.
McAfee is crap AV software same with Symantec.

A little relief? (0)

Anonymous Coward | more than 4 years ago | (#31927476)

Thank goodness, I thought it was a re-incarnation of W32/Wecorl.. I'm glad it's only my protection suite.. wait what. =(

Any idea when this was pushed out? (1)

Ungrounded Lightning (62228) | more than 4 years ago | (#31927522)

I don't see any indication of when this first went out.

(My wife runs McAfee and launched an update around 3 AM PDT before hitting the sack...)

Good thing I auto-update on Fridays! (0)

Anonymous Coward | more than 4 years ago | (#31927526)

So uh, anyone know how to disable McAfee completely? Never caught anything for me but false positives anyway.

I have two days...

Re:Good thing I auto-update on Fridays! (1)

Khyber (864651) | more than 4 years ago | (#31927814)

"So uh, anyone know how to disable McAfee completely?"

Wipe Windows completely and reinstall from a fresh disc without all the crapware added.

Re:Good thing I auto-update on Fridays! (1)

bakawolf (1362361) | more than 4 years ago | (#31927840)

Re:Good thing I auto-update on Fridays! (0)

Anonymous Coward | more than 4 years ago | (#31928118)

"McAfee Enterprise software detected.
Cannot continue. Please contact McAfee Technical Support."

Dunno what enterprise means; I put on what they gave me in college, but I'm graduated now.

I'd rather not do a full wipe for this =/

Has anyone considered this is very similar... (0)

Anonymous Coward | more than 4 years ago | (#31927560)

...to the MS update fiasco recently?
Maybe it's not McAfee's fault - maybe it's only quarantining svchost.exe on machines where svchost.exe is infected...

shutdown -a (4, Informative)

bugs2squash (1132591) | more than 4 years ago | (#31927586)

at a command prompt when the "windows will shut down in XX seconds" popup is on screen saved me. I'm still waiting for a mcafee update file to fix it properly.

Also unaffected (1, Interesting)

Anonymous Coward | more than 4 years ago | (#31927590)

Some are running a version of Windows 7 called Windows Vista, and it's also unaffected. Which is not surprising because it's pretty much the same thing with greenish wallpaper.

Fix here (oblig) (0)

Anonymous Coward | more than 4 years ago | (#31927594)

I heard (4, Funny)

Dunbal (464142) | more than 4 years ago | (#31927604)

Next they will be deleting a directory known to be full of malware called system32

Doesn't McAfee Do Testing On Releases? (2, Interesting)

bezenek (958723) | more than 4 years ago | (#31927608)

My God! How can something like this possibly get by QA at a company the size of McAfee? Have they outsourced all of their QA to a team with no clue?

-Todd

Re:Doesn't McAfee Do Testing On Releases? (1)

jimicus (737525) | more than 4 years ago | (#31928216)

Well, if their support is anything to go by, the answer to that is a resounding yes.

McAfee recently screwed me over (2, Interesting)

thetoadwarrior (1268702) | more than 4 years ago | (#31927612)

Two weeks ago it went and deleted two important for dev c++ and another program at my work. It was insistent they were viruses. I'm not sure how I could have received a virus since I get virtually no attachments and don't email anyone outside of work (ie no "fun" emails), I only visit the BBC, Netbean.org, Eclipse.org and a handful of other reputable sites because I rather goof off by writing my own code than doing nothing and I scan all my downloads before installing them.

Sure maybe I got unlucky for the first time in like 3 years. Maybe someone used my computer while I was on holiday but I suspect not. I suspect it's related to this.

Re:McAfee recently screwed me over (4, Informative)

zonky (1153039) | more than 4 years ago | (#31928122)

There is no such thing as a reputable site on the internet.
Some sites use ad networks, which have happily served malware.
Other sites are run by clueless admins and left vulnerable to commodity exploits.

Drive-by downloads exist, and are a risk everywhere.

virus scanners are the devil (5, Informative)

buddyglass (925859) | more than 4 years ago | (#31927678)

Seriously. They consume CPU. They stay resident and consume usable memory. They occasionally crash and/or cause other applications not to work. And, in this situation, they break Windows. I don't use AV and have had pretty much zero issues over the last 6 years of using Windows XP. All you need to do is:

* Configure Windows update to run daily.

* Don't use IE or Outlook.

* Keep Windows Firewall active.

* Don't connect directly to the internet - sit behind a router that's configured to be (mostly) invisible.

* Don't run random things you get sent in email, on facebook, or that pop up unexpectedly while you're at a questionable website.

* If you think something's amiss, boot into safe mode and use a non-resident tool like MBAM.

Re:virus scanners are the devil (2, Interesting)

ledow (319597) | more than 4 years ago | (#31927792)

To be honest 2, 4 and 5 are perfectly adequate for a knowledgeable user and the rest provide little if any advantage. And they also happen to apply to all OS's and all versions of those OS's.

Re:virus scanners are the devil (2, Funny)

Anonymous Coward | more than 4 years ago | (#31928022)

You missed the obligatory:

* Run Linux

Re:virus scanners are the devil (2, Insightful)

Spad (470073) | more than 4 years ago | (#31928044)

That's not enough any more; even reputable websites can often be easily compromised either through SQL injection, XSS, compromised ad server or some other mechanism and apps like Adobe Reader, Office, Flash, Foxit Reader, Firefox, Java, VLC and more have all experienced serious vulnerabilities in recent months, which have often remained unpatched for long periods of time.

I finally gave in and installed my home-licensed copy of Sophos (provided by my work) because there are too many factors outside of my control these days and short of isolating my PC from all external data sources there's no way to be sure and I'd rather have a backup in case I miss something.

Re:virus scanners are the devil (1)

ducomputergeek (595742) | more than 4 years ago | (#31928142)

I have an easy solution: buy a mac.

Re:virus scanners are the devil (5, Informative)

blincoln (592401) | more than 4 years ago | (#31928154)

I used to believe something along those lines. Then my PC was infected with a worm when I plugged an mp3 player into the USB port. I'd bought the player new, factory-sealed, so it must have picked it up at the manufacturing plant. I disabled all autorun/autoplay after that, but I'm still wary enough that I run Avast to help avoid another similar situation.

Also, none of the things you mention will detect/remove a rootkit if one does manage to make its way onto your PC. I cleaned one up off of a PC that belongs to my sister a few weeks ago, and that was a headache. I did a scan of the infected drive in an external USB case, and that got nearly all of the infected files taken care of, but because most virus scanners apparently don't scan the MBR of non-boot drives, the rootkit was still waiting there and I had to use the Windows recovery console to write a new MBR.

As far as I can tell, her PC was infected through some variation of the "malicious PDF in a hidden IFRAME which belongs to an online advertisement" scenario, because she was already using Firefox exclusively. So maybe you should at least add "don't install Adobe Reader, or if you do, disable browser integration, update it daily, and set Firefox to download PDFs instead of opening them" and "install and use AdBlock Plus, and possibly NoScript" to your list.

Re:virus scanners are the devil (1)

djdanlib (732853) | more than 4 years ago | (#31928254)

You forgot a couple things:
1) Don't run as an admin account except for admin tasks.
2) Keep your Adobe products up to date - including Flash and Reader. Someone else you trust might have been compromised and send you an infected PDF file.
3) Allow Windows Update to install MRT and update it every time the monthly definitions update comes out.

Running Windows Update daily won't really help you so much but I agree with the reasons you have for keeping it that way. Microsoft releases most patches on the 2nd Tuesday of every month. There is an occasional out-of-band patch.

Unfortunately, drive-by downloads have been sneaking into banner advertisements on legitimate websites, and those criminals are getting crafty. So, not using A/V is pretty much leaving the door wide open. I've been hit with one in the past 2 weeks (which exploited a 0day in Firefox that was patched very shortly thereafter) that still ran in safe mode and disabled Task manager, Regedit, and MBAM - I had to repeatedly press Ctrl+Alt+Del to find out its PID while task manager would flash on and off my screen thanks to this malware, and eventually got the whole PID and used taskkill to slay it. THEN I was able to run MBAM. Good thing I had the PID column enabled... Would not have expected that kind of thing from a reputable news website!

Virus scanners are typically worse than most of the viruses they are designed to prevent, I agree, but I'll take $antivirus_software with all of its on-access scanning disabled over having to deal with malware like that any day.

Sysadmin Running Protection Pilot (1)

jamesyouwish (1738816) | more than 4 years ago | (#31927692)

I am a sysadmin running Protection Pilot from McAfee for my entire office, where most machines are running XP SP3. My engine version is 5919.0000 and I have yet to see the issue with 72% of my desktops up to date. I currently run Win7 with NOD. Hope all goes well.

For non-Windows-expert family tech-support types (1)

timothy (36799) | more than 4 years ago | (#31927756)

So if / when my dad calls to complain that his Windows machine is broken (I think he runs XP, or perhaps it's the other way around), what should I tell him besides "Hmm. My Ubuntu machines are all fine, and the Mac doesn't seem to be affected ..."

In other words, what's the simple bullet-point list of steps to fix this, for simple folk at home? (Can include visiting neighbors with a thumb drive to download fixes ...)

timothy

Re:For non-Windows-expert family tech-support type (4, Informative)

DjMd (541962) | more than 4 years ago | (#31927912)

http://isc.sans.org/diary.html?storyid=8656 [sans.org]
Basically it looks like command line

shutdown -a (to stop the autorestart)

Put SVChost.exe back in place (out of quarantine)

and disable McAfee...

Re:For non-Windows-expert family tech-support type (1)

petermgreen (876956) | more than 4 years ago | (#31928006)

From a comment on TFA

"One fix is to delete the bad DAT file on the client at "C:\Program Files\Common Files\McAfee\Engine". Delete any av*.dat. Then reboot and the old DAT should be grabbed."

Re:For non-Windows-expert family tech-support type (1)

aicrules (819392) | more than 4 years ago | (#31928032)

Step 1: Disable McAfee entirely. If you can't because of how affected the computer is, copy the svchost.exe from C:\windows\system32\dllcache up to directly in system32 and then start the DCOM service and others that failed to start because of this. Then disable McAfee entirely.

Step 2: Reboot and uninstall McAfee.

They're on the right track (0)

Anonymous Coward | more than 4 years ago | (#31927764)

A few more refinements to McAfee, and it will simply identify the entirety of Windows as a virus. Then it'll promptly replace it with Ubuntu. They can call it "McAfee: Richard Stallman Edition".

DAT (1)

dmitriy (40004) | more than 4 years ago | (#31927766)

C:\Program Files\Common Files\McAfee\Engine\avv*.dat
Nuff said

Remember when.... (1)

Jackie_Chan_Fan (730745) | more than 4 years ago | (#31927770)

Remember when McAfee was distributed on BBS's and it was actually pretty good...

yeah...

those days are long gone.

If you stayed late, you're out of date! (1)

klashn (1323433) | more than 4 years ago | (#31927782)

If you stayed late yesterday and got your update for yesterday's dat, at least you won't be affected with the millions of people that were affected when they powered up their systems this morning. By now, they would have disabled automatic DAT update and you'll get to skip this caustic update. I guess it pays to stay late, or at least arrive late to work! :p

Fix it....go to best buy, get flash drives.... (1)

jswackh (743230) | more than 4 years ago | (#31927822)

You will need another/previous .dat file for McAfee named extra.dat

1. Reboot machine into safe mode (WITH networking)
2. User needs to log into machine (or someone with admin rights logs in)
3. Plug in USB drive
4. Go to CMD window
5. CD to USB Drive (root)
6. Execute this command: "extra.bat"
7. Click "Tools" and then "Unlock Interface"
8. Enter your admin password if needed.
9. Double click "Quarantine Manager Policy"
10. Click "Manager" tab
11. Find latest infection of "W32\Wecorl.a"
12. Right click on infection, click "Restore"
13. Click "Yes"
14. You should get message "All items restored"
15. Reboot – CTRL – ALT – DEL
16. Click "Shutdown" and then "Restart"

extra.bat:

    copy extra.dat "c:\program files\common files\mcafee\engine"
    "c:\program files\mcafee\virusscan enterprise\mcconsol.exe"

If you get an error about file in use while restoring svchost.exe, go to "safe mode command prompt only", and rename c:\windows\system32\svchost.exe to svchost.old, then you can start at step one and it will let you restore from quarantine
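
The steps scattered across this thread (cancel the shutdown countdown with "shutdown -a", stop the on-access scanner so it cannot re-quarantine the file, remove the bad DAT from the Engine folder, drop in a known-good extra.dat, and put svchost.exe back from the dllcache folder as aicrules describes above) can be collected into one batch file carried on the USB stick. The script below is an added example written for this page, not a script from McAfee or from any poster in the thread. It assumes the Windows File Protection cache copy of svchost.exe is intact, that the VirusScan on-access scanner service is named McShield (assumed service name), and that the quarantine restore step in the GUI is skipped in favour of the dllcache copy.

```batch
@echo off
rem mcafee-dat5958-recover.bat  (added example, not from the thread or from McAfee)
rem Run from an administrator CMD window on the affected XP/2000 machine,
rem e.g. from the root of the USB stick after "cd /d" to the drive.

rem 1. Cancel the 60-second restart countdown caused by the RPC/DCOM failure.
shutdown -a

rem 2. Stop the on-access scanner first, otherwise the bad DAT that is still
rem    loaded would quarantine the restored svchost.exe again.
rem    "McShield" is the assumed name of the VirusScan on-access service.
net stop McShield

set ENGINE=%CommonProgramFiles%\McAfee\Engine

rem 3. Delete the bad DAT so the engine falls back to the previous one
rem    (the thread quotes both av*.dat and avv*.dat; the broader pattern is used).
if exist "%ENGINE%\av*.dat" del /q "%ENGINE%\av*.dat"

rem 4. Copy a known-good extra.dat if one was placed next to this script.
if exist "%~dp0extra.dat" copy /y "%~dp0extra.dat" "%ENGINE%\"

rem 5. Put svchost.exe back from the Windows File Protection cache when it was
rem    quarantined (moved away). If it is still present but flagged "in use",
rem    follow the thread's advice: safe mode command prompt, rename to svchost.old.
if not exist "%SystemRoot%\system32\svchost.exe" (
    copy /y "%SystemRoot%\system32\dllcache\svchost.exe" "%SystemRoot%\system32\svchost.exe"
) else (
    echo svchost.exe is still present; if it is in use, rename it in safe mode first.
)

rem 6. Sanity check: the restored file must match the protected cache copy byte for byte.
fc /b "%SystemRoot%\system32\dllcache\svchost.exe" "%SystemRoot%\system32\svchost.exe" >nul
if errorlevel 1 (
    echo WARNING: svchost.exe does not match the dllcache copy. Do not reboot yet.
    exit /b 1
)

rem 7. Restart the host services that died with svchost, then reboot manually
rem    (CTRL-ALT-DEL, Shutdown, Restart) once McAfee has been disabled or updated.
net start DcomLaunch
net start RpcSs
echo Recovery steps complete. Disable McAfee DAT auto-update, then reboot.
```

The fc /b check at step 6 is the part worth keeping even if the rest is done by hand: it confirms the file in system32 is the genuine cached binary rather than something else that happened to be sitting in the quarantine, which is the one question a false-positive cleanup should always answer before the machine is put back on the network.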

Re:Fix it....go to best buy, get flash drives.... (1)

thsths (31372) | more than 4 years ago | (#31928156)

And you have exactly 60 seconds to do that? :-)

Windows 7 unaffected (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31927828)

"Basically non-functioning. Windows 7 seems to be unaffected."

Only because Windows 7 wasn't functioning in the first place.

Mcafee (0)

Anonymous Coward | more than 4 years ago | (#31927836)

It's official... Windows is a virus!!!

So they don't do any QA at all then? (1)

nedlohs (1335013) | more than 4 years ago | (#31927866)

XP SP3, it's not exactly uncommon...

Finally (0, Redundant)

hduff (570443) | more than 4 years ago | (#31927986)

Finally, a virus scanner that correctly identifies Windows as the virus.

My Experience (5, Informative)

jibster (223164) | more than 4 years ago | (#31927994)

I work at a major chip manufacturing plant. At 4.10 I was conferencing with another fab when all our PCs shut down. 10 minutes later the place was in chaos. Now, don't get me wrong, the fab keeps going, but my god the cost to the company of this. Say 10 sites world wide with 2-5k employees each, the majority of which can't do any meaningful work. McAfee have a lot to answer for.

Re:My Experience (0, Troll)

gzipped_tar (1151931) | more than 4 years ago | (#31928272)

So what, your corporation's legal hounds are going to launch lawsuits against McAfee? Since you USAers honor the EULA (with those DISCLAIMER texts) more than the Constitution, good luck with that.

Too bad it wasn't ClamAV this time. (1)

Orbijx (1208864) | more than 4 years ago | (#31928146)

I bet that after seeing what McAfee can do when it screws up, they won't bitch about what ClamAV did [slashdot.org] .

(for those who need the summary: ClamAV pulled an update that caused it to shut itself down if it was version 0.94 or older after announcing ~6 months in advance that people needed to update, and kept filling log files with warnings to update. McAfee is breaking a Windows component that causes the entire computer to not function, with a less obvious warning, left for the reader to figure out. The hint is the first word in the previous sentence.)

Some versions of McAfee, not others (1)

proxima (165692) | more than 4 years ago | (#31928150)

Based on what we're seeing and reports from the internet, McAfee 8.0 and 8.5 are unaffected by this problem, while versions 8.7 and 8.9 are. It's also XP specific. Still, that combination has to be a very large number of computers worldwide.

Oh, I don't need virus protection... (0, Redundant)

TheSpoom (715771) | more than 4 years ago | (#31928152)

I run Linux. [xkcd.com]

*rides off into the sunset*

How does this happen? (2, Insightful)

Jayws (1613285) | more than 4 years ago | (#31928228)

What I want to know is how does something like this happen? You would think McAfee takes their new patch and tests it to make sure that it doesn't cause this type of annoying issue. How does something like this slip through the cracks?

Next Up! Norton to ID McAfee as a Virus! (1)

Mekkah (1651935) | more than 4 years ago | (#31928236)

Next Up! Norton to ID McAfee as a Virus!

Running "shutdown -a" will stop the reboot (1)

gestalt_n_pepper (991155) | more than 4 years ago | (#31928240)

long enough for you to become utterly frustrated that there's no easily downloaded fix from McAfee.
