McAfee mistakenly detects legitimate Windows system files as malicious in false positive nightmare

News by Dan Raywood

McAfee was hit by a false positive problem late yesterday as it classified a Windows update as malware, causing XP users' computers to crash.

The vendor released a signature definition file (known as a ‘DAT’) containing an error that caused a number of computers running Windows XP to report a legitimate Windows system file as malware.

The problem was flagged by CITES Security at the University of Illinois, which warned of a ‘potential virus outbreak’ in a service interruption notice yesterday. It said it was ‘monitoring a potential virus outbreak on Windows XP’ and that ‘machines are currently reporting infections with wecorl.a or DCOM Server process restarted’.

It later said the problem had been ‘tentatively identified as a false positive and we are going to be working with McAfee to identify a solution’. It subsequently reported that ‘the offending update has been removed and an extra.dat file has been prepared by McAfee that prevents this false positive’.

The file being flagged was ‘svchost.exe’, the generic host process for Windows services that are implemented as dynamic link libraries. Security blogger Brian Krebs pointed to SANS incident handler Johannes Ullrich, who reported that McAfee was flagging svchost.exe as malicious.

He said that svchost.exe is a common system process typically shared by multiple legitimate services on a Windows system (although malware does often inject itself into this process), so an anti-virus program that flags the process as a threat can cause major problems on the host.
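Because a genuine svchost.exe and a malicious look-alike can share a name, a practitioner faced with an alert like this one wants a quick way to check which it is before letting a scanner quarantine it. The PowerShell below is an added example, not code from the article, McAfee or SANS: it lists every running svchost.exe, checks that the image lives in a Windows system directory and carries a valid Microsoft Authenticode (or catalog) signature, and hashes the on-disk binary for comparison with a known-good copy. It assumes Windows 8 or later with PowerShell 4 or newer (so that catalog signatures are recognised and Get-FileHash exists) and an elevated prompt so that process paths are readable.

```powershell
# Added example: sanity-check running svchost.exe images before trusting an
# AV verdict against them. Assumes Windows 8+ / PowerShell 4+ and an elevated
# prompt; on older systems catalog-signed files report as NotSigned.

$systemRoot = $env:SystemRoot
$legitDirs  = @("$systemRoot\System32", "$systemRoot\SysWOW64") |
              ForEach-Object { $_.ToLowerInvariant() }

$results = Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
    $proc    = $_
    $path    = $proc.Path      # $null when access to the process is denied
    $verdict = 'unknown (path not readable; rerun elevated)'
    $signer  = ''
    $status  = ''

    if ($path) {
        $dir = (Split-Path -Parent $path).ToLowerInvariant()
        $sig = Get-AuthenticodeSignature -FilePath $path
        $status = $sig.Status
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

        $inSystemDir = $legitDirs -contains $dir
        $msSigned    = ($status -eq 'Valid') -and ($signer -like '*O=Microsoft Corporation*')

        $verdict = if ($inSystemDir -and $msSigned) { 'legitimate image' }
                   elseif (-not $inSystemDir)       { 'SUSPECT: image outside system directory' }
                   else                             { "SUSPECT: signature status $status" }
    }

    [pscustomobject]@{
        PID     = $proc.Id
        Path    = $path
        Status  = $status
        Signer  = $signer
        Verdict = $verdict
    }
}

$results | Format-Table -AutoSize

# Hash the canonical binary so it can be compared with a known-good build or a
# vendor/reputation lookup when a scanner claims it is infected.
Get-FileHash -Algorithm SHA256 "$systemRoot\System32\svchost.exe"
```

Note the limit of this check: it vouches for the image file on disk, not for the code executing inside it. A process that was started from the genuine, signed svchost.exe and then had malware injected into it will still report as a legitimate image, so this distinguishes a false positive on the binary (the situation described in this article) from an impostor binary, not from in-memory injection.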

Krebs said: “One symptom seems to be that McAfee reports that user systems are infected with W32.Wecorl.a. The anti-virus program attempts to destroy or quarantine that targeted process then forces the Windows machine into a reboot cycle.”

Writing in an update, Michael Corn, chief privacy and security officer in the office of the CIO at the University of Illinois, whose campus anti-virus vendor is McAfee, confirmed that computers affected by the faulty DAT may reboot frequently or report that the virus W32/Wecorl.a was found.

He said: “If you are experiencing any of these symptoms you are probably seeing the impact of this buggy DAT. McAfee has released a new and corrected DAT and the buggy DAT has been replaced in the campus DAT repositories by Cites Security.”

McAfee initially responded with a statement, which said: “McAfee is aware that a number of corporate customers may have incurred a false positive error due to incorrect malware alerts on Wednesday, April 21. McAfee is working to address the problem with continuous customer communication and a new signature update. McAfee apologises for any inconvenience to our customers.”

Barry McPherson, executive vice president of worldwide technical support at McAfee, said the company believed the incident had affected less than one half of one per cent of its enterprise accounts globally, and a fraction of that proportion of its consumer users.

He said: “Our initial investigation indicates that the error can result in moderate to significant issues on systems running Windows XP Service Pack 3. The immediate impact on corporate users was lessened for corporations who kept a feature called ‘Scan Processes on Enable’ in McAfee VirusScan Enterprise disabled, as it is by default, though those customers could also be impacted when running an on demand scan.”

He confirmed that the faulty update was removed from all McAfee download servers within hours, preventing any further impact on customers. He also said that McAfee teams are working with the highest priority to support impacted customers.

He said: “We have also worked swiftly and released an updated virus definition file (5959) within a few hours and are providing our customers detailed guidance on how to repair any impacted systems.”

He later posted a follow-up, saying that the ‘update file clearly did more harm than good’. He said: “There was a legitimate threat and we wanted to protect our customers, as we have done successfully thousands and thousands of times before. But in trying to do so, we created negative and unintended consequences for some very important people. Many of you.

“Having talked to literally hundreds of my colleagues around the world and emailed thousands to try and find the best way to correct these issues, let me say this has not been my favourite day. Not for me, or for McAfee. Not by a long shot.

“Mistakes happen. No excuses. The nearly 7,000 employees of McAfee are focused right now on two things, in this order. First, help our customers who have been affected by this issue get back to business as usual. And second, once that is done, make sure we put the processes in place so this never happens again.”
