In association with heise online

22 April 2010, 12:00

McAfee signature update takes down Windows systems

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

McAfee Logo A flawed signature update (DAT 5958) from McAfee yesterday (Wednesday) caused the system file svchost.exe to be identified and quarantined as the virus W32/Wecorl.a under Windows XP SP3. This resulted in affected systems rebooting (30 second countdown) and then entering an endless boot loop, repeatedly restarting.

According to McAfee's user forum, large numbers of businesses are affected. To resolve the problem, the vendor is advising users to download an updated signature (DAT 5959) on an unaffected computer, copy it to a USB drive, restart the affected computer in safe mode with network support (press F8 while booting) and connect the USB drive. Double-clicking on the file 5959xdat.exe will then install the new signature. In most cases, users will then need to restore the svchost.exe file. McAfee has provided instructions for doing so.

Alternatively, the file extra.dat (direct download) can be used to prevent the flawed signature from disabling the system. Users should copy this file onto a USB drive, copy it from there into the c:\Program Files\Common Files\McAfee\Engine folder on the affected system (in safe mode) and restart the computer. Here again, svchost.exe will need to be manually restored or retrieved from quarantine.

These fixes involve a fair bit work for administrators, as it is not possible to resolve the problem from a central management console. On large networks this is likely to result in a few late nights. McAfee has also released an automated solution in the form of an executable file (direct download).

McAfee has a function for intercepting false positives, but this only works for files on the hard drive – the problem here, according to McAfee, is that the false positive is triggered by the memory scan, which can't be intercepted.

As an interesting side note, McAfee's bug added an extra dose of realism to a disaster exercise being held by one Iowa community, when the emergency centre computers and communications systems failed. The teams were forced to fall back on old radio systems.

As past stories from The H show, McAfee is not alone among anti-virus vendors in causing disruption through issuing a flawed update.

See also:

(crve)

Print Version | Send by email | Permalink: http://h-online.com/-983693
 


  • July's Community Calendar





The H Open

The H Security

The H Developer

The H Internet Toolkit