Customers report unbootable computers after deployment

Jun 10, 2009 08:05 GMT  ·  By

A service pack-like update for McAfee's VirusScan Enterprise 8.7i, which had been in the making for several months, was pulled from download on June 2 after it caused problems for customers. False positives on some system files, which were detected as W32/Generic.worm.aa and deleted, left computers unbootable.

Various McAfee customers gathered in the support forum to express their discontent with the faulty VSE 8.7i Patch 1, which was released on May 27. "First they release a buggy 8.7i, then they wait half a year before they release the first patch and now the patch itself has been pulled? Do they actually know themselves how ridiculous this looks?" one of the users wrote.

Since the company had released no official statement at the time, users started looking for mitigation solutions themselves. After several sets of uninstallation instructions were posted, which worked for some administrators but not others, someone coded and published a VBScript able to remove the patch from affected computers remotely.

One unfortunate admin noted that he had deployed the update to 2,500 computers. Even apparently unaffected users complained about the state of uncertainty and the lack of communication from the company, not knowing whether to remove the patch or not. Eventually, McAfee instructed users who had deployed the buggy update to keep it in place, since a fix was to be issued in an upcoming DAT file.

In a later statement, McAfee noted that the issue did not affect a large number of customers. "McAfee removed Patch 1 for McAfee VirusScan Enterprise 8.7i from its download servers out of precaution after a potential issue with the update was discovered. A very small number of customers reported trouble with the patch on a limited number of computers," the company said.

In a knowledge base article published on June 8, it is noted that, "McAfee has isolated the cause of the issue and has addressed this as part of the incremental 5639 DAT files released on Sunday, 7 June 2009 and later." The company also pointed out that, "If you have not yet deployed Patch 1 to your environment, wait until Patch 1 has been reposted."

False positives of this sort are not uncommon in the AV world, but, when they involve critical system files, they can prove very stressful for customers. Back in September 2008, a faulty definition update from Trend Micro left many European consumers with unstable computers after several Windows Vista and XP components were tagged as malicious. A month later, in November, buggy updates from AVG left non-English Windows XP computers unable to boot after they wrongfully deleted user32.dll.

This is not McAfee's first incident of this sort. Back in October 2008, the 5409 DAT files caused the deletion of conime.exe (the Windows Vista console IME), which was falsely detected as the PWS-LegMir Trojan. Earlier, in August, another faulty update from the company tagged a Microsoft Office Live Meeting plug-in as malware.