svchost.exe tagged as malicious on Win XP SP3 systems

Apr 22, 2010 08:02 GMT

A malware definitions update pushed by antivirus giant McAfee to its customers yesterday contained a buggy detection routine that caused millions of computers to go into a reboot loop. The severe system instability issue resulted from erroneous blocking of the critical svchost.exe file on computers running Windows XP SP3.

The problematic update, identified as the 5958 DAT, detected the svchost.exe file on Win XP SP3 systems as being infected with new variants in the Wecorl family of malware. According to Microsoft, svchost.exe is a vital Windows system file in charge of loading services that run from DLLs.

McAfee released a corrected update, DAT 5959, hours after the bogus definition went out. However, the fix has to be deployed to affected systems manually in Safe Mode, a nightmare for IT staff in large enterprises with thousands of computers. Additionally, if the svchost.exe file has been deleted or quarantined, it must be restored from backup locations. The procedure is described in more detail in a McAfee knowledge base article associated with this incident.

The obvious question is why an update affecting such an important file made it through the Quality Assurance (QA) process, which normally involves scanning a known clean set of files, including system ones. "McAfee's DATs use techniques to avoid scanning and causing false positives on Microsoft files in the majority [of] situations, for example if this was a simple scan of the file as it was accessed on the file system these would have prevented the false positive. Because this was a memory scan of the running process that then caused a subsequent scan of the file on disk these mitigation techniques were unfortunately circumnavigated," the company explains.
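The failure mode McAfee describes, a known-clean allowlist that only guards one scan path, is illustrated below in a toy scanner. This is an added example, not McAfee's code: the file bodies, hashes and signatures are constructed, and the "Wecorl-like" signature is deliberately too broad so that it hits the clean svchost sample. The hardened version routes every scan path through one verdict function where the allowlist always wins, and a release-time QA check flags any signature that matches the clean corpus before the definitions ship.

```python
import hashlib

# Constructed sample file bodies; these are NOT real Windows binaries.
CLEAN_CORPUS = {
    "svchost.exe": b"MZ...services host: loads services from DLLs",
    "notepad.exe": b"MZ...simple text editor",
}
# Allowlist of known-clean file hashes, as a vendor would ship beside its definitions.
KNOWN_CLEAN = {hashlib.sha256(b).hexdigest() for b in CLEAN_CORPUS.values()}

# Constructed signatures. The second is deliberately over-broad: its byte pattern
# also occurs in the clean svchost sample, mimicking a bad DAT entry.
SIGNATURES = {
    "Constructed.Trojan.A": b"drop-and-run payload",
    "Constructed.Wecorl-like": b"services host",
}

def match_signatures(data: bytes) -> list[str]:
    """Return the names of all signatures whose pattern occurs in data."""
    return [name for name, pat in SIGNATURES.items() if pat in data]

def buggy_memory_scan(process_image: bytes) -> str:
    """Buggy path: memory scan, then follow-up disk scan, with no allowlist check."""
    hits = match_signatures(process_image)
    return "quarantine" if hits else "clean"

def verdict(data: bytes, hits: list[str]) -> str:
    """Hardened chokepoint: every scan path ends here and the allowlist always wins."""
    if not hits:
        return "clean"
    if hashlib.sha256(data).hexdigest() in KNOWN_CLEAN:
        return "allowlisted"  # record the hit for analysts, never quarantine
    return "quarantine"

def hardened_memory_scan(process_image: bytes) -> str:
    """Same trigger as the buggy path, but the decision goes through verdict()."""
    return verdict(process_image, match_signatures(process_image))

def qa_check_definitions(corpus: dict) -> dict[str, list[str]]:
    """Release-time QA: map each signature that hits a known-clean file to those files."""
    bad: dict[str, list[str]] = {}
    for fname, data in corpus.items():
        for sig in match_signatures(data):
            bad.setdefault(sig, []).append(fname)
    return bad  # a non-empty result should block the definition update from shipping
```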

But McAfee is certainly no stranger to false positive incidents. In June 2009, the company withdrew a service pack-like patch for its VirusScan Enterprise 8.7i product, after it deleted several system files and left thousands of computers unbootable. Also, the 5409 DAT update released on October 20, 2008 incorrectly detected the Windows Vista console IME component as being infected with the PWS-LegMir trojan, while in August of the same year, a plug-in for the Microsoft Office Live Meeting was erroneously tagged as malicious and blocked.

That being said, McAfee is not the only AV company to crash their customers' computers via buggy definitions. Just last month, Romanian antivirus vendor BitDefender pushed an update to their x64 customers, which quarantined every executable run on the affected systems, including critical ones. ESET, AVG, Trend Micro and Symantec also had their share of messing with Windows components in the past.

The 5959 DAT issued by McAfee to address this problem can be downloaded from here.