Security vendor McAfee has published a fix for the definitions update that triggered a false positive and rendered XP SP3 systems unusable.
The definitions update, labeled as "5958 virus definition file", was released at 2.00 PM GMT+1 (6am Pacific Time) on Wednesday, April 21. This update incorrectly detects svchost.exe as malware. Problems resulting from this include:
- Continuous reboots
- Missing taskbar
- Loss of internet connectivity
In the past 24 hours, McAfee identified a new threat that impacts Windows PCs. Researchers worked diligently to address this threat that attacks critical Windows system executables and buries itself deep into a computer’s memory.
The research team created detection and removal to address this threat. The remediation passed our quality testing and was released with the 5958 virus definition file at 2.00 PM GMT+1 (6am Pacific Time) on Wednesday, April 21.
McAfee is aware that a number of customers have incurred a false positive error due to this release. We believe that this incident has impacted less than one half of one percent of our enterprise accounts globally and a fraction of that within the consumer base–home users of products such as McAfee VirusScan Plus, McAfee Internet Security Suite and McAfee Total Protection. That said, if you’re one of those impacted, this is a significant event for you and we understand that.
Our initial investigation indicates that the error can result in moderate to significant issues on systems running Windows XP Service Pack 3. The immediate impact on corporate users was lessened for corporations who kept a feature called “Scan Processes on Enable” in McAfee VirusScan Enterprise disabled, as it is by default, though those customers could also be impacted when running an on demand scan.
The faulty update was removed from all McAfee download servers within hours, preventing any further impact on customers.
McAfee teams are working with the highest priority to support impacted customers. We have also worked swiftly and released an updated virus definition file (5959) within a few hours and are providing our customers detailed guidance on how to repair any impacted systems.
An apology is all well and good, but the fact that yet again a security vendor has pushed an update to customers that disables PCs shows that there is a serious problem with how these firms test updates before letting them loose into the wild. The impact on affected users is great, and represents greater disruption than most malware would cause.
If these firms want to be trusted to push updates that can potentially cripple the systems they run on, we as customers need far greater transparency about what testing definitions undergo before they are released.
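As an added illustration of the kind of pre-release testing the author is calling for, here is a small Python model of a definition-release gate. It is not McAfee's tooling and knows nothing about their actual process or signature format; the signature names, the byte patterns, and the stand-in "system binaries" are all constructed for this example. The idea is that a new definition set is run against a corpus of known-good OS binaries from clean reference installs (one per supported OS and service pack) and is refused release if any signature fires on one, with a hash allowlist on the endpoint as a second line of defence.

```python
"""
Pre-release regression gate for detection signatures.

Added example, not any vendor's tooling: every name, pattern and file below
is constructed for illustration.  Before a definition set is published it is
run against a corpus of known-good system binaries (a "golden set"); if any
signature fires on one, the set must not ship.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes  # raw byte sequence the engine looks for (stand-in for a real signature)


# Constructed stand-ins for protected OS binaries.  A real gate would load the
# actual files from clean reference installs, one per supported OS/service pack.
GOLDEN_CORPUS = {
    "WinXP-SP3/svchost.exe":  b"MZ\x90\x00" + b"\x00" * 16 + b"SERVICE_HOST_TABLE" + b"\x00" * 8 + b"\xaa\xbb\xcc\xdd",
    "WinXP-SP3/lsass.exe":    b"MZ\x90\x00" + b"\x00" * 16 + b"LSA_SERVER_CORE" + b"\x00" * 12,
    "WinXP-SP3/explorer.exe": b"MZ\x90\x00" + b"\x00" * 16 + b"SHELL_EXPLORER" + b"\x00" * 10,
}

# Hash allowlist, computed once from the reference corpus and shipped to endpoints.
GOLDEN_HASHES = {path: hashlib.sha256(data).hexdigest() for path, data in GOLDEN_CORPUS.items()}

# Constructed definition sets.  The "bad" one adds a signature whose pattern is too
# generic and happens to occur in the svchost.exe stand-in, i.e. a false positive.
GOOD_DEFS = [Signature("Trojan.Constructed.A", b"\xde\xad\xbe\xef\x13\x37")]
BAD_DEFS = GOOD_DEFS + [Signature("Trojan.Constructed.B", b"\xaa\xbb\xcc\xdd")]


def scan(signature: Signature, data: bytes) -> bool:
    """Return True if the signature's byte pattern appears anywhere in data."""
    return signature.pattern in data


def false_positives(signatures, corpus=GOLDEN_CORPUS):
    """Every (signature name, file path) pair where a signature fires on a known-good file."""
    hits = []
    for sig in signatures:
        for path, data in corpus.items():
            if scan(sig, data):
                hits.append((sig.name, path))
    return hits


def release_gate(signatures, corpus=GOLDEN_CORPUS):
    """Return (ok, report).  ok is False when the definition set must not ship."""
    hits = false_positives(signatures, corpus)
    if hits:
        return False, [f"BLOCKED: {sig} matches known-good {path}" for sig, path in hits]
    return True, ["OK: no signature fires on the golden corpus"]


def safe_to_quarantine(path: str, data: bytes, allowlist=GOLDEN_HASHES) -> bool:
    """Endpoint-side backstop: never quarantine a file whose content hash is on the
    allowlist for that path, even if a signature matches it."""
    return hashlib.sha256(data).hexdigest() != allowlist.get(path)


if __name__ == "__main__":
    for label, defs in (("5958-like set", BAD_DEFS), ("corrected set", GOOD_DEFS)):
        ok, report = release_gate(defs)
        print(f"{label}: {'release' if ok else 'hold'}")
        for line in report:
            print("  " + line)
```

The gate only catches what the golden corpus covers, so its value depends on keeping reference images for every supported platform (here the XP SP3 stand-ins) and on including the scan modes customers actually run, such as on-access and on-demand scans of running processes; the allowlist check is deliberately tied to both path and hash so that a malicious file dropped under a system file's name does not inherit its protection.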