McAfee antivirus update damages NT 4.0

Read on to find out how to stop the antivirus update messing with your master boot record. Windows 2000 users are not affected.

A number of Windows NT 4.0 users who updated Network Associates' McAfee VirusScan/NetShield 4.0.2 using the 4120/4110 SuperDAT utility were greeted with an ominous error message upon rebooting: "Operating System Not Found."

The 4120/4110 SuperDat upgrade had in fact damaged the Master Boot Record (MBR) of the NTFS partition. The MBR contains information that, among other things, tells the computer where to find the operating system when it starts up. In one worst-case scenario made very real, System Administrator Craig Hackl reports distributing the 4120/4110 upgrade to 130 workstations on a Windows NT network and having to reinstall the OS on every PC.

Network Associates subsequently pulled the 4120/4110 SuperDAT file from the McAfee Web site and posted this notice: "The 4109 DAT and 4120/4109 SuperDAT packages have been reinstated while a compatibility issue regarding VirusScan v4.0.2 on Windows NTFS is investigated. More information will be posted as it is available."

Network Associates builds its virus scanning utilities from three technologies: the product executable (in this case, version 4.0.2), the scan engine (4.1.20) and the antivirus definition, or DAT, library (4110). McAfee's SuperDAT utility updates the scan engine and the DAT at the same time.

According to Robbie Wisdom, McAfee director of product management, problems with the 4120/4110 upgrade arose when a file-locking component was shifted from the scan engine to the product executable. This was done in order to allow other Network Associates and McAfee products to perform antivirus updates without requiring a reboot.

The 4.0.2 executable, which did not do file locking, was replaced in March 2000 by version 4.5, which does. Consequently, the 4120/4110 SuperDAT upgrade was compiled assuming that the product executable would handle the file-locking chores. As McAfee Product Manager Alan Johansen points out, the file-locking conflict affects only VirusScan/NetShield 4.0.2 Windows NT users who selected the scanning option "Scan MBR on shut down".

In that case, with no file locking in place, the scan.dat, name.dat and clean.dat files would get out of synchronization with each other during the SuperDAT update process. The end result could be a corrupted MBR. This issue occurred only if the update was conducted via the SuperDAT utility.

The 4120/4111 SuperDAT utility currently posted on the McAfee Web site resolves the file-locking issue with VirusScan/NetShield 4.0.2. Network Associates also recommends that all VirusScan/NetShield users upgrade to the latest version, the 4.5 program executable, as soon as possible.

Testers at KeyLabs were able to verify the latest fixes. We installed NetShield version 4.0.2 on an NTFS-formatted Windows NT Workstation 4.0 and upgraded to 4120/4111 without any problems. We also installed VirusScan 4.0.3a and the SuperDAT 4120/4111 upgrade and again encountered no hiccups with the OS or the MBR. Our tests also verified that the problem doesn't affect Windows 2000.

McAfee's Alan Johansen emphasizes that even if the MBR is damaged, programs and data on the hard disk should be safe. Reinstalling the operating system will restore the MBR. McAfee technicians have also had some success restoring the MBR by invoking the repair process on the Microsoft NT installation CD. McAfee will post a standalone fix for customers with damaged NTFS master boot records. For more information, Network Associates customer support can be reached at 001 (972) 308-9960.

We all know the importance of vigorous virus protection, but with automatic library updating, users can become complacent about how up-to-date their software truly is.

A month ago, Bugnet reported that Windows 95/98 systems running VirusScan software could hang because of a version mismatch between scan engine 4.0.02 and DAT file 4102. At the time, McAfee AVERT Labs senior director Vincent Gullotto recommended that users update their scan engines and program executables -- not just the virus definition files -- on a quarterly basis. Good advice then and now.
