Re: McAfee Update Kills More Than Viruses (NewsFactor)

 
Old 13-03-2006, 11:28 PM   #1
Duh_OZ


Technophobe wrote:
> NewsFactor - A recent virus-definition update from security firm McAfee
> incorrectly flagged several applications as viruses, even removing the
> core Microsoft Excel executable from some users' computers.
>

=========
I assume this is where he clipped to his convenience:
http://www.toptechnews.com/story.xh...id=03100339UWZJ

<snip>
Files that became quarantined or deleted included core Microsoft Office
executables like excel.exe and graph.exe. A file related to Adobe
Update Manager also was moved to a different folder for quarantine, and
renamed.

While the problem might sound severe, it had limited impact because the
error occurred only when a user initiated a manual scan. Those who had
set the antivirus updates to run during idle time or in the background
were not affected.
</snip>

Old 14-03-2006, 05:40 PM   #2
* * Chas


"Duh_OZ" <ozzy.kopec@gmail.com> wrote in message
news:1142292492.044750.151440@i39g2000cwa.googlegroups.com...
> Technophobe wrote:
> > NewsFactor - A recent virus-definition update from security firm McAfee
> > incorrectly flagged several applications as viruses, even removing the
> > core Microsoft Excel executable from some users' computers.
> >
> =========
> I assume this is where he clipped to his convenience:
> http://www.toptechnews.com/story.xh...id=03100339UWZJ
>
> <snip>
> Files that became quarantined or deleted included core Microsoft Office
> executables like excel.exe and graph.exe. A file related to Adobe
> Update Manager also was moved to a different folder for quarantine, and
> renamed.
>
> While the problem might sound severe, it had limited impact because the
> error occurred only when a user initiated a manual scan. Those who had
> set the antivirus updates to run during idle time or in the background
> were not affected.
> </snip>
>


This problem says something about McAfee's quality control doesn't it?
They never tried running the update on a number of systems before
releasing it "to the wild"?

Chas.


Old 14-03-2006, 07:03 PM   #3
David H. Lipman

From: "* * Chas" <dnafutz@aol.spam.com>


| This problem says something about McAfee's quality control doesn't it?
| They never tried running the update on a number of systems before
| releasing it "to the wild"?
|
| Chas.
|

No it doesn't say anything about McAfee's quality control. *ALL* the AV vendors have at one
time or another had False Positive declarations. Avast still incorrectly indicates Trend
Micro's Sysclean utility is infected with the VBS/RedLof and not too long ago Microsoft anti
spyware was declaring NAV as spyware and corrupting its installation.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


Old 15-03-2006, 04:42 AM   #4
* * Chas


"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:FrERf.28648$_f4.16483@trnddc03...
> From: "* * Chas" <dnafutz@aol.spam.com>
>
> | This problem says something about McAfee's quality control doesn't it?
> | They never tried running the update on a number of systems before
> | releasing it "to the wild"?
> |
> | Chas.
>
> No it doesn't say anything about McAfee's quality control. *ALL* the AV vendors have at one
> time or another had False Positive declarations. Avast still incorrectly indicates Trend
> Micro's Sysclean utility is infected with the VBS/RedLof and not too long ago Microsoft anti
> spyware was declaring NAV as spyware and corrupting its installation.
> --
> Dave


Over the past 10+ years I've had the occasional False Positive from at
least half of the 15 or so AV products that I've used. But they only
flagged 1 or 2 files. From the articles that I've read about the McAfee
update problem, it looks like some folks will have to reinstall a few
programs like MS Excel if the False Positive files were deleted:

"Ben Ames, IDG News Service
Tuesday, March 14, 2006

Executives at McAfee are adding new testing procedures after thousands
of customers downloaded faulty software last week.

Instead of identifying only malicious worms and viruses, the software
flagged many popular programs as threats. That prompted users to delete
utility files from software such as Adobe Update Manager, Google Toolbar
Installer, Macromedia Flash Player, and Microsoft Excel."

"No Automatic Fix
Still, private users who mistakenly deleted beneficial software will
have to fix their own computers. There is no software patch that will
automatically restore the deleted programs; users will need to manually
replace them from backup files.

In contrast, the company will help its enterprise customers recover,
since they face a more complex problem of managing computers for many
people in an organization. "It will be a little more difficult for
enterprise customers, so we've developed a tool that will attempt to put
the files back again," he says.

On its Web site, McAfee wrote, "Since this incident occurred, AVERT
staff have been working around the clock directly with impacted
customers to help them assess the degree of impact and restore the files
where possible.""

http://www.pcworld.com/news/article/0,aid,125073,00.asp

This isn't McAfee's first major screw up:

"By John Leyden
Published Tuesday 7th September 2004 16:00 GMT

An Australian software developer has been left fuming after the latest
virus definition update from McAfee caused his package to be wrongly
identified as a Trojan horse programme.

The false positive meant that ISPWizard, an internet setup program
wizard, was labelled as the BackDoor-AKZ Trojan by users running the
latest update of McAfee's AV software. As a result, ISPWizard is being
unceremoniously ripped from users' systems. This means that many people
are unable to connect to their ISPs because the software that they need
has been automatically deleted by McAfee.

McAfee's cock-up dates from 1 September [2004] when it released an
antivirus DAT (signature file) update. It has yet to rectify its
mistake."

http://www.theregister.co.uk/2004/0...ee_false_alarm/

I don't want to get into a ****ing contest with you because I respect
your opinions and info from your many responses but....

How difficult is it to test run AV updates on a number of systems before
releasing them?

My company is in the process of switching our enterprise management
software from AIX Unix with PC terminal emulation to Win Server 2003.
Yesterday I spoke with our head geek about enterprise level AV (he
knows very little about malware) and he had just renewed our current
license... OH S**T!

Switching from Unix to a Windows OS is going to make our system much
more vulnerable to malware. We have over 100 users and I work on commission.
I'm concerned about the reliability of our AV software because it could
directly affect my income!

Chas.








Old 15-03-2006, 07:00 PM   #5
David H. Lipman

From: "* * Chas" <dnafutz@aol.spam.com>

|
| "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
| news:FrERf.28648$_f4.16483@trnddc03...
>> From: "* * Chas" <dnafutz@aol.spam.com>
>>
|>> This problem says something about McAfee's quality control doesn't it?
|>> They never tried running the update on a number of systems before
|>> releasing it "to the wild"?
|>>
|>> Chas.
>>
>> No it doesn't say anything about McAfee's quality control. *ALL* the AV vendors have at one
>> time or another had False Positive declarations. Avast still incorrectly indicates Trend
>> Micro's Sysclean utility is infected with the VBS/RedLof and not too long ago Microsoft anti
>> spyware was declaring NAV as spyware and corrupting its installation.
>> --
>> Dave
|
| Over the past 10+ years I've had the occasional False Positive from at
| least half of the 15 or so AV products that I've used. But they only
| flagged 1 or 2 files. From the articles that I've read about the McAfee
| update problem, it looks like some folks will have to reinstall a few
| programs like MS Excel if the False Positive files were deleted:
|
| "Ben Ames, IDG News Service
| Tuesday, March 14, 2006
|
| Executives at McAfee are adding new testing procedures after thousands
| of customers downloaded faulty software last week.
|
| Instead of identifying only malicious worms and viruses, the software
| flagged many popular programs as threats. That prompted users to delete
| utility files from software such as Adobe Update Manager, Google Toolbar
| Installer, Macromedia Flash Player, and Microsoft Excel."
|
| "No Automatic Fix
| Still, private users who mistakenly deleted beneficial software will
| have to fix their own computers. There is no software patch that will
| automatically restore the deleted programs; users will need to manually
| replace them from backup files.
|
| In contrast, the company will help its enterprise customers recover,
| since they face a more complex problem of managing computers for many
| people in an organization. "It will be a little more difficult for
| enterprise customers, so we've developed a tool that will attempt to put
| the files back again," he says.
|
| On its Web site, McAfee wrote, "Since this incident occurred, AVERT
| staff have been working around the clock directly with impacted
| customers to help them assess the degree of impact and restore the files
| where possible.""
|
| http://www.pcworld.com/news/article/0,aid,125073,00.asp
|
| This isn't McAfee's first major screw up:
|
| "By John Leyden
| Published Tuesday 7th September 2004 16:00 GMT
|
| An Australian software developer has been left fuming after the latest
| virus definition update from McAfee caused his package to be wrongly
| identified as a Trojan horse programme.
|
| The false positive meant that ISPWizard, an internet setup program
| wizard, was labelled as the BackDoor-AKZ Trojan by users running the
| latest update of McAfee's AV software. As a result, ISPWizard is being
| unceremoniously ripped from users' systems. This means that many people
| are unable to connect to their ISPs because the software that they need
| has been automatically deleted by McAfee.
|
| McAfee's cock-up dates from 1 September [2004] when it released an
| antivirus DAT (signature file) update. It has yet to rectify its
| mistake."
|
| http://www.theregister.co.uk/2004/0...ee_false_alarm/
|
| I don't want to get into a ****ing contest with you because I respect
| your opinions and info from your many responses but....
|
| How difficult is it to test run AV updates on a number of systems before
| releasing them?
|
| My company is in the process of switching our enterprise management
| software from AIX Unix with PC terminal emulation to Win Server 2003.
| Yesterday I spoke with our head geek about enterprise level AV (he
| knows very little about malware) and he had just renewed our current
| license... OH S**T!
|
| Switching from Unix to a Windows OS is going to make our system much
| more vulnerable to malware. We have over 100 users and I work on commission.
| I'm concerned about the reliability of our AV software because it could
| directly affect my income!
|
| Chas.
|

I am not saying it isn't a major f**kup. I am sure, if I was to dig a little, I could find
similar examples of screwups from almost all AV vendors.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


Old 16-03-2006, 09:52 AM   #6
Ian Kenefick

On Wed, 15 Mar 2006 19:00:22 GMT, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

>I am not saying it isn't a major f**kup. I am sure, if I was to dig a little, I could find
>similar examples of screwups from almost all AV vendors.


Agreed. The problem lies in the retroactive nature of antivirus
solutions. AV vendors are hampered not by their ability to add
detection for new threats - but to put the detection through
sufficient QA so this type of thing doesn't happen. The balance of
response time 'v' testing is a tedious one. A fudge up for sure... but
all AV'ers have been guilty of this in the past and will continue to
be in the future.

--
Regards,
Ian Kenefick
http://www.ik-cs.com
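
An added example, not part of the thread and not any vendor's actual process: a minimal pre-release false-positive gate of the kind the QA discussion above is about, scanning a known-good corpus with a candidate definition set and blocking release on any hit. The signature format, file names and byte contents are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    name: str       # detection name shipped in the definition update
    pattern: bytes  # byte sequence the scanner looks for

def scan(data, signatures):
    """Return the names of every signature whose pattern occurs in data."""
    return [s.name for s in signatures if s.pattern in data]

def false_positive_gate(candidate, clean_corpus):
    """Scan known-good files with a candidate definition set.

    Returns (release_ok, hits); hits maps each flagged clean file to the
    detections raised on it. Any hit on this corpus is a false positive.
    """
    hits = {}
    for path, data in clean_corpus.items():
        names = scan(data, candidate)
        if names:
            hits[path] = names
    return not hits, hits

def offending_signatures(hits):
    """Signatures to pull or tighten before the update can ship."""
    return sorted({name for names in hits.values() for name in names})

# Constructed stand-ins for a corpus of widely deployed, known-good files.
CLEAN_CORPUS = {
    "Office/excel.exe": b"MZ\x90\x00constructed spreadsheet host stub",
    "Office/graph.exe": b"MZ\x90\x00constructed chart host stub",
    "Adobe/updater.dll": b"MZ\x90\x00constructed update manager stub",
}

# Constructed definition sets: one with an over-broad pattern, one tightened.
BROAD = [Signature("Constructed.Trojan.A", b"host stub")]
TIGHT = [Signature("Constructed.Trojan.A", b"\xde\xad\xbe\xef host stub loader")]

if __name__ == "__main__":
    for label, sigs in (("broad", BROAD), ("tight", TIGHT)):
        ok, hits = false_positive_gate(sigs, CLEAN_CORPUS)
        print(label, "release" if ok else "BLOCK", offending_signatures(hits), hits)
```
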
Old 16-03-2006, 06:27 PM   #7
David H. Lipman

From: "Ian Kenefick" <ian_kenefick@eircom.net>

| On Wed, 15 Mar 2006 19:00:22 GMT, "David H. Lipman"
| <DLipman~nospam~@Verizon.Net> wrote:
|
>> I am not saying it isn't a major f**kup. I am sure, if I was to dig a little, I could
>> find similar examples of screwups from almost all AV vendors.

|
| Agreed. The problem lies in the retroactive nature of antivirus
| solutions. AV vendors are hampered not by their ability to add
| detection for new threats - but to put the detection through
| sufficient QA so this type of thing doesn't happen. The balance of
| response time 'v' testing is a tedious one. A fudge up for sure... but
| all AV'ers have been guilty of this in the past and will continue to
| be in the future.
|

Thanx to Derek, I understand there is a False Positive in the Ad-aware Def 198.

"Ad-aware is seeing the following Registry key as W32.Trojan.Downloader:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG

That's a rather *LARGE* and potentially nasty false positive. That's the tracing control for
Windows Firewall.."

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

