{"id":740,"date":"2010-04-25T08:15:24","date_gmt":"2010-04-25T08:15:24","guid":{"rendered":"http:\/\/andyparkes.co.uk\/blog\/index.php\/2010\/04\/25\/mcafee-false-positive\/"},"modified":"2010-04-25T08:15:24","modified_gmt":"2010-04-25T08:15:24","slug":"mcafee-false-positive","status":"publish","type":"post","link":"https:\/\/andyparkes.co.uk\/blog\/index.php\/2010\/04\/25\/mcafee-false-positive\/","title":{"rendered":"McAfee False Positive"},"content":{"rendered":"<p>You may or may not have heard about the massive mistake McAfee made last week.<\/p>\n<p>On Wednesday 25th April they released a virus definition file (5958 \u2013 April 21st) that incorrectly identified svchost.exe as a threat and deleted it on systems running Windows XP SP3.<\/p>\n<p>Svchost is used for launching services (<a href=\"http:\/\/support.microsoft.com\/kb\/314056\">full description here<\/a>) and any individual instance can run a group of services. This means it\u2019s a pretty critical process!<\/p>\n<p>Unfortunately for us, a large chunk of our client base is running McAfee anti-virus software; the others run Trend Micro.<\/p>\n<p>We knew something wasn\u2019t quite right when we received several calls all around the same time with similar symptoms. However, while the symptoms were similar they weren\u2019t identical, so initially we didn\u2019t quite know what was going on. 
Unfortunately, the one thing they did have in common was a loss of network connectivity, which meant we couldn\u2019t fully diagnose the issue.<\/p>\n<p>Later that day <a href=\"http:\/\/vil.nai.com\/vil\/5958_false.htm\" class=\"broken_link\">McAfee issued a notice<\/a>, an updated definition file and details of how to fix the issue.<\/p>\n<p>Basically we had to:<\/p>\n<blockquote>\n<p>Boot into safe mode<\/p>\n<p>Add an EXTRA.dat to the <strong>c:\\program files\\commonfiles\\mcafee\\engine<\/strong> folder (or just run the 5959 Super DAT, which is quicker)<\/p>\n<p>Recover a copy of svchost from the service pack cache <strong>c:\\windows\\ServicePackFiles\\i386\\<\/strong> or, if not present, <strong>C:\\WINDOWS\\system32\\dllcache\\<\/strong><\/p>\n<p>Restart the computer<\/p>\n<\/blockquote>\n<p>McAfee released an automated tool for this the following day (it\u2019s in this <a href=\"https:\/\/kc.mcafee.com\/corporate\/index?page=content&amp;id=kb68780\" class=\"broken_link\">KB article<\/a>).<\/p>\n<p>A simple enough fix, but as I said earlier every PC we\u2019d seen with this issue had no network connectivity.<\/p>\n<p>This meant we <strong>potentially<\/strong> had to physically visit every single PC we look after.<\/p>\n<p>I say potentially because this only impacts systems running Windows XP SP3, and we do have some clients running Vista or Windows 7. But most of our clients still currently run Windows XP. Also, VirusScan 8.7 systems were harder hit; some of the PCs were still running 8.5.<\/p>\n<p>Still, for some people it would be every PC they own.<\/p>\n<p>Now, regardless of the size of your company, ask yourself some questions.<\/p>\n<p>How long would it take you to spend 5-10 minutes on every PC you look after?<\/p>\n<p>Did you factor travel time into that?<\/p>\n<p>Who do you make a priority when everyone is offline? 
<\/p>\n<p>Fortunately we got a little lucky.<\/p>\n<p>We configure the McAfee products to fetch updates from the global McAfee update site every hour. Any servers on site will then check for and get updated every hour.<\/p>\n<p>PCs check every 2-3 hours, but we also put a random delay on this. The main reason is that on larger sites we don\u2019t want lots of PCs all generating network traffic at the same time; by putting in the random offset it\u2019s staggered through the day. This, in combination with the fact that McAfee actually got the updated DAT out the same day, meant that lots of PCs never actually received the faulty update.<\/p>\n<p>That said, we still had a LOT of work to do.<\/p>\n<p>We visited as many sites as we physically could over a two-day period, and for some other sites that had tech-savvy people on site we managed to go through it on the phone with them.<\/p>\n<p>I also had to cancel other appointments, which I hate doing, and some other promises I made were a little strained.<\/p>\n<p>I\u2019m sure we\u2019ll still be dealing with issues at the start of next week.<\/p>\n<p>Obviously for our contract customers this was all at our expense. 
<\/p>\n<p>I can\u2019t even begin to think what this will cost McAfee as customers start to move away at their next renewal period.<\/p>\n<p><a href=\"https:\/\/kc.mcafee.com\/corporate\/index?page=content&amp;id=KB68787\" class=\"broken_link\">McAfee have an FAQ here<\/a> as well as a <a href=\"http:\/\/siblog.mcafee.com\/support\/an-update-on-false-positive-remediation\/\">couple of<\/a> blog post <a href=\"http:\/\/siblog.mcafee.com\/support\/mcafee-response-on-current-false-positive-issue\/\">apologies<\/a>.<\/p>\n<p>As you can imagine, there has been a lot of commentary on this, and other vendors are jumping in to take advantage.<\/p>\n<p><a title=\"http:\/\/www.pcmag.com\/article2\/0,2817,2363018,00.asp\" href=\"http:\/\/www.pcmag.com\/article2\/0,2817,2363018,00.asp\" class=\"broken_link\">http:\/\/www.pcmag.com\/article2\/0,2817,2363018,00.asp<\/a><\/p>\n<p><a title=\"http:\/\/www.betanews.com\/article\/One-very-false-positive-McAfee-in-full-damage-control-mode\/1272040662\" href=\"http:\/\/www.betanews.com\/article\/One-very-false-positive-McAfee-in-full-damage-control-mode\/1272040662\" class=\"broken_link\">http:\/\/www.betanews.com\/article\/One-very-false-positive-McAfee-in-full-damage-control-mode\/1272040662<\/a><\/p>\n<p><a title=\"http:\/\/blogs.zdnet.com\/Bott\/?p=2031\" href=\"http:\/\/blogs.zdnet.com\/Bott\/?p=2031\" class=\"broken_link\">http:\/\/blogs.zdnet.com\/Bott\/?p=2031<\/a><\/p>\n<p>Especially since it turned out this was down to poor quality testing.<\/p>\n<p>As the IT world always seems to throw odd coincidences, on Friday I got an email inviting me to the McAfee stand at the InfoSec exhibition next week \u2013 I imagine that stand is either going to be very busy\u2026 or very empty.<\/p>\n<p>This scenario is truly a management nightmare \u2013 an automated update that renders a PC unusable and that can only be repaired by hand. 
On top of this we\u2019re going to have our own PR exercise to sort out.<\/p>\n<p>All our end-users see is a broken PC. It\u2019s our responsibility to keep them up and running, and while we still fixed the problem, they\u2019ll still be asking <strong>US<\/strong> questions as to why it <\/p>\n<p>For new installations we moved away from McAfee long ago (there are other McAfee posts on this blog).<\/p>\n<p>Our existing customers have been using McAfee for a variety of reasons, but when the renewals come up we\u2019ll be making a concerted effort to get them away.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[25,78],"tags":[],"class_list":["post-740","post","type-post","status-publish","format-standard","hentry","category-mcafee","category-trend-micro"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.11 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>McAfee False Positive - Andy&#039;s Techie Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/andyparkes.co.uk\/blog\/index.php\/2010\/04\/25\/mcafee-false-positive\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"McAfee False Positive - Andy&#039;s Techie Blog\" \/>\n<meta property=\"og:description\" content=\"You may or may not of heard about the massive mistake McAfee made last week. On Wednesday 25th April they released a virus definition file (5958 \u2013 April 21st) that incorrectly identified svchost.exe as a threat and deleted it on systems running Windows XP SP3. 
Svchost is used for launching services (full description here) andRead More\" \/>\n<meta property=\"og:url\" content=\"https:\/\/andyparkes.co.uk\/blog\/index.php\/2010\/04\/25\/mcafee-false-positive\/\" \/>\n<meta property=\"og:site_name\" content=\"Andy&#039;s Techie Blog\" \/>\n<meta property=\"article:published_time\" content=\"2010-04-25T08:15:24+00:00\" \/>\n<meta name=\"author\" content=\"Andy Parkes\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Andy Parkes\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/andyparkes.co.uk\/blog\/index.php\/2010\/04\/25\/mcafee-false-positive\/\",\"url\":\"https:\/\/andyparkes.co.uk\/blog\/index.php\/2010\/04\/25\/mcafee-false-positive\/\",\"name\":\"McAfee False Positive - Andy&#039;s Techie 
Blog\",\"isPartOf\":{\"@id\":\"https:\/\/andyparkes.co.uk\/blog\/#website\"},\"datePublished\":\"2010-04-25T08:15:24+00:00\",\"dateModified\":\"2010-04-25T08:15:24+00:00\",\"author\":{\"@id\":\"https:\/\/andyparkes.co.uk\/blog\/#\/schema\/person\/3534e8ac6b1bec765cd061feff56679d\"},\"breadcrumb\":{\"@id\":\"https:\/\/andyparkes.co.uk\/blog\/index.php\/2010\/04\/25\/mcafee-false-positive\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/andyparkes.co.uk\/blog\/index.php\/2010\/04\/25\/mcafee-false-positive\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/andyparkes.co.uk\/blog\/index.php\/2010\/04\/25\/mcafee-false-positive\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/andyparkes.co.uk\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"McAfee False Positive\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/andyparkes.co.uk\/blog\/#website\",\"url\":\"https:\/\/andyparkes.co.uk\/blog\/\",\"name\":\"Andy&#039;s Techie Blog\",\"description\":\"Professional Geek\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/andyparkes.co.uk\/blog\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/andyparkes.co.uk\/blog\/#\/schema\/person\/3534e8ac6b1bec765cd061feff56679d\",\"name\":\"Andy Parkes\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/andyparkes.co.uk\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/3824cbf53df51d7ca5cf809b6ad81a157fbfff2292e36ab8666f04ddad06bfcc?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/3824cbf53df51d7ca5cf809b6ad81a157fbfff2292e36ab8666f04ddad06bfcc?s=96&d=mm&r=g\",\"caption\":\"Andy Parkes\"},\"description\":\"Andy Parkes is Technical Director at 
Coventry based IT support company IBIT Solutions. Formerly, coordinator of AMITPRO and Microsoft Partner Area Lead for 2012-2013. He also isn't a fan of describing himself in the third person.\",\"sameAs\":[\"http:\/\/www.andyparkes.co.uk\/blog\"],\"url\":\"https:\/\/andyparkes.co.uk\/blog\/index.php\/author\/andyparkes\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/pmvJ6-bW","jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/andyparkes.co.uk\/blog\/index.php\/wp-json\/wp\/v2\/posts\/740","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/andyparkes.co.uk\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/andyparkes.co.uk\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/andyparkes.co.uk\/blog\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/andyparkes.co.uk\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=740"}],"version-history":[{"count":0,"href":"https:\/\/andyparkes.co.uk\/blog\/index.php\/wp-json\/wp\/v2\/posts\/740\/revisions"}],"wp:attachment":[{"href":"https:\/\/andyparkes.co.uk\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=740"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/andyparkes.co.uk\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=740"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/andyparkes.co.uk\/blog\/index.php\/wp-json\/wp\
/v2\/tags?post=740"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}