The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    McAfee UPDATE **FALSE POSITIVE on critical system file!

    Discussion in 'Security and Anti-Virus Software' started by Evil Claw, Apr 21, 2010.

  1. Evil Claw

    FYI***

    At work (gov't) today computers started logging off and rebooting. :confused: At first, I looked up and saw "logging off" and I hadn't even touched the keyboard. It rebooted and said svchost.exe is deemed a virus and instead of deleting, shuts down within a minute, and reboots in an endless cycle. If you have McAfee and your computer starts rebooting, it's because McAfee has identified a critical system file as a virus. :rolleyes: Our IT Director has contacted McAfee and they have responded with a "yeah, we have a problem with our daily update and we are working on it, but it could be the end of the day before something is sent out." :eek: Good thing I switched my AV last year.

    **update**12:50pm
    From my IT Director:
    "The apparent Virus attack this morning is actually not a virus attack at all. McAfee sent out a virus update this morning that has ACCIDENTALLY tagged the SVCHOST file on computers as being a virus. They are aware that they have created this issue and will be sending out the updated virus data file shortly. (This will be one of those news stories tonight) In the meantime, we are shutting down our Virus update server until the issue is resolved. Thanks for your patience."
     
  2. Tinderbox (UK)

  3. Evil Claw

    There is no virus. McAfee is their own worst enemy.
     
  4. Tinderbox (UK)

  5. coolguy

  6. booboo12

    I think Symantec's gonna get a bunch of corporate converts.

    The consumer product isn't affected, thank goodness. Imagine if that was affected....:S
     
  7. Angelic

    They failed so hard.
     
  8. ryan24

    That's quite unacceptable. Never really been a McAfee fan.
     
  9. StormEffect

    I spent ALL DAY AT WORK today fixing this problem. I had it figured out around noon EST so I think I was ahead of the curve. McAfee released an ISO with a script that fixes the problem, but before that I was fixing it by adding an exception DAT to the McAfee definitions folder and then reintroducing svchost.exe either from an internal backup directory or by using a copy from another XP SP3 Pro machine.

    Let me tell you, work was WILD today because of this. We're calling it the Great McAfee Disaster of 2010!
     
  10. yuyi64

    Now you guys see why McAfee is the first thing I uninstall on any new computer I buy for myself or I'm asked by someone else to set up. To think that some people INTENTIONALLY install McAfee on their computers and even pay for it just blows my mind!
     
  11. Greg

    This was a pretty big deal today, one that McAfee will pay for I hope. I stopped using their software six years ago, and I'm glad I did.

    What is really funny about this though is that it shows that McAfee probably did not even test their update before releasing it.
     
  12. jedisolo

    I work in the IS department at the local children's hospital, and last year we moved from using Norton to Sophos, and Sophos is a pretty good AV suite.
     
  13. Evil Claw

  14. dyusem

    My laptop (Sony BX-760) is experiencing many of the symptoms (no task bar, no internet connection and much other funkiness) of this update.

    I was able to download the patch on my iMac and bluetooth it to the BX-760 BUT I can't boot the Sony in safe mode to install the patch.

    I'm thinking of using Revo to uninstall McAfee. Does anyone know if this will rectify the situation???

    Any other suggestions?

    Thanks!!!
     
  15. StormEffect

    The fix should be burned onto a disk. I don't think it will do anything on your laptop if you transferred it there; it's an image file. Can you link me the patch you are using?

    Otherwise, you need to somehow turn McAfee off and replace the svchost.exe file in your C:/windows/system32 directory with a clean copy from another Win XP SP3 computer. Copy and paste will be broken, so you might need to use an Ubuntu live CD or something to transfer the file into the correct folder.
     
  16. dyusem

    The patch that I was going to use is at:

    http://download.nai.com/products/mcafee-avert/tools/SDAT5958_EM.exe

    However I've done the following since posting:

    1/ fully uninstalled McAfee using Revo. Once the application was gone I was able to boot the computer in safe mode and the svchost.exe file in the system32 directory was also gone.
    2/ spent gobs of time waiting for and speaking with McAfee level 1 tech support. They were unable to fix the problem so it has been escalated and I'm waiting for a tech support call which is scheduled for 5-8am PDT today...I'm not hopeful that the call is forthcoming; cynicism in this case is warranted.

    I'm unsure where to get a clean copy of svchost.exe but I believe that I could transfer one via a flash drive from my iMac to the XP laptop. If anyone can point me to that file I'll owe you a 6-pack :)

    Cheers again,
    David
     
  17. dyusem

    It is amazing what a shot of French Roast will do...

    I just realized that the file that I downloaded (SDAT5958_EM.exe) included a new svchost.exe file for the system32 folder so I installed it in safe mode and I believe that I'm back in business.

    The only obvious visual issue that I've noticed is the quick launch part of the task bar has vanished...perhaps a bit more leaded java will help me discover how to revive it...

    Now I'll need to noodle whether I want to download McAfee again...
     
  18. qhn

    It is a conspiracy since, so far, only XP systems were being affected, and not a single Vista or W7 system has been reported :D

    cheers ...
     
  19. Heiji1412

    That's because, according to a leaked internal memo, they didn't test XP during their QA. Considering XP is still the de facto corporate OS, it's quite a careless decision by them.
     
  20. dyusem

    FWIW, I received the following generous offer from McAfee yesterday; very unsure if I'm going to take them up on it or not:

    Important Message from McAfee

    Dear David,

    According to our records, you recently contacted McAfee Customer Support regarding the faulty update to your PC security software. We are very sorry for the inconvenience this may have caused. We value our loyal customers, so we are offering an extension of your current McAfee product subscription for an additional 2 years, free of charge. In addition, if you incurred expenses with a 3rd party to fix your PC as a result of the faulty update, we are offering to reimburse reasonable expenses in satisfaction of this matter.

    To apply for a subscription extension and/or expense reimbursement, simply complete the form by clicking here. Please note that all information collected will be completely confidential. After you complete the form, please print or save the confirmation page for reference.

    Our commitment to safeguarding your PCs from hackers and cybercriminals remains steadfast. We value you as a customer and are determined to provide you with the highest levels of security.

    Thank you,

    The McAfee Team