Thousands of Windows XP PCs down: McAfee delivers a fiasco
Because of an insufficiently tested update file, thousands of computers running Windows XP SP3 were stuck in a reboot loop. More than 1,000 stores of an Australian retailer were affected. McAfee has apologized.
On Wednesday, April 21, McAfee updated its virus signature database. Users very quickly informed the vendor of a malfunction. The cause was a false positive introduced by the update, which led the VirusScan anti-virus engine (from version 8.7) to treat a system file (svchost.exe) as malicious.
According to McAfee and the businesses hit by the bug, only computers running Windows XP SP3 were affected. However, given the nature of the fault (machines stuck in a reboot loop) and the market share of Windows XP in the enterprise, the potential victims are numerous.
McAfee first protected its image by minimizing the incident
In a message first published on April 21 on its blog, McAfee says that few customers are affected (less than 1%). Reports from the field are much less optimistic. Steve Shillingford, a consultant, told InformationWeek that he had been approached by a multinational company with 50,000 workstations that fell victim to the McAfee bug.
ZDNet Australia reported store closures at the Cole chain, where 10% of the terminals in its outlets had to be shut down. Some 1,100 of the Australian retailer's stores were affected.
The Associated Press reported similar failures at a third of the hospitals in the U.S. state of Rhode Island. In Kentucky, the onboard computer terminals in police cars went down.
Many accounts from companies whose workstations were unavailable
ComputerWorld notes that numerous messages of frustration have been posted on Twitter by users of McAfee's anti-virus. Although it played down the extent of the incident, the vendor has not been idle. It has developed a tool that automatically corrects the signature database and restores the quarantined "svchost.exe" file.
The cause of these failures is a quality assurance (QA) error at McAfee. The anomaly should in principle have been detected during the test phases, and thus before the DAT file was distributed to users.
McAfee, which apologized on its blog, hides behind a recent change in its QA environment. To prevent such an incident from happening again, technical support manager Barry McPherson says McAfee is implementing new protocols in its testing process.
A flaw in testing, and Windows XP SP3 left unchecked
A confidential document given to ZDNet.com by an anonymous source says that two of the protocol's procedures were not followed ("Standard Peer Review" and "Risk Assessment"). In addition, test configurations were neglected, especially VirusScan 8.7 on Windows XP SP3.
In ComputerWorld, John Pescatore, a security analyst at Gartner, also points to a major anomaly in the vendor's testing process, and is surprised as well that the svchost.exe file was deleted or quarantined without any warning message being displayed on the workstations.
Another cause of this incident is the speed with which vendors distribute new signatures; speed is also a selling point. Moreover, with solutions such as McAfee's Enterprise Policy Orchestrator (EPO), new versions of the signatures are deployed immediately. The aim is to reduce the period of exposure to attack.
But while speed can help reduce risk in a complex environment such as a business, it can also cause side effects and lead to false positives with catastrophic consequences. As with OS updates, testing before deployment is a prerequisite.
Source: ZDNET


