Home > Uncategorized > The McAfeepocalypse

The McAfeepocalypse

April 21, 2010

Around 9am I got to looking at a user’s machine which was being particularly obstinate.  Nothing was working right – network access, file management, device connection, even login.  A virus, I thought, and set about trying to figure out which one and how to counter it.

And thus was our whole day consumed, as one computer after another bit the dust.  Classrooms cracked up, offices went offline, and faculty computers freaked out.  Not all machines, just some of them.  It was too widespread to be from a specific website; this had the mark of network distribution on it.  It acted oddly for a virus, though, disabling the network cards and USB device drivers.  Seldom does a virus cut off its own means of spreading.

Turned out it was network-distributed though.  The campus virus-ninja came to investigate and found that svchost.exe (a vital Windows file) had been “zeroed out”, which meant it was just an empty file name with nothing in it.

Our network admin Pete Juvinall and our brilliant student tech Nick Friedel found out that the nefarious program in question was… (drumroll please) McAfee AntiVirus.  That’s right, the program meant to protect the machine was damaging the machine.  It’s a digital auto-immune disease; the latest .dat file mis-identified XPsp3 svchost.exe as a virus.

Pete was interviewed by AP and just got called by CBS Nightly News, so he’s famous.  (MrsDoF says; “I bet he’d rather be rich.”) And here’s the thing: McAfee’s website, all the tech websites and forums were useless on this fast-breaking crisis.  Nick and Pete found the answers on Twitter.

I hope Twitter can find a way to monetize its operations, because it is quickly becoming a global nervous system.  A flu outbreak?  The CDC can track it on Twitter.  Terrorist attack?  Get advance information on exactly what kind of attack to coordinate the response.  Earthquake?  Tweets actually move faster than S- and P- waves.  Blackouts, food poisoning, apple Danish just out of the bakery oven, you name it, Twitter moves information about it.  It can even help a network administrator in the MidWest become the celebrity hero of a… um, anti-virus attack.

NOTES:

  • Read that AP article for some idea of the mayhem this caused in law enforcement, medicine, etc.

  • Nick said he’d post his fix procedure on his website in the next hour or so. 
  • Briefly, the procedure is as follows: start up in safe mode, rename mcshield.exe to something else.  Copy a good svchost.exe into your \windows\system32 directory.  Restart.  Start up McAfee Antivirus Console and either roll back or forward to get off .dat 5958.  Restore the name of mcshield.exe and restart.  It’s a miracle!
  • Oh, and McAfee?  Best you lay low for a while.  We’re not happy with you.
Categories: Uncategorized
  1. Jim
    April 21, 2010 at 18:14 | #1

    I consider McAfee and Norton both to be a virus. I have had nothing but headaches out of both these programs. Uninstalling either one completely is almost impossible. At work, where I have no choice but to use Windows, I use Avira or Avast. I have had good results with both. At home I use Linux, Linux Mint to be specific, and have far fewer headaches to deal with.

  2. April 21, 2010 at 19:05 | #2

    Not being all that used to dealing with Windows, I was mystified at how often vital files like DLLs would just disappear. The only time they do that on Posix systems is when some administrator accidentally torches one. On reflection, I think this sort of thing must happen rather often.

  3. April 21, 2010 at 22:49 | #3

    Nice work on the recovery George, but I guess I should throw some congrats to Pete and Nick.

    I laugh reading this because we have Symantec at work and are actually moving to McAffe as if that will solve all of our problems. I’m betting that the sales dudes at McAffe assured us of that. But really it just shows that the big behemoth companies are their own worst enemy. As they morph into a dinosaur they lose more of the critical feedback loop and become slow to change. These are issues that open source software tends to be free of.

    I use ClamWin for any windows system. Its free and open source, fast, doesn’t bog down the system at all, catches all or any viruses that appear, and just works. No bells and whistles, just a clean system!

  4. April 22, 2010 at 07:32 | #4

    @Jim: Yeppers, I use Linux at home too.  It’s kind of like a little vacation after using Windows all day at work.

    @Cujo359: You are right that McAfee and Norton probably mess up legitimate files all the time.  But with, what, a quarter-million files in a typical Windows installation? it probably only manifests as gradual degradation in Windows performance, maybe an extra warning message or two in a workday.  Yesterday it just happened to mess up a file that really crippled the system.

    @webs: Congrats to Pete and Nick indeed!  They took the problem from “something is wrong with svchost” to “here’s what’s actually wrong and the procedure to fix it”.  That’s the most important transition in solving any problem.

    I’d love to hear the conversation between your system directors and the McAfee people today. Heh.  Do you suppose it will occur to them that the fundamental problem isn’t the A/V software?

    FWIW, I’ve been using Microsoft Security Essentials on my 7 machines and it seems to run very well.  I’d be surprised if it weren’t a monopolistic advantage.

  5. April 22, 2010 at 07:51 | #5

    I highly doubt that will ever occur to them. And if it does I’m sure they will rationalize it in a way where they can easily dismiss it. Because we have already been sold on McAffe and are moving to it. So at this point those that made the decision would never be able to cut their losses and swallow their pride.

  6. April 23, 2010 at 19:58 | #6

    McAfee.  Argh.  I think McAfee was the one that torched my registry a while back.  Haven’t had a moment’s trouble since getting rid of it and running Avast instead.

    Congrats to you, Pete, Nick, and Twitter!

Comments are closed.