Wednesday, April 21, 2010

McAfee "false positive" locks up many corporate users; other vendors have had false positive problems

Peter Svensson of the AP has an important story today about a bad update from McAfee that reportedly caused its antivirus software, for corporate customers (but apparently not home users), to identify a harmless Windows file as a virus, sending some computers into repeated reboot cycles. Some hospitals and police departments were reportedly disrupted. The AP link is here.


McAfee has posted instructions in a knowledge base article titled “False positive detection of W32/Wecorl.a in 5958 DAT” (KB68780), here.

There is a detailed technical story on PCWorld by Tom Bradley, “Recovering from the flawed McAfee update,” here.

The affected file was apparently svchost.exe. However, according to McAfee, corporate customers who left “Scan Processes on Enable” in McAfee VirusScan Enterprise disabled, as it is by default, were not affected.

According to the AP story, false positives have also occurred with other vendors, sometimes with consequences. In March 2010, the antivirus software Bitdefender locked up the computers of some Windows users.

Update: April 23

Today, McAfee started its scheduled scan on an older Inspiron laptop (XP Pro), stalled, and flashed a yellow box warning me that I needed to check for updates to fix the problem noted above. Apparently I had never installed the bad update. After the check, the manual scan ran normally.
