The issue began on Wednesday around 9:00 a.m. ET when the security giant pushed out a new virus definition file to PCs running McAfee VirusScan Enterprise. In the release, a legitimate Windows operating system file called "svchost.exe" had somehow been falsely classified as a virus called "W32/Wecorl.a." The faulty update caused computers running Windows XP Service Pack 3 to display a false positive error message or a blue screen and to repeatedly reboot.
Every affected computer will need to be manually fixed, Amrit Williams, chief technology officer at security management solutions vendor BigFix, told SCMagazineUS.com on Thursday. The worst-case scenario is that affected organizations will have to re-image each affected PC or reinstall the Windows operating system, which could take up to a full day to get the machine back up and running normally.
In the best-case scenario, organizations can boot affected machines into Windows safe mode and try to replace the corrupted file, Williams said. This option, which requires some technical skill and may not necessarily be effective, would take approximately an hour per machine, on average.
Anti-virus companies have tight controls to ensure that new signature packs do not cause false positives – but in this case something went wrong, Peter Schlampp, VP of marketing and product management at network monitoring firm Solera Networks, told SCMagazineUS.com on Monday.
Williams, who worked as an engineer within the security division at McAfee, said it would have been “extremely easy” to catch the false positive error with even the most basic testing.
“There was either a malicious act to make this happen or some negligence that occurred,” he said. “Either way, this is a complete failure of McAfee's quality control process.”
For organizations that were impacted, this is a very expensive and time-intensive problem, Schlampp said.
In a blog post Wednesday, Barry McPherson, McAfee's executive vice president of worldwide support and customer service, said the incident “impacted less than one half of one percent of our enterprise accounts globally and a fraction of that within the consumer base–home users of products.” Published reports place the actual number of impacted PCs in the hundreds of thousands, or possibly millions.
McPherson acknowledged that the impact to those affected is “significant” and said McAfee employees are now working to help affected customers and ensure a similar incident does not happen in the future.
“We sincerely apologize for the inconvenience this has caused our customers,” he said.
Many of those affected were not sympathetic. One individual using the name of "Toby DeDog" commented on McPherson's blog post that, “Your ‘protection’ is far worse than any virus you're supposed to protect us against.”