April 22, 2010, 1:07 PM — Nothing ruins an IT administrator's day faster than a software update from a security vendor wreaking havoc on the computer systems it is intended to protect. That is exactly the predicament faced by many IT administrators today, when a flawed McAfee update rendered Windows XP PCs essentially useless.
Joris Evers, a McAfee spokesperson, e-mailed a statement explaining, "In the past 24 hours, McAfee identified a new threat that impacts Windows PCs. Researchers worked diligently to address this threat that attacks critical Windows system executables and buries itself deep into a computer's memory."
Evers continued, "The research team created detection and removal to address this threat. The remediation passed our quality testing and was released with the 5958 virus definition file at 2:00 PM GMT+1 (6am Pacific Time) on Wednesday, April 21."
Not long after that, reports began to surface that Windows PCs--primarily Windows XP SP3 PCs--were experiencing significant issues, including constant rebooting or the ever-popular BSOD (blue screen of death) system crash.
A number of customers experienced a false positive, which resulted in the ensuing chaos. The 5958 virus definitions apparently detect svchost.exe--a core system file on Windows PCs--as a malware threat. According to the McAfee statement, though, "corporations who kept a feature called 'Scan Processes on Enable' in McAfee VirusScan Enterprise disabled, as it is by default, were not affected."
McAfee responded by quickly pulling the faulty update from the McAfee servers. An emergency extra.dat file was made available in the McAfee forums to address the issue, but the forums site was so overwhelmed with customer backlash that it was eventually taken offline. A corrected virus definition file--5959--is now available, and McAfee has posted instructions to recover affected systems.
Evers summed up with an apology to affected customers and the following mea culpa: "We are investigating how the incorrect detection made it into our DAT files and will take measures to prevent this from reoccurring."
Identifying Affected Systems
Obviously, if your Windows XP SP3 system is displaying a BSOD or constantly rebooting, you have some pretty strong evidence that the system was impacted by the faulty McAfee detection of the W32/wecorl.a virus.