f13.net

http://www.cnn.com/2010/TECH/04/22/cnet.mcafee.antivirus.bug/index.html?iref=allsearch

This is my rant post. I have been fixing fucking XP boxes for two days now, I work as desktop support for the U of Mich. They should buy me a bottle. Who else here was fucked by the Mc?

I bet it was a pissed off McAfee employee on the way out, how else does SVCHOST get fuckin' flagged as a virus?

Maybe others have different experiences, but I've always found McAfee to be a pile of crap.  I dumped it way back in my college days when it was the only package NOT to find my roommate's virus that was spreading over our home LAN. My corporate and educational experiences with it since then haven't been any better.

It destroyed my entire office. People's desktops have been rebooting since yesterday morning.

It's really the day the virus known as antivirus is seen for what it is.

McAfee gave people's computers the AIDS.  :awesome_for_real:

Actually inspired by Stewart's rant on FOX, it's really more computer Lupus.

Now I am kinda glad I got rid of McAfee two years ago...

Yeah, we've been bitching about it in Useless Conversation.

We got lucky in that our department wasn't hit that hard, but I was already exhausted from finishing moving the day before, and I was dressed up for a panel I did in the morning.  I don't normally move about so frequently, much less in heels.  My legs are killing me today and I think I overdid it since my old wrist injury is hurting for the first time in years.

Once I knew how to fix it, things weren't too bad.  But when I had half a dozen machines around me all giving the same symptoms of a hack, I didn't have a lot of time to research it.

Also, I'm glad I've been trying MSSE on my personal machine.  I would have been completely in the dark otherwise.

Oh man.  I swapped out McAfee on my XP machine two days ago. Dodged one. there.

McAfee is on my "do not install" list because of the fucking destroy your computer's ability to function shit their trial version does when it is close to expiring. I have spent close to an hour on the phone with customers who can't connect to the internet because of that shit multiple times trying to get them back online. Had one girl where it screwed her computer up so badly that fucking safe mode wouldn't let her do some stuff.

I got the email from McAfee- checked the server and we hadn't installed the broken version. I'd spent all night killing a single motherboard, so am glad I didn't need to kill another 300 PC's the next day.

McAfee has, along with any Symantec product, long been on my "don't install this software"-list.

McAfee : Oops, our bad (http://siblog.mcafee.com/support/an-update-on-false-positive-remediation/).

I imagine they have to be moderating the comments there pretty heavily...

How long did it take them to put anything up in a visible place?  This is the heartfelt apology we get?  "Some of you may have been impacted"?

Fuck McAfee.

Allow me :

Well, I'm officially buying Kaspersky on Monday...

All of our other offices were hit by it. Thankfully, due to the fact that our automatic update server hadn't been properly grabbing updates for a few days, we actually avoided the kerfluffle at my office, and I was able to apply the hotfix before anyone was affected.

Still cleaning up whats left of the 8,000 affected computers. I'm getting fucked up tonight!

This is a good summary of how poorly McAfee has handled this situation:

http://blogs.zdnet.com/Bott/?p=2031

It's still true right now that there's only a small link off to the right on the home page that even hints at the problem. Otherwise, it's "business as usual" for the company.

Which is what pissed me off more than that they allowed it to happen.  The fix for something of this magnitude should be front-page in bold.  You could still miss that tiny text when looking at their homepage.

If you rearrange the letters of McAfee VirusScan, you get "sue vaccine farms", which is probably what should happen next.

I LOLed.

The damage done by this McAfee stupidity is probably more than the damage that would have been done by all of the possible viruses in its definitions combined hitting a corporate network over the same period of time.

I wonder how many customers are going to say to call Dell or HP up and say "If you don't unbundle McAfee from these computers I will find another vendor who will"?

Very few, because we (as a species) seem to enjoy complaining about issues to our friends, family and co-workers more than we can ever be bothered to actually do anything about those same issues.

Hey, I resemble that remark!

Since this was the Enterprise version, for that to happen the person with the final say-so would have to decide to dump McAfee.  I imagine some departments will, others won't.  The more it impacted their bottom line though, the higher the chances.

For a university setting like a couple of us?  It'll play a factor, but I can guarantee they don't care much that we were inconvenienced.

I am just glad my university switched to Symantec.  Not that it's much better, but at least I was able to be productive this week.

I'd stick with McAfee before using Symantec. ;D

I've honestly always hated McAfee.  I had a similar problem back in 1997 due to some conflict it had on my system, and was put off from ever using their products again.  I used to administer Symantec products and never had any issues, albeit that was back in the 1999-2002 time frame.  The corporate editions I run now don't seem as bloated and horrible as people make them out to be, but my network is quite small at home ;-)

My college ITS mandates that students have it. They tried to tell me the other day it had to be installed on my personal laptop in order to access the campus network. I pretty much pulled rank at that point and said that if that's how they wanted it, we were going to have a nice big meeting about whether that was really the policy. Turns out that it's not the policy! My problem solved. Too bad for the poor students.

svchost.exe?

Really?  They quarantined THAT?!?!

Does a full scan after the update not trigger the problem?  Our policy (at least on the product I support) is to test new dat updates on a single pc before they are centrally deployed, so I'm kinda confused why other large enterprises would be caught out by something like this, unless it doesn't immediately take effect even on a full scan.

McAfee Offers to Pay for PC Repairs After Bad Update (http://news.yahoo.com/s/livescience/20100427/sc_livescience/mcafeeofferstopayforpcrepairsafterbadupdate;_ylt=AmH2YzalJFNP13ADQTtL1oWs0NUE;_ylu=X3oDMTFpMXJrZzI2BHBvcwMzOARzZWMDYWNjb3JkaW9uX21vc3RfcG9wdWxhcgRzbGsDbWNhZmVlb2ZmZXJz)

In the 1990s I wrote about these things for Australia's equivalent of PC Magazine. Norton/Symantec, McAfee and most other well-known antivirus programs were giant piles of annoying bloatware back then, and remain so.

I've always used F-Prot, an excellent antivirus program that simply finds and removes and protects against viruses. Sixteen years of no bloat and no problems: http://www.f-prot.com

I use Kaspersky. The ONLY problem I've had with it was a single update that listed my Mozy configuration files as a potential security risk and quarantined it. Which fucked Mozy for like two weeks until I yanked it and reinstalled it. They fixed it within 24 hours, but my configuration was already hosed.

 :mob:

Nothing good to say about that one.  The best thing it ever did was detect its own installer as malware and delete it.

hmm what do you use?  I haven't had any issues with Kaspersky

I use AVG at home.  Admittedly I only have experience with the "enterprise" mode of Kaspersky that slaves every machine to a central server and won't let you set your own exclusions or recover quarantined files.  Its propensity to flag just about ANY executable not on your whitelist as malware and quarantine it without prompting you makes this mode... frustrating.

ahh I have the personal/home/whatever version and it doesn't have the issues that you describe in my experience.

Currently have AVG because it came installed on my laptop.

But before that I used 'not downloading/opening obvious malware and updating windows occasionally ffs'. Got to say, NDOM&UWOFFS worked just fine for years.

I'm not convinced AV software is either necessary or effective in stopping viruses tbh.


I'm edgy and controversial you see.

In a multi-user environment?  It makes a huge difference.  In such an environment where you can't control a good number of the machines?  A life-saver.

Scan on create or modify is fine. Scan on access is not. Everyone uses scan on access, and I can't figure out why. All it does is slow the machine to a crawl for little additional protection.

Thank you!  I haven't heard a good argument yet for it.  Or those giant deep scans they do after boot-up that slow you to a crawl for 30m.  Sorry guys, if a virus is a boot-up virus it's ALREADY loaded by the time the AV program starts it's deep scan...

If you're not scanning on execute you might as well not be scanning at all.

EDIT: Of course if you're in an environment with no network shares or whatever you don't need it, but you can get into a heap of trouble pretty quickly accessing files on a windows share somewhere without on-access scanning.

Explain this. Please explain to me how a virus can get into an enterprise if all desktops are running scan on create or modify.

Then, explain to me how it isn't an extreme edge case.

Finally, explain how scanning on modify/create is equivalent to not scanning at all.

Or files on a CD you brought in from home, or that are already on someone's system but were only added to your AV's virus database yesterday. For home users, scanning everything all the time doesn't make much sense, but I imagine most revenue from AV comes from corporate licenses and in a large, corporate network, it sort of makes sense to be as aniseptic as possible.

Case in point, my school has used two different solutions to force students to install AV before connecting to the interwebs (one from Cisco, one from Bradford). Neither one has actually stopped me from connecting to the interwebs without AV.

Thumb drive. Guest laptop from a vendor. CD from home as ezrast mentions. There are a *lot* of paths. And if you're not scanning on access, any file run from a source like that can be executed and get itself into memory without being scanned. And then you're fucked.

EDIT: Guest machines and stuff users tote around on their thumb drives between home and work are the most common source of infections in enterprises AFAIK.

if the virus is executed from a thumb drive or CD drive, doesn't it have to install itself somewhere to be able to survive a reboot?  One would hope that the heuristics on whatever AV protection you're running will check memory when it cleans the new copy of itself it made.

Most enterprises disable thumb drive reading these days, but that aside, you can't spread the virus and it will be picked up in a regular daily scan. Again, I'm not seeing a problem when compared with the HUGE delay and slowdown associated with tunneling your entire I/O through a virus scanner.

And, of course, the idea of scanning on modify/create is equivalent to not scanning at all is complete hyperbole.

Typically once a halfway-competent virus is running in memory, it will interfere with the virus software on the machine - I've seen this a number of times.
The virus not spreading beyond the one machine it infects is usually little comfort to the user who just got their machine nuked, or the IT guy who gets stuck spending hours rebuilding it. Plus there's always the risk that important data on that machine is destroyed or compromised in the process.

As long as your virus software doesn't suck (I am looking at you Symantec) for the vast majority of users the performance hit will not be noticeable. Yes, you don't want it to be running for people running certain operations that use a million little files and the like, but the more sterile the environment the better otherwise. We're running Sophos in-house now and the performance problems we saw with Symantec have completely vanished.

Unless they run the virus off of the thumb drive, in which only on execute checks would find it.

And typically, 75% of viruses in the wild go right through the antivirus initially, since there are no definitions because the AV people are forever playing catch-up in a fast moving system. It's really just a false sense of security.

Who carries thumb drives around to large numbers of machines in your enterprise? Other than sysadmins, who if are all competent actually scan them.

Also, doesn't modern AV software automatically scan any usb drives that are plugged in anyway?

I've never found virus software that doesn't suck. Symantec and Mcaffee are the two I've used professionally, and those two are the largest in the business, so you might as well translate that sentence into "As long as you aren't using industry standard antivurus software, the vast majority of users will not find the performance hit noticeable" which again is a ridiculous statement.

No user should ever, EVER have important data on their desktop. Ever. It should be on some type of shared drive that is backed up (and scanned!) periodically. Come on. You know this. I know this. Everyone knows this. Users have to be cajoled into following it, but it's simple risk management / disaster recovery stuff. The same goes for having a fast destop imaging procedure. Getting hit with a virus (that can't be removed) or one that trashes someone's machine, and having to do a standard flatten and reinstall, should take no more than 3 hours. Tops. Ideally, you should be able to netboot or stick a ghost/baremetal CD into the drive and restore from there.

Sure, in a perfect world. I know how dumb my users are, though, so I'm going to leave that on-access scanning running.  :oh_i_see:

I'm going to stand by the statement that your average finance/sales/marketing type user isn't going to notice the little amount of overhead that our current AV solution (Sophos) takes on a modern machine. Most of them didn't even notice it from Symantec, which is much more bloated and intrusive by comparison. Yes, some guy checking 10,000 little files into or out of source control is going to have something legitimate to bitch about.

EDIT: It boils down to a philosophy issue, our company takes a 'don't trust the user/full lockdown' approach to this particular issue.

EDIT 2: If I could talk them into not trusting users with thumb drives or local admin rights, we could probably lighten up on this a little more, but...

/me waves.

What magical mystery world do you live in where all notebooks/ laptops have wireless access all the time to save things to the network?  Because our salespeople, builders and Realtors sure don't have that luxury.

Uh, a cubicle office? Where if people need to do work from home on their laptops or something, they VPN in and can access shared drives?

What happens if their laptop gets dropped? All their data is gone? Yeech.

Next time you're at a stranger's house or one without utilities or on a construction site, let me know how that VPN goes.

Yes, they lose the data if they drop them. Yes, it happens. This is why they also have thumb drives.   I'm just happy some of the other office folks managed to talk the execs out of buying iPads for all of the field personnel.  That would have worked out JUST GREAT.

Time to get a phone tethering option!

But seriously, yours is a edge case, there are far, far more offices with stationary personnel.

Mine is an edge case in an industry that helped bring the economy to its knees ;D.   I'm not sure if big commercial sites put up wireless connections or if they use 3g for their stuff.   I can't imagine biologists or anyone else working outside does the same.

I work with Neurosurgeons and some of the smartest people you'll ever meet. I still have to try to recover data off laptops because "their whole life is on there". Ok, maybe they aren't the smartest people you'll ever meet :)

The thumb drive is an awesome little backup tool. When I can't get my users to backup to their shared drives, or have too much data for there, I have them thumb it/USB hard drive it. I also warn them that the little bastards can die at any moment and to not put "your entire life on them".

For virus scanning, I personally don't use it at home, and have never been burned. It's bullshit.

Anti-Virus software isn't for 90% of the people on this board.  It's for the 70% of the population that still looks at them as magic boxes and falls for basic shit like links that say www.disney.com but go to goatse.cx.   These are the majority of your users and you KNOW this.

Aw, your www.disney.com link actually goes to www.disney.com.   :grin:

I haven't had a virus since the days of floppy-disk swapping in, hrm, lemme think... 1990 or '91.  I did have a hard drive crash last year that totally sucked and made me actually start backing stuff up since it cost several arms and legs to recover the drive.   This old fogey was not used to hard drives just dying without even a whimper or a chuggachugga.   Well, lesson learned.

I think it's a rule that any links to www.disney.com (http://www.goatse.cx/) have to actually link to Goatse.

--Dave (that site is actually work-safe now)

Heh, board auto-linked it. I just typed in the address but no link.