McAfee Response To Current False Positive Issue

Apr 21, 2010

In the past 24 hours, McAfee identified a new threat that impacts Windows PCs. Our researchers worked to address this threat that attacks critical Windows system executables and buries itself deep into a computer’s memory.

The research team created detection and removal to address this threat. The remediation passed our quality testing and was released with the 5958 virus definition file at 2.00 PM GMT+1 (6am Pacific Time) on Wednesday, April 21.

McAfee is aware that a number of customers have incurred a false positive error due to this release. We believe that this incident has impacted a small percentage of our enterprise accounts globally and a fraction of our consumer base (home users of products such as McAfee VirusScan Plus, McAfee Internet Security Suite and McAfee Total Protection). That said, if you’re one of those impacted, this is a significant event for you; we understand that, and we’re very sorry.

Our initial investigation indicates that the error can result in moderate to significant issues on systems running Windows XP Service Pack 3. The immediate impact on corporate users was lessened for corporations who kept a feature called “Scan Processes on Enable” in McAfee VirusScan Enterprise disabled, as it is by default, though those customers could also be impacted when running a scan.

The faulty update was removed from all McAfee download servers within hours, preventing any further impact on customers.

McAfee teams are working with the highest priority to support impacted customers. We have also worked swiftly and released an updated virus definition file (5959) within a few hours and are providing customers detailed guidance on how to repair any impacted systems.

Corporate Customers
– This entry in our virus information library provides workarounds
– Our knowledge base has two articles, one specific for VirusScan Enterprise users and one for Total Protection Service users
– Customers are discussing the issue in our online support community
– More details on this topic are available in an FAQ.

– This support page provides information for impacted consumers
– Consumers are also discussing the topic in the online community

To contact McAfee by phone in your region, go to the “Contact Us” page on our Web site and select your country for the correct number.

Early morning on Thursday night (at around 1 AM PT) we published a SuperDAT Remediation Tool to help customers fix affected systems. The tool suppresses the driver causing the false positive by applying an Extra.dat file in folder. It then restores the “svchost.exe” Windows file. The tool has been successful at remediating the problem caused by the faulty DAT update for multiple customers. The tool itself and more details on how it works are available in our knowledge base.

We are investigating how the incorrect detection made it into our DAT files and will take measures to prevent this from reoccurring.

We sincerely apologize for the inconvenience this has caused our customers and will update this blog posting as more details become available.


PS: I just published another blog in response to some of your comments below.

(Updated at 3.35 PM PT to include statement on number of customers impacted.)
(Updated at 3.50 PM PT with a link to details for consumers who were impacted.)
(Updated at 5.13 PM PT with link to knowledge base.)
(Updated at 5.44 PM PT to correct the number of impacted consumers.)
(Updated at 8.20 PM PT removing detail on 5959 DAT capabilities.)
(Updated at 9.27 PM PT to provide additional detail on customer impact and add a link to the new blog post.)
(Updated at 10.01 PM PT to add a link to the support community.)
(Updated at 11.58 AM PT on Thursday to add additional KB article links.)
(Updated at 1.10 PM PT on Thursday to add mention of remediation tool.)
(Updated at 2.45 PM PT on Thursday to restate number of customers impacted.)
(Updated at 12.53 PM PT on Friday to add a link to the FAQ.)