McAfee Glitch Triggers Reboot Loop in Windows XP Systems
Problem with antivirus update
Thousands of enterprise workstations running Windows XP crashed or rebooted repeatedly yesterday after administrators installed a McAfee antivirus (AV) update.
The McAfee AV definition known as "DAT 5958," delivered as part of McAfee's VirusScan Enterprise product, pegged a false positive, mistaking a standard Windows driver (svchost.exe) as a virus. The antimalware application then suppressed the driver as if it were a malicious element, according to a notice from McAfee. Without this driver, Windows XP enters a continuous reboot loop known as "bricking." The error can result in "moderate to significant issues" on systems running Windows XP Service Pack 3, McAfee officials explained in an initial investigation of the problem.
McAfee's teams "are working with the highest priority to support impacted customers and plan to provide an update virus definition file shortly," according to a released statement from the company. "McAfee apologizes for any inconvenience to our customers."
According to Jason Miller, data and security team manager at Shavlik Technologies, and other experts, false-positive detections by AV programs are par for the course. This particular false positive happened to slip by McAfee's QA cycle and affected a lot of Windows XP customers. "This is a good reminder that even though what happened with McAfee is most likely a rare occurrence, administrators should always test new updates on test machines to ensure functionality," Miller said. "This ranges from antivirus applications to third-party vendor patches on an OS."
Amrit Williams, chief technology officer of BigFix, an IT security firm, said that this episode was not necessarily a sign that users should upgrade from Windows XP. However, he expressed alarm at the damage that could be done. "I would say this is another sign that systems management and security tools need to be abstracted and isolated from the OS and that the operating system itself is inherently flawed," he said. "If such a critical system file can be so easily manipulated and cause widespread outage, such a thing can only be resolved by manually reimaging the affected devices."
Instances of third-party applications, particularly AV software, crashing a Windows OS are very common, according to Williams. This specific issue with McAfee is "significantly worse in that it completely 'bricks' the device, forcing those affected to manually touch the machine to resolve [the problem]," Williams added. This process can be labor intensive and cause downtime, which can be a dilemma for IT pros working in distributed environments with limited IT staff and resources.
Microsoft announced that it is aware of the problem for Windows XP customers and indicated in a blog that McAfee plans to release DAT 5959, which corrects the false-positive problem. The blog also includes a manual workaround solution. In addition, Microsoft released workaround instructions for IT pros using Microsoft System Center Configuration Manager 2007 to resolve the problem.
Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.