McAfee Antivirus Update Flaw Forces Windows XP Reboot

McAfee, to say the least, had its fair share of problems Wednesday when a buggy antivirus software update caused computers running Windows XP to shut down and experience serial reboots.

An initial McAfee investigation indicated that the reboot glitch is linked to an antivirus update that detects a false positive, causing XP computers, specifically those running Service Pack 3, to somehow mistake a legitimate operating system for malware.

"McAfee is aware that a number of customers have incurred a false positive error due to this release. Corporations who kept a feature called 'Scan Processes on Enabled' in McAfee VirusScan Enterprise disabled, as it is by default, were not affected," the Santa Clara, Calif.-based company said in a statement.

Windows XP users who are affected by the error are subject to the blue screen of death and an almost unending loop of shutdown messages and reboots. However, the buggy update and reboot glitch did not appear to affect Windows Vista or Windows 7.

According to a SANS Institute report, the issue stemmed from an infected McAfee DAT file version 5958, which caused Windows XP systems to enter a continual reboot cycle and lose network connectivity. The report indicated that the flawed DAT file affects both individual workstations well as user workstations connected to a network.

Apparently McAfee's prized platform ePolicy Orchestrator, which is used to update virus definitions as well as DAT files, served as a catalyst for the accelerated spread of the bad DAT file, but can't be used to reverse the damage, according to SANS researchers.

"It can not be used to undo this bad signature because affected systems will lose network connectivity," said Guy Bruneau, SANS researcher, in a blog post Wednesday.

McAfee said that it released an updated DAT file to suppress the detection, although it doesn't repair the glitch, and said that "the faulty update was quickly removed from all McAfee download servers, preventing any further impact on customers. We are not aware of significant impact on customers."

Next: Thousands Of Computers Shut Down By Bug

Despite McAfee's remediation efforts, the bug effectively shut down tens of thousands of university and government computers in Michigan, Utah and Kentucky, as well as other systems around the country.

McAfee posted a Web page detailing how users can workaround the problem by temporarily disabling the access protection feature in its VirusScan Enterprise 8.5, manually installing the EXTRA.DAT file, and then restoring individual files that have been erroneously quarantined.

Meanwhile, McAfee said that it is continuing to "work on an automated solution" to repair the problem for customers, the company said in its advisory.

This isn't the first time that this kind of glitch has occurred, experts say. "It doesn't happen every day, but it does happen," said Peter Schlampp, vice president of product management at Solera Networks. The reason being is that antivirus vendors often race to the finish line to release their updates.

"And sometimes they make mistakes. Clearly that's what's happened here." Schlampp said, adding that it didn't have to be an antivirus update. "It could be any generic file that runs on a Windows XP system that could really wreak havoc on a system."

While this kind of security bug may be difficult to prevent, Schlampp said that end users could alleviate some of the ensuing damage by installing a fingerprinting technology that does comprehensive searches across the corporate network to find all the systems affected by the bad or malicious file. IT administrators can then immediately target the affected files without having to do a clean sweep.

"This type of capability makes sense even with general signature updates," Schlampp said. "It's like a TiVo for your network."