Pelican Parts
Registered
 
Join Date: Jul 2005
Location: Seattle
Posts: 5,823
Why I don't use McAfee

I know of a few people whose HDDs were wiped.



McAfee false-positive glitch fells PCs worldwide


When AV attacks

By Dan Goodin in San Francisco • Get more from this author

Posted in Security, 3rd July 2009 22:48 GMT



IT admins across the globe are letting out a collective groan after servers and PCs running McAfee VirusScan were brought down when the anti-virus program attacked their core system files. In some cases, this caused the machines to display the dreaded blue screen of death.

Details are still coming in, but forums here and here show that it's affecting McAfee customers in Germany, Italy, and elsewhere. A UK-based Reg reader, who asked to remain anonymous because he was not authorized by his employer to speak to the press, said the glitch simultaneously leveled half of a customer's 140 machines after they updated to the latest virus signature file.

"Literally half of the machines were down with this McAfee anti-virus message IDing valid programs as having this trojan," the IT consultant said. "Literally half the office switched off their PCs and were just twiddling their thumbs."

When the consultant returned to his office he was relieved that his own laptop, which also uses VirusScan, was working normally. Then, suddenly, when it installed the latest McAfee DAT file, his computer was also smitten. The anti-virus program identified winvnc.exe and several other legitimate files as malware and attempted to quarantine them. With several core system files out of commission, the machine was rendered an expensive paperweight.

A McAfee representative in the US didn't immediately respond to phone calls seeking comment. Friday is a holiday for many US employees in observance of Saturday's Independence Day.

Based on anecdotes, the glitch appears to be caused when older VirusScan engines install DAT 5664, which McAfee seems to have pushed out in the past 24 hours. Affected systems then begin identifying a wide variety of legitimate - and frequently crucial - system files as malware. Files belonging to Microsoft Internet Explorer, drivers for Compaq computers, and even the McAfee-associated McScript.exe were being identified as a trojan called PWS!hv.aq, according to the posts and interviews.

We're still trying to determine how widespread this false-positive glitch is being felt and whether people have found any reliable fixes. If you have insight, please leave a comment below. ®

__________________
'85 911. White - 53,000 miles bought 3-16-07. "Casper"
'88 924S. Blue - 120k miles bought with 105k miles.
'94 968 Coupe - White - 108,000 miles bought 9-28-17
'09 Cayman - Grey - bought 9-8-20
Old 07-05-2009, 11:03 AM
#1 (permalink)
canna change law physics
 
red-beard's Avatar
 
Join Date: Jul 2000
Location: Houston, Tejas
Posts: 43,366
Garage
My mother's computer BSD yesterday. I'm supposed to look at it while they are away. And they run McAfee. So do I.

Suggest alternative?
__________________
James
The pessimist complains about the wind; the optimist expects it to change; the engineer adjusts the sails.- William Arthur Ward (1921-1994)
Red-beard for President, 2020
Old 07-05-2009, 04:13 PM
#2 (permalink)
Back in the saddle again
 
masraum's Avatar
 
Join Date: Oct 2001
Location: Central TX west of Houston
Posts: 55,895
Trend Micro. I've used it for several years and the last several places that I've worked have used it. I've never had problems.
__________________
Steve
'08 Boxster RS60 Spyder #0099/1960
- never named a car before, but this is Charlotte.
'88 targa SOLD 2004 - gone but not forgotten
Old 07-05-2009, 04:23 PM
#3 (permalink)
Used Up User
 
imcarthur's Avatar
 
Join Date: Jun 2003
Location: Toronto
Posts: 8,311
Garage
I knew there was some reason that I keep updating Norton. But I just use the AV, not the suite.

The net is pretty quiet about the McAfee problem, though.

Ian
__________________
'87 Carrera Cab

----- “Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.” A. Einstein -----
Old 07-05-2009, 06:28 PM
#4 (permalink)
Registered
 
Join Date: Jan 2000
Posts: 6,950
I have used McAfee on all my computers since Comcast gives it away. What I have found is that it generally finds nothing. At least AVG finds some violators occasionally.
Old 07-05-2009, 06:52 PM
#5 (permalink)
Did you get the memo?
 
onewhippedpuppy's Avatar
 
Join Date: Mar 2003
Location: Wichita, KS
Posts: 32,337
AVG all the way. Isn't McAfee commonly referred to as the most successful computer virus?
__________________
‘07 Mazda RX8-8
Past: 911T, 911SC, Carrera, 951s, 955, 996s, 987s, 986s, 997s, BMW 5x, C36, C63, XJR, S8, Maserati Coupe, GT500, etc
Old 07-05-2009, 07:10 PM
#6 (permalink)
Navin Johnson
 
TimT's Avatar
 
Join Date: Mar 2002
Location: Wantagh, NY
Posts: 8,770
Quote:
Isn't McAfee commonly referred to as the most successful computer virus?
No, that would be Microsoft
__________________
Don't feed the trolls. Don't quote the trolls
http://www.southshoreperformanceny.com
'69 911 GT-5
'75 914 GT-3
and others
Old 07-05-2009, 07:13 PM
#7 (permalink)
Air Medal or two
 
afterburn 549's Avatar
 
Join Date: Jul 2003
Location: cross roads
Posts: 14,076
STOPZILLA truly works !!
__________________
D troop 3/5 Air Cav,( Bastard CAV) and 162 Assault Helicopter Co- (Vultures) South of Saigon, U Minh Forest, Delta, and all parts in between
Old 07-05-2009, 07:44 PM
#8 (permalink)
Registered
 
Join Date: Jul 2005
Location: Seattle
Posts: 5,823
Quote:
Originally Posted by red-beard View Post

Suggest alternative?
I really like Kaspersky. It's Russian. Russians make the best viruses, so they oughtta make the best AntiVirus, too.

Seriously though, Kaspersky is some good programming. I switched to it several years ago when I started having some problems, but neither Norton nor McAfee would pick anything up. Kaspersky picked up about 200 different viruses when I installed it.
Kaspersky's decompression/scanning of compressed files is also very good. Norton and McAfee, not so good.
__________________
'85 911. White - 53,000 miles bought 3-16-07. "Casper"
'88 924S. Blue - 120k miles bought with 105k miles.
'94 968 Coupe - White - 108,000 miles bought 9-28-17
'09 Cayman - Grey - bought 9-8-20
Old 07-05-2009, 11:52 PM
#9 (permalink)
Banned
 
m21sniper's Avatar
 
Join Date: Sep 2006
Location: South of Heaven
Posts: 21,159
malware bytes.
Old 07-06-2009, 07:25 AM
#10 (permalink)
Registered
 
Eric Coffey's Avatar
 
Join Date: Nov 2000
Location: AZ
Posts: 8,414
Avast has worked for me for years. It's free, and not nearly the resource hog that the others are IMO.
Old 07-06-2009, 09:42 AM
#11 (permalink)
Senior Member
 
Join Date: Jun 2000
Location: N. Phoenix AZ USA
Posts: 28,943
Quote:
Originally Posted by onewhippedpuppy View Post
AVG all the way. Isn't McAfee commonly referred to as the most successful computer virus?
Same here. No problems with AVG.
__________________
2013 Jag XF, 2002 Dodge Ram 2500 Cummins (the workhorse), 1992 Jaguar XJ S-3 V-12 VDP (one of only 100 examples made), 1969 Jaguar XJ (been in the family since new), 1985 911 Targa backdated to 1973 RS specs with a 3.6 shoehorned in the back, 1959 Austin Healey Sprite (former SCCA H-Prod), 1995 BMW R1100RSL, 1971 & '72 BMW R75/5 "Toaster," Ural Tourist w/sidecar, 1949 Aeronca Sedan / QB
Old 07-06-2009, 02:10 PM
#12 (permalink)
 
Diss Member
 
Quicksilver's Avatar
 
Join Date: Jul 2002
Location: SC - (Aiken in the 'other' SC)
Posts: 5,020
McAfee is a huge resource hog. Symantec's consumer version, Norton Antivirus, is better but it still installs too much stuff. AVG is a pretty lightweight product that can't keep up with the level of threats that are out there.

My antivirus of choice is Symantec Endpoint Protection without the Network Threat Protection installed. Previously this line was under the name Symantec Antivirus Corporate Edition. This product line was developed from the old Intel LanDesk Antivirus. It isn't intrusive and doesn't create problems while catching most anything. It is also uncommon enough that most well written viruses don't focus on correctly attacking it.

Antivirus is a moving target so track record counts for a lot but it can change in a hurry. Nothing can give a computer a complete level of protection except for disconnecting the network. Antivirus programs can detect viruses after they have been released into the wild, discovered, and analyzed. That means we are running after the threat. Viruses are now professionally written by very well paid programmers with the best technology. It is all about money.

When a virus is written nowadays they don't just release it because as soon as it is detected the antivirus programs will disable it. Remember they are written by professionals so they don't make that mistake. They take their new virus and create thousands of versions of it. That way if one is detected all the other versions can keep working.

You don't even need to do anything wrong or stupid to get attacked. You just need to visit a completely up and up website that may be compromised, or you might go to any website that displays Flash banner ads that may have been submitted by a paying advertiser with no scruples. (Stupid behavior helps though!) Maybe you installed something free without thinking why they would offer a free program when they had to pay the programmer and pay for the bandwidth.

So how to protect against bad stuff?
- Get one good, professionally written, well supported antivirus software. (2 antivirus programs will conflict and make your computer slow or crash...) Good antivirus programs include Symantec Endpoint Protection, F-Prot, Kaspersky, and Panda.
- Plug the holes.
··· Patch Windows. (Patching Windows can cause problems but the odds are better that you will avoid problems.)
··· Update Java.
··· Update Adobe Flash.
··· Use a third party PDF reader as your default in your browser. (Adobe Acrobat/Reader has some bugs that can not be plugged and is a huge problem)
··· Update your browser.
- Don't install free screen savers, cursors, or smiley programs.
- Boring is good. Exciting free stuff comes with exciting free problems.
- Use a less common browser. FireFox is a good choice as it doesn't support ActiveX which is a common pathway for attacks.

What to do if you are attacked?
- Attack it from all sides. It is easier to design a virus to counteract one protection program. It is extremely hard to protect against many protection programs. Use a number of spyware programs to scan the problem system: Spybot Search & Destroy, SuperAntiSpyware, Adaware, Trend Micro Housecall, Malware Bytes. (Remember that most free antispyware and/or antivirus programs are actually malware.)
- Delete everything in the TEMP folder.
- Delete everything in Temporary Internet Files.
- Put the drive in an uninfected computer to scan it.
- Find someone who has done a lot of computer cleaning to go through it.
- If you have good backups recover to an old backup.
- And if all else fails, make a fresh install of Windows and transfer your data to the new system.
__________________
- "Speed kills! How fast do you want to go?" - anon.
- "If More is better then Too Much is just right!!!" - Mad Mac Durgeloh

--
Wayne - 87 Carrera coupe -> The pooch.
Old 07-06-2009, 09:34 PM
#13 (permalink)
Registered
 
Join Date: Jan 2000
Posts: 6,950
Good advice. I might add that you run your scans, if you think you have something, in SAFE mode.
Old 07-07-2009, 05:58 AM
#14 (permalink)
Banned
 
m21sniper's Avatar
 
Join Date: Sep 2006
Location: South of Heaven
Posts: 21,159
My mom was running Comcast security, Norton, and AVG 8.5 and complaining of performance degradation (what a shock, right?)

I removed all of them, installed Malware Bytes, ran a scan, and found 227 infected files on the first pass that they'd all failed to detect.
Old 07-07-2009, 08:24 AM
#15 (permalink)
Diss Member
 
Quicksilver's Avatar
 
Join Date: Jul 2002
Location: SC - (Aiken in the 'other' SC)
Posts: 5,020
Malware Bytes is more focused on anti spyware so it will report cookies as an infection. (Not sure if this was your case) Cookies don't do anything except let websites identify you as you browse the web. There are privacy issues but it doesn't compromise the computer.
Also if you take any computer that has been touched by some sort of malware and run it through multiple scanners each one will find bits and pieces that the other ones didn't see. It isn't a big deal. The only important bit is to stop the bad stuff from running.
That being said: Malware Bytes is an excellent product but it is more of an antispyware product as opposed to an antivirus product.

Just as a general point: Any of the antivirus/security software supplied by an ISP is junk. (AOL's is the worst.)

If you want a real testimonial for an antivirus product ask what they are using at your local bank. If they are a large bank you know they have put a huge investment into making sure they are covered and that their protection software doesn't create problems. If they have a security breach they are accountable to multiple local, state, and federal agencies. They don't mess around and they don't guess.
__________________
- "Speed kills! How fast do you want to go?" - anon.
- "If More is better then Too Much is just right!!!" - Mad Mac Durgeloh

--
Wayne - 87 Carrera coupe -> The pooch.
Old 07-07-2009, 09:41 AM
#16 (permalink)
Diss Member
 
Quicksilver's Avatar
 
Join Date: Jul 2002
Location: SC - (Aiken in the 'other' SC)
Posts: 5,020
Quote:
Originally Posted by 89911 View Post
Good advice. I might add that you run your scans, if you think you have something, in SAFE mode.
It is a good tool to have in the box. I treat infected drives as toxic waste. I have seen infections where you slave the drive into a good computer and if you open the drive in any fashion other than Exploring (using the directory panel on the left) it would instantly infect the computer. If the drive AutoRuns it is game over.

The people writing this stuff are making some amazing attacks. The worst part is most of the stuff is designed to be invisible and some of it is completely impossible to detect on the computer that it is running on. It is really bad because if you don't know you are compromised you will log into your webmail and/or banks and never realize all of your information is being stolen.
__________________
- "Speed kills! How fast do you want to go?" - anon.
- "If More is better then Too Much is just right!!!" - Mad Mac Durgeloh

--
Wayne - 87 Carrera coupe -> The pooch.
Old 07-07-2009, 09:50 AM
#17 (permalink)
Air Medal or two
 
afterburn 549's Avatar
 
Join Date: Jul 2003
Location: cross roads
Posts: 14,076
All I know is once I got "Stopzilla" life has been good
__________________
D troop 3/5 Air Cav,( Bastard CAV) and 162 Assault Helicopter Co- (Vultures) South of Saigon, U Minh Forest, Delta, and all parts in between
Old 07-07-2009, 01:21 PM
#18 (permalink)
Used Up User
 
imcarthur's Avatar
 
Join Date: Jun 2003
Location: Toronto
Posts: 8,311
Garage
Thanks for the advice, Wayne. What is the story on Adobe PDF reader? Is it really that vulnerable?

Ian
__________________
'87 Carrera Cab

----- “Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.” A. Einstein -----
Old 07-07-2009, 01:52 PM
#19 (permalink)
Diss Member
 
Quicksilver's Avatar
 
Join Date: Jul 2002
Location: SC - (Aiken in the 'other' SC)
Posts: 5,020
Quote:
Originally Posted by imcarthur View Post
Thanks for the advice, Wayne. What is the story on Adobe PDF reader? Is it really that vulnerable?

Ian
Basically you can craft a PDF file to reference external data. The exploit is that you can get it to call a remote executable and there is no way to patch any current version of Adobe Acrobat or Adobe Reader to stop it. Adobe knows this so I would expect Acrobat 10 to slam the door on this but I don't think they are going to release a new version this year.

I had a url to a site that was using this attack method a couple months ago and I spent a bit of time playing with it. I tried all Adobe versions of Acrobat and Reader from 6 thru 9 and the webpage would fire Adobe in the background so you would only see it in TaskMgr. Once Acrobat fired off it would then start loading a stream of different attack code. Most of the names were randomly generated but when you look at the actual files it was a systematic attack. The interesting bit was it used different attack code if you were in Firefox as opposed to Internet Explorer.

I see a fair quantity of the aftermath of attacks on computers but after seeing this and doing some reading I switched to Foxit as the default for PDFs. I've left Adobe on the system but it has to be manually opened. I've also loaded VMware on my home system with a couple different virtual machines. I have one I use for banking and nothing else. I use one of the others to look at sites that are questionable. If it gets hosed I just make a new copy of the boot image.

The nature of viruses has changed radically in the last couple years and in the last year it has become single minded and vicious. We are seeing attacks that are crafted to attack specific people! It is just amazing. This spring I had a customer in Louisiana who works with his wife that suffered a targeted attack. His wife received an email that said it was from his email address, had her name in it, and had a link to some "airline tickets". They were about to go on a trip so of course she clicked the link in the email from her husband. The email actually came from an IP address in the UK and the link loaded an attack that we couldn't remove so we had to send out a new drive and copy her data to it.

__________________
- "Speed kills! How fast do you want to go?" - anon.
- "If More is better then Too Much is just right!!!" - Mad Mac Durgeloh

--
Wayne - 87 Carrera coupe -> The pooch.
Old 07-07-2009, 09:16 PM
#20 (permalink)
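
The post above describes PDF files that reference external data or start a program. As an added example (not part of the thread), this Python triage check counts the PDF name tokens that define such actions, including hex-escaped spellings and names inside Flate-compressed streams. The triage levels and the sample fragment are constructed for illustration.

```python
import re
import zlib
from collections import Counter

# PDF name tokens for actions and external references.
RISKY = {"Launch", "URI", "GoToR", "SubmitForm", "ImportData",
         "JavaScript", "JS", "EmbeddedFile"}
AUTO = {"OpenAction", "AA"}  # actions that run without a click

NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)


def inflate_streams(data: bytes) -> bytes:
    """Replace Flate-compressed stream bodies with their inflated content."""
    def repl(m):
        try:
            # decompressobj ignores the end-of-line bytes after the zlib data
            body = zlib.decompressobj().decompress(m.group(1))
            return b"stream\n" + body + b"\nendstream"
        except zlib.error:
            return m.group(0)  # other filter or uncompressed: keep as is
    return STREAM_RE.sub(repl, data)


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes, so /La#75nch is counted as Launch."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def scan(data: bytes) -> Counter:
    """Count risky name tokens; names inside literal strings also count."""
    hits = Counter()
    for m in NAME_RE.finditer(inflate_streams(data)):
        name = decode_name(m.group(1))
        if name in RISKY or name in AUTO:
            hits[name] += 1
    return hits


def level(hits: Counter) -> str:
    """Triage levels are this example's own convention."""
    if any(hits[k] for k in AUTO) and any(hits[k] for k in ("Launch", "JavaScript", "JS")):
        return "high"
    return "review" if hits else "clean"


def build_sample() -> bytes:
    """Constructed, non-functional PDF fragment used only to exercise scan()."""
    hidden = zlib.compress(b"<< /S /URI /URI (http://example.invalid/x) >>")
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n",
        b"2 0 obj << /S /La#75nch /F (placeholder.bin) >> endobj\n",
        b"3 0 obj << /Filter /FlateDecode >>\nstream\n", hidden,
        b"\nendstream endobj\n%%EOF\n",
    ])


if __name__ == "__main__":
    found = scan(build_sample())
    print(dict(found), level(found))
```

Encrypted documents and streams using filters other than Flate are not decoded, so a "clean" result only means nothing was visible to this check.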
All times are GMT -8.