
March 17, 2006



Infected By Anti-Virus: McAfee Triggers False Positives

 

A faulty update to McAfee's popular antivirus definition file, distributed last week, deleted numerous Microsoft Office files and other applications on computers running McAfee's own antivirus solution. The error was caused by the McAfee antivirus erroneously identifying standard files and programs as infected by the W95/CTX virus: a major case of "false positives".

Photo credit: Michael Osterrieder

According to an analysis by Realtechnews.com, depending on the individual security set-up, McAfee update no. 4715 began quarantining or even deleting Excel files and other applications (the actual programs were deleted, not the documents generated by these programs).

Among the programs deleted because of the false positives identified by the McAfee antivirus tool were Microsoft Graph, AutoCAD, Macromedia, MySQL, Adobe Photoshop, Visual Studio and the Acrobat updater.


They were all identified as viruses by the McAfee antivirus and were deleted or placed in quarantine. A partial list of the targeted files has been published by McAfee.

The error has been fixed, but for most users of this antivirus the major damage was done: there are hundreds, and in some cases thousands, of .DLL and .EXE files to reload, and usually the most efficient way to do so is to use software that can restore a previously saved configuration or a full system backup.

McAfee quickly published instructions on how to restore the files damaged by its own antivirus, while the Internet Storm Center has collected more information and irate first-hand reports from corporate network administrators.

To top it all, the defective antivirus software generated a sudden surge of reported viral infections, as if a massive virus attack were taking place on the Internet. This prompted thousands of IT managers to immediately start complete scans of all their network computers, which in turn caused more problems for everyone.

Photo credit: Carl Silver

The viral attack was there but it was caused by the antivirus itself.

A true disaster. But the most frustrating issue is that McAfee states that this type of thing happens frequently. McAfee typically has to issue an emergency release of a virus definition file once every three months because of this false-positive issue (innocent files identified as infecting or infected files). (Source: ZDNet News)

Problems like this one make you think about the nature of today's antivirus tools based on definition files, which obviously require constant and meticulous updating.

Overall, the mainstream approach to virus protection is not very comforting. Every day we grant the antivirus software complete permission to access all of our computer components, software and data files, while that same antivirus is constantly updated, changed and upgraded, with the updates often delivered to our computers in automated, "silent" mode.

This doesn't mean that you need to give up anti-virus software. For those of you who use Windows but are not part of a corporate network, anti-virus software is an unavoidable requirement for survival. An anti-virus program is the only available safeguard until new operating systems and security infrastructures based on strong authentication prevent files downloaded from the Internet from being executed locally on your computer without explicit permission. This applies, albeit to a lesser degree, to Mac OS X and Linux boxes too.

The locally installed anti-virus remains an unavoidable requirement for most individual users, especially because many have the habit of opening email attachments without any restraint, and of downloading and installing files that come from dubious, unverified sources.

Against these bad habits, antivirus tools remain the last, precious line of defense.

In reality, a better solution would be to have the antivirus installed on a dedicated server that monitors and filters all inbound Internet connections, preventing any dangerous file from physically reaching your computer and infecting it. Unfortunately, this solution is applicable only where there is a sizeable network of computers, and not generally in the scenario in which most individuals working from home operate.

The lesson of this security disaster is to select anti-virus software that can place infected files in quarantine instead of immediately deleting them, and to back it with strong preventive security measures: extreme prudence with any file coming from the outside, and frequent backups.



(C) 2006 by Paolo Attivissimo www.attivissimo.net.
Translated by Robin Good

Reference: attivissimo.blog/



posted by Chiara Moriconi on Friday, March 17 2006, updated on Friday, March 17 2006


 

 

 

 

This work is licensed under a Creative Commons License.




