A buggy update released Friday by security vendor McAfee for its consumer and enterprise antivirus products, left the computers of its customers unprotected and, in some cases, unable to access the Internet.
The incident affected both home and business users, some of whom were still trying to sort out the problems caused by the updates on Monday and Tuesday, according to messages posted on McAfee’s community forums and Facebook page.
The problems were introduced by McAfee updates DAT 6807, released on Friday, and the subsequent DAT 6808, depending on which product was used.
After installing these updates some home users started encountering errors when accessing the McAfee Security Center console, which prevented them from performing any action inside the program. Other users experienced a loss of Internet connection on their computers.
McAfee confirmed these problems on Sunday in a technical document that described two possible solutions, both requiring users to update to a newly released DAT 6809 file.
One workaround, intended for users who lost Internet connectivity on their computers, involved uninstalling the product, rebooting the computer, downloading an updated version of the product from McAfee’s website and installing it.
The other solution described automatic and manual methods of updating existing installations to DAT 6809. Users who continued to encounter errors after updating to this DAT version were advised to uninstall the product using a specialized tool called McAfee Consumer Product Removal (MCPR) and then install the updated version of the product.
Users of McAfee VirusScan Enterprise (VSE) 8.8.x, the company’s flagship enterprise antivirus product, had to wait until Monday for a so-called superDAT hotfix that wouldn’t require them to reinstall the product on thousands or hundreds of affected computers.
For VSE, the bad updates caused issues with the on-access scanner (OAS), a critical component that checks all files accessed by the system for signs of malware, the company said in a support document published on Monday.
Some administrators in charge of antivirus deployment in corporate environments expressed concern that while the OAS remains disabled a user could get infected and the malware could spread to other computers on the network.
“I have 46 out of 152 computers, having this issue,” a user who identified himself as bostjanc said on the McAfee community forum for business products. “I currently have over 3000 endpoints with this problem – solution asap please McAfee,” another user named Derosa said.
“The issue is well over 24 hours old now, and it’s been ‘officially’ confirmed for nearly 24. That’s a very long time to have AV [antivirus] in a faulty state,” a user named mjmurra wrote hours before McAfee released VSE 8.8 Hotfix 793640 to remediate the issue. “At least one saving grace is that many customers had their machine switched off over the weekend,” he said in a later post.
VSE 8.8 Hotfix 793640 is mandatory and includes the full DAT 6809 package, McAfee said.
Because of this the file is approximately 100MB in size and deploying it to thousands of machines posed a challenge for some administrators.
“McAfee is working on a smaller solution that will remediate the issue without the need to include the full DAT package,” the company said. “There is no current ETA for this release.”
In the meantime, McAfee recommended that the hotfix be deployed in stages on networks with offsite branches, where it might cause bandwidth issues. “For example, schedule the update task to run for one group at a time,” the company said.
Another problem encountered by administrators was determining which of the systems under their care were affected. The ones with the buggy DAT files should report a DAT and antivirus engine version of 0.0000 to the central ePolicy Orchestrator (ePO) server.
However, after the hotfix is deployed, some computers can continue to report this bogus information because of caching until they are forced to provide full property data to the ePO server, McAfee said.
Even though the hotfix does not force a reboot, the company recommended that administrators reboot all client systems at their earliest convenience in order to validate that the fix was successfully installed.
Some users whose affected systems include servers were not happy with this. “This has predominantly affected our servers and rebooting them isn’t an option,” a customer named harris_s said on the McAfee forum on Tuesday.
“I work in a very tightly controlled environment and rolling out a 100mb hotfix that MAY require a reboot ASAP is not going to happen,” a user named Superhoop said.
This is not the first time that McAfee has issued a bad DAT file. In April, a DAT update for McAfee email gateway security products resulted in system crashes and message scan failures.
However, McAfee is not the only antivirus company that was forced over the years to deal with buggy updates that affected their customers’ computers in a serious manner.
“Since these events are becoming a worrying trend, should we implement test procedures inside our organizations as we do with other updates like the ones deployed by Microsoft with Windows Update?” Manuel Humberto Santander Pelaez, a security incident handler at the SANS Internet Storm Center, asked in a blog post on Monday.
Some users who responded to his blog post believe that testing every antivirus update would cost too much time and resources compared to the possible benefits. Others said that delaying the update deployment by 24 hours or deploying the updates in stages starting with the least critical systems would limit the impact of a bad update.
Delaying antivirus updates increases a computer’s window of exposure to the latest threats. However, this is a calculated risk that some administrators are apparently willing to take.