mcafee's catastrophic false alarm

mcafee recently published a signature update which, when applied, caused their anti-malware software to falsely identify a critical windows component as malware and quarantine it. hilarity did not ensue. boot failure, on the other hand, did.

what the hell, mcafee? i thought you folks knew better. this is not the first time a catastrophic false alarm has happened - i don't think it's even the first time it's happened to you. this is a problem that was identified years and years ago and i would have thought that every major AV vendor would have figured out how to avoid this.

i guess i was wrong, so i'll spell it out:
  1. maintain a library of every version of every critical operating system component
  2. before you release a new signature update, use a system with that update applied to scan the aforementioned library of critical operating system components
  3. if there are any alerts, DO NOT RELEASE
this isn't rocket science - it's not even all that computationally expensive because it's just the critical files and just for the OS. sure it would be great if you could do this kind of testing to ensure you don't break a bunch of other things, but preventing the bricking of customer computers should be the bare minimum.

i'm not sure what kind of QA you're doing on your signature updates, but if you're not including this test (or worse if you are and this still happened) then you're doing it wrong.


EDITED 2010/04/22 19:59: it occurred to me after posting the above that there was in fact another way this problem could have been avoided that is perhaps a little more sophisticated.

for years now spam filters have been using whitelisting as a means of avoiding falsely classifying correspondence from important contacts as spam. if mcafee's known-malware scanner were outfitted with a small whitelist of critical OS components that must never be flagged under any circumstances then svchost.exe wouldn't have gotten quarantined and mcafee customers would have been saved a great deal of hassle.
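the two ideas above, the three-step pre-release check against a library of known-good OS components and the runtime whitelist of critical files, as an added worked example (my own toy code, not mcafee's engine): the scanner is a stand-in byte-pattern matcher, the "OS files" and the "malware sample" are constructed bytes, and the signature names are made up.

```python
import hashlib

# Constructed stand-ins for critical OS components (not real binaries).
CRITICAL_OS_FILES = {
    "svchost.exe": b"MZ\x90\x00 generic service host process v1",
    "winlogon.exe": b"MZ\x90\x00 logon user interface host",
}
# Constructed sample used to show the scanner still detects a real hit.
MALWARE_SAMPLE = b"MZ\x90\x00 EVIL-PAYLOAD dropper"

# Whitelist keyed by SHA-256 of every known-good version of each component.
# A real product would rather key this on the vendor's code signature, so
# patched versions stay covered without shipping a new hash for every build.
ALLOWLIST = {hashlib.sha256(b).hexdigest() for b in CRITICAL_OS_FILES.values()}

GOOD_UPDATE = {"w32.dropper": b"EVIL-PAYLOAD"}
# Overbroad pattern that also matches bytes inside a legitimate component.
BAD_UPDATE = {"w32.dropper": b"EVIL-PAYLOAD", "w32.overbroad": b"service host"}


def scan(data, signatures):
    """Toy byte-pattern engine: names of every signature found in data."""
    return [name for name, pattern in signatures.items() if pattern in data]


def pre_release_check(signatures, corpus=CRITICAL_OS_FILES):
    """Steps 2 and 3: scan the known-good library with the candidate update.
    Returns {file: [signatures]} for every false alarm; empty means release."""
    return {name: hits for name, data in corpus.items()
            if (hits := scan(data, signatures))}


def safe_to_release(signatures, corpus=CRITICAL_OS_FILES):
    """Step 3 as a gate: any alert on a critical component blocks the release."""
    return not pre_release_check(signatures, corpus)


def scan_with_allowlist(data, signatures, allowlist=ALLOWLIST):
    """Runtime guard: a file whose hash is on the critical-component whitelist
    is never flagged, even if a signature in the update happens to match it."""
    if hashlib.sha256(data).hexdigest() in allowlist:
        return []
    return scan(data, signatures)


if __name__ == "__main__":
    print("good update releasable:", safe_to_release(GOOD_UPDATE))
    print("bad update false alarms:", pre_release_check(BAD_UPDATE))
    print("svchost, bad update, whitelist on:",
          scan_with_allowlist(CRITICAL_OS_FILES["svchost.exe"], BAD_UPDATE))
    print("malware, bad update, whitelist on:",
          scan_with_allowlist(MALWARE_SAMPLE, BAD_UPDATE))
```

the hash whitelist only protects the exact versions it was built from, which is why the pre-release scan of every known version remains the first line of defence and the whitelist the backstop.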

this is a perfect example of how blacklists and whitelists can complement each other. i've been saying for a couple of years that blacklists, whitelists, and sandboxing are complementary technologies and i've felt that anti-malware products would be even better if they incorporated all 3 of those preventative paradigms. to date the only vendor i'm aware of who actually does that is kaspersky (apparently they introduced sandboxing into their internet security suite this year), but as i haven't tried the product i can't comment on the efficacy of their execution. i'm also not so sure any of their whitelisting is integrated into their blacklist in the manner described above.
