March 10, 2006 6:34 PM PST

McAfee update exterminates Excel

For a brief period on Friday, McAfee's security tools killed more than viruses.

An error in McAfee's virus definition file released Friday morning caused the company's consumer and enterprise antivirus products to flag Microsoft's Excel, as well as other applications on users' PCs, as a virus called W95/CTX, Joe Telafici, director of operations at McAfee's Avert labs, told CNET News.com.

"At about 1 p.m. PST we started getting reports that people were seeing an unusual number of W95/CTX infections in their environment," Telafici said. "Files that we did identify would probably be deleted or quarantined, depending on your settings."

When a file gets quarantined, it's renamed and moved to a different folder. McAfee's antivirus software detected Excel.exe and Graph.exe, two Microsoft Office components, as well as other software, including AdobeUpdateManager.exe, an application installed alongside Adobe products that deals with software updates, Telafici said.

About 100 customers, individuals as well as corporations, reported the problem, Telafici said. McAfee, the world's second largest antivirus software vendor, rushed to fix the mistake. Consumers were automatically reverted to the older definition files at about 2:30 p.m. and an update was pushed to corporate users an hour later, he said.

The issue affected only desktop antivirus software, not McAfee's network-level products that scan e-mail, Telafici said. Also, the incorrect detection occurred only if the user ran a manual virus scan or during a scheduled scan, not during idle time or background scanning, for example, he said.

Such problems with security software are called false positives and they happen occasionally. McAfee typically has to do an emergency release of a virus definition file once every three months because of a false positive issue, Telafici said. "This is our once for the quarter I think," he said.

However, this time around it was a particularly big goof, because the company faulted Excel, Telafici admitted. "Usually, it is either custom applications or applications that did not exist at the time we wrote the signature file," he said.

McAfee has been able to pinpoint the cause of the problem and hopes it can avoid it in the future, Telafici said.

The problem occurred with virus definition file 4715, which was released at about 10:45 a.m. on Friday as part of McAfee's daily update cycle. The repaired, emergency-definition file 4716 was pushed out at about 3:30 p.m.

39 comments

Check your log file -- don't go by the update time
The article states that the updates were fixed at 3:30 pm. My virus scan updated at 5pm, so I thought I was OK; however I checked my log file anyway and found I had the bad update.

I think the issue is that the times mentioned in the article are PST, and I am in EST. Therefore, the final fix at 3:30 pm probably occurred at 6:30 pm on the east coast. Therefore, my 5pm download was of the bad definition file.

I forced a manual download and now I am on the fixed definition set.

Michael
Posted by emellaich (9 comments )
Two servers 'hit' at work
That 3:30pm must have been Pacific. Two servers at work updated themselves at about 4 or 5pm Central time. Unfortunately, they then ran daily virus scans and quarantined a ton of files. I just spent an hour unquarantining everything.
Posted by andyross (15 comments )
ahh......
life in the windows world. Suckas!
Posted by Jesus#2 (127 comments )
MS Office IS a virus!
Have you ever heard of a macro virus, or any type of document virus, other than a Microsoft Office macro virus?

Remove MS Office, there are no document viruses. Period.
Posted by booboo1243 (328 comments )
Give it up
Ok, you don't like MS Office. We get it. But 90% of corporate computer users do. And McAfee made a mistake and flagged it. That is what this article is about. Not Linux/Mac fanboy-ism. Go back to your basement and leave the real computer work to the pros.
Posted by thenet411 (415 comments )
why stop at M$ Office?
Remove Microsoft and 99% of ALL malware goes away
Posted by qazwiz (208 comments )
MS Office is _not_ a Virus!
It requires user interaction to install, hence it is a Trojan.
Posted by samhuff (21 comments )
Your ignorance is appalling
"Have you ever heard of a macro virus, or any type of document virus, other than a Microsoft Office macro virus? Remove MS Office, there are no document viruses. Period."

Yes, I have heard of macro viruses for non-MS products. How about the several that showed up for Adobe's Acrobat for example?

You had better stop making this statement (yes, I've seen and ignored your previous misstatements) because it only makes you out to be a fool.
Posted by aabcdefghij987654321 (1721 comments )
RE: McAfee 4715 - Error - Problems with Mcafee's version of Events
Hello!

I am writing to you regarding the error caused by McAfee on 03-10-2006, in reference to the 4715 update. I do not run Microsoft Office. However, I did use Adobe Acrobat version 6.0.2 and it must have tried to check for updates automatically (incidentally, the last update on my computer for this program was dated 05/11/2004). I accessed this program, Adobe, at 2:37 pm EST. At 2:39 pm EST, McAfee alerted me of a virus - W95/CTX.
Here is my problem with what McAfee says happened: I was NOT running a manual virus scan by McAfee at the time, nor was I running a scheduled scan - my scheduled scan was for 6:30 PM EST.

"The issue affected only desktop antivirus software, not McAfee's network-level products that scan e-mail, Telafici said. Also, the incorrect detection occurred only if the user ran a manual virus scan or during a scheduled scan, not during idle time or background scanning, for example, he said."

This is NOT what occurred on my computer at all! NO manual scan or scheduled scan was done when the virus alert popped up... this happened by itself two minutes after the launch of Adobe Acrobat 6.0.2, with no virus scan activity going on at the time, or in fact, that day at all! I had received the updates earlier in the day from McAfee, as I do receive automatic updates.

My OTHER problem with this article is that the "supposed virus" did not attach to anything Microsoft on my computer, or Adobe Acrobat: it attached to a "dll" file in my Norton Ghost program. It affected this file: symlcrst.dll, which is located in C\programfiles\commonfiles\symantecshared\CCPD-LC\symlcrst.dll

I manually updated McAfee after searching endlessly on the Internet for a clue to this problem. I finally found one hours after the error occurred, and downloaded the fix tool (4716 update), which is time stamped on my computer at 7:18 PM EST. I am not running a corporate version, by the way! However... the install time on this update was 8:04 PM EST, and which WAS the time stamp with a date of 03/10/2006 for the file the virus attached to... my problem is that I am sure if or how this file was affected. When I started my computer today, this morning, 03/11/2006, @ 8:33 AM EST, the affected file updated to that time and date - today!!! I am not sure at this point if Norton Ghost changed that file time and date upon launch this morning, or if McAfee changed it!

I think people need to be made aware of the fact that a scan DID NOT have to occur, nor did it only attach to Windows Office files or Adobe Acrobat files. This McAfee error attacked Norton Ghost, by Symantec! I am wondering why this occurred the way it did on my computer given McAfee's "official statement". My version of events as to how this affected my computer is easily verifiable on my system. I am wondering how many other people are not worried about this affecting their computers due to the wording of the McAfee statement.

Thanks for printing the article... McAfee's website, the numerous times I checked it during this event, did not at all indicate this was their error!!! I find this to be shameful and neglectful on the part of McAfee, and will discontinue service upon installation of a new virus program!
Posted by raspark (5 comments )
Talkback comment: error in McAfee version
Your account, Randy Sparks, completely squares with my experience. There was no early afternoon fix for me. In fact a rerun of a McAfee scan I did turned up an additional 7 infected files at about 8 pm. I spent Friday afternoon and evening calling all the geniuses in my book before I found a couple that could be in my office on Saturday at least by noon. Meanwhile, I had deleted some of the files and quarantined some others. There were 4 Symantec files that wouldn't go away by any of the three options. So I ripped out Symantec.

On Saturday, my hired geniuses had to reinstall stuff and reconfigure to tune of $250. After all this is New York.

As far as I'm concerned, McAfee did not do due diligence. They owed a mass mailing to all customers about this error as soon as it was known so we wouldn't take actions that were unwarranted. Instead, all there was was their message that their business hours were from Mon-Fri and their tech service costs $2.75 per minute.

Since they made no effort to alleviate the trouble they caused so many, I feel they owe us damages. I'm sending them a copy of my bills for $250 and the bill for $100/hour I should have made in the office from Friday afternoon about 2:30 pm until Saturday at 5 pm when the problem was fully fixed.

I know it will end up in their round file, but hopefully a copy of this letter and the bills sent to the NYC Attorney General's Office Department of Consumer Affairs may have more effect.

Think I'm kidding? Google my name.

Monona Rossol
Posted by Monona (2 comments )
He's right -- They are mistaken or lying
This gent is absolutely right: The definitions work for both the ON ACCESS and the ON DEMAND scanners. McAfee is claiming this problem only affects people who did an ON DEMAND scan, which is simply not the case.

If any of the target files were in use or launched while 4715 was in place, the application was damaged.

They have also provided a utility to restore files, but if you are running Office 2000 as an example, replacing the file does not solve the problem. Office has to run a repair or a change in setup to fix the problem.

McAfee screwed up hard, and they are doing their best to make it look less severe of an issue than it is.
Posted by yipching (3 comments )
One needs to be careful....
.... both McAfee and Symantec tend to have self-promoting views
of viral threats, and less-than-effective responses to threats in
general.
Posted by Earl Benser (4310 comments )
Don't ya just luv it? ( * GRIN *)
All I gotta say about this is MORE POWER TO THEM!!! (* ROFLOL *)

Microsoft started the asinine ordeal by flagging Symantec's Anti-Virus falsely...

I guess that this shows Microsoft that more than ONE can play at the same game... (* ROFLOL *)

They had the balls to pull it off. Symantec is currently going through a similar Microsoft fallout rigamarole which McAfee initially faced when Microsoft dropped them and chose Symantec over the previous Microsoft de facto standard which used to be McAfee's.

Albeit... I have no proof of this... I can just feel it in my bones... they're seeking their revenge on Microsoft for the dastardly deeds which Microsoft pulled on not only them but more recently Symantec as well... but the tactics they are using are what Microsoft had recently pulled on Symantec... (* LOL *)

Don't ya just love it when a plan comes together... (* ROFLMAO *)

Walt
Posted by wbenton (522 comments )
Try thinking for a second
Yes, this was all a revenge strategy against microsoft. They intentionally pissed off a bunch of large corporate customers just to take a jab at microsoft. It even makes perfect business sense, I mean who wants happy clients. Brilliant deduction you made there.
Posted by Rolndubbs (194 comments )
Symantec Anti-competitive
The corporate version of Symantec Anticompetitive triggers over 100 tamper alerts every time a computer boots if any competitor's antispyware software is installed.

In the past it has also added various antispyware applications to its virus definition lists, calling them trojans or viruses.
Posted by ajbright (447 comments )
McAfee screwed Weatherbug and Internet Access
Having been a long time user of McAfee, I realized the hard way that a McAfee update 10 days ago blocked my access (wireless) to the Internet. I discovered that an application conflict with Weatherbug (which I can't live without) did it. I could only find this out after unsuccessful spyware and antivirus scans revealed nothing. I even called my DSL provider to help me out only to be told to call Dell for 'software' support of IE. Whatever... I even tried Microsoft's patches or fixes that seem to refer to the same kind of problem. The problem I faced was that IE was trying to download but really was not downloading online content. I could ping a remote address but not download any content. I did suspect some conflict with a patch or update but only found out after I re-imaged my computer and loaded one program at a time to check to see which program was causing the problem. This I did until I installed McAfee and then Weatherbug. When McAfee downloaded an update, my connection to the Internet was cut off even though my Linksys Wireless card's icon in the sys tray showed I was still connected to my home's wireless modem/router. I now completely got rid of McAfee and am looking for some other anti virus program that hopefully does not screw my computer or any data. So wish me luck... I like Zonealarm's free Firewall, I might go with their anti virus stuff.
Posted by Maxelar (1 comment )
So don't use Symantec or McAfee......
....seems to be a rather obvious and perhaps essential solution.
Posted by Earl Benser (4310 comments )
So what
Why make a big deal out of this...? Every company makes mistakes once in a while! McAfee certainly didn't do it on purpose!

--

Stan Oleynick, founder: http://www.enthem.com
Posted by stansoft (16 comments )
It's not just once in a while......
... it happens all too frequently. McAfee probably didn't do it on
purpose, but the sloppy programming and program testing is
McAfee's fault. And both Symantec and McAfee go to all lengths to
hype the threat and sell more low quality software.

I won't use products from either company.
Posted by Earl Benser (4310 comments )
HP OpenView and Radia got deleted also
Several servers in our datacenter that happened to be running full scans at 6PM Eastern on Friday deleted dozens of EXE's from the following products:

HP OpenView Operations Agent (7.31)
HP Radia Client
Java 5 JRE
HP System Management Homepage (agent for HP Proliant Servers)
Posted by Kellino (36 comments )
Add HP SecurePath (SAN multi-pathing) to the list
Add HP SecurePath (SAN multi-pathing) to the list
Posted by Kellino (36 comments )
Is not a virus...
Excel and other MS products are not virii.

By definition, a virus is a small piece of code that is highly efficient and performs its task quickly and more often than not, without error.
Posted by (1 comment )
Soo....assuming that this problem is why I can't open Excel (but Word still opens)....how do I go about fixing it?
Posted by pamswoodenidea (1 comment )