Confirmed: a bad McAfee update for Windows XP has shut down thousands, possibly millions, of computers around the world. That's big trouble.
Twitter has been buzzing with the news this afternoon that McAfee updates were shutting down XP PCs, and we've heard that California sent out an email to state workers a little while ago warning them of the problem. Also apparently affected: the University of Illinois at Urbana-Champaign, over 100,000 computers serviced by a UK IT firm, and presumably countless others based on the reports that keep coming in.
According to Engadget:
"DAT update 5958 deletes the svchost.exe file, which then triggers a false-positive in McAfee itself and sets off a chain of uncontrolled restarts and loss of networking functionality."
There's also, apparently, a fix (unconfirmed) according to Twitter user scratchfury:
"boot to safe mode, rename mcshield.exe, reboot, run Virus Console, pick Tools -> Rollback DAT, name back to mcshield, reboot"
That fix, though, as commenter Denver80203 points out below, only prevents you from getting nailed. Once your computer has been hit, things get a lot more complicated. UPDATE: The official fix from McAfee can be found here.
So far the impacted machines seem to be primarily enterprise and not consumer, but we'll update as soon as we know more about the scope of the problem.
UPDATE: McAfee just sent me the following (now updated) statement:
In the past 24 hours, McAfee identified a new threat that impacts Windows PCs. Researchers worked diligently to address this threat that attacks critical Windows system executables and buries itself deep into a computer's memory.
The research team created detection and removal to address this threat. The remediation passed our quality testing and was released with the 5958 virus definition file at 2.00 PM GMT+1 (6am Pacific Time) on Wednesday, April 21.
McAfee is aware that a number of customers have incurred a false positive error due to this release. Corporations who kept a feature called "Scan Processes on Enable" in McAfee VirusScan Enterprise disabled, as it is by default, were not affected.
Our initial investigation indicates that the error can result in moderate to significant issues on systems running Windows XP Service Pack 3.
The faulty update was quickly removed from all McAfee download servers, preventing any further impact on customers. We are not aware of significant impact on consumers.
McAfee teams are working with the highest priority to support impacted customers. We have also worked swiftly and released an updated virus definition file (5959) within hours and are providing our customers detailed guidance on how to repair any impacted systems.
We are investigating how the incorrect detection made it into our DAT files and will take measures to prevent this from reoccurring.
We sincerely apologize for the inconvenience this has caused our customers.
So that's good news for consumers, and every bit as terrible news as expected for corporate users who've already been burned. [Engadget]