McAfee's virus-scanning products wreaked havoc on corporate and consumer systems on Friday, after a buggy virus definition file triggered the quarantine or deletion of a long list of executable files - including Microsoft Excel.
The problem began when virus definition file, or DAT file, number 4715 was released on Friday morning, US Pacific Time (about 6:30 pm GMT), as part of a standard daily updating routine. The file was designed to refine McAfee products' ability to catch the W95/CTX virus, McAfee said.
By 9 pm GMT the company's customers began reporting an unusual number of files being quarantined or deleted by scans using DAT file 4715. "We think McAfee's latest DAT file may be bad," said one user in a report released by the SANS Institute's Internet Storm Center (ISC). "They improved the detection for several variants of the W95/CTX virus, and now our scanners are detecting supposedly infected executables all over our network, including on an original Microsoft Office 11 CD."
While excel.exe was the most high-profile false positive, the list of wrongly identified files later released by McAfee was seven pages long. The list was regarded as incomplete by some ISC readers, who said the McAfee tools attempted to remove files such as Dell OpenManage, Cygwin, Perl, Sysinternals' PsTools suite, various Oracle binaries, and the SuperCACLS administration suite.
The files were either deleted or moved into a different folder, according to settings determined by the user. The files were only moved or deleted during scheduled or manual scans, and not during background scanning, according to McAfee.
"If... your readers have quarantine or delete set as the default action, the virus scan will do more damage than a real virus would," wrote the ISC user.
McAfee said about 100 customers reported problems. The company released an updated definition file, DAT 4716, to enterprises at about 11:30 pm GMT, McAfee said. McAfee also released a tool designed to automatically restore wrongly quarantined files, according to SANS, an arduous process if carried out manually.
"Hundreds of files per machine were incorrctly identified as virus-infected and (were) quarantined," wrote another user in an ISC report. "Many hours will be spent restoring these files from quarantine."
According to SANS, affected products included VirusScan Enterprise 8.0i, VirusScan Enterprise 7.1, VirusScan Enterprise 7.0, Managed VirusScan 4.0, Managed VirusScan 3.5, VirusScan Online 11, VirusScan Online 10, LinuxShield and the consumer-oriented VirusScan 7.03.