Teldata.Wordpress.com | ParagonHost.com

April 22, 2010

McAfee Response To Current False Positive Issue

Filed under: Uncategorized — paragon @ 1:30 pm

In the past 24 hours, McAfee identified a new threat that impacts Windows PCs. Researchers worked diligently to address this threat that attacks critical Windows system executables and buries itself deep into a computer’s memory.

The research team created detection and removal to address this threat. The remediation passed our quality testing and was released with the 5958 virus definition file at 2.00 PM GMT+1 (6am Pacific Time) on Wednesday, April 21.

McAfee is aware that a number of customers have incurred a false positive error due to this release. We believe that this incident has impacted less than one half of one percent of our enterprise accounts globally and a fraction of that within the consumer base – home users of products such as McAfee VirusScan Plus, McAfee Internet Security Suite and McAfee Total Protection. That said, if you’re one of those impacted, this is a significant event for you and we understand that.

Our initial investigation indicates that the error can result in moderate to significant issues on systems running Windows XP Service Pack 3. The immediate impact on corporate users was lessened for corporations who kept a feature called “Scan Processes on Enable” in McAfee VirusScan Enterprise disabled, as it is by default, though those customers could also be impacted when running an on demand scan.

The faulty update was removed from all McAfee download servers within hours, preventing any further impact on customers.

McAfee teams are working with the highest priority to support impacted customers. We have also worked swiftly and released an updated virus definition file (5959) within a few hours and are providing our customers detailed guidance on how to repair any impacted systems.

Corporate Customers
- These entries in our virus information library and the knowledge base provide workarounds for this issue for corporate customers
- Customers are discussing the issue in our online support community

Consumers
- This support page provides information for impacted consumers
- Consumers are also discussing the topic in the online community

To contact McAfee by phone in your region, go to the “Contact Us” page on our Web site and select your country for the correct number.

We are investigating how the incorrect detection made it into our DAT files and will take measures to prevent this from reoccurring.

We sincerely apologize for the inconvenience this has caused our customers and will update this blog posting as more details become available.

Barry

PS: I just published another blog in response to some of your comments below.


(Updated at 3.35 PM PT to include statement on number of customers impacted.)
(Updated at 3.50 PM PT with a link to details for consumers who were impacted.)
(Updated at 5.13 PM PT with link to knowledge base.)
(Updated at 5.44 PM PT to correct the number of impacted consumers.)
(Updated at 8.20 PM PT removing detail on 5959 DAT capabilities.)
(Updated at 9.27 PM PT to provide additional detail on customer impact and added link to new blog post.)
(Updated at 10.01 PM PT to add a link to the support community.)

April 10, 2010

Install software updates and security patches without rebooting

Filed under: Uncategorized — paragon @ 5:59 am

This story appeared on Network World at

http://www.networkworld.com/newsletters/techexec/2010/021510bestpractices.html


IT Best Practices Alert By Linda Musthaler, Network World 
February 12, 2010 12:03 AM ET


There’s a real irony to my article this week. Just as I began to write, I got an e-mail from one of my hosted service providers. To paraphrase the message, it says: “Dear Customer, we will be performing maintenance on your application server for a few hours this weekend. We plan to install critical software updates and security patches. During this window you may experience brief interruptions in service. Sorry for the inconvenience.”

You’ve seen similar messages before. Perhaps you even write them and send them out to your own customers when you need to install software updates and security fixes. While the process of installing software updates is disruptive and expensive — Gartner estimates downtime for a critical system costs $42,000 an hour — there’s no getting around the need to apply updates. According to Microsoft, 90 percent of the attacks in the wild exploit known vulnerabilities.

It’s essential to patch systems to keep them reliable and secure. But while you must patch, must you reboot the server to apply the patch? Not necessarily.

There’s a new subscription service launching this week that provides rebootless updates. Ksplice has just announced the general availability of its Ksplice Uptrack service for Linux servers. When a vendor releases software updates, Ksplice makes those updates into a module that can be applied to a server without rebooting it. This saves you the hassle of notifying customers of downtime and planning for staff members to work at 2:00 a.m. on a Sunday morning. The update can be applied painlessly and without any disruption to anyone’s work.

The company Ksplice was founded by four MIT engineers. The technology they’ve developed is based on thesis research, and it has received numerous accolades and honors, including The Wall Street Journal 2009 Technology Innovation Award. The technology can be applied to virtually any type of software, including operating systems and applications, running on a wide variety of devices, such as servers, network routers and switches, storage arrays, mobile devices and more. The potential for this technology is huge; if you aren’t using it today, you might use it in the not-too-distant future.

In the life cycle of a software update, the process starts when someone discovers a bug or security hole in the code. The software vendor releases an update, which the administrator installs. To apply the update and have it take effect, you typically restart the software; in the case of an OS patch, this means rebooting the machine — an inconvenience for you and all the users.

With the Ksplice service, when the software vendor releases an update, Ksplice makes the update rebootless and delivers it to customers where it can be installed and applied without any disruption. The software is up to date and secure.

Here’s the recipe for the secret sauce — how Ksplice makes an update rebootless. Ksplice has the source code for the software to be updated, say a Linux OS, as well as the source code for the update itself. The company then compiles the program twice, once without the patch and once with the patch. Ksplice compares the two versions and identifies the functions that have changed. Ksplice pulls out just these functions, packages them into a kernel module, and ships this module containing the replacement code to customers.

Customers then load the corrected version of the software module into memory. At a safe time, the old buggy version of the function has its first instruction replaced by a jump command. All callers to this function jump over to the corrected version of the code. Basically, it’s a detour around the old code so that the new code is always executed in memory.
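The two steps described above (find the functions whose compiled bytes differ, then plan a jump from each old entry point to its replacement) can be modelled in a few lines. This is an added example, not Ksplice's code: it assumes x86-64 and a 5-byte `jmp rel32`, the function names, addresses and byte strings are constructed, and it only plans the patch without writing to memory or checking for the "safe time".

```c
#include <stdint.h>
#include <string.h>
/* One function as compiled in both builds (without and with the patch). */
struct func { const char *name; uint64_t addr;
              const uint8_t *pre, *post; size_t pre_len, post_len; };
struct detour { const char *name; uint64_t site, target; uint8_t jmp[5]; };

/* x86-64 `jmp rel32` (opcode E9): rel32 counts from the end of the 5-byte
 * instruction. Returns -1 if the target is outside the +/-2 GiB reach. */
static int encode_jmp(uint64_t from, uint64_t to, uint8_t out[5])
{
    int64_t rel = (int64_t)(to - (from + 5));
    if (rel > INT32_MAX || rel < INT32_MIN)
        return -1;
    out[0] = 0xE9;
    for (int i = 0; i < 4; i++)              /* little-endian displacement */
        out[1 + i] = (uint8_t)((uint32_t)rel >> (8 * i));
    return 0;
}

/* Diff the builds; each function whose bytes changed gets a slot in the
 * replacement module and a jump planned over its old first instruction. */
static size_t plan_detours(const struct func *f, size_t n,
                           uint64_t module_base, struct detour *out)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        struct detour *d = &out[count];
        int same = f[i].pre_len == f[i].post_len &&
                   memcmp(f[i].pre, f[i].post, f[i].pre_len) == 0;
        if (same || f[i].pre_len < 5 ||      /* unchanged, or no room for jmp */
            encode_jmp(f[i].addr, module_base, d->jmp) != 0)
            continue;
        d->name = f[i].name; d->site = f[i].addr; d->target = module_base;
        module_base += f[i].post_len;
        count++;
    }
    return count;
}

/* Constructed sample: names, addresses and bytes are illustrative only. */
static const uint8_t copy_v1[] = {0x48, 0x89, 0xF8, 0xF3, 0xA4, 0xC3};
static const uint8_t chk_v1[]  = {0xB8, 0x01, 0x00, 0x00, 0x00, 0xC3};
static const uint8_t chk_v2[]  = {0x83, 0xFF, 0x40, 0x0F, 0x96, 0xC0, 0xC3};
static const struct func builds[] = {
    {"do_copy",   0xffffffff81000f00ULL, copy_v1, copy_v1, 6, 6},
    {"check_len", 0xffffffff81001000ULL, chk_v1,  chk_v2,  6, 7}};
static struct detour demo_out[2];
static size_t demo_plan(void) { return plan_detours(builds, 2, 0xffffffffa0000000ULL, demo_out); }
int main(void) { return demo_plan() == 1 ? 0 : 1; }
```

Only `check_len` is selected, because `do_copy` compiles to identical bytes in both builds; the range check matters because a replacement loaded more than 2 GiB away cannot be reached with this jump form.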

Since the changes are in memory only, they aren’t persistent. This means an administrator still needs to apply the permanent fix at some point down the road. In the meantime, however, the Ksplice fix keeps the software secure without disrupting service.

Some 30 or so hosting companies have been early adopters of the technology, including SingleHop. Andrew Brooks is a security engineer at SingleHop, and he uses Ksplice Uptrack on about 500 (soon to be 600) Linux servers. “A zero-day exploit spreads like wildfire,” Brooks says. “We use Uptrack because it’s the fastest way to get a security patch applied to our servers. This gives us a competitive edge if we can reduce downtime for our customers.” Brooks says he spends less time on administration by having the patches waiting for him via RSS feeds. He can install an update without rebooting and without having to coordinate reboot schedules with hundreds of customers.

You can sign up for a free trial of the Ksplice Uptrack subscription service. If you like it and find value in it, sign on as a customer and reduce the worry of patching your software.

Read more about software in Network World’s Software section.

Linda Musthaler is a principal analyst with Essential Solutions Corporation.

All contents copyright 1995-2010 Network World, Inc. http://www.networkworld.com
