Today started out normal but quickly changed just after 9:30am CST. That’s when the calls started coming in about a virus. At first we were thinking that someones machine was compromised because they were all located in the same office. We put our cleaning software on flash drives, went up and pulled network cables and started scanning. Soon after I started I get an email about turning off all Windows XP computers from campus network security. Everyone assumes it’s a zero-day virus that we don’t have protection for. The best way to stop it is remove the computer. I then went from floor to floor of our building to tell people to turn their computers off. Sent off a few emails for the people in other buildings to try and protect as many computers as I can. Yes we shut down every Windows computer we have across campus.
After I did that I went up and started working on the computers that I originally pulled the network cables from. Trying to see if we have any software that would detect the virus. Remember at this point, which is probably a little after 10, I still don’t know it’s just a bad dat file. Our scans came clean but the machines were still rebooting. I finally just gave up until I heard what campus had to say.
It wasn’t until around 10:45 that we found out it was a false positive. That basically means McAfee freaked out on itself and started destroying Windows. I went around the building again telling everyone to turn their computers back on. And now starts the repair process. My team and I got everyone back up and running about 3 today.
What we did to fix it: Go into safe mode, load extra.dat in mcafee engine folder, restore quarantine files that occurred from morning incident and then restart computer. Once computer is restarted we updated McAfee and check services to make sure everything was running good. We tried many different things since we didn’t have anything official on how to fix the problem.
We only had about 20 machines total that were hit by the bad dat file that we had to physically go and fix. I consider myself lucky but there are a few things that really helped us out. For one we have a lot of Macs. I think we are about 60% Mac in our buildings and growing. I also push technology so we do have a fair number of machines that are either Vista or Windows 7. Those machines were unaffected by this issue. I think our campus was quick at responding and pulling the bad dat files off of our server. That limits the number of machines that could possible get hit. I’m guessing over the next few days we will probably still have another 5 to 10 machines with the issue in our buildings. People aren’t always in the office on a campus. There will also be home machines that got the update since campus provides the same protecting for home computers.
McAfee seriously messed up with this update. But this is just icing on the cake for my feelings towards them lately. Our virus infections have been on the rise the past 3 months and McAfee isn’t catching anything. It’s sad when spybot and malwarebytes can detect and delete virus’ but McAfee, which we pay for, doesn’t see anything. I’m glad today is over with but the world’s trust in McAfee has seriously depleted. Especially if it’s true that 100s of thousands of machines were infected.