McAfee's security software flags Windows kernel code as malware

Reporting on the incident last night, the SANS Internet Storm Centre said they had received "dozens of reports" from McAfee users who complained that a recent anti-virus update (DAT 5958) was causing Windows XP Service Pack 3 clients severe problems.

SANS said that the Windows svchost.exe executable is being flagged as malicious by McAfee, resulting in an endless reboot loop or networking features that stop working.

According to Brian Krebs, a leading US security expert, one symptom is that McAfee reports that user systems are infected with W32.Wecorl.a.

"The anti-virus programme's attempts to destroy or quarantine that targeted process then forces the Windows machine into a reboot cycle", Krebs noted in his blog posting last night.

McAfee has responded to reports of the problems with confirmation that it is working urgently on a workaround and a patch for its software is in the pipeline.

"McAfee is aware that a number of customers have incurred a false positive error due to incorrect malware alerts on Wednesday, April 21. The problem occurs with the 5958 virus definition file (DAT) that was released on April 21 at 2pm GMT", the company said in a prepared statement.

Infosecurity notes that some versions of McAfee's software can be customised to ignore the presence of svchost.exe and 'trust' the relevant programme code. This may be a workaround for some users of the firm's IT security software.
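Before telling any anti-virus product to 'trust' a file called svchost.exe, an administrator will want to confirm that the copy on disk is the genuine Microsoft-signed binary rather than something that has borrowed its name. The following PowerShell function is an added example written for this page; it is not code from the article, from McAfee or from SANS. It assumes Windows PowerShell 2.0 or later (which runs on XP SP3) and only uses the Authenticode check built into Windows; it makes no use of any McAfee interface, and the function name is a made-up one.

```powershell
# Added example, not from the article or from any vendor:
# check that a given svchost.exe is the genuine, Microsoft-signed system file
# before adding it to an anti-virus 'trusted' or exclusion list.
# Assumes Windows PowerShell 2.0 or later.

function Test-GenuineSvchost {
    param(
        # Path of the flagged file; defaults to the real system copy
        [string]$Path = (Join-Path $env:SystemRoot 'System32\svchost.exe')
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return New-Object PSObject -Property @{
            Path = $Path; Exists = $false; Verdict = 'missing'
        }
    }

    # 1. Authenticode: the signature chain must verify and the signer must be Microsoft.
    $sig      = Get-AuthenticodeSignature -FilePath $Path
    $msSigned = ($sig.Status -eq 'Valid') -and
                ($sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')

    # 2. Location: the real service host lives only under %SystemRoot%\System32.
    $inSystem32 = $Path -like (Join-Path $env:SystemRoot 'System32\*')

    # 3. SHA-256 of the file, so it can be compared with a known-good copy
    #    taken from another machine of the same Windows build.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $hash = ([BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', ''
    } finally {
        $stream.Close()
    }

    if ($msSigned -and $inSystem32) { $verdict = 'genuine' } else { $verdict = 'do not trust' }

    New-Object PSObject -Property @{
        Path      = $Path
        Exists    = $true
        SigStatus = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
        SHA256    = $hash
        Verdict   = $verdict
    }
}

# Usage: inspect the default system copy, then any other svchost.exe the AV named.
Test-GenuineSvchost | Format-List
# Test-GenuineSvchost -Path 'C:\path\reported\by\the\scanner\svchost.exe' | Format-List
```

Only a result of 'genuine' justifies an exclusion; a file named svchost.exe that sits outside System32 or carries no valid Microsoft signature is exactly the case an exclusion would blind the scanner to, so it should be investigated rather than trusted.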
