McAfee’s major screw-up

by Shijaz Abdulla on 22.04.2010 at 13:08

McAfee released an antivirus update yesterday that crippled Windows XP computers worldwide. The DAT 5958 update affects only computers running Windows XP Service Pack 3.

Here’s how the SANS Internet Storm Center describes the mess-up:

McAfee’s “DAT” file version 5958 is causing widespread problems with Windows XP SP3. The affected systems will enter a reboot loop and [lose] all network access. We have individual reports of other versions of Windows being affected as well. However, only particular configurations of these versions appear affected. The bad DAT file may infect individual workstations as well as workstations connected to a domain. The use of “ePolicyOrchestrator”, which is used to update virus definitions across a network, appears to have [led] to a faster spread of the bad DAT file. The ePolicyOrchestrator is used to update “DAT” files throughout enterprises. It can not be used to undo this bad signature because affected system will lose network connectivity.

The problem is a false positive which identifies a regular Windows binary, “svchost.exe”, as “W32/Wecorl.a”, a virus.

This is ridiculous if you ask me. The svchost.exe is a crucial Windows binary and just about everyone knows about it. Funny it should identify svchost.exe as a virus! I’ve been told this is the third mess-up from McAfee in a period of 4 years.

If you’re a McAfee customer, I have two recommendations for you:

1. Do not install the DAT 5958 update – block it. Wait for instructions from McAfee.

2. Consider implementing a state-of-the-art antivirus solution, that is more reliable and fares better in the comparative reports.

Microsoft Forefront Client Security is Microsoft’s cutting-edge client security solution which fared well in the VirusBulletin reports and many other studies. For more information, read my earlier post on “Forefront vs. the Competition”.


Forefront vs. the competition

by Shijaz Abdulla on 13.03.2010 at 13:49

In this post, I am sharing the current position of Forefront Client Security (Forefront Endpoint Protection) and Forefront Protection for Exchange in the market, in comparison to similar solutions from other competitors.

1. Forefront Client Security:

We have very high comparative ratings from VirusBulletin – which does independent testing of antivirus solutions.

Below: Average result of multiple tests between August 2009 to February 2010.

How to interpret this chart: Higher reactive AND proactive detection is good. MS Forefront Client Security/Endpoint Protection is place HIGHER than Symantec and McAfee, among other competitors. Trend Micro does not seem to be included in the latest study, but it failed 3 previous tests and didn’t make it in the chart.



2. Forefront Protection for Exchange Server

VirusBulletin, which conducts independent benchmarking of antivirus & antispam products has rated Microsoft Forefront Protection for Exchange highly.  MS Forefront for Exchange won the VBspam award consistently. For more information register at and view the reports.

How to interpret the chart: HIGH SPAM CATCH rate (SC) and LOW FALSE POSITIVE (FP) rate is good.

The latest March 2010 report (below) shows the MS forefront has the HIGHEST SPAM CATCH RATE (SC), while at the same time maintaining relatively LOWER FALSE POSITIVE (FP) compared Symantec, McAfee, McAfee and other popular anti spam solutions.



It is worth noting that what goes into Forefront Protection for SharePoint and Forefront Protection for OCS is the same set of antivirus engines that goes into Forefront Protection for Exchange.