McAfee fix and the dangers of virus handling

Filed Under: Malware

Quarantine image courtesy of Anonymous9000's Flickr photostream

In the security world the news has been dominated for the last 48 hours with tales of woe regarding the false-positive some McAfee customers encountered with svchost.exe. McAfee customers who have run into the problem can find detailed advice on fixing the issue in McAfee KB68780.

Our emotions regarding malware often lead us astray. Instinctively we want to delete or quarantine malware. McAfee's situation shows why this is a bad idea. According to their KB article if your system experienced this issue your copy of C:\Windows\System32\svchost.exe has either been quarantined or deleted.

When I was in the Sales Engineering department here at Sophos it seemed to be a full-time job explaining to prospects why it was a bad idea to delete or quarantine viruses and other malware. Why on earth would I want a known malicious file to remain on my PC?

Upon the discovery of malicious code, anti-virus solutions are unable to determine with 100% confidence whether the file in question is required to boot, or required for the regular operation of your PC. As a safety precaution it is best to prevent access to the identified file, but leave it in place and by no means delete it. Viruses often infect critical drivers and other key components of the operating system. If you delete these files upon detection (or even move them) you create a much more difficult recovery process.

Fortunately in this case, McAfee customers are able to boot into Safe Mode and take the actions necessary to restore the computer to a fully working state. There is still a lot of manual work involved, but it does not require you to boot a live CD or USB stick to save the system. In cases where more important files have been moved it can be difficult if not impossible to fix once the files have been tampered with.

My Point? For everyday computers in your workplace the best practice is to attempt to cleanup viruses, but not move them to a central area or delete them permanently. For extremely risk-averse environments and mission critical systems you may wish to be more conservative and simply block access to the file and require a human to take action before making system modifications.

The good news is that false positives are few and far between. Recovery is difficult enough, don't complicate it more than necessary.

Take it from an expert - don't transport malware around your computer/network, clean it up in place, and do your best to do no harm.

Creative Commons image courtesy of Anonymous9000's Flickr photostream.


You might like

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on as Chester, Chester Wisniewski on Google Plus or send him an email at