In the security world the news has been dominated for the last 48 hours with tales of woe regarding the false-positive some McAfee customers encountered with svchost.exe. McAfee customers who have run into the problem can find detailed advice on fixing the issue in McAfee KB68780.
Our emotions regarding malware often lead us astray. Instinctively we want to delete or quarantine malware. McAfee’s situation shows why this is a bad idea. According to their KB article if your system experienced this issue your copy of C:\Windows\System32\svchost.exe has either been quarantined or deleted.
When I was in the Sales Engineering department here at Sophos it seemed to be a full-time job explaining to prospects why it was a bad idea to delete or quarantine viruses and other malware. Why on earth would I want a known malicious file to remain on my PC?
Upon the discovery of malicious code, anti-virus solutions are unable to determine with 100% confidence whether the file in question is required to boot, or required for the regular operation of your PC. As a safety precaution it is best to prevent access to the identified file, but leave it in place and by no means delete it. Viruses often infect critical drivers and other key components of the operating system. If you delete these files upon detection (or even move them) you create a much more difficult recovery process.
Fortunately in this case, McAfee customers are able to boot into Safe Mode and take the actions necessary to restore the computer to a fully working state. There is still a lot of manual work involved, but it does not require you to boot a live CD or USB stick to save the system. In cases where more important files have been moved it can be difficult if not impossible to fix once the files have been tampered with.
My Point? For everyday computers in your workplace the best practice is to attempt to cleanup viruses, but not move them to a central area or delete them permanently. For extremely risk-averse environments and mission critical systems you may wish to be more conservative and simply block access to the file and require a human to take action before making system modifications.
The good news is that false positives are few and far between. Recovery is difficult enough, don’t complicate it more than necessary.
Take it from an expert – don’t transport malware around your computer/network, clean it up in place, and do your best to do no harm.
Creative Commons image courtesy of Anonymous9000’s Flickr photostream.