Scribd Logo
Hochladen

Willkommen bei Scribd!

  • Root Cose

    Hochgeladen von

    Ravi
    99 Ansichten8 Seiten
    McAfee released a software update on April 21, 2010 that added detection for new malware variants but contained a coding error. This error caused the antivirus software to incorrectly flag the critical Windows file svchost.exe as malicious, resulting in tens of thousands of computers experiencing endless reboots. The root causes were identified as the coding error in the new DAT file and quality assurance failures at McAfee that allowed the bug to affect customers. Solutions proposed include replacing the problematic DAT file, auditing McAfee's development and testing processes, and expanding test environments to cover all relevant operating system configurations.

    Originalbeschreibung:

    Implementation guide

    Originaltitel

    Root cose

    Copyright

    © © All Rights Reserved

    Verfügbare Formate

    PDF, TXT oder online auf Scribd lesen

    Stufen Sie dieses Dokument als nützlich ein?

    Sind diese Inhalte unangemessen?

    Dieses Dokument melden
    McAfee released a software update on April 21, 2010 that added detection for new malware variants but contained a coding error. This error caused the antivirus software to incorrectly flag the critical Windows file svchost.exe as malicious, resulting in tens of thousands of computers experiencing endless reboots. The root causes were identified as the coding error in the new DAT file and quality assurance failures at McAfee that allowed the bug to affect customers. Solutions proposed include replacing the problematic DAT file, auditing McAfee's development and testing processes, and expanding test environments to cover all relevant operating system configurations.

    Copyright:

    © All Rights Reserved
    Als PDF, TXT herunterladen oder online auf Scribd lesen
    Markieren Sie unangemessene Inhalte
    99 Ansichten8 Seiten

    Root Cose

    Hochgeladen von

    Ravi
    McAfee released a software update on April 21, 2010 that added detection for new malware variants but contained a coding error. This error caused the antivirus software to incorrectly flag the critical Windows file svchost.exe as malicious, resulting in tens of thousands of computers experiencing endless reboots. The root causes were identified as the coding error in the new DAT file and quality assurance failures at McAfee that allowed the bug to affect customers. Solutions proposed include replacing the problematic DAT file, auditing McAfee's development and testing processes, and expanding test environments to cover all relevant operating system configurations.

    Copyright:

    © All Rights Reserved
    Als PDF, TXT herunterladen oder online auf Scribd lesen
    Markieren Sie unangemessene Inhalte
    von 8

    Page 1 \ 7

    RCA Name EXAMPLE: McAfee QA Failure


    Report Date 4/19/2012
    RCA Owner Brian Hughes - Sologic

    Root Cause Analysis Report


    Problem Statement

    Focal Point Loss of Productivity - tens of thousands of users

    When
    Start Date 4/21/2010
    Start Time 2pm GMT
    Unique Timing After adding detection for variants of the W32/Wecorl.a family of malware

    Where
    System McAfee antivirus software for Windows XP SP3
    Component DAT File 5985
    Location Tens of thousands of end users

    Actual I mpact Cost


    Customer Service Thousands of customers impacted
    Revenue Lost customer productivity 50,000,000.00
    Other... Due to the diversity of businesses impacted, many non
    financial areas could experience negative impact
    Cost Internal costs to solve 100,000.00
    Cost
    Actual I mpact Total: $50,100,000.00

    Potential I mpact
    Customer Service Could have been longer
    Revenue Could have been longer/wider 100,000,000.00
    Potential I mpact Total: $100,000,000.00

    Report and chart generated by Sologic’s Causelink software. www.sologic.com


    Page 2 \ 7
    Report Summaries
    Cause and Effect Summary
    On 4/21/2010 at approximately 2:00PM GMT McAfee released an update to it's Virus Software
    Enterprise 8.7 (VSE 8.7). The update added detection for variants of the W32/Wecorl.a family of
    malware. The update included DAT File 5985, which contained an unidentified coding error. This error
    caused a healthy system file, svchost.exe, to be flagged by VSE 8.7 as being malicious. Once the file
    was tagged as malicious, VSE 8.7 killed the svchost.exe process. Microsoft has a built-in safety
    mechanism that kicks in when a system executable is killed. This safety mechanism causes the
    system to reboot. Upon reboot, VSE 8.7 attempted to remove the now flagged svchost.exe file,
    disrupting the normal operation of the system. This caused users to experience the "blue screen of
    death" or an endless series of attempted reboots. Tens of thousands of users were impacted causing
    an estimated $50 million in lost productivity.
    CODING ERROR: DAT 5985 works by monitoring the memory activity of system files. The
    W32/Wecorl.a malware attempts to gain and maintain control of a system through the use of memory
    of executable system files. DAT 5985 mistakenly identified normal memory activity of svchost.exe
    during system startup as an attempt by malware to gain control of the system. This was due to a
    coding error. It is unknown why the coding error occurred, but two possible fault paths need to be
    examined.
    1) Was there a coding execution error?
    2) Was there a specification error?
    Either, or both, are possible.
    QUALITY SYSTEM FAILURE: McAfee's QA process missed the coding error before going into production.
    This error only manifests in system failure on Windows XP, Service Pack 3 (XP SP3). XP SP3 was not
    included in the test configuration for VSE 8.7. Also, there was no peer review of the driver completed
    before release. Both of these quality system failures require further examination.
    Page 3 \ 7
    Solutions
    ID Label Description
    1 Solution McAfee: Remove and replace DAT 5985
    Cause VSE 8.7 released to public
    Note
    Assigned Choose Criteria Not Checked
    Due Status Selected
    Term Choose Cost $0.00

    2 Solution McAfee: Conduct audit of DAT creation and implementation process


    Cause Error not discovered in McAfee QA
    Note
    Assigned Choose Criteria Not Checked
    Due Status Selected
    Term Choose Cost $0.00

    3 Solution McAfee: Strictly enforce rules and processes regarding DAT creation and quality
    assurance
    Cause Error not discovered in McAfee QA
    Note
    Assigned Choose Criteria Not Checked
    Due Status Selected
    Term Choose Cost $0.00

    4 Solution McAfee: Add missing operating systems and product configurations


    Cause XP SP3 with VSE 8.7 was not included in the test config
    Note
    Assigned Choose Criteria Not Checked
    Due Status Selected
    Term Choose Cost $0.00

    5 Solution McAfee: Leverage cloud based technologies for false remediation


    Cause Windows file svchost.exe flagged as 'malicious'
    Page 4 \ 7
    Note
    Assigned Choose Criteria Not Checked
    Due Status Selected
    Term Choose Cost $0.00

    6 Solution McAfee: Revise risk assessment criteria


    Cause Windows file svchost.exe flagged as 'malicious'
    Note
    Assigned Choose Criteria Not Checked
    Due Status Selected
    Term Choose Cost $0.00
    Page 5 \ 7
    Team
    ID Label Description Label Description
    1 First Name Brian Last Name Hughes
    Phone (1) 206-282-7703 Phone (2)
    Role Investigator Group Sologic
    Email brian.hughes@sologic.com

    2 First Name McAfee Last Name


    Phone (1) Phone (2)
    Role Group
    Email

    3 First Name The Tech Herald Last Name


    Phone (1) Phone (2)
    Role Group
    Email
    Page 6 \ 7
    Evidence
    ID Label Description
    1 Evidence Article: Quality Assurance Failure Led to McAfee Patch Problems, Steve Ragan, The Tech
    Herald, 4/23/2010
    Cause(s) Update required
    Malicious processes are terminated by VSE
    VSE determined svchost.exe was malicious
    svchost.exe process 'killed'
    Standard Microsoft safety action
    Killing svchost.exe causes reboot
    Error manifests on Win XP SP3
    Broadly used platform
    5985 DAT examines memory useage by svchost.exe
    svchost.exe memory is active during startup
    5985 DAT returned a false positive svchost.exe
    svchost.exe file was not malicious
    Windows file svchost.exe flagged as 'malicious'
    Malicious files are removed upon reboot by VSE
    GOTO: svchost.exe file removed
    attempt to remove svchost.exe
    svchost.exe file removed
    svchost.exe file required for normal operation
    Computers experienced continuous reboot
    Reboot loop renders computers unusable
    Large user base of VSE 8.7 + Win XP SP3
    Windows XP SP3 in use
    Malware frequently targets memory of executables

    Location http://www.thetechherald.com/articles/Quality-Assurance-failure-led-to-McAfee-patch-
    problems
    Link
    Contributor The Tech Herald
    Type Web Location
    Quality

    2 Evidence McAfee Blog Entry 4/21/2010 4:29pm


    Cause(s) McAfee created 5985 DAT
    Coding error in 5985 DAT
    GOTO: McAfee update returned false positive

    Location http://siblog.mcafee.com/support/mcafee-response-on-current-false-positive-issue/
    Link
    Page 7 \ 7
    Contributor McAfee
    Type Web Location
    Quality

    3 Evidence McAfee Blog Entry 4/21/2010 11:14pm


    Cause(s)
    Location http://siblog.mcafee.com/support/a-long-day-at-mcafee/
    Link
    Contributor McAfee
    Type Web Location
    Quality

    4 Evidence Speculation
    Cause(s)
    Location
    Link
    Contributor Choose
    Type Choose
    Quality

    5 Evidence McAfee FAQ List: Referenced by Tech Herald article, copy not made available
    Cause(s) W32/Wecorl.a can be polymorphic
    W32/Wecorl.a found on svchost.exe in some cases
    Polymorphic detection required
    5985 DAT detects W32 / Wecorl.a clusters
    Peer review of driver not completed
    XP SP3 with VSE 8.7 was not included in the test config
    Error not discovered in McAfee QA

    Location Unknown
    Link
    Contributor The Tech Herald
    Type Document
    Quality
    Terminated because:
    Chart Type Legend W32/Wecorl.a can be
    polymorphic Other causal paths more productive
    Transitory END

    Terminated because:
    Non-transitory svchost.exe file
    required for normal Desired state Terminated because:
    Malicious processes Evidence
    operation END are terminated by
    Omission - Transitory Desired state
    VSE END McAfee FAQ List: Referenced by Tech Herald
    article, copy not made available
    Omission - Non-transitory
    Evidence
    Focal Point Article: Quality Assurance Failure Led to Evidence
    McAfee Patch Problems, Steve Ragan, The
    Tech Herald, 4/23/2010 Article: Quality Assurance Failure Led to
    Solution Implemented McAfee Patch Problems, Steve Ragan, The
    svchost.exe process Tech Herald, 4/23/2010
    'killed'
    Terminated because:
    5985 DAT detects W32 W32/Wecorl.a found
    / Wecorl.a clusters on svchost.exe in Other causal paths more productive
    some cases END
    Evidence
    Article: Quality Assurance Failure Led to
    McAfee Patch Problems, Steve Ragan, The
    Terminated because: Evidence Evidence
    Tech Herald, 4/23/2010 VSE determined GOTO: McAfee update
    svchost.exe was returned false McAfee FAQ List: Referenced by Tech Herald McAfee FAQ List: Referenced by Tech Herald
    GO T article, copy not made available article, copy not made available
    malicious positive END

    Evidence Evidence
    Article: Quality Assurance Failure Led to McAfee Blog Entry 4/21/2010 4:29pm
    McAfee Patch Problems, Steve Ragan, The
    Tech Herald, 4/23/2010
    Terminated because:
    McAfee created 5985 Polymorphic
    DAT detection required Desired state
    END

    Evidence Evidence
    McAfee Blog Entry 4/21/2010 4:29pm McAfee FAQ List: Referenced by Tech Herald
    article, copy not made available

    Terminated because:
    Update required
    Desired state
    END

    Evidence
    Article: Quality Assurance Failure Led to
    McAfee Patch Problems, Steve Ragan, The
    Terminated because: Tech Herald, 4/23/2010
    Killing svchost.exe Standard Microsoft
    causes reboot safety action Desired state
    END

    Evidence Evidence
    Article: Quality Assurance Failure Led to Article: Quality Assurance Failure Led to
    McAfee Patch Problems, Steve Ragan, The McAfee Patch Problems, Steve Ragan, The Error manifests on ? WHAT IS DIFFERENT
    Tech Herald, 4/23/2010 Tech Herald, 4/23/2010 Win XP SP3 ABOUT XP SP3 ?

    Evidence
    Article: Quality Assurance Failure Led to
    McAfee Patch Problems, Steve Ragan, The
    Tech Herald, 4/23/2010

    Terminated because:
    5985 DAT examines Malware frequently
    memory useage by targets memory of Other causal paths more productive
    svchost.exe executables END
    Coding error in 5985
    DAT
    Evidence Evidence
    Article: Quality Assurance Failure Led to Article: Quality Assurance Failure Led to
    McAfee Patch Problems, Steve Ragan, The McAfee Patch Problems, Steve Ragan, The
    Evidence Tech Herald, 4/23/2010 Tech Herald, 4/23/2010
    McAfee Blog Entry 4/21/2010 4:29pm

    Terminated because:
    svchost.exe memory
    is active during Other causal paths more productive
    startup END

    svchost.exe file Evidence


    removed
    Article: Quality Assurance Failure Led to
    McAfee Patch Problems, Steve Ragan, The
    Computers Tech Herald, 4/23/2010
    experienced
    continuous reboot Evidence
    Article: Quality Assurance Failure Led to
    McAfee Patch Problems, Steve Ragan, The
    Tech Herald, 4/23/2010
    Evidence
    Article: Quality Assurance Failure Led to
    McAfee Patch Problems, Steve Ragan, The
    Tech Herald, 4/23/2010 Terminated because:
    Windows XP SP3 in Broadly used
    use platform Desired state
    END

    Evidence Evidence
    5985 DAT returned a Article: Quality Assurance Failure Led to Article: Quality Assurance Failure Led to
    false positive McAfee Patch Problems, Steve Ragan, The McAfee Patch Problems, Steve Ragan, The
    svchost.exe Tech Herald, 4/23/2010 Tech Herald, 4/23/2010

    Evidence
    Article: Quality Assurance Failure Led to
    McAfee Patch Problems, Steve Ragan, The
    Tech Herald, 4/23/2010

    ? EXECUTION ERROR?

    ? WHY DID ERROR


    OCCUR?
    and
    or

    ? SPECIFICATION
    ERROR ?

    Windows file
    svchost.exe flagged
    as 'malicious'
    Peer review of ? WHY WASN'T PEER
    driver not completed REVIEW DONE ?

    Evidence
    Article: Quality Assurance Failure Led to
    McAfee Patch Problems, Steve Ragan, The
    Tech Herald, 4/23/2010 Evidence
    and
    or McAfee FAQ List: Referenced by Tech Herald
    article, copy not made available
    VSE 8.7 released to Error not discovered
    Solutions public in McAfee QA
    McAfee: Leverage cloud based technologies
    for false remediation

    Criteria Status Selected

    McAfee: Revise risk assessment criteria


    Solutions Evidence
    Criteria Status Selected McAfee: Remove and replace DAT 5985 McAfee FAQ List: Referenced by Tech Herald
    article, copy not made available
    Criteria Status Selected XP SP3 with VSE 8.7 ? WHY WASN'T VSE 8.7
    was not included in TESTED WITH XP SP3 ?
    the test config
    Solutions
    McAfee: Conduct audit of DAT creation and
    implementation process
    Evidence
    Criteria Status Selected
    McAfee FAQ List: Referenced by Tech Herald
    McAfee: Strictly enforce rules and article, copy not made available
    Loss of Productivity Terminated because: processes regarding DAT creation and
    - tens of thousands svchost.exe file was quality assurance
    of users not malicious Other causal paths more productive
    END Criteria Status Selected
    Solutions
    McAfee: Add missing operating systems and
    product configurations

    Evidence Criteria Status Selected


    Article: Quality Assurance Failure Led to
    McAfee Patch Problems, Steve Ragan, The
    Tech Herald, 4/23/2010

    Terminated because:
    Malicious files are
    removed upon reboot Desired state
    by VSE END

    Evidence
    Article: Quality Assurance Failure Led to
    McAfee Patch Problems, Steve Ragan, The
    Tech Herald, 4/23/2010

    Terminated because:
    attempt to remove GOTO: svchost.exe
    svchost.exe file removed GOTO
    END

    Evidence Evidence
    Article: Quality Assurance Failure Led to Article: Quality Assurance Failure Led to
    McAfee Patch Problems, Steve Ragan, The McAfee Patch Problems, Steve Ragan, The
    Tech Herald, 4/23/2010 Tech Herald, 4/23/2010

    Terminated because:
    Reboot loop renders
    computers unusable Other causal paths more productive
    END

    Evidence
    Article: Quality Assurance Failure Led to
    McAfee Patch Problems, Steve Ragan, The
    Tech Herald, 4/23/2010

    Terminated because:
    Large user base of
    VSE 8.7 + Win XP SP3 Other causal paths more productive
    END

    Evidence
    Article: Quality Assurance Failure Led to
    McAfee Patch Problems, Steve Ragan, The
    Tech Herald, 4/23/2010

    Das könnte Ihnen auch gefallen