When
Start Date 4/21/2010
Start Time 2pm GMT
Unique Timing After adding detection for variants of the W32/Wecorl.a family of malware
Where
System McAfee antivirus software for Windows XP SP3
Component DAT File 5985
Location Tens of thousands of end users
Potential Impact
Customer Service Could have been longer
Revenue Could have been longer/wider 100,000,000.00
Potential Impact Total: $100,000,000.00
3 Solution McAfee: Strictly enforce rules and processes regarding DAT creation and quality assurance
Cause Error not discovered in McAfee QA
Note
Assigned Choose Criteria Not Checked
Due Status Selected
Term Choose Cost $0.00
Location http://www.thetechherald.com/articles/Quality-Assurance-failure-led-to-McAfee-patch-problems
Link
Contributor The Tech Herald
Type Web Location
Quality
Location http://siblog.mcafee.com/support/mcafee-response-on-current-false-positive-issue/
Link
Contributor McAfee
Type Web Location
Quality
4 Evidence Speculation
Cause(s)
Location
Link
Contributor Choose
Type Choose
Quality
5 Evidence McAfee FAQ List: Referenced by Tech Herald article, copy not made available
Cause(s) W32/Wecorl.a can be polymorphic
W32/Wecorl.a found on svchost.exe in some cases
Polymorphic detection required
5985 DAT detects W32/Wecorl.a clusters
Peer review of driver not completed
XP SP3 with VSE 8.7 was not included in the test config
Error not discovered in McAfee QA
Location Unknown
Link
Contributor The Tech Herald
Type Document
Quality
[Chart: box labels recovered from the cause chart, in page order]

Chart Type Legend
Transitory
Non-transitory
Omission - Transitory
Omission - Non-transitory
Focal Point
Solution Implemented

Causes shown on the chart
W32/Wecorl.a can be polymorphic (Terminated because: Other causal paths more productive)
svchost.exe file required for normal operation (Terminated because: Desired state)
Malicious processes are terminated by VSE (Terminated because: Desired state)
svchost.exe process 'killed'
5985 DAT detects W32/Wecorl.a clusters
W32/Wecorl.a found on svchost.exe in some cases (Terminated because: Other causal paths more productive)
VSE determined svchost.exe was malicious
GOTO: McAfee update returned false positive (Terminated because: GOTO)
McAfee created 5985 DAT
Polymorphic detection required (Terminated because: Desired state)
Update required (Terminated because: Desired state)
Killing svchost.exe causes reboot
Standard Microsoft safety action (Terminated because: Desired state)
Error manifests on Win XP SP3 (? WHAT IS DIFFERENT ABOUT XP SP3 ?)
5985 DAT examines memory usage by svchost.exe
Malware frequently targets memory of executables (Terminated because: Other causal paths more productive)
Coding error in 5985 DAT
svchost.exe memory is active during startup (Terminated because: Other causal paths more productive)
5985 DAT returned a false positive svchost.exe
? EXECUTION ERROR ?
? SPECIFICATION ERROR ?
Windows file svchost.exe flagged as 'malicious'
Peer review of driver not completed (? WHY WASN'T PEER REVIEW DONE ?)
VSE 8.7 released to public
Error not discovered in McAfee QA
Malicious files are removed upon reboot by VSE (Terminated because: Desired state)
attempt to remove svchost.exe
GOTO: svchost.exe file removed (Terminated because: GOTO)
Reboot loop renders computers unusable (Terminated because: Other causal paths more productive)
Large user base of VSE 8.7 + Win XP SP3 (Terminated because: Other causal paths more productive)

Solutions
McAfee: Leverage cloud based technologies for false remediation

Evidence cited on the chart
Article: Quality Assurance Failure Led to McAfee Patch Problems, Steve Ragan, The Tech Herald, 4/23/2010
McAfee FAQ List: Referenced by Tech Herald article, copy not made available
McAfee Blog Entry 4/21/2010 4:29pm