McAfee Glitch 'Bricks' Windows XP PCs

Thousands of enterprise workstations running Windows XP crashed or rebooted repeatedly yesterday after administrators installed a McAfee antivirus (AV) update.

The McAfee AV definition known as "DAT 5958," delivered as part of McAfee's VirusScan Enterprise product, pegged a false positive, mistaking a standard Windows driver (svchost.exe) as a virus. The antimalware application then suppressed the driver as if it were a malicious element, according to a notice from McAfee.

Without this driver, Windows XP enters a continuous reboot loop known as "bricking." The error can result in "moderate to significant issues" on systems running Windows XP Service Pack 3, McAfee officials explained in an initial investigation of the problem.

McAfee's teams "are working with the highest priority to support impacted customers and plan to provide an update virus definition file shortly," according to a released statement from the company. "McAfee apologizes for any inconvenience to our customers."

According to Jason Miller, data and security team manager at Shavlik Technologies, and other experts, false-positive detections by AV programs are par for the course. This particular false positive happened to slip by McAfee's QA cycle and affected a lot of Windows XP customers.

"This is a good reminder that even though what happened with McAfee is most likely a rare occurrence, administrators should always test new updates on test machines to ensure functionality," Miller said. "This ranges from antivirus applications to third-party vendor patches on an OS."

Amrit Williams, chief technology officer of BigFix, an IT security firm, said that this episode was not necessarily a sign that users should upgrade from Windows XP. However, he expressed alarm at the damage that could be done.

"I would say this is another sign that systems management and security tools need to be abstracted and isolated from the OS and that the operating system itself is inherently flawed," he said. "If such a critical system file can be so easily manipulated and cause widespread outage, such a thing can only be resolved by manually reimaging the affected devices."

Instances of third-party applications, particularly AV software, crashing a Windows OS are very common, according to Williams. This specific issue with McAfee is "significantly worse in that it completely 'bricks' the device, forcing those affected to manually touch the machine to resolve [the problem]," Williams added.

This process can be labor intensive and cause downtime, which can be a dilemma for IT pros working in distributed environments with limited IT staff and resources.

Microsoft announced that it is aware of the problem for Windows XP customers and indicated in a blog that McAfee plans to release DAT 5959, which corrects the false-positive problem. The blog also includes a manual workaround solution. In addition, Microsoft released workaround instructions for IT pros using Microsoft System Center Configuration Manager 2007 to resolve the problem.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.


  • Motherboard Image

    Darktrace Deal To Bring AI Security to Microsoft Products

    Microsoft and security solutions firm Darktrace plan to integrate the latter's AI products with Microsoft Azure, Azure Sentinel and Microsoft Defender for Endpoint.

  • 2021 Microsoft Conference Calendar: For Partners, IT Pros and Developers

    Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss.

  • Microsoft Updates Azure Icon, Plans Default Font Change

    Microsoft recently announced a few planned design changes, including a new Azure icon.

  • The 2021 Microsoft Product Roadmap

    From Windows 10X to the next generation of Microsoft's application server products, here are the product milestones coming down the pipeline in 2021.