X

How to fix your McAfee-crippled computer

A false-positive update pushed out by McAfee wreaked havoc on workplace computers, but there is a fix available. Be warned: it's not easy.

Seth Rosenblatt Former Senior Writer / News
Senior writer Seth Rosenblatt covered Google and security for CNET News, with occasional forays into tech and pop culture. Formerly a CNET Reviews senior editor for software, he has written about nearly every category of software and app available.
See full bio
Seth Rosenblatt
3 min read

McAfee pushed out a malformed security patch early on Wednesday that wound up crippling computers running Windows XP, but there is a fix available. Users should note that it's labor-intensive and must be applied manually to each computer. If you're running Windows Vista or Windows 7, your computer shouldn't be affected by the bad update.

As of 3 p.m. PDT, McAfee had yet to link on its front door to a fix for a false positive update with disastrous consequences that went out Wednesday morning. Screenshot by Seth Rosenblatt/CNET

If your computer is shutting down automatically, you must address that before you can fix anything else.

  • Step 1: Open a command prompt: Start menu, Run, then type cmd and hit Enter
  • Step 2: Type shutdown -a, which will prevent the shutdown from occurring

    • McAfee has revealed two fixes for the problem. Each one requires multiple steps, and can be confusing. If you're not comfortable with advanced computer fixes, you should get help with this.

    For the first fix, go to the McAfee interface through the Start menu, and disable Access Protection and On-Access Scanner.

  • Step 1: Click Start, Programs, McAfee, and then VirusScan Console
  • Step 2: Right-click "Access Protection"
  • Step 3: Select "Disable"

    • If you have Internet access, download the EXTRA.ZIP file provided by McAfee and unzip the EXTRA.DAT within. (Note that Nai.com is a safe site maintained by McAfee, for those who were wondering.) Once EXTRA.DAT has been extracted:

  • Step 1: Click Start, Run, then type services.msc and click "OK"
  • Step 2: Right-click the McAfee McShield service and select "Stop"
  • Step 3: Copy EXTRA.DAT to "\Program Files\Common Files\McAfee\Engine"
  • Step 4: Then restart the McAfee McShield service by right-clicking on it and choosing "Start" from the context menu
  • Step 5: Re-enable access protection by going back to the VirusScan Console
  • Step 6: Right-click "Access Protection"
  • Step 7: Select "Enable"
  • Step 8: In the VirusScan Console, go to the Quarantine Manager Policy
  • Step 9: Click the Manager tab
  • Step 10: Right-click on each file in the Quarantine and choose "Restore"

    • There is, of course, one massive hang-up with this McAfee-recommended solution: More likely than not, you don't have Internet access on your McAfee-borked computer. In fact, it's highly unlikely that you have access to much of anything, since deleting SVCHOST.EXE prevents key Windows 32-bit sub-system processes from functioning at all. To get the EXTRA.DAT on your computer, you'll probably have to download it on an unaffected computer, then copy it to either a USB drive or a CD-ROM and use the command prompt to copy it over to your C: drive.

    The second workaround requires that you apply the EXTRA.DAT fix as detailed above before beginning and that you have access to a second, unaffected Windows XP computer. On that computer, go to C:\WINDOWS\system32 and copy SVCHOST.EXE to a network location or a removable media device such as a USB stick. Then copy the SVCHOST.EXE from the unaffected computer to the affected computer, and restart the McAfee-afflicted computer. There are details on applying the EXTRA.DAT via ePolicy Orchestrator at McAfee's fix on Nai.com.

    Severe problems caused by buggy or false positive security updates are rare, but not unheard of. Recent instances include an update from Avast that marked hundreds of legitimate files as threats in December 2009, Computer Associates flagging a Windows system file as a virus in July 2009, and AVG marking ZoneAlarm as malware in October 2008.

    McAfee did not immediately responded to a request for comment.

    Updated at 5 p.m. PDT with additional information.

    McAfee Executive Vice President of Technical Support and Customer Service Brian MacPherson has written a blog post and a follow-up commenting on the situation, although neither addresses how the bad update made it past quality-control testing in the first place.

    Updated at 10:45 a.m. PDT with a statement from McAfee.