Lessons Learned from the McAfee DAT Fail
April 28, 2010
When I worked at Information Builders, founder and CEO Gerry Cohen would pass by my office in the evening and stop in and ask simply: what did we learn today? While simple, that question forced you to take a look at the day and see what lessons could be learned from the experiences.
Last week, the security market had quite the experience as McAfee inadvertently disabled thousands of PCs with an update to their signature files that knocked out a file critical to the XP operating system. Now, a week later, it is prudent to ask: what did we learn?
This was inevitable. The velocity and volume at which malicious attacks have been growing simply overwhelmed the process of writing and updating signatures to keep pace. The signature counts are now over 7 million, with half of those signatures coming in 2009. I have been shouting this from the mountaintop for over a year now – the process is not sustainable. That is why we started the Worldwide Malware Counter to provide a visual representation of the problem. Those who have chosen to look the other way can no longer ignore the evidence as this problem interrupted business, infrastructure, and healthcare.
This is an industry problem, not a McAfee problem. I don’t blame McAfee, I think the law of averages simply kicked in and they were the unlucky target. The other vendors will likely jump on McAfee, but they in fact owe them a debt because deep down they all know it could have been their number that came up first. Trading McAfee AV for some other AV software is not the answer.
This problem is not going away. Now the AV vendors will be under increasing scrutiny, and the relentless burden of writing signatures will only worsen. They are being strangled on both ends, and similar problems are sure to follow. Yes, they will all tighten their QA processes, but the forces at work will only grow stronger and the process will buckle again. And by the way, have you ever stopped to think of the load on the network and the endpoints to continuously deliver and process ever larger DAT files? Or the performance hit of having to check 7M signatures constantly?
Malware writers will leverage the “Tony Stark Effect”. In Iron Man, Tony Stark cannot have the shrapnel removed from his chest because it is too close to his heart. In the same way, malware writers were already pushing attacks closer to the critical files at the heart of the operating system. This pushed McAfee to extend some generic signatures too close to one of these files, and it backfired. Now the AV vendors will be skittish about signatures that get close to other files like SVCHOST, which is a gap that the malware writers will exploit.
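The failure mode above (a generic signature that also matches a file the OS cannot run without) is exactly what a pre-release gate in the signature QA process should catch. The following is an added example, not McAfee's or any vendor's code: it vets candidate signatures against a constructed corpus of protected system files and refuses to ship when a signature is too short to be specific or collides with a protected file. The file contents, signature names and byte patterns are all constructed for illustration.

```python
"""Pre-release gate for signature updates.

A candidate signature set is rejected if any pattern (a) is too short to be
specific, or (b) matches a file on a protected known-good corpus. This is the
check that would have stopped a generic signature from quarantining a core
OS file. All data below is constructed: these are not real Windows binaries
and not real detections."""
from dataclasses import dataclass

MIN_PATTERN_LEN = 8  # assumption: anything shorter is treated as too generic


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes  # raw byte pattern the scanner searches for


# Constructed stand-ins for protected OS files (name -> file bytes).
KNOWN_GOOD = {
    "svchost.exe": b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
                   + b"ServiceMain\x00SvcHostMain\x00",
    "lsass.exe":   b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
                   + b"LsaStartup\x00",
}


def is_too_generic(sig: Signature) -> bool:
    """Very short patterns hit far more than the malware they were written for."""
    return len(sig.pattern) < MIN_PATTERN_LEN


def find_collisions(sigs, corpus):
    """Return (signature name, file name) pairs where a candidate signature
    matches a file that must never be quarantined."""
    return [(s.name, fname) for s in sigs
            for fname, data in corpus.items() if s.pattern in data]


def release_gate(sigs, corpus):
    """Return (ok, reasons). The update ships only when ok is True."""
    reasons = [f"{s.name}: pattern too generic ({len(s.pattern)} bytes)"
               for s in sigs if is_too_generic(s)]
    reasons += [f"{name}: matches protected file {fname}"
                for name, fname in find_collisions(sigs, corpus)]
    return (not reasons, reasons)


if __name__ == "__main__":
    candidate = [
        Signature("Trojan.Constructed.A", b"\xde\xad\xbe\xef\x13\x37\x00\x01"),
        Signature("Generic.Constructed.B", b"ServiceMain\x00"),  # hits svchost
    ]
    ok, reasons = release_gate(candidate, KNOWN_GOOD)
    print("RELEASE" if ok else "BLOCKED", reasons)
```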
The Linux, Mac, and anti-AV forces will be in full voice. This event will feed the fires of those who either tout their OS as a malware-free environment or those on the fringe who advocate running without AV software. While we can detect the attacks that evade AV software, we never advocate going without AV and believe it has a place in the defensive strategy for the endpoint. But it does need help, as antivirus detection rates demonstrate the holes. I am also a believer that if everyone shifted to Linux or the Mac, then the malware writers would follow. Remember the answer to the famous question when Willie Sutton, the prolific bank robber, was asked “why do you rob banks?” – his response: “because that is where they keep the money”. If business moves to these OSes, the malware will follow.
While I don’t blame McAfee, they really dropped the ball in responding to the crisis. McAfee is a partner and I normally find them pretty savvy with their marketing and their handling of the media. But they flat out crashed and burned in handling this problem, starting with initial denials and following with near radio silence over the first 48 hours. While this could have happened to any AV vendor, I do have to call out McAfee for the weak response.
It will be interesting to watch as this problem continues to play out.
