CA auto-immune update trashes systems

A berserker update to CA eTrust anti-virus software created all sorts of confusion on Wednesday. The 33.3.7051 update labeled a large number of binaries (.DLL and .exe files) - including some components of eTrust itself - as infected with something called StdWin32. These files were sent off to quarantine, resulting in disabled …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Unhappy

    eTrust hates Cygwin????

    The organisation I work for runs eTrust (currently 8.1.637.0). After the recent upgrade, Cygwin runs like a dog, so slow that it's almost unusable. Since I rely on Cygwin for some of my systems and software admin, eTrust has now moved closer to the top of my shit list. Last month it quarantined some of the Cygwin DLLs. Does CA have something against Cygwin?

  2. John PM Chappell
    Grenade

    This would be why ...

    ... I always retain user oversight of actions by such tools, when I even bother to use them; honestly, I run XP daily and I think the last time I was infected with anything was about three years ago when I foolishly attached an acquaintance's external hard drive to my own machine under Windows rather than scanning it from a secure environment first. I've found that using Firefox with NoScript and only permitting scripting to run on sites that absolutely need it (and even then marking all ad domains and similar as globally untrusted) has kept my machine clean. I periodically run a full scan from a standalone AV tool with recent signatures to be sure, but I found that permanently installed products, especially those using on-access scanning and auto-action, were more trouble than they were worth.

  3. Scott F. Gunelius
    FAIL

    Again???

    It's too bad eTrust didn't quarantine itself before running amok with other apps. That's twice in five weeks an update has ruined my morning. I've already got the renewal for eTrust in process and am upgrading to ITM (includes PestPatrol); what have I done?!?

  4. Conrad Longmore
    Black Helicopters

    And I was wearing my El Reg T-Shirt

    That's *my* blog.. and the funny thing is that I was wearing my El Reg T-shirt from the Cash & Carrion shop today. Coincidence? Conspiracy? Or just another CA cockup?

  5. Anonymous Coward
    FAIL

    Testing

    Is it really such a hard idea?

  6. Anonymous Coward
    Welcome

    Please, kill me

    "The dodgy update falsely tagged important Windows system files as potentially malign before dispatching them into quarantine."

    As the unfortunate owner of a Vista Home Basic system, I'm seriously thinking about installing this software.

  7. Woody 4
    Joke

    Shouldn't this strap line read...

    CA auto-immune eats itself!

    On a serious note, feel 4 u sys admin's today! respect...

  8. Kevin Reader
    FAIL

    One positive - One Hurumph

    It seems pretty impressive that they have admitted the fault in fairly strong language. Quite rare in such circles, even when it's your corporate customers you've messed up.

    On the other hand, is "remediation" even a word, even in America? It appears to be the classic American trick of rolling a word through all the grammatical forms until it loses all sense. Recovery would work, mediation might half work, remedial fits quite well, but remediation? Presumably the act of carrying out remedial work - but is it English?

  9. Martyn
    FAIL

    Thanks a bunch

    Hmm this happened to us today. It went through quarantining files from vmware, roxio, software I'd written, Windows, Open Office etc.

  10. Conrad Longmore
    FAIL

    Random

    Looking at the files it ate.. it seemed totally random. I don't think it was "targeting" anything in particular.

    Serendipitously I happened to be in early in the morning at our place because we are migrating some of our clients off CA to a rival product, so I managed to catch it before it trashed everything.

    @BobK - remember that you can exclude certain files and directories from your scanning, that's worth having a try if you have persistent problems.

  11. Anonymous Coward
    FAIL

    That's just cost CA another potential customer

    We are advising a large user on this technology. The user has 1000 PCs all 24/7 and could not stomach this sort of self-inflicted problem caused by software you actually pay for.

    It's bad enough that U$oft doesn't understand the meaning of the word LATER after its updates that need a re-boot.

    Sorry CA you are off the list.

  12. Terry Dooher

    Seems I got off lightly.

    It only hit 7 PCs and 99% of the detections I saw were in Incredibuild's ModuleCache folder, an eminently deletable local cache of DLLs and EXEs from other machines (mostly related to Visual Studio). One machine only lost network and CD-ROM drive access after a few .sys files got renamed. Some of the others on that blog weren't so lucky.

  13. Anonymous Coward
    Coat

    @Woody 4

    Maybe it's Lupus?

    I'll get my coat and cane....

  14. Anonymous Coward
    Anonymous Coward

    Maybe it's time I should go back to AVG Free

    It's not any better and it might trash innocent files as well but at least I don't have to pay for that.

  15. Anonymous Coward
    Grenade

    This totally destroyed us

    This totally destroyed us. eTrust blew away 750 files on a production Siebel cluster. I couldn't even unquarantine the files since even eTrust AV was damaged and wouldn't start. It blew away our backup server too, so made restores impossible until the backup was fixed. I wasn't able to get a clear idea of what servers were affected because I couldn't get the central threat management console to start.

    Possibly the worst work day of my life. Absolute madness. The only way my day could have been worse would have to involve gunfire.

    CA salesmen are pretty slick. They always weasel their way past me to get to management and treat them to whatever and push some unpolished product on us. Hopefully, the lesson is learned.

    I've hated CA since the 90's when I had to work with ArcServe, so I'm not terribly surprised.

  16. Forename Surname
    FAIL

    No reason for this to happen

    Simple testing of the signature files in a test environment would stop this stupidity. It is ridiculous that CA, AVG and McAfee have had these problems of late.

    www.bigwconsulting.com
