McAfee Dat file 4175 deletes known exec files for thousands of important programs

mzkhadir

Diamond Member
McAfee released an anti-virus update that contained an anomaly in the DAT file that caused many important files to be deleted from affected systems. At my company, tens of thousands of files were deleted from dozens of servers and around 2000 user machines. Affected applications included MS Office, and products from IBM (Rational), GreenHills, MS Office, Ansys, Adobe, Autocad, Hyperion, Win MPM, MS Shared, MapInfo, Macromedia, MySQL, CA, Cold Fusion, ATI, FTP Voyager, Visual Studio, PTC, ADS, FEMAP, STAT, Rational. Apparently the DAT file targeted mostly, if not exclusively, DLLs and EXE files. An anonymous reader added, "Already, the SANS Internet Storm Center received a number of notes from distressed sysadmins reporting thousands of deleted or quarantined files. McAfee in response released advice to restore the files. Users who configured McAfee to delete files are left with using backups (we all got good backups... or?) or System restore."

from slashdot

Excel = Virus ? At Least to McAfee
March 10, 2006
By Michael Santo
Contributing Writer, RealTechNews

Can you say oops? A really big oops? I hope you didn't lose your copy of Excel because of this. Because of an error in a virus definition update, McAfee's antivirus product was, for a brief time today, quarantining or deleting, depending upon your settings, Excel and other applications from PCs.

"At about 1 p.m. PST we started getting reports that people were seeing an unusual number of W95/CTX infections in their environment," Telafici said. "Files that we did identify would probably be deleted or quarantined, depending on your settings."

When a file gets quarantined, it's renamed and moved to a different folder. McAfee's antivirus software detected Excel.exe and Graph.exe, two Microsoft Office components, as well as other software, including AdobeUpdateManager.exe, an application installed alongside Adobe products that deals with software updates, Telafici said. Source: News.com
The error occurred in virus definition file 4715, which was released at about 10:45 AM PST, and was fixed in virus definition file 4716, released at about 3:30 PM.

We Say: Reminds me of the earlier incident when Microsoft Anti-Spyware was flagging Norton Anti-Virus as spyware. Of course, as we said then, Microsoft's product is beta, and McAfee's is mature and released. False positives aren't uncommon however, but this is something that should be caught during regression testing. Of course, this is most notable, and somewhat humorous because of the product flagged: Excel.


http://www.realtechnews.com/posts/2802

McAfee 4715 DAT False Positive Deletion Reports Follow-up
Published: 2006-03-12,
Last Updated: 2006-03-13 03:52:21 UTC by Patrick Nolan (Version: 3)

Friday we started receiving reports of file deletion problems from admins using McAfee AV; scans that were using the 4715 DATs issued Friday were incorrectly identifying many executables as the W95/CTX virus. Portions of the information submitted are excerpted below, and we thank all of the admins who reported the problems, which allowed us to get the early problem alert out. Your reports and the Diary warning "McAfee/NAI rolls bad pattern" helped many admins.

Update: 21:37 UTC - One of our readers, JD, tells us that McAfee has developed a tool that will restore files that were quarantined by DAT 4715. Customers are encouraged to contact their technical assistance manager. The tool may be posted on the McAfee website at some point (though it doesn't appear to be there for public download at the moment). --JAC

Update 2: 02:43 UTC 2006-03-13 - McAfee has released a list of (supposedly) all the files affected by DAT 4715. It includes some other interesting ones in addition to excel.exe, like setup.exe, uninstall.exe, shutdown.exe, and reg.exe to name just a few, but is clearly incomplete since it doesn't include any of the Oracle binaries that have been reported to be affected by some of our readers. The list can be found here. --JAC

McAfee DAT 4716 corrects the problem, references W95/CTX and says:
"Users who have moved detected files to quarantine should restore them to their original location. Windows users who have had files deleted should restore files from backup or use System Restore.

Virusscan Online users can restore the falsely detected file from the Manage Quarantined Files."


ISC participants report excerpts:
"The 4715 dat files are incorrectly identifying multiple different files as being infected with W95/CTX when scanned with the on-demand scanner with the following products:

VirusScan Enterprise 8.0i
VirusScan Enterprise 7.1
VirusScan Enterprise 7.0
Managed VirusScan 4.0
Managed VirusScan 3.5
VirusScan Online 11
VirusScan Online 10
LinuxShield
VirusScan 7.03 (consumer)

At this time you should cancel any scheduled on-demand scans until the release of the 4716 DATs."

"Some example files are graph9.exe and excel.exe from office 2000"

"....3700 files have been quarantined on over 100 pcs."

"We think McAfee's latest DAT file may be bad. They improved the detection for several variants of the W95/CTX virus, and now our scanners are detecting supposedly infected executables all over our network, including on an original Microsoft Office 11 CD. Our guess is that this is a false positive. If so, and your readers have quarantine or delete set as the default action, the Virusscan will do more damage than a real virus would."

"attempted to remove files such as Dell OpenManage, Cygwin, perl, Sysinternals pstools suite."

"anything that was in the PATH environment variable was targeted."

"Not only did it attempt to remove files in the %ORACLE_HOME%\bin directory, but also in the .patch_storage folder - so as far as oracle files, this was not limited to the PATH environment variable."

"This was also capable of navigating mapped drives, so if you had a file server setup as a common install location, if filesystem permissions permitted modification of such files, you'll want to refresh the installation files from the downloaded, compressed source file."

"[removed] ShavlikPro (commandline4.exe) and the entire SuperCACLs suite from trustedsystems.com"

"I started getting reports that looked like a virus outbreak so I forced scans on all the network machines. This turned out to make matters worse because hundreds of files per machine were incorrectly identified as virus infected and quarantined. Many hours will be spent restoring these files from quarantine. Thankfully it was not set to delete the files."

"We had over 3700 quarantine events. I counted 297 individual file names."
http://isc.sans.org/diary.php?storyid=1184

solution: http://vil.nai.com/vil/content/v_138884.htm
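The reports above describe the two things an admin needs in the first hour of a bad-DAT rollout: a way to tell a detection storm caused by a new pattern file apart from a real outbreak, and a split of affected files into "restore from quarantine" versus "restore from backup or System Restore", as the 4716 advice puts it. Below is an added Python triage helper, not code from the thread or from McAfee; the pipe-separated log format and the sample lines are constructed and hypothetical, not a real ePO export.

```python
# Added triage helper, not code from the thread or from McAfee. Log format is constructed:
#   timestamp|host|dat_version|signature|action|path  (sample below modelled on the 4715 reports)
from collections import defaultdict
import ntpath

SAMPLE_LOG = r"""
2006-03-10 09:10|ws-009|4714|EICAR-Test-File|quarantined|C:\temp\eicar.com
2006-03-10 10:50|ws-001|4715|W95/CTX|quarantined|C:\Program Files\Microsoft Office\Office\excel.exe
2006-03-10 10:51|ws-002|4715|W95/CTX|quarantined|C:\Program Files\Microsoft Office\Office\graph9.exe
2006-03-10 10:52|srv-db1|4715|W95/CTX|deleted|D:\oracle\bin\sqlplus.exe
2006-03-10 10:53|ws-003|4715|W95/CTX|quarantined|C:\WINDOWS\system32\reg.exe
2006-03-10 10:54|ws-004|4715|W95/CTX|quarantined|C:\Program Files\Microsoft Office\Office\excel.exe
"""

def parse_log(text):
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, host, dat, sig, action, path = line.split("|", 5)
            rows.append(dict(ts=ts, host=host, dat=dat, sig=sig, action=action, path=path))
    return rows

def summarize(rows):
    """Per (dat, signature): event count, distinct hosts, distinct file names."""
    stats = defaultdict(lambda: {"events": 0, "hosts": set(), "names": set()})
    for r in rows:
        s = stats[(r["dat"], r["sig"])]
        s["events"] += 1
        s["hosts"].add(r["host"])
        s["names"].add(ntpath.basename(r["path"]).lower())
    return stats

def suspected_bad_dat(rows, min_hosts=3, min_names=3):
    """Flag signatures that appear only with a new DAT and at once hit many hosts
    and many distinct file names. A real file infector can look similar, so treat
    a hit as a cue to pause on-demand scans and check with the vendor, not proof."""
    stats = summarize(rows)
    flagged = []
    for (dat, sig), s in stats.items():
        earlier = any(s2 == sig and int(d2) < int(dat) for d2, s2 in stats)
        if not earlier and len(s["hosts"]) >= min_hosts and len(s["names"]) >= min_names:
            flagged.append((dat, sig))
    return sorted(flagged)

def restore_plan(rows, dat, sig):
    """Quarantined files restore in place; deleted ones need backup or System Restore."""
    plan = {"restore_from_quarantine": [], "restore_from_backup": []}
    for r in rows:
        if r["dat"] == dat and r["sig"] == sig:
            key = "restore_from_quarantine" if r["action"] == "quarantined" else "restore_from_backup"
            plan[key].append((r["host"], r["path"]))
    return plan
```

On the sample, only the 4715/W95/CTX pair is flagged, and the one "deleted" event (the Oracle binary) lands in the backup bucket while the four quarantined files can be put back in place.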

mechBgon

Super Moderator, Elite Member
Yeah, not their brightest moment ;) My ePO logs showed over 14,000 detections when I checked in this morning. However, it's basically a non-problem. Office just pulls a fresh copy of the files out of the AIP and off it goes, Excel-ing like normal :)

Confused

Elite Member
Good job we went from 4174 straight to 4176, and no one was around at my work between these times.