McAfee's epic fail: it's a matter of trust

McAfee wrongly identified a key Windows XP component as malware

For most of us, security software is a necessary evil: you install it and learn to live with the annoying pop-ups and "update me!" nags because you know that one day it will, er, delete important bits of Windows.

That's what McAfee's software has been up to, anyway. An error in a virus definition file wrongly identified svchost.exe, an important Windows component, as malware.

The result? Crashing and constantly rebooting Windows XP PCs all over the place.

The good news is that it hasn't affected too many ordinary users, because most of us don't run XP any more. The bad news is that lots of corporate customers do, and McAfee's error affected hospitals, police forces and even Intel.

In related news, Intel's still running Windows XP. Isn't that the same firm that's always telling us we need the latest, greatest tech?

But we digress. How badly has McAfee screwed up here? On a scale of one to ten, where one is "not badly at all" and ten is "Oh my god!", this goes to eleventy-three. And yet the only thing that's really different about this problem is the publicity it's generated.

Not good enough

This kind of nonsense happens all the time. In 2007, AVG decided that Adobe Reader was a Trojan and a Symantec update crippled Chinese PCs. Last year, CA's eTrust software attempted to quarantine a whole bunch of Windows .dll and .exe files.

Earlier this year Kaspersky's software decided that Google AdSense was malware, while last summer McAfee decided Spotify was a virus.

This really isn't good enough. Security software that occasionally deletes your music software or trashes Windows is a bit like a dog that only eats children occasionally, a car that only runs over the odd pedestrian or a policeman who only shoots innocent people from time to time.

We know that security software is complicated stuff, and that it not only needs to detect thousands of different threats but it also needs to work with thousands of different configurations. It's a tough job, we know.

But security firms are telling us to trust them, and if we're going to do that we need to be confident that their products won't turn our PCs into ornaments. Being overly cautious and asking whether a new program is supposed to be there is fine. Attacking system components with an electronic axe isn't.

Here's hoping McAfee does a good job of handling the bad publicity - and that all security firms take steps to ensure problems on this scale can't happen again.

Computer security is rather like vaccination: if enough people have up-to-date security software then malware can't really spread; the people who do get it can't do much damage. It's the electronic equivalent of herd immunity.

If people don't install the updates because they feel they can't trust them, then everybody suffers.

Carrie Marshall
Contributor

Writer, broadcaster, musician and kitchen gadget obsessive Carrie Marshall has been writing about tech since 1998, contributing sage advice and odd opinions to all kinds of magazines and websites as well as writing more than a dozen books. Her memoir, Carrie Kills A Man, is on sale now. She is the singer in Glaswegian rock band HAVR.