Security professionals have urged organisations to test antivirus updates before live deployment, after a glitched McAfee anti-virus update last week left thousands of machines exposed.
On Monday night, McAfee issued an enterprise 100Mb Super DAT (Hotfix 793640) and a consumer fix (DAT 6809) for the borked updates which it rated as ‘critical’.
The glitched anti-virus signature updates (DAT 6807, 6808) affected Windows McAfee suites and VirusScan products. They disabled the anti-virus clients, and in some cases, severed internet access.
Enterprise customers had to apply the hotfix as a product update through the e-policy orchestrator, while consumers were advised to remove McAfee from affected machines and re-install the product in order for the fix to be applied.
Last week's borked update followed one issued by McAfee in April that crashed email services, and another by Microsoft for its anti-virus product that flagged Google as hosting the malicious Blackhole exploit kit.
AusCERT security analyst Jonathan Levine said organisations should test antivirus updates before live deployment.
“Everything should be tested before going live as part of best practice,” Levine said.
But he doubted many organisations would bother with testing.
Some users writing on the SANS Internet Storm Center supported the suggestion, saying the cost of testing may outweigh the resources to fix “the occasional glitch”.
Others had comprehensive testing procedures. One McAfee user ran an 18-hour delayed deployment schedule in their organisation in which an evaluation branch would test DAT files on a group of servers and workstations before releasing it to another branch for staggered deployment the next day.
“This has saved us during the bad DAT times … if there is an issue, we are usually only one or two DAT releases behind but catch up during the day,” they said.