Thursday, July 22, 2010

McAfee's Pwnie nod, and why McAfee should pay attention

This year, McAfee has been nominated for a Pwnie for Most Epic Fail because of the bad DAT release which erroneously detected (and deleted) critical Windows XP SP3 files. This isn't McAfee's first time on the list, either. In 2008, their "Hacker Safe" brand received criticism for missing the mark and instilling a false sense of security. It's not even the first time a bad DAT has resulted in damaging detections.

And, McAfee is hardly the only vendor to face this problem. Barely a month later, Symantec released files which detected and deleted World of Warcraft files.

But, who cares what a bunch of prankster kids think, right?

Wrong.

Most people probably focus on the bad QA practice that let the DAT into the world in the first place. Windows XP SP3 is widely used and that file is a critical piece of it; how could you possibly miss it? Are you even testing before you release to the world, or are you so focused on the malware race that you didn't even bother?

But, I'm sure that the financial backlash from customers who filed claims for recovery costs and lost business (and those who simply left for another product) has made McAfee plenty aware of that failing. The answer isn't "test better." The answer involves improving the product.

What frustrated me most is how the customers let this through. What about your internal custom applications, scripts, and processes? Why aren't you testing every new DAT to make sure those aren't accidentally whacked? McAfee doesn't know what you're running in-house. Isn't that just as risky?

I don't think the real reason is that no one can afford a 24-hour DAT gap against malware. Realistically, signature-based detection has already lost that race. It's because McAfee doesn't make it easy to pilot DATs.

Implement a means to check new DATs into the evaluation branch and create a means to automate promotion of the evaluation branch into the current branch within the repository. Why hasn't this been done before? Because the QA has largely been near perfect up to this point once all things are considered. But they could be better.
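To make the evaluation-branch idea concrete, here is a small model of the workflow the post describes: a new DAT is checked into an evaluation branch, scanned against an inventory of known-good in-house files, and promoted to the current branch only after a soak period with no false positives. This is an added illustration, not McAfee's or ePO's code; the branch names, the substring-based "signatures", the file inventory and the DAT version numbers are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Signature:
    """Toy content signature: fires when `pattern` occurs in a file (constructed)."""
    name: str
    pattern: bytes


@dataclass(frozen=True)
class DatRelease:
    """One signature release as checked into the repository (constructed model)."""
    version: int
    signatures: tuple
    checked_in: datetime


@dataclass
class Repository:
    """Two branches, as in the post: 'evaluation' (pilot) and 'current' (production)."""
    soak_period: timedelta = timedelta(hours=24)
    branches: dict = field(default_factory=lambda: {"evaluation": None, "current": None})


def scan(release, files):
    """Return (file name, signature name) for every signature that fires on a file."""
    return [(name, sig.name)
            for name, content in files.items()
            for sig in release.signatures
            if sig.pattern in content]


def check_in(repo, release):
    """Stage a new release in the evaluation branch; production is untouched."""
    repo.branches["evaluation"] = release


def try_promote(repo, known_good, now):
    """Promote evaluation -> current only if the soak period has elapsed and the
    release fires on nothing in the inventory of known-good in-house files.
    Returns (promoted, reasons)."""
    candidate = repo.branches["evaluation"]
    if candidate is None:
        return False, ["nothing staged in evaluation branch"]
    reasons = []
    if now - candidate.checked_in < repo.soak_period:
        reasons.append("soak period not elapsed")
    hits = scan(candidate, known_good)
    if hits:
        reasons.append("false positives on known-good files: "
                       + ", ".join(f"{f} <- {s}" for f, s in hits))
    if reasons:
        return False, reasons
    repo.branches["current"] = candidate
    repo.branches["evaluation"] = None
    return True, []


# Constructed inventory: the in-house files a site never wants a DAT to quarantine.
KNOWN_GOOD = {
    "C:/Windows/System32/important.exe": b"MZ\x90\x00 ... host service stub ...",
    "C:/Apps/nightly_report.vbs": b"' in-house report script\nSet shell = CreateObject(...)",
}

# Two constructed releases: a bad one whose new signature also matches the
# in-house script, and a corrected one that matches only a malware marker.
BAD_DAT = DatRelease(1001, (Signature("Generic.Script.A", b"CreateObject"),),
                     datetime(2010, 7, 22, 9, 0))
GOOD_DAT = DatRelease(1002, (Signature("Generic.Script.B", b"EVIL_MARKER"),),
                      datetime(2010, 7, 23, 9, 0))


def pilot(release, hours_later):
    """Stage a release, then attempt promotion `hours_later` hours after check-in.
    Returns (promoted, reasons, release now in the current branch)."""
    repo = Repository()
    check_in(repo, release)
    when = release.checked_in + timedelta(hours=hours_later)
    promoted, reasons = try_promote(repo, KNOWN_GOOD, when)
    return promoted, reasons, repo.branches["current"]


if __name__ == "__main__":
    for rel, hrs in ((BAD_DAT, 30), (GOOD_DAT, 2), (GOOD_DAT, 30)):
        ok, why, _ = pilot(rel, hrs)
        print(f"DAT {rel.version} after {hrs}h: promoted={ok} reasons={why}")
```

The point of the model is the gate in try_promote: the bad release never reaches the current branch because the site's own inventory, not the vendor's test set, is what it is scanned against, and the good release is held back until the soak period has passed. A real implementation would scan an actual file inventory with the real engine and run the promotion as a scheduled task.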

UPDATE: 11/26/10

It looks like, in ePO 4.6, McAfee is instituting an evaluation branch for DATs. It's unclear, however, whether they will also include a server task to promote content from one branch to another after a period of time or, when the branches differ, on a scheduled basis. I brought this up to some folks at Focus, and I got a "we'll see". It looks like a fix to this problem was at least half thought out.

But, with the increasing thought that signature detection is a failing game, and the recent revelation that McAfee VirusScan Enterprise (among many, many others) is allowing malware execution even when it's detected... it will be interesting to see if a paradigm shift pushes the DAT QA issue entirely out of consideration.