Why it's time to move away from McAfee

Last week, McAfee pushed out a virus definition file update the company now admits did not meet an acceptable level of quality assurance. Users found this out the hard way when the update crippled their computers. While the damage to individual computer systems has been repairable, I recommend that you look elsewhere for your computer's security.

Screen snapshot of CNET News editor's computer in Portland after McAfee was causing her computer to reboot.

(Credit: CNET)

My recommendation comes down to a harsh reality: corporations should be accountable for their actions, and users have choices. In the security realm, there are at least a dozen top-shelf paid and free security suites. Choose any one of them: you're not beholden to a company that will risk your data, time, and money--even accidentally.

Severe problems caused by buggy or false positive security updates are rare, but not unheard of, in the wide world of security software. Recent instances include an update from BitDefender that wreaked havoc on 64-bit Windows 7 computers last month, an Avast update that marked hundreds of legitimate files as threats in December 2009, one from Computer Associates that flagged a Windows system file as a virus in July 2009, a case of attacking the competition when freeware security giant AVG marked ZoneAlarm as malware in October 2008, and McAfee itself pushed program executables for Microsoft Excel and Adobe's update manager into quarantine in March 2006. So why is McAfee's latest error egregious enough to merit a switch?

For one thing, McAfee's faulty virus definition file flagged the Windows system-critical file SVCHOST.EXE as a threat and quarantined it. Among other problems, this had the effect of forcing the computer to shut down every 60 seconds, and preventing USB drives from connecting to the computer. For many users, replacement versions of SVCHOST.EXE had to be copied to CD before they could be used. The original fix was labor-intensive and complicated by the fact that the bad update prevented many affected people from accessing the Internet in the first place. McAfee finally announced a simple tool to apply the fix on Thursday night, but it still requires a second computer to download it, and it cannot be applied remotely.

Second, McAfee wasn't forthcoming with answers, and even initially downplayed the fact that hospitals, police departments, and supermarket chains were affected along with individual consumers. In disastrous situations like this, it's important to communicate clearly with your customers, which McAfee didn't. Not only did Barry McPherson, executive vice president of support and customer service, not publish a blog addressing the problemuntil mid-afternoon Wednesday, but IT professionals also felt McAfee's attempts to help them were less than professional.

Computer support specialist for the College of Business at Illinois State University Pete Juvinall was directly involved with fixing around 40 computers crippled by the update. He told me that the fix that McAfee originally published "didn't really quite work as intended." He added, "it really surprised me that it was two or three hours before 5959 surfaced." Knowledge Base article 5959 was the first source from McAfee to fix the problem.

Another computer support specialist, Charles Winston at the University of Washington, only had to fix three computers but said that he had "never seen anything like it. It was unbelievable that something of this scale happened." The IT department at the University of Michigan Medical School, which was also affected, refused to talk to me because they were still fixing computers as of Monday morning.

Neither McPherson's original post nor a follow-up written at 11:14 p.m. on Wednesday and titled "A long day at McAfee" contained an apology; that didn't arrive until late on Thursday night. Angry comments in response to a post by McAfee President and CEO David DeWalt written on Friday take far greater issue with his tone and terminology than the incident itself.

To its credit, McAfee announced Monday a plan to reimburse home users and extend their antivirus subscriptions for two years free of charge. Details of the program are still developing, but that doesn't excuse the incredible spread of damage that the update caused in the first place, nor the tone-deaf handling of the situation.

I say all this in light of the fact that McAfee's consumer security suite has made some impressive improvements this year. However, more than any other third-party program, security vendors have unfettered access to your system. Combine the worst of bad updates with gross errors in communicating to their customers about how to fix a problem that they caused, and I feel that it is irresponsible to continue to recommend McAfee for now.

You can check out other free and paid security options at CNET Download.com's Security Center.