What could be worse than a computer virus infection? How about a mother-of-all-virus-checkers infection? Note that this story is true despite its unbelievable details.
The day known as Black Wednesday started innocently enough, 600 employee's PCs humming away, running Mcafee version 7 which although occasionally irritating was not causing much trouble. The company had had no virus infections since I started working there so our internal security seemed to be working. Then at 12 noon our dear beloved Network Operations group (please note the sarcasm intended) without any warning turned on the Windows XP automatic update and simultaneously auto-updated Mcafee to version 8 for all non-production computers and servers.
The whole company ground to a halt.
Every PC tried to collect and install around 70 updates to Windows (requiring multiple restarts) and install the new version of Mcafee (with all of its various parts) all at the same time. The network was overwhelmed, even our external web presence stopped working (our internal and external network traffic shared the same bottlenecks, don't ask). The lunch people were unable to supply lunch (their POS PC froze). Customers couldn't be served, our field staff was unable to create orders, basically the whole company went dormant for the rest of the day.
The rest of the Java team and I went home that evening assuming things would work themselves out by the next day. We were wrong; the hell of the coming months started the next day.
Our Java team used the usual Java tools such as Eclipse, IntelliJ, Weblogic Workshop, DBVisualizer, and Weblogic. In Java, every piece of code (and often associated data) is packaged in JAR, WAR and EAR files, which are specialized versions of ZIP files. Everything you do in Java involves reading and writing these files, both when running Java applications and building applications. In all cases these files are read by the Sun Java runtime, and executable code is limited to valid and secure Java bytecode, not native code.
The Network Operations folks had turned on every feature in the new Mcafee, including the dreadful "Uncompress compressed files" setting. All of our Java development was stopped virtually dead in its tracks. Every access of a JAR, WAR or EAR file now resulted in the computer to freeze as Mcafee opened the file, uncompressed its contents, scanned each file inside, and then only returned control to the application once it was complete. During this time the CPU was entirely utilized by Mcafee, which was set to high priority. Launching your IDE usually took a few seconds, now it took 20 minutes. Some application builds took hours (especially with the weblogic.jar file, which was enormous) instead of minutes. Just typing in your IDE was type type type, wait 2 minutes, type type type. It turned your PC into a single-tasking computer circa 1979 running the full Windows XP.
At first we though it was simply a configuration error, and reported it as such. Network Operations said it was working as intended. We had to blink, this made no sense. Every Java developer was getting about 1 hour of work done per day at best. Being engineers we figured out what feature of Mcafee was causing the trouble. We couldn't turn it off, it was locked. We complained to our management, but Network Operations was more highly regarded in the company pecking order, and they simply said we were whining and the company's safety versus virus attacks (even though we had never had one before) was more important. We argued that native code viruses hiding in Java JAR files couldn't be executed by the Sun runtime and that there were no such viruses.
So they said (to everyone) we know of many Java viruses in the wild. Given that we had done an exhaustive search and found nothing, this was unbelievable so we demanded a meeting. The head of the NO department said (to a roomful of Java engineers) that he had a list of 500 Java viruses and that was the basis of why this was being done. No matter what we said he said the same thing over and over.
After the meeting I challenged him to turn over the list to us but he passed it off saying the head of Security was assembling the list. This guy never returned any messages (what could do say, he really worked for NO). Later one of the NO employees said that they had typed Java into a virus checker company search form and found 500 hits. Really. We looked and the only actual viruses were in the ancient Microsoft java runtime, which only ran in IE, and only for applets. Pointing this out to everyone made no difference. The NO had spoken.
This went on for about 3 months (I had just started a project that should have take a couple weeks and it dragged out over the whole 3 months) before we finally got our manager to suggest that we hire an "expert" to come in and suggest some kind of improvement. NO agreed but only if we paid for it, and they were allowed to pick the vendor. This was approved and so they hired an "expert" who turned out to be the vendor whose main customer was the NO group. His "analysis" said to turn off the compressed file option, but only for those employees who would run their PCs as ordinary users and give up their administration rights. Say what?
For those who don't do development on Windows XP, everyone runs as admin since ordinary users don't have enough rights to make any changes in their environment. It can be (painfully) made to work for simple Word users, but for programmers it's impossible. So now we had paid for the "expert" and it would look like we were just whiners who didn't want to get any work done if we didn't acquiesce to this. So we had no choice. First they wanted to test the choice so a few Java developers (and the QA team) lost their admin privileges.
Let me also add that this was not just affecting the Java team, though much worse. Our DBAs used DBVisualizer which is a Java application, and even they had trouble getting anything done. It didn't help that people like our "Enterprise Architect" said he didn't understand why we were whining, since it didn't make his computer any slower (he only used Word and Powerpoint). Some ordinary users reported virus infections as their computers were sluggish and stalled at times (no one ever told them about the changes) but were told it was nothing.
Upper management didn't seem to care or understand why the Java team had so much trouble getting any work done. After all, the production servers still ran as fast as usual (still running Mcafee version 7, yes our production servers ran virus checkers!) and their PCs seemed OK. The web systems folks were also in pain, as builds took all day (and often they turned off the virus checker, despite warnings of firing). Many of our test and QA systems were built with multiple copies of VMWare, thus they ran terrible slow as each virtualized system ran a copy of Mcafee 8.
Anyway the admin rights turned out to be a disaster as well, as we could no longer install software, even a Java runtime upgrade was impossible. The QA team would not even install our C++ applications to test them. Every install required filing a ticket, waiting for someone to get around and do it. The support staff was overworked now as well.
It didn't matter, viruses were everywhere, security was more important!
The "test period" went on for months as well, nearly a year later not everyone was even "upgraded" to the new option, which itself was terrible. However by that time I was gone, and a flood of other senior people left as well. Eventually the departure of so many valuable people was enough that upper management finally told the NO team to start caring.
Of course I no longer cared.
In this entire time not a single virus was ever caught anywhere in the entire software development area. I never heard of any computer actually spreading a virus anywhere in the company. And of course our production servers still ran Mcafee 7, so the argument that Mcafee 8 was necessary was itself silly.
The real irony of this whole story is that it's the same company in WTF #1:It's Not The Database Stupid.
Michael Chermside 02/22/2007 11:29
I'd just like to say that my company has the same stupid policy. They too insisted on scanning every jar file that was touched by any program. And it did indeed make it nearly impossible to get work done. The first solution was to buy very powerful (and expensive) PCs for all developers... but that didn't really help. The next solution was to switch to Windows XP (previously we were using Win2000). Apparently somehow Symantec (that's what we use) didn't behave the same way running on Windows XP. I believe it is still out there trying to scan every .jar file, but it doesn't take over the whole PC to do so.
Unbelievable, but true.
Tristram Brelstaff 02/22/2007 14:41
I've often thought that Mcafee was one of the best arguments in favour of Linux.
Iain Delaney 02/22/2007 16:44
Please, please! submit this story, (or a version of it) to www.theDailyWTF.com. More people need to hear this.
Saskia 02/22/2007 17:45
Isn't it easier to just use Linux and do (Java) development on that? If you aren't allowed to install it directly, just install VMWare and run Linux with all your Java tooling inside that. Alternatively, boot from a live CD and keep all your settings and installs in a virtual HD file that you store on your windows filesystem.
codist 02/22/2007 18:33
That would have made sense, but that's not the way NO worked.
Scared.. 02/22/2007 18:54
Wow. Can you PLEASE at least give us a HINT as to which company this is, so I never even consider working for them?
Matt 02/22/2007 21:30
I've been in similar shoes before re: Admin rights. At one company we were told they were going to use our department as the Guinea pigs to test no admin. Thankfully they gave us that warning... we immediately added a DB2ADMIN user (with Admin rights of course) to each developer machine. I was the only person actually using DB2 for testing, but the Network guys didn't need to know that. ;)
Unfortunately I've been in other shops that had also blocked admin, and I could not fall back on my old tricks. In fact the machine I got was once used by someone who DID have admin, and had somehow secured just about every file under his user, causing me all sorts of pain. I had to make a request every time I found a file that was secured improperly... it was weeks before I had things set right.
GUI Junkie 02/23/2007 01:31
Same thing happened here. We were using Eclipse and the whole build cycle came to a halt. Somebody told me Eclipse uses some overflow mechanism to optimize the compile process which triggers the antivirus to check.
We tried to convince the IT department to change the virus settings. Very similar to your story: ‘No problem here’ reactions.
Up until this day, I go to the Services, select McAfee and stop the virus checker. I repeat this every hour as the virus checker starts again, and again...
Nuri 02/23/2007 08:48
GUI Junkie - you could write a service of your own that watches McAfee and shuts that service down if it's ever active. You can even have this new McAfee-watcher run using your credentials.
martin 02/23/2007 10:49
I dont believe that a bunch of developers with local adminstrator rights are not able to get rid of something like mcaffee.
Stop the service
Change registry settings
Fake network traffic
You have so much time to find a creative solution.
shaking head
codist 02/23/2007 11:28
Believe me we tried every creative solution. We wrote services, we wrote applications to drop the priority, etc. Everything worked for while before they caught on and deleted the applications remotely or threatened us with firing. Every action on our PCs were logged. We had no rights to terminate the services involved. 12 people devoted a lot of time spent watching the computer spin to finding a way around this. Once we lost admin rights there was no hope at all.
Masiosare 02/23/2007 15:27
For other people with the same situation... you can change file permissions so not even McAfee can read it, so it can disable the antivirus even if the interface says otherwise.
Stealth enough so you don't have to run new processes and don't get caught by admins...
Just don't tell my network admins =P
FostWare 02/23/2007 19:29
Ask politely to have your machines VLANed and firewalled off from the rest of the network...
While the admin for a NOC, I separated and firewalled each department and gave certain groups (like devs) a little more autonomy.
I had to... the CSRs took laptops to mine sites for week long stints. Even after a quarantine virus scan, we could not guarantee the machine would not do something stupid on the network (Internet Connection Sharing or alternate AD domains were always favorites).
Network segreggation was also necessary, as we had managed accounting systems for clients on servers in our NOC
codist 02/23/2007 22:24
Our network had no internal firewalls, although it could be partitioned in some fashion, it would then allow no access to any of the databases needed for development (such as the AS/400). Again, we went through every gyration you can think of but none worked.
AdrienMerridiah 02/25/2007 12:57
Wow. That's really crap. I feel sorry for you. That would drive me insane. I would have quit months earlier.
Fab 03/09/2007 11:02
Honestly I don't know what to think about that - I have been confronted to unreasonable IT policies and to sub competent people but at some point someone should be able to stand up and be a little bit confrontational. Something that upper management understand very well is cost, if your manager has no willing to plaid for your case go over his head and do the same think until you find someone that listen and understand you.