Feel free to forward this note to McAfee customers and partners.
McAfee Team —
In the past 24 hours, McAfee identified a new threat that impacts Windows PCs. Researchers worked diligently to address this threat that attacks critical Windows system executables and buries itself deep into a computer’s memory.
The research team created detection and removal to address this threat. The remediation passed our quality testing and was released with the 5958 virus definition file at 2.00 PM GMT+1 (6am Pacific Daylight Time) on Wednesday, April 21.
A number of customers incurred a false positive error due to this release. Corporations that kept a feature called “Scan Processes on Enable” in McAfee VirusScan Enterprise disabled, as it is by default, were not affected.
Our initial investigation indicates that the error can result in moderate to significant issues on systems running Windows XP Service Pack 3. The faulty update was quickly removed from all McAfee download servers, preventing any further impact on corporate customers. We are not aware of significant impact on consumers. In total, we believe this issue affects less than one half of one percent of our enterprise and consumer customers worldwide.
McAfee teams are working with the highest priority to support impacted customers. We worked swiftly and released an updated virus definition file (5959) within hours and are providing our customers detailed guidance on how to repair any impacted systems.
We are investigating how the incorrect detection made it into our DAT files and will take measures to prevent this from reoccurring.
We sincerely apologize for the inconvenience this has caused our customers.
Thanks.
The following information from Support can be forwarded to corporate customers affected by this issue —
This is an update to the w32/wecorl.a False Positive in 5958 DAT.
The driver in the DAT 5958 signature update that produced the false positive focused on a specific downloader threat called w32/wecorl.a, which pulls information from an external site and targets DCOM services. This threat was recently found and exploits a Microsoft vulnerability (MS08). The driver is invoked when scanning the memory of running processes.
The McAfee driver evaluation logic was not sufficiently narrow and thus caused various customer system issues.
Recovery Procedure using the Extra DAT
1. Boot in safe mode with “Network Option” enabled
2. Copy Extra DAT into c:\program files\commonfiles\mcafee\engine
3. If svchost.exe exists in (c:\windows\system32) and is not a “0” byte file, skip to step 5
4. If svchost.exe has been deleted, pull up the VSE console and open “Quarantine Manager”
Click on the detection and select “Restore”
1) If the VSE console does not come up:
C:\program files\mcafee\virusscan enterprise\mcconsol.exe /standalone
This will pull up the VSE console. Click on the detection and select “Restore”
2) If steps 4 and 4.1 do not work OR if svchost.exe is a “0” byte file:
a. When possible, copy svchost.exe from the local C:\windows\ServicePackFiles\i386\svchost.exe
b. Copy svchost.exe from an unaffected system (same OS) to the c:\windows\system32 directory using external media (USB, CD, etc.)
If “paste” is grayed out, use the following commands:
Start -> run -> cmd
Run the following command: copy [source\filename] [destination\folder]
Example: copy x:\svchost.exe c:\windows\system32
5. Reboot in normal mode
Recovery Procedure using DAT 5959
1. Boot in safe mode with “Network Option” enabled
2. If svchost.exe has not been deleted (look in c:\windows\system32\svchost.exe) and is not a 0 byte file, a network connection should be possible: download the 5959 DAT and skip to step 6
3. If svchost.exe has been deleted or is a “0” byte file, a network connection may not be possible
4. If svchost.exe has been deleted, pull up the VSE console and open “Quarantine Manager”
Click on the detection and select “Restore”
1) If the VSE console does not come up:
C:\program files\mcafee\virusscan enterprise\mcconsol.exe /standalone
This will pull up the VSE console
2) If steps 4 and 4.1 do not work OR if svchost.exe is a “0” byte file:
a. When possible, copy svchost.exe from the local C:\windows\ServicePackFiles\i386\svchost.exe
b. Copy svchost.exe from an unaffected system (same OS) to the c:\windows\system32 directory using external media (USB, CD, etc.)
If “paste” is grayed out, use the following commands:
Start -> run -> cmd
Run the following command: copy [source\filename] [destination\folder]
Example: copy x:\svchost.exe c:\windows\system32
5. Download DAT 5959
6. Reboot in normal mode
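The svchost.exe checks in steps 3 and 4 of both recovery procedures, scripted for cmd as an added example (not a McAfee tool or part of the Support note). It assumes the default %SystemRoot% layout on the affected XP SP3 systems and that the ServicePackFiles cache named in step 4.2a is present; run it from an administrator cmd prompt in Safe Mode.

```batch
@echo off
REM Added example, not McAfee's own tool: applies the svchost.exe checks
REM from steps 3 and 4 and restores the file from the local Service Pack
REM cache (step 4.2a). Paths below assume the default %SystemRoot% layout.
setlocal
set "TARGET=%SystemRoot%\system32\svchost.exe"
set "SOURCE=%SystemRoot%\ServicePackFiles\i386\svchost.exe"

REM Step 3: a missing file means the false positive removed it.
if not exist "%TARGET%" (
    echo svchost.exe is missing from system32
    goto restore
)

REM Step 3: a 0-byte file is just as broken as a missing one.
for %%F in ("%TARGET%") do set SIZE=%%~zF
if "%SIZE%"=="0" (
    echo svchost.exe is a 0-byte file
    goto restore
)

echo svchost.exe is present and %SIZE% bytes; skip to the DAT update step
goto :eof

:restore
REM Step 4.2a: prefer the local Service Pack copy over external media.
if not exist "%SOURCE%" (
    echo No Service Pack copy at %SOURCE%; copy from an unaffected system
    exit /b 1
)
copy /y "%SOURCE%" "%TARGET%"
if errorlevel 1 (
    echo Copy failed; check that you are running as administrator
    exit /b 1
)
echo Restored svchost.exe from %SOURCE%; now reboot in normal mode
endlocal
```

If the Quarantine Manager restore in step 4 succeeds, the script simply reports the file as present and nothing is copied.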
Please click here for information from Support for consumer customers on this issue.
@dfrtizke We have 2 Stores on exchange. Executives 1.5gb Warning 1.75gb no send. Staff 100 mb Warning 250mb no send.
@trenyak 500 MB limit for Exchange mailbox; no limit to the size of incoming or outgoing message.
@mrsmagoo No enforced limits but pay more after 3 GB. It’s plenty. If the mailbox is slow, we have the user clean up.
@hanabel We use Google Apps for non-profits; their Gmail limit is 7GB.
We’ve been using it 1.5 years and no problems.
@gkra we limit inbound message size to 50MB, and mail accounts to 2GB or 5GB depending on type of user (Zimbra).
@gkra The 50MB message size limit is to keep spam/virus scanning from bogging; ~100 msg/min for our dept alone.
@SdGeek 80MB much, much too small
@peterscampbell Exchange, 750MB (2GB enforced), 15MB max msg size, 250 addressees, exceptions if justified by business need.
@CantonDog Can’t send at 43MB. Can’t receive after 45MB. It’s pretty bad.
@keithbooe Can’t send at 500MB in Exchange mailbox but receive until the server quits. Get system nastygrams daily at 400MB
@Bundini 50MB default before a warning is issued
@johnmerritt 250MB box size, warn at 200MB, receive only at limit, 10MB attachments