just trying to figure it all out

McAfee Response to releasing bad DAT on 4.20.10 by Dave DeWalt

Feel free to forward this note to McAfee customers and partners.

McAfee Team —

In the past 24 hours, McAfee identified a new threat that impacts Windows PCs. Researchers worked diligently to address this threat that attacks critical Windows system executables and buries itself deep into a computer’s memory.

The research team created detection and removal to address this threat. The remediation passed our quality testing and was released with the 5958 virus definition file at 2.00 PM GMT+1 (6am Pacific Daylight Time) on Wednesday, April 21.

A number of customers incurred a false positive error due to this release. Corporations who kept a feature called “Scan Processes on Enable” in McAfee VirusScan Enterprise disabled, as it is by default, were not affected.

Our initial investigation indicates that the error can result in moderate to significant issues on systems running Windows XP Service Pack 3. The faulty update was quickly removed from all McAfee download servers, preventing any further impact on corporate customers. We are not aware of significant impact on consumers. In total, we believe this issue affects less than one half of one percent of our enterprise and consumer customers worldwide.

McAfee teams are working with the highest priority to support impacted customers. We worked swiftly and released an updated virus definition file (5959) within hours and are providing our customers detailed guidance on how to repair any impacted systems.

We are investigating how the incorrect detection made it into our DAT files and will take measures to prevent this from reoccurring.
We sincerely apologize for the inconvenience this has caused our customers.

Thanks.

The following information from Support can be forwarded to corporate customers affected by this issue —
This is an update to the w32/wecorl.a False Positive in 5958 DAT.

The faulty driver in the DAT 5958 signature update focused on a specific downloader threat called w32/wecorl.a, which pulls information from an external site and targets DCOM services. This threat was recently found and exploits a Microsoft vulnerability (MS08). The driver is invoked when scanning the memory of running processes.
The McAfee driver evaluation logic was not sufficiently narrow and thus caused various customer system issues.

Recovery Procedure using the Extra DAT
1.    Boot in Safe Mode with the "Network Option" enabled.
2.    Copy the Extra DAT into c:\program files\common files\mcafee\engine.
3.    If svchost.exe exists in c:\windows\system32 and is not a 0-byte file, skip to step 5.
4.    If svchost.exe was deleted, pull up the VSE console and open "Quarantine Manager". Click on the detection and select "Restore".
4.1   If the VSE console does not come up, run:
      "C:\program files\mcafee\virusscan enterprise\mcconsol.exe" /standalone
      This will pull up the VSE console. Click on the detection and select "Restore".
4.2   If steps 4 and 4.1 do not work, OR if svchost.exe is 0 bytes:
      a.    When possible, copy svchost.exe from the local c:\windows\ServicePackFiles\i386\svchost.exe.
      b.    Otherwise, copy svchost.exe from an unaffected system (same OS and service pack) to the c:\windows\system32 directory using external media (USB, CD, etc.).
      If "Paste" is grayed out, use the command prompt instead:
      Start -> Run -> cmd
      Run the following command: copy [source\filename] [destination\folder]
      Example: copy x:\svchost.exe c:\windows\system32
5.    Reboot in normal mode.
Recovery Procedure using DAT 5959
1.    Boot in Safe Mode with the "Network Option" enabled.
2.    If svchost.exe was not deleted (look for c:\windows\system32\svchost.exe) and is not 0 bytes, a network connection should be possible: download the 5959 DAT and skip to step 6.
3.    If svchost.exe was deleted or is 0 bytes, a network connection may not be possible.
4.    If svchost.exe was deleted, pull up the VSE console and open "Quarantine Manager". Click on the detection and select "Restore".
4.1   If the VSE console does not come up, run:
      "C:\program files\mcafee\virusscan enterprise\mcconsol.exe" /standalone
      This will pull up the VSE console.
4.2   If steps 4 and 4.1 do not work, OR if svchost.exe is 0 bytes:
      a.    When possible, copy svchost.exe from the local c:\windows\ServicePackFiles\i386\svchost.exe.
      b.    Otherwise, copy svchost.exe from an unaffected system (same OS and service pack) to the c:\windows\system32 directory using external media (USB, CD, etc.).
      If "Paste" is grayed out, use the command prompt instead:
      Start -> Run -> cmd
      Run the following command: copy [source\filename] [destination\folder]
      Example: copy x:\svchost.exe c:\windows\system32
5.    Download DAT 5959.
6.    Reboot in normal mode.


Please click here for information from Support for consumer customers on this issue.
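Editor's note: the following batch script is an added example and is not McAfee's own tooling or part of the forwarded support text. It automates the svchost.exe check and the copy steps from the two recovery procedures above so a technician can run one file from removable media in Safe Mode with Networking instead of walking each box by hand. It assumes the script sits on the media next to an optional EXTRA.DAT and an optional known-good svchost.exe from the same OS and service pack, that the engine folder is the standard "%ProgramFiles%\Common Files\McAfee\Engine", and that %SystemRoot% is the affected Windows XP installation; all of those names are assumptions, not taken from the page. Quarantine Manager restore still has to be done through the VSE console.

```batch
@echo off
REM Added example (not McAfee's script): automate the svchost.exe check and
REM copy steps of the DAT 5958 recovery procedure. Run as administrator from
REM Safe Mode with Networking. Exit code 0 = ok, 1 = manual intervention needed.
setlocal
REM Assumed locations (not from the original guidance):
set "SYS32=%SystemRoot%\system32"
set "SPFILES=%SystemRoot%\ServicePackFiles\i386"
set "ENGINE=%ProgramFiles%\Common Files\McAfee\Engine"
set "SRC=%~dp0"

echo [*] Checking %SYS32%\svchost.exe
REM Step 3: missing file, or a 0-byte stub, both mean the FP fired here.
if not exist "%SYS32%\svchost.exe" goto :restore
for %%F in ("%SYS32%\svchost.exe") do if %%~zF EQU 0 goto :restore
echo [+] svchost.exe is present and non-zero, no restore needed
goto :dat

:restore
echo [!] svchost.exe is missing or 0 bytes
REM Step 4.2a: prefer the local service pack cache, then 4.2b: external media.
if exist "%SPFILES%\svchost.exe" (
    echo [*] Copying from local %SPFILES%
    copy /Y "%SPFILES%\svchost.exe" "%SYS32%\svchost.exe" >nul || goto :fail
) else if exist "%SRC%svchost.exe" (
    echo [*] Copying known-good copy from %SRC%
    copy /Y "%SRC%svchost.exe" "%SYS32%\svchost.exe" >nul || goto :fail
) else (
    echo [-] No source copy of svchost.exe found. Use VSE Quarantine Manager Restore.
    goto :fail
)
echo [+] svchost.exe restored

:dat
REM Step 2 of the Extra DAT procedure, only if an EXTRA.DAT was shipped with us.
if exist "%SRC%EXTRA.DAT" (
    if not exist "%ENGINE%\" (
        echo [-] Engine folder not found: %ENGINE%
        goto :fail
    )
    copy /Y "%SRC%EXTRA.DAT" "%ENGINE%\" >nul || goto :fail
    echo [+] Extra DAT copied to %ENGINE%
) else (
    echo [*] No EXTRA.DAT beside this script. Download DAT 5959 once the network is up.
)
echo [+] Done. Reboot in normal mode.
endlocal
exit /b 0

:fail
echo [-] A recovery step failed. Follow the manual procedure.
endlocal
exit /b 1
```

The 0-byte test uses the `%%~zF` size modifier of `for`, which is the scriptable equivalent of the "is not a 0-byte file" check in step 3; a plain `if exist` would wrongly pass a truncated stub. Because the script only ever copies a file from the local ServicePackFiles cache or from media you prepared, it does not depend on the network, which is exactly the state the procedure warns about when svchost.exe is gone.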