[Broni]

http://isc.sans.org/...ml?storyid=8656

McAfee's "DAT" file version 5958 is causing widespread problems with Windows XP SP3. The affected systems will enter a reboot loop and loose all network access. We have individual reports of other versions of Windows being affected as well. However, only particular configurations of these versions appear affected. The bad DAT file may infect individual workstations as well as workstations connected to a domain. The use of "ePolicyOrchestrator", which is used to update virus definitions across a network, appears to have lead to a faster spread of the bad DAT file. The ePolicyOrchestrator is used to update "DAT" files throughout enterprises. It can not be used to undo this bad signature because affected system will lose network connectivity.

The problem is a false positive which identifies a regular Windows binary, "svchost.exe", as "W32/Wecorl.a", a virus. If you are affected, you will see a message like:

The file C:WINDOWSsystem32svchost.exe contains the W32/Wecorl.a Virus.
Undetermined clean error, OAS denied access and continued.
Detected using Scan engine version 5400.1158 DAT version 5958.0000.

McAfee released an updated DAT file, and an "EXTRA.DAT" file to fix the problem. An EXTRA.DAT file is a patch to just fix the bad signature. McAfee's support web sites currently respond slowly and are down at times, likely due to the increased load caused by this issue.

Several readers reported that this procedure worked to recover:

1 - Boot the system in "Safe Mode"
2 - copy extra.dat in c:/program files/common files/mcafee/engine
3 - reboot.

If you lost "svchost.exe", then you need to copy it back to c:/Windows/system32/svchost.exe while in safe mode. This fix has to be applied locally at the workstation. However, it may be possible to do this remotely if your workstations support Intel's "vPro" technology. We should have a link to instructions shortly.

Additional information from McAfee: http://community.mca.../24056?tstart=0
McAfee Knowledgebase Article: https://kc.mcafee.co...=...&id=KB68780
EXTRA.DAT file: http://home.mcafee.c...aspx?key=265240.

[Advertisements]

Blair, Kat, could you post a blog entry on the best security options available both commercial and free? I think it is time to revisit this sector due to McAfee's major faux paux. Norton is bound to steal the market share, and I see Comodo getting more market share if they haven't already (they're very quiet and I don't see them in the mags or in the store).

[dinotech]

Blair, Kat, could you post a blog entry on the best security options available both commercial and free? I think it is time to revisit this sector due to McAfee's major faux paux. Norton is bound to steal the market share, and I see Comodo getting more market share if they haven't already (they're very quiet and I don't see them in the mags or in the store).

[dinotech]

Yesterday afternoon, the McAfee blog post was edited to remove this reference. The sentence now reads, ” We believe that this incident has impacted a small percentage of our enterprise accounts globally and a fraction of our consumer base…”

Why is it that companies continue to desensitize (help Sari!) their screw-ups? Whether they believe how low of an impact it was, it still cost a lot of money to fix, let alone man hours to devote to the issue. Evidently the fix that was issued didn't resolve all the problems, and left IT managers wondering if it really fixed the issue or not.

I believe in Comodo, although they have had their share of issues, they are an active company with the CEO posting religiously in his blog and on the forum (http://forums.comodo.com).

Dino