Security Alerts
McAfee DAT 5958 Causing
Windows XP Systems to become Unusable
4/21/2010
A false positive malware detection in McAfee DAT
version 5958.0000 released on April 21, 2010 6:00 AM PDT (UTC
-7) can cause Windows XP systems to become unresponsive, lose
network connectivity, get stuck in a restart loop, and become difficult
to use (lose task bar, lose icons, access denied, etc.).
Initial reports indicated that the errant DAT
affected only Windows XP SP3 systems, but we have received reports that
it also affects systems with SP1 and SP2. We have seen a report of server systems also being affected.
Threat Level
Warning: Virus Protection Definition
Update Causes Systems to be Unusable
(A "warning" alert is for a situation that is currently occurring or
conditions are right for the situation to occur soon.)
Severity: High.
Media attention: Yes.
Affected Software
McAfee VirusScan products
What Causes Systems To Become
Unresponsive?
McAfee virus protection is detecting
C:WINDOWS\system32\svchost.exe as containing the W32/Wecorl.a
Virus and is denying access to the file. The svchost.exe file
is core Windows file. Denying access to the file
sets off a chain of uncontrolled restarts and loss of networking
functionality.
How
Do I Protect My Computer?
Because affected systems may only become unusable after a reboot, users
are advised not to restart systems with the affected DAT file. As
of about 12:20 PM PDT (UTC-7), McAfee has released DAT 5959.0000.
Initial indications that installing this DAT solves the problems. McAfee sent an alert at 8:06 AM PDT (UTC -7) to
disable pull tasks and update tasks.
McAfee has pulled the errant DAT update as of
10:40 AM PDT (UTC -7). If your system has not downloaded the
errant DAT, you do not need to
do anything. However, some corporate server
might have downloaded the package waiting to update computers once they
plugged into the corporate network. So, you might want to
disable pull tasks and update tasks or disconnect systems from the
network.
Because the systems lose network connectivity, an
IT person will have to touch all affected PCs.
If your system has downloaded DAT 5958, you will
need to either roll back or forward the DAT. Trying to roll
back to last version is difficult. A "shutdown
/a" command may help if your system is in a restart loop.
The best solution to get you 100% up to date as of
April 21st, 2010 is get Super DAT 5959.
It will stop the false positive from occurring. If you
are using ePO, then make sure that the new DAT 5959 is loaded and
pushed to any downstream servers. Boot an affected system into
safe mode. Run sdat5958.exe file. If your policy is set to
Quarantine as opposed to Delete then you can recover svchost.exe and
restore it. Otherwise copy the svchost.exe file from a
known-good system to the system32 directory and restart the system.
More Information
Advisories
McAfee Post: McAfee KB 68780 or http://community.mcafee.com/thread/24056?tstart=0
(site down as of when this bulletin was written)
SANS Internet Storm Center: http://www.incidents.org/diary.html?storyid=8656
News
The Register: http://www.theregister.co.uk/2010/04/21/mcafee_false_positive/ The New York Times (AP article): McAfee Antivirus Program Goes Berserk, Reboots PCs
Managed Services
IT Professional Services does not use McAfee virus
protection products for systems
under Managed
Care.
Professional Services
If you need assistance recovering from this DAT
update or a security assessment, IT Professional Services
can help. Call our
help desk.
Find
out more about our managed care service.
To find out how vulnerable your network is
schedule a free network security analysis today.
We at IT Professional Services (ITPS)
hope that the information in this bulletin is valuable to you. ITPS
believes the information provided herein is reliable. While care has
been taken to ensure accuracy, your use of the information contained in
this bulletin is at your sole risk. All information in this bulletin is
provided "as-is", without any warranty, whether express or implied, of
its accuracy, completeness, fitness for a particular purpose, title or
non-infringement, and none of the third-party products or information
mentioned in the bulletin are authored, recommended, supported or
guaranteed by ITPS. ITPS shall not be liable for any damages you may
sustain by using this information, whether direct, indirect, special,
incidental or consequential, even if it has been advised of the
possibility of such damages.
|