Security Alerts

McAfee DAT 5958 Causing Windows XP Systems to Become Unusable
4/21/2010

A false positive malware detection in McAfee DAT version 5958.0000, released on April 21, 2010 at 6:00 AM PDT (UTC -7), can cause Windows XP systems to become unresponsive, lose network connectivity, get stuck in a restart loop, and become difficult to use (lost task bar, lost icons, access denied errors, etc.).

Initial reports indicated that the errant DAT affected only Windows XP SP3 systems, but we have received reports that it also affects systems with SP1 and SP2. We have seen a report of server systems also being affected.

Threat Level

Warning: Virus Protection Definition Update Causes Systems to be Unusable

(A "warning" alert is for a situation that is currently occurring, or for which conditions are right for it to occur soon.)

Severity: High.

Media attention: Yes.

Affected Software

McAfee VirusScan products

What Causes Systems To Become Unresponsive?

McAfee virus protection is detecting C:\WINDOWS\system32\svchost.exe as containing the W32/Wecorl.a virus and is denying access to the file. The svchost.exe file is a core Windows file. Denying access to the file sets off a chain of uncontrolled restarts and loss of networking functionality.

How Do I Protect My Computer?

Because affected systems may only become unusable after a reboot, users are advised not to restart systems with the affected DAT file.

As of about 12:20 PM PDT (UTC -7), McAfee has released DAT 5959.0000. Initial indications are that installing this DAT solves the problem.

McAfee sent an alert at 8:06 AM PDT (UTC -7) to disable pull tasks and update tasks.

McAfee has pulled the errant DAT update as of 10:40 AM PDT (UTC -7). If your system has not downloaded the errant DAT, you do not need to do anything. However, some corporate servers might have downloaded the package and be waiting to update computers once they plug into the corporate network. So, you might want to disable pull tasks and update tasks, or disconnect systems from the network.

Because the systems lose network connectivity, an IT person will have to touch all affected PCs.

If your system has downloaded DAT 5958, you will need to either roll the DAT back or forward. Trying to roll back to the last version is difficult. A "shutdown /a" command (which aborts a pending shutdown) may help if your system is in a restart loop.

The best solution to get you 100% up to date as of April 21st, 2010 is to get SuperDAT 5959. It will stop the false positive from occurring. If you are using ePO, then make sure that the new DAT 5959 is loaded and pushed to any downstream servers. Boot an affected system into Safe Mode. Run the sdat5958.exe file. If your policy is set to Quarantine as opposed to Delete, then you can recover svchost.exe from quarantine and restore it. Otherwise, copy the svchost.exe file from a known-good system to the system32 directory and restart the system.
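The recovery steps above form a small decision tree (errant DAT present or not, damage already triggered or not, Quarantine versus Delete policy). The following is an added example, not part of this bulletin or any McAfee tool, that encodes that tree so a fleet can be triaged consistently and a copied-in svchost.exe can be checked against a hash taken on the known-good source; the Host record, its field names and the sample inventory are this example's own constructed assumptions.

```python
import hashlib
from dataclasses import dataclass

BAD_DAT = "5958.0000"    # errant DAT named in the bulletin
FIXED_DAT = "5959.0000"  # DAT that stops the false positive


@dataclass
class Host:
    """Constructed inventory record; field names are this example's own."""
    name: str
    dat_version: str
    svchost_present: bool    # is C:\WINDOWS\system32\svchost.exe still intact?
    quarantine_policy: bool  # VirusScan action set to Quarantine rather than Delete?


def plan_remediation(host: Host) -> list[str]:
    """Return the ordered steps the bulletin prescribes for one host."""
    if host.dat_version != BAD_DAT:
        return ["no action; keep pull/update tasks disabled until DAT 5959 is staged"]
    steps = ["disable pull/update tasks or disconnect from the network"]
    if host.svchost_present:
        # DAT downloaded but damage not yet triggered: fix before any reboot
        steps += ["do NOT restart", "apply SuperDAT 5959 now"]
    else:
        # svchost.exe already quarantined or deleted: recover offline
        steps += ["run 'shutdown /a' to abort a restart loop",
                  "boot into Safe Mode and apply SuperDAT 5959"]
        if host.quarantine_policy:
            steps.append("restore svchost.exe from VirusScan quarantine")
        else:
            steps.append("copy svchost.exe from a known-good system into system32 and verify its hash")
    steps.append(f"restart and confirm DAT version is {FIXED_DAT}")
    return steps


def svchost_matches_known_good(file_bytes: bytes, known_good_sha256: str) -> bool:
    """Check a copied-in svchost.exe against the SHA-256 taken on the known-good source."""
    return hashlib.sha256(file_bytes).hexdigest() == known_good_sha256


# Constructed sample inventory (not real hosts)
FLEET = [
    Host("xp-ws01", "5958.0000", svchost_present=True, quarantine_policy=True),
    Host("xp-ws02", "5958.0000", svchost_present=False, quarantine_policy=False),
    Host("xp-ws03", "5957.0000", svchost_present=True, quarantine_policy=True),
]

if __name__ == "__main__":
    for h in FLEET:
        print(h.name, "->", plan_remediation(h))
```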

More Information

Advisories
McAfee Post: McAfee KB 68780 or http://community.mcafee.com/thread/24056?tstart=0 (site down as of when this bulletin was written)
SANS Internet Storm Center: http://www.incidents.org/diary.html?storyid=8656

News
The Register: http://www.theregister.co.uk/2010/04/21/mcafee_false_positive/
The New York Times (AP article): McAfee Antivirus Program Goes Berserk, Reboots PCs

Managed Services

IT Professional Services does not use McAfee virus protection products for systems under Managed Care.

Professional Services

If you need assistance recovering from this DAT update or a security assessment, IT Professional Services can help. Call our help desk.

Find out more about our managed care service.

To find out how vulnerable your network is, schedule a free network security analysis today.

We at IT Professional Services (ITPS) hope that the information in this bulletin is valuable to you. ITPS believes the information provided herein is reliable. While care has been taken to ensure accuracy, your use of the information contained in this bulletin is at your sole risk. All information in this bulletin is provided "as-is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the bulletin are authored, recommended, supported or guaranteed by ITPS. ITPS shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.
