McAfee DAT update causes windows to crash (UPDATE NEW DAT FILE)

McAfee has caused multiple systems to crash after a DAT update to 5958. It causes to falsly identify svchost.exe as virus W32/Wecorl. McAfee has tackeld this problem and released update 5959 to prevent this from happening. Here’s McAfee’s own statement about this false positive:

False positive detection of W32/Wecorl.a in 5958 DAT

 

Corporate KnowledgeBase ID:    KB68780
Published:    April 21, 2010

==================================

FAQ

Q: Exactly which versions of Windows and the svchost.exe file were affected?
A: Two versions of the svchost.exe file that are found in Windows XP SP3 systems were affected. svchost.exe
files found on Windows 2000, Windows 2003, Windows XP SP1, Windows XP SP2, Windows Vista,
Windows 7 and older version of Windows were not affected.
 
Details of US English files affected are: 
File Size               OS                                          File Version       Md5      
14,336                   XPPRO_SP3_x86_v1       5.1.2600.5512     E4 10 EC 73 E2 BE 2A 41 D9 23 B0 06 F5 1C 84 27  
14,336                   XPPRO_SP3_x86_v2       5.1.2600.5512     27 C6 D0 3B CD B8 CF EB 96 B7 16 F3 D8 BE 3E 18  
14,336                   XPPRO_SP3_x86_v3       5.1.2600.5512     A7 81 24 26 8A 77 F4 19 02 DB 18 F6 22 AF E6 13  
 
 
Q: What threat was the driver targeting?
A: The false positive occurred as a result of  memory scanning, drivers targeting new variants of the Wecorl family
of malware were invoked on the file svchost.exe as a part of the memory scanning process. Details of this threat family
can be found here.  Enhanced drivers in the 5958 DAT were authored to detect some low prevalence variants seen recently.

Q: Why were these Microsoft files not white listed to prevent false positives?
A: McAfee’s  DATs use techniques to avoid scanning and causing false positives on Microsoft files in the majority situations,
for example if this was a simple scan of the file as it was accessed on the file system these would have prevented the false positive.
  Because this was a memory scan of the running process that then caused a subsequent scan of the file on disk these mitigation techniques
were unfortunately circumnavigated. This sequence of events also contributed to the reason why this false positive was not caught in QA.

==================================

Environment

For details of all supported operating systems, see KB51109

Summary

McAfee is aware of a w32/wecorl.a false positive with the 5958 DAT file that was released on April 21, 2010.

Background

For more background regarding the cause of this error, please see McAfee Response to DAT Version 5958 False Positive Error.

Problem

DCOM error, followed by shutdown messages after updating to the 5958 DAT on April 21, 2010.

Solution

The issue is resolved in the 5959 DAT file release (April 21, 2010), which is available from the McAfee Security Updates page at:

http://www.mcafee.com/apps/downloads/security_updates/dat.asp?region=us&segment=enterprise

NOTE: Posting of the 5959 DAT file is currently in progress. It may take several hours for the new DAT file to replicate out to all McAfee download servers. 

IMPORTANT: If you are already affected by this issue, you must still either replace or restore svchost.exe.  McAfee is continuing to work on an automated solution to fully resolve the issue for affected customers.

Please watch for updates on this issue, which will be sent on a timely basis through Support Notification Service (SNS) and Platinum Proactive notifications.

To subscribe to SNS, visit http://my.mcafee.com/content/SNS_Subscription_Center.

This article will be updated as additional information becomes available.

 

Recommended Manual Recovery Procedure using the Extra DAT where DAT 5958 is currently installed

  1. Locate the extra.dat from here and unzip
  2. Boot in safe mode with “Network Option“ enabled
  3. Copy Extra DAT into c:program filescommonfilesmcafeeengine
  4. If svchost.exe exists in (c:windowssystem32) and is not a “0“ byte file, skip to step 5
  5. If svchost.exe deleted,  Pull up the VSE console and open “Quarantine manager“

Click on the detection and select “Restore“

1)      If the VSE console does not come up:
C:program filesmcafeevirusscan enterprisemcconsol.exe /standalone
This will pull up the VSE console. Click on the detection and select “Restore“

2)      If steps  4 and 4.1 do not work OR if svchost.exe is “0“ bytes:

  1. When possible Copy svchost.exe from the local C:windowsServicePackFilesi386svchost.exe or if not present c:windowssystem32dllcachesvchost.exe
  2. Copy svchost.exe from an unaffected system to c:windowssystem32 directory (same OS) from external media (USB, CD etc.)

If  “paste“ is grayed out, use the following commands:

Start -> run -> cmd            

Run the following command “copy from [sourcefilename] to [destinationfolder]“

Example:  copy x:svchost.exe c:windowssystem32

  1. Reboot in normal mode
  2. Use the product update to update to 5959
  3. Delete the Extra DAT file in c:program filescommonfilesmcafeeengine

 

Alternate Manual Recovery Procedure using DAT 5959 where DAT 5958 is currently installed 

  1. Boot in safe mode with “Network Option“ enabled
  2. If svchost.exe not deleted (look in c:windowssystem32svchost.exe) and is not 0 byte then network connection should be possible – skip to step 5
  3. If svchost.exe deleted or if it is “0“ bytes, then network connection may not be possible
  4. If svchost.exe deleted,  Pull up the VSE console and open “Quarantine manager“

Click on the detection and select restore

1)      If the VSE console does not come up:

C:program filesmcafeevirusscan enterprisemcconsol.exe /standalone

This will pull up the VSE console

2).    If steps 4 and 4.1 do not work OR svchost.exe is “0“ bytes:

  1. When possible Copy svchost.exe from the local C:windowsServicePackFilesi386svchost.exe or if not present c:windowssystem32dllcachesvchost.exe

b. Copy svchost.exe from an unaffected system to c:windowssystem32 directory (same OS) from external media (USB, CD etc.)

If “paste“ is grayed out, use the following commands:

Start -> run -> cmd

Run the following command “copy from [sourcefilename] to [destinationfolder]“

Example:  copy x:svchost.exe c:windowssystem32

  1. Download the 5959 SuperDAT from here
  2. Run the SuperDAT program
  3. Reboot in normal mode

 

Related Information

 

Threat Center (McAfee Avert Labs)   http://www.mcafee.com/us/threat_center/
Search the Threat Library http://vil.nai.com/ 
Submit a virus sample https://www.webimmune.net/default.asp 
Security updates and DAT files http://www.mcafee.com/apps/downloads/security_updates/dat.asp?region=us&segment=enterprise

 

 For additional information about EXTRA.DAT files, see KB68759.

To deploy the EXTRA.DAT via ePO 4.0 (KB52977)

Step 1 – Check in the EXTRA.DAT   NOTES:

  • You cannot check in packages while any pull or replication tasks are in progress.
  • If your environment requires testing new packages before deploying them, McAfee recommends using the Evaluation branch. After you finish testing the packages, you can move them to the Current branch on the Software, Master Repository tab.
     
  1. Log on to the ePO 4.0 console. To open a remote console through Internet Explorer type one of the URLs below in your browser:

    https://<servername>:8443
    https://<ipaddress_of_server>:8443

     

  2. Click the SoftwareMaster Repository tabs.
  3. Click Check In Package.
  4. Select extra.DAT.
  5. Click Browse and locate the downloaded extra.DAT, then click Open.
  6. Click Next. Information is displayed about the Extra.DAT you are about to add to the repository.
  7. Click Next.
  8. Select the branch where you want to add the extra.DAT. The default branch is Current.
  9. Click Save. The Extra.DAT will now be listed under Packages in the Master Repository list on the Master Repository page.
  10. Run a Repository Replication task to distribute the Extra.DAT file out to all distributed or remote repositories.

  Step 2 – Deploy the EXTRA.DAT

  1. Create a new ePolicy Orchestrator Agent Update task, and set the schedule to Run Immediately.
  2. Perform an Agent Wakeup call to send the new Update task to your clients and apply the extra.DAT.

    NOTE: If you prefer, you can reschedule an existing ePO Agent update task to deploy the extra.DAT.

 

To deploy the EXTRA.DAT via ePO 4.5 (KB67602)

Step 1 – Check in the EXTRA.DAT

NOTES:

  • You cannot check in packages while any pull or replication tasks are running.
  • If your environment requires testing new packages before deploying them, McAfee recommends using the Evaluation branch. After you finish testing the packages, move them to the Current branch on the Software, Master Repository tab.
     
  1. Log on to the ePO 4.5 console. To open a remote console through Internet Explorer, type one of the URLs below in your browser:

    https://<servername>:8443
    https://<ipaddress_of_server>:8443
     

  2. Click Menu, Software, Master Repository.
  3. Click Actions and select Check In Package.
  4. Select extra.DAT.
  5. Click Browse and locate the EXTRA.DAT, then click Open.
  6. Click Next. Information is displayed about the extra.DAT you are about to add to the repository.
  7. Click Next.
  8. Select the branch where you want to add the extra.DAT. The default branch is Current.
  9. Click Save. The extra.DAT will now be listed under Packages in the Master Repository list on the Master Repository page.
  10. If you have distributed repositories, run a Repository Replication task to distribute the extra.DAT to all Distributed or Remote repositories.
     

Step 2 – Deploy the extra.DAT

  1. Create a new ePolicy Orchestrator Agent Update task, and set the schedule to Run Immediately.
  2. Perform an Agent Wakeup call to send the new Update task to your clients and apply the extra.DAT.

    NOTE: If you prefer, you can reschedule an existing ePO Agent update task to deploy the extra.DAT.

 

Attachment

EXTRA.zip

One thought on “McAfee DAT update causes windows to crash (UPDATE NEW DAT FILE)”

Leave a Reply

Your e-mail address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.