ePolicy Orchestrator (ePO) Hotfix 960279-2

ePolicy Orchestrator (ePO) Hotfix 960279-2 is now available. This release is a re-post of ePO Hotfix 960279. It addresses an installation issue for 5.x customers who migrated directly from ePO 4.x installations on Windows 32-bit, or whose ePO had been installed to a custom location under the 64-bit Windows C:\Program Files… directory.

To download Hotfix 960279-2, go to the McAfee downloads site below and look for ePOHF960279-2.zip:


McAfee ePolicy Orchestrator 5.0 and McAfee Agent 4.8 released

McAfee released two new versions yesterday: ePolicy Orchestrator 5.0 and McAfee Agent 4.8.

ePolicy Orchestrator 5.0:

What’s new in this version:

  • Upgrade Compatibility Utility

Use the Upgrade Compatibility Utility to migrate your server configuration from previous ePolicy Orchestrator versions on unsupported server operating systems to a supported operating system. At the same time, identify and prevent incompatible product extensions from running in your ePolicy Orchestrator 5.0 environment.

  • McAfee Product Improvement Program

Help improve McAfee products by periodically collecting data on ePolicy Orchestrator managed systems.

McAfee alert on W32/autorun.worm.aaeb-h worm [updated 28/11/12 @21:35 GMT+1]

W32/Autorun.worm.aaeb-h has the ability to infect removable media devices and mounted network shares. It can also copy itself into .zip and .rar archive files.

The infection starts either with manual execution of an infected file or by navigating to a folder that contains infected files. This threat has the ability to download other malware or updates to itself as directed by a Command-and-Control (C&C) server.

McAfee has released an Extra.DAT to detect and clean this threat. A new version of Stinger will be available later. McAfee will send another SNS notice when the Stinger is available.

To download the Extra.DAT and Stinger (when available), see KB76807:

For more information on McAfee product coverage and mitigation for this threat, see PD24169 – Threat Advisory: W32/Autorun.worm.aaeb:

*** UPDATE 21:35 ***

Download the latest stinger tool which can detect and remove this worm here:

How to install an extra.dat file:

To apply the ExtraDAT locally:

  1. Click Start, Run, type services.msc, and click OK.
  2. Right-click the McAfee McShield service and select Stop.
  3. Copy the ExtraDAT file to the following location:
    – 32-bit installations: <installation drive>\Program Files\Common Files\McAfee\Engine
    – 64-bit installations: <installation drive>\Program Files (x86)\Common Files\McAfee\Engine
  4. In the Services window, right-click McAfee McShield and select Start.
    The new detections in ExtraDAT will take effect after the McShield service has started.
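
The four steps above as a script, added here as an example (not McAfee tooling). `$ExtraDatPath` is a hypothetical parameter, and the script assumes the product is installed on the system drive so that the Common Files environment variables resolve to the folders in step 3.

```powershell
# Added example; not McAfee tooling. Run from an elevated PowerShell prompt.
param(
    # Hypothetical parameter: path to the ExtraDAT file obtained from McAfee.
    [Parameter(Mandatory = $true)][string]$ExtraDatPath
)
$ErrorActionPreference = 'Stop'

# Assumption: the product is on the system drive, so the Common Files
# environment variables resolve to the folders named in step 3.
$common = ${env:CommonProgramFiles(x86)}                  # set on 64-bit Windows only
if (-not $common) { $common = $env:CommonProgramFiles }   # 32-bit Windows
$engineDir = Join-Path $common 'McAfee\Engine'

if (-not (Test-Path $engineDir)) { throw "Engine folder not found: $engineDir" }
if (-not (Test-Path $ExtraDatPath -PathType Leaf)) { throw "ExtraDAT not found: $ExtraDatPath" }

# Look the service up by the display name used in steps 2 and 4.
$svc = Get-Service -DisplayName 'McAfee McShield'

Stop-Service -InputObject $svc -Force
try {
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
    Copy-Item -Path $ExtraDatPath -Destination $engineDir -Force
}
finally {
    # Restart even if the copy failed, so on-access scanning is not left off.
    Start-Service -InputObject $svc
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(120))
}

# Confirm the scanner is running again.
Get-Service -DisplayName 'McAfee McShield' | Select-Object DisplayName, Status
```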

VirusScan Enterprise 8.8 Patch 2 Now Available

VirusScan Enterprise 8.8 Patch 2 is now available. This release includes new features, fixes, and enhancements including:

  • Lotus Notes compatibility for 8.5.x
  • Additional logging during Patch installation
  • Various fixes for field-reported issues, ranging from BSODs to Updates using excessive bandwidth, and CPU spikes.

To download Patch 2, go to the McAfee downloads site. A valid license agreement number is required to download this patch.

You can view the Release Notes here.

McAfee released emergency DAT 6809 – Update #3 August 22nd

McAfee is issuing Emergency DAT Release 6809 due to Consumer issues with DAT 6807 as some Consumer customers may experience a loss of network connectivity after a recent update.

Enterprise customers are not impacted. McAfee DAT number sequencing requires 6809 to be sent to BOTH consumer and enterprise customers.

More information is available on the Consumer Service Portal at http://service.mcafee.com/FAQDocument.aspx?lc=1033&id=TS101446 .

Update August 20th:

McAfee has identified an issue with DAT 6807 and 6808 that is causing intermittent issues with VirusScan Enterprise 8.8.x. Specifically, these DATs can affect McShield.exe and cause issues with the on-access scanner.

If you have NOT deployed DAT 6807 or 6808, go directly to DAT 6809 or greater.

If you HAVE deployed DAT 6807 or 6808, please go to McAfee KnowledgeBase KB76004 to review the steps to determine if endpoints in your environment are affected.

McAfee is investigating this issue and working on a superDAT remediation. Please go to KB76004 for continuing updates.

Update August 21st. More information about symptoms using 6807 and 6808 DAT files:

McAfee has identified an issue with DAT 6807 and 6808 that is causing intermittent issues with VirusScan Enterprise (VSE) 8.8.x. Specifically, these DATs can affect McShield.exe and may cause issues with the On-Access Scanner.

The following symptoms can also help to determine if you are affected by this issue:
  • The On-Access Scanner (McShield.exe) will appear to be working. The process is running and visible in the Windows Task Manager.
  • Process Explorer shows no file handle open to the MfeRuntime*.DAT file.
  • DAT updates after 6807 appear to happen successfully. The DATs are copied into place, but are not loaded by McShield.exe.
  • The registry values for the DAT versions are out of sync:
    – The DAT version in the following location will be older (either 6807 or 6808): HKLM\Software\McAfee\AVEngine\AvDATVersion
    – The DAT version in the following location will show the latest update: HKLM\Software\Network Associates\ePolicy Orchestrator\Application Plugins\Viruscan8800\DATVersion
  • In the ePolicy Orchestrator (ePO) console, the system properties for computers with this issue will report the DAT/Engine versions as follows:
    – DAT Date 0/0/0
    – DAT Version 0.0000
    – Engine Version 0.0000

McAfee has released a new DAT version: 6809.

If you have NOT deployed DAT 6807 or 6808, go directly to DAT 6809 or later.
If you are updated to version 6807 or 6808, updating to 6809 will NOT solve these problems.

Update 3 August 22nd 2012

McAfee has released VSE 8.8 Hotfix 793640 to remediate the issue with DAT 6807 and 6808 that is causing intermittent issues with VirusScan Enterprise (VSE) 8.8.x. This is a MANDATORY HOTFIX. The hotfix contains the full DAT 6809 package.

You can download the hotfix from the following location: http://download.nai.com/products/hotfix/VSE88HF793640.Zip

This hotfix is approximately 100Mb in size and deployment can cause high bandwidth usage in large environments.

The hotfix can be rolled out in the following ways:

Standalone installation

  1. Extract the hotfix files to a temporary folder on your hard drive.
  2. Double-click VSE88HF793640.EXE.
  3. Follow the prompts in the installation wizard.

ePolicy Orchestrator check-in and deployment

  1. Open the ePO console and add the package VSE88HF793640.zip to your repository. The package type for the install is Products or Updates (.ZIP).
  2. When using Distributed Repositories on your network, you will first have to replicate the hotfix from the Master Repository to all locations.
  3. In your ePO System Tree at the highest level (Default: My Organization), create a Client Task of type McAfee Agent – Product Update. Under “Package Types”, select “Patches and Service Packs” for VirusScan Enterprise 8.8.0.
  4. Schedule the Client Task so that it will run today. Be aware that the Hotfix is 100MB and may have an impact on your network utilization. Alternatively, you can use Randomization of a few hours in the client task so that not all systems are updated simultaneously (for reference, please check the McAfee KB Article).

Third party deployment

You can distribute the hotfix with any third party deployment solution that provides Administrator or local system credentials. To ensure that the installation runs silently, add the /SILENT switch (VSEHF793640.exe /SILENT).

Verifying that the hotfix is successfully installed

The hotfix does not force a reboot. Reboot all client systems at your earliest convenience to validate that the fix is successfully installed.

Check for any of the following items to verify that the installation was successful:

  • After the client has sent property information to the ePO server, the Fix property for the client on the ePO server should show the hotfix number as 793640.
  • On the local system, check for the Hotfix_793640 entry in the appropriate registry location:
    – 32-bit systems: HKEY_Local_Machine\Software\McAfee\DesktopProtection
    – 64-bit systems: HKEY_Local_Machine\Software\Wow6432Node\McAfee\DesktopProtection
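
The registry checks from the symptom list (DAT versions out of sync) and from the hotfix verification step can be combined into one read-only script; this is an added example, not McAfee tooling. It assumes the last component of each quoted path is the value name, that the DAT values sit in the same 32-bit registry view as the DesktopProtection key, and that the `Hotfix_793640` "entry" may be either a value or a subkey.

```powershell
# Added example, not McAfee tooling. Read-only; run in PowerShell 3.0 or later.
# Assumption: the last component of each path quoted on the page is the value name.
$HotfixEntry = 'Hotfix_793640'
$PluginKey   = 'Software\Network Associates\ePolicy Orchestrator\Application Plugins\Viruscan8800'

# The 32-bit registry view maps to Software\Wow6432Node on 64-bit Windows and to
# plain Software on 32-bit Windows, which covers both locations named on the page.
$hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
    [Microsoft.Win32.RegistryHive]::LocalMachine,
    [Microsoft.Win32.RegistryView]::Registry32)

function Get-RegValue($subKey, $name) {
    # Return the value, or $null when the key or the value does not exist.
    $key = $hklm.OpenSubKey($subKey)
    if ($null -eq $key) { return $null }
    try { return $key.GetValue($name) } finally { $key.Close() }
}

function Get-DatMajor($raw) {
    # Normalise 6809 or "6809.0000" to the integer 6809; $null if absent or unparsable.
    if ($null -eq $raw) { return $null }
    $n = 0
    if ([int]::TryParse(("$raw" -split '\.')[0], [ref]$n)) { return $n }
    return $null
}

$engineDat = Get-DatMajor (Get-RegValue 'Software\McAfee\AVEngine' 'AvDATVersion')
$pluginDat = Get-DatMajor (Get-RegValue $PluginKey 'DATVersion')

$hotfix = $false
$dp = $hklm.OpenSubKey('Software\McAfee\DesktopProtection')
if ($dp) {
    # The page says "entry"; accept either a value or a subkey with that name.
    $hotfix = ($dp.GetValueNames() -contains $HotfixEntry) -or
              ($dp.GetSubKeyNames() -contains $HotfixEntry)
    $dp.Close()
}
$hklm.Close()

[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    EngineDat     = $engineDat
    PluginDat     = $pluginDat
    # Symptom: engine value stuck on 6807/6808 while the plugin value has moved on.
    DatOutOfSync  = ($engineDat -in 6807, 6808) -and ($pluginDat -gt $engineDat)
    HotfixPresent = $hotfix
}
```

A `DatOutOfSync` of False on a system whose engine value is still 6807 or 6808 only means the plugin value has not moved past it yet, so the other symptoms still need checking.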

McAfee has cancelled the DAT update version 6810 this Monday to ensure that users have no impact when the Hotfix is provided. The latest version of the DAT on your system after implementation will be 6809.

For more information, check the McAfee knowledgebase: https://kc.mcafee.com/corporate/index?page=content&id=KB76004.

McAfee has released VirusScan Enterprise Mandatory Security Hotfix 793781 — a second smaller hotfix to resolve the previously reported issue with DAT versions 6807 and 6808. This hotfix is approximately 2Mb and can be run locally or distributed via ePolicy Orchestrator and other third-party deployment tools.

Hotfix 793781 makes the same changes to VirusScan Enterprise as Hotfix 793640 (100Mb), but does NOT contain the full DAT file. After you deploy the hotfix, affected systems MUST receive a full DAT update.

For instructions on how to download and deploy this mandatory hotfix, see KB76004:


McAfee Agent 4.6 Patch 2 Removed from Downloads Site

McAfee Agent 4.6 Patch 2 Windows has been temporarily removed from the McAfee Downloads site due to an issue related to Microsoft Security Update KB2718523.

McAfee Engineering is investigating this issue and will post a fixed build as soon as possible.

For more information, see article KB75956:


McAfee emergency DAT release for file infector

McAfee is aware of a particularly malicious file infector that blue-screens endpoints and is difficult to detect. While this malware seems to be a targeted attack, McAfee strongly recommends that all customers increase their protection by applying the Emergency DAT Release which includes a generic detection for the dropper which starts the infection.

McAfee has provided an extra.DAT and Stinger ZIP files for W32/DistTrack for detection and removal. See McAfee KnowledgeBase article KB75963 (https://kc.mcafee.com/corporate/index?page=content&id=KB75963).

McAfee Global Threat Intelligence (GTI) will detect the known W32/DistTrack droppers when set to ‘Medium’. See “How to enable Global Threat Intelligence Technology in your McAfee product (KB70130)” (https://kc.mcafee.com/corporate/index?page=content&id=KB70130).

NOTE: The following McAfee products currently employ McAfee DAT files:

  • AntiSpyware Enterprise
  • Anti-Virus Scanning Engine
  • Email and Web Security Appliance Software
  • GroupShield for Exchange
  • SaaS Endpoint Protection
  • Security for Lotus Domino
  • Security for Mac
  • Security Service for Exchange
  • Security for SharePoint
  • SuperDAT Manager
  • VirusScan Command Line Scanner
  • VirusScan Enterprise
  • VirusScan Enterprise for Linux
  • VirusScan Enterprise for Offline Virtual Images
  • VirusScan Enterprise for SAP
  • VirusScan for Mac
  • VirusScan for UNIX

McAfee Agent 4.6 Patch 1 available

Hi guys,

McAfee Agent 4.6 Patch 1 Windows and Extension are now available from the McAfee ServicePortal (https://mysupport.mcafee.com) and McAfee Downloads site (http://mcafee.com/us/downloads).

You can only download these files with an authorized and valid McAfee Grant number.




McAfee VSE 8.8 Patch1

Hi guys,

Patch 1 for VirusScan Enterprise 8.8 is now available from the locations below:

Patch 1 is considered a Mandatory release. For information on ratings, see KnowledgeBase article KB51560: https://kc.mcafee.com/corporate/index?page=content&id=KB51560

Customers with McAfee Application Control or Solidcore version 5.1.2 should be aware of the issue and resolution described in KnowledgeBase article KB73274:


McAfee VSE-Storage 1.0.x RPC Timeout and 0x14 Errors

Hi guys,

Just got word from McAfee about the following:

“NetApp ONTAP 7.3.6 and 8.0.2 introduced an option to handle idle RPC sessions and in particular idle RPC sessions by file ID. Generally, this new strategy behaves when a particular FID associated with an RPC connection does not have any activity for more than 20 minutes (by default), Data ONTAP disconnects the connection, considering it idle. This change was added to address a memory leak that was experienced by applications that were opening (many) RPC connections and never closing them out. This lack of closing out of connections creates the NetApp memory leak.

Because McAfee VSES uses the same infrastructure for keep-alive probes the disconnect/idle setting may cause performance issues when reading/writing large files to the filer(s).

If you are experiencing VSE for Storage RPC Timeout disconnects with filers running 7.3.6 or 8.0.2 then current workaround steps are:

  1. Modify the following filer option cifs.rpcfd_timeout to a value of 0.
    To change the value run the following: options cifs.rpcfd_timeout 0 [ENTER].
  2. Confirm the option took by typing: options cifs.rpcfd_timeout [ENTER].
    The value returned for the option should be 0.
  3. Do one of the following to ensure the malfunctioning AV servers disconnect and reconnect:
    • Cycle the McAfee AV services on the server itself
    • Disable / Re-enable AV on the filer.

Monitor for the behavior to re-appear.
McAfee also recommends installing the latest hotfixes:

  • VSE for Storage 1.0.0 Patch 1 plus HF539302 and HF685485
  • VSE for Storage 1.0.2 plus HF672928 and HF692368

To access the above VSE for Storage hotfixes, contact McAfee Customer Support.

If you encounter VSE for Storage RPC Timeout disconnects with filers running 7.3.6 or 8.0.2, see “ONTAP RPC connections” when querying NetApp Knowledge Base Database or when opening a case with NetApp.”