McAfee 6807/6808 DAT Integrity Reporter Available

McAfee has released VSE 6807 & 6808 Integrity Reporter, a diagnostic tool to assist customers in resolving the previously reported issue with DAT versions 6807 and 6808, using ePO reporting capabilities. This tool is less than 300Kb and can be run as needed to provide ‘snapshot’ data to ePO via the McAfee Agent.

Integrity Reporter is a detection tool ONLY and makes no changes to the system except to create an analytical event that is sent to ePO. Returned results include identifying if a system needs to be restarted.

For instructions on how to use the tool and download it, see this link:https://community.mcafee.com/docs/DOC-4124

McAfee released emergency DAT 6809 – Update #3 August 22nd

McAfee is issuing Emergency DAT Release 6809 due to Consumer issues with DAT 6807 as some Consumer customers may experience a loss of network connectivity after a recent update.

Enterprise customer are not impacted. McAfee DAT number sequencing requires 6809 to be sent to BOTH consumer and enterprise customers.

More information is available on the Consumer Service Portal at http://service.mcafee.com/FAQDocument.aspx?lc=1033&id=TS101446 .

Update August 20th:

McAfee has identified an issue with DAT 6807 and 6808 that is causing intermittent issues with VirusScan Enterprise 8.8.x. Specifically, these DATs can affect McShield.exe and cause issues with the on-access scanner.

If you have NOT deployed DAT 6807 or 6808, go directly to DAT 6809 or greater.

IF you HAVE deployed DAT 6807 or 6808, please go to McAfee KnowledgeBase KB76004 to review the steps to determine if endpoints in your environment are affected.

McAfee is investigating this issue and working on a superDAT remediation. Please go to KB76004 for continuing updates.

Update August 21st. More information about symptoms using 6807 and 6808 DAT files:

McAfee has identified an issue with DAT 6807 and 6808 that is causing intermittent issues with VirusScan Enterprise (VSE) 8.8.x. Specifically, these DATs can affect McShield.exe and may cause issues with the On-Access Scanner.

The following symptoms can also help to determine if you are affected by this issue:
• The On-Access Scanner (McShield.exe) will appear to be working. The process is running and visible in the Windows Task Manager.
• Process Explorer shows no file handle open to the MfeRuntime*.DAT file.
• DAT updates after 6807 appear to happen successfully. The DATs are copied into place, but are not loaded by McShield.exe.
• The registry values for the DAT versions are out of sync:
– The DAT version in the following location will be older (either 6807 or 6808): HKLMSoftwareMcAfeeAVEngineAvDATVersion
– The DAT version in the following location will show the latest update: HKLMSoftwareNetwork AssociatesePolicy OrchestratorApplication PluginsViruscan8800DATVersion
• In the ePolicy Orchestrator (ePO) console, the system properties for computers with this issue will report the DAT/Engine versions as follows:
– DAT Date 0/0/0
– DAT Version 0.0000
– Engine Version 0.0000

McAfee has released a new DAT version: 6809.

If you have NOT deployed DAT 6807 or 6808, go directly to DAT 6809 or later.
If you are updated to version 6807 or 6808, updating to 6809 will NOT solve these problems.

Update 3 August 22nd 2012

McAfee has released VSE 8.8 Hotfix 793640 to remediate the issue issue with DAT 6807 and 6808 that is causing intermittent issues with VirusScan Enterprise (VSE) 8.8.x. This is aMANDATORY HOTFIX. The hotfix contains the full DAT 6809 package.

You can download the hotfix from the following location:http://download.nai.com/products/hotfix/VSE88HF793640.Zip

This hotfix is approximately 100Mb in size and deployment can cause high bandwidth usage in large environments.

Enrolling the hotfix is possible by:

Standalone installation

  1. Extract the hotfix files to a temporary folder on your hard drive.
  2. Double-click VSE88HF793640.EXE.
  3. Follow the prompts in the installation wizard.

ePolicy Orchestrator check-in and deployment

  1. Open the ePO console and add the package VSE88HF793640.zip to your repository. The package type for the install is Products or Updates (.ZIP).
  2. When using Distributed Repositories on your network, you will first have to replicate the hotfix from the Master Repository to all locations.
  3. In your ePO System Tree at the highest level (Default: My Organization), create a Client Task of type McAfee Agent – Product Update. Choose “Package Types” at “Patches and Service Packs” for VirusScan Enterprise 8.8.0.
  4. Schedule the Client Task so that it will run today. Be aware that the Hotfix is 100MB and may have impact on your network utilization. Alternatively you can use Randomization of a few hours in the client task so you can make sure that not all systems are updated simultaneously. (for reference please check the McAfee KB Article)

    Third party deployment
    You can distribute the hotfix with any third party deployment solution that provides Administrator or local system credentials. To ensure that the installation runs silently, add the /SILENT switch (VSEHF793640.exe /SILENT)

    Verifying that the hotfix is successfully installed
    The hotfix does not force a reboot. Reboot all client systems at your earliest convenience to validate that the fix is successfully installed.

    Check for any of the following items to verify that the installation was successful:

    • After the client has sent property information to the ePO server, the Fix property for the client on the ePO server should show the hotfix number as 793640.
    • On the local system, check for the Hotfix_793640 entry in the appropriate registry location:
      – 32-bit systems: HKEY_Local_MachineSoftwareMcAfeeDesktopProtection
      – 34-bit systems: HKEY_Local_MachineSoftwareWow6432NodeMcAfeeDesktopProtection

    Mcafee has cancelled the DAT update version 6810 this Monday to ensure that users have no impact when the Hotfix is provided. The latest version of the DAT on your system after implementation will be 6809.

    For more information, check the McAfee knowledgebase: https://kc.mcafee.com/corporate/index?page=content&id=KB76004.

    McAfee has released VirusScan Enterprise Mandatory Security Hotfix 793781 — a second smaller hotfix to resolve the previously reported issue with DAT versions 6807 and 6808. This hotfix is approximately 2Mb and can be run locally or distributed via ePolicy Orchestrator and other third-party deployment tools.

    Hotfix 793781 makes the same changes to VirusScan Enterprise as Hotfix 793640 (100Mb), but does NOT contain the full DAT file. After you deploy the hotfix, affected systems MUST receive a full DAT update.

    For instructions on how to download and deploy this mandatory hotfix, see KB76004:

    https://kc.mcafee.com/corporate/index?page=content&id=KB76004.

    McAfee DAT update causes windows to crash (UPDATE NEW DAT FILE)

    McAfee has caused multiple systems to crash after a DAT update to 5958. It causes to falsly identify svchost.exe as virus W32/Wecorl. McAfee has tackeld this problem and released update 5959 to prevent this from happening. Here’s McAfee’s own statement about this false positive: Continue reading “McAfee DAT update causes windows to crash (UPDATE NEW DAT FILE)”