McAfee is issuing Emergency DAT Release 6809 due to Consumer issues with DAT 6807 as some Consumer customers may experience a loss of network connectivity after a recent update.
Enterprise customer are not impacted. McAfee DAT number sequencing requires 6809 to be sent to BOTH consumer and enterprise customers.
More information is available on the Consumer Service Portal at http://service.mcafee.com/FAQDocument.aspx?lc=1033&id=TS101446 .
Update August 20th:
McAfee has identified an issue with DAT 6807 and 6808 that is causing intermittent issues with VirusScan Enterprise 8.8.x. Specifically, these DATs can affect McShield.exe and cause issues with the on-access scanner.
If you have NOT deployed DAT 6807 or 6808, go directly to DAT 6809 or greater.
IF you HAVE deployed DAT 6807 or 6808, please go to McAfee KnowledgeBase KB76004 to review the steps to determine if endpoints in your environment are affected.
McAfee is investigating this issue and working on a superDAT remediation. Please go to KB76004 for continuing updates.
Update August 21st. More information about symptoms using 6807 and 6808 DAT files:
McAfee has identified an issue with DAT 6807 and 6808 that is causing intermittent issues with VirusScan Enterprise (VSE) 8.8.x. Specifically, these DATs can affect McShield.exe and may cause issues with the On-Access Scanner.
The following symptoms can also help to determine if you are affected by this issue:
• The On-Access Scanner (McShield.exe) will appear to be working. The process is running and visible in the Windows Task Manager.
• Process Explorer shows no file handle open to the MfeRuntime*.DAT file.
• DAT updates after 6807 appear to happen successfully. The DATs are copied into place, but are not loaded by McShield.exe.
• The registry values for the DAT versions are out of sync:
– The DAT version in the following location will be older (either 6807 or 6808): HKLMSoftwareMcAfeeAVEngineAvDATVersion
– The DAT version in the following location will show the latest update: HKLMSoftwareNetwork AssociatesePolicy OrchestratorApplication PluginsViruscan8800DATVersion
• In the ePolicy Orchestrator (ePO) console, the system properties for computers with this issue will report the DAT/Engine versions as follows:
– DAT Date 0/0/0
– DAT Version 0.0000
– Engine Version 0.0000
McAfee has released a new DAT version: 6809.
If you have NOT deployed DAT 6807 or 6808, go directly to DAT 6809 or later.
If you are updated to version 6807 or 6808, updating to 6809 will NOT solve these problems.
Update 3 August 22nd 2012
McAfee has released VSE 8.8 Hotfix 793640 to remediate the issue issue with DAT 6807 and 6808 that is causing intermittent issues with VirusScan Enterprise (VSE) 8.8.x. This is aMANDATORY HOTFIX. The hotfix contains the full DAT 6809 package.
You can download the hotfix from the following location:http://download.nai.com/products/hotfix/VSE88HF793640.Zip
This hotfix is approximately 100Mb in size and deployment can cause high bandwidth usage in large environments.
Enrolling the hotfix is possible by:
- Extract the hotfix files to a temporary folder on your hard drive.
- Double-click VSE88HF793640.EXE.
- Follow the prompts in the installation wizard.
ePolicy Orchestrator check-in and deployment
- Open the ePO console and add the package VSE88HF793640.zip to your repository. The package type for the install is Products or Updates (.ZIP).
- When using Distributed Repositories on your network, you will first have to replicate the hotfix from the Master Repository to all locations.
- In your ePO System Tree at the highest level (Default: My Organization), create a Client Task of type McAfee Agent – Product Update. Choose “Package Types” at “Patches and Service Packs” for VirusScan Enterprise 8.8.0.
- Schedule the Client Task so that it will run today. Be aware that the Hotfix is 100MB and may have impact on your network utilization. Alternatively you can use Randomization of a few hours in the client task so you can make sure that not all systems are updated simultaneously. (for reference please check the McAfee KB Article)
Third party deployment
You can distribute the hotfix with any third party deployment solution that provides Administrator or local system credentials. To ensure that the installation runs silently, add the /SILENT switch (VSEHF793640.exe /SILENT)
Verifying that the hotfix is successfully installed
The hotfix does not force a reboot. Reboot all client systems at your earliest convenience to validate that the fix is successfully installed.
Check for any of the following items to verify that the installation was successful:
- After the client has sent property information to the ePO server, the Fix property for the client on the ePO server should show the hotfix number as 793640.
- On the local system, check for the Hotfix_793640 entry in the appropriate registry location:
– 32-bit systems: HKEY_Local_MachineSoftwareMcAfeeDesktopProtection
– 34-bit systems: HKEY_Local_MachineSoftwareWow6432NodeMcAfeeDesktopProtection
Mcafee has cancelled the DAT update version 6810 this Monday to ensure that users have no impact when the Hotfix is provided. The latest version of the DAT on your system after implementation will be 6809.
For more information, check the McAfee knowledgebase: https://kc.mcafee.com/corporate/index?page=content&id=KB76004.
McAfee has released VirusScan Enterprise Mandatory Security Hotfix 793781 — a second smaller hotfix to resolve the previously reported issue with DAT versions 6807 and 6808. This hotfix is approximately 2Mb and can be run locally or distributed via ePolicy Orchestrator and other third-party deployment tools.
Hotfix 793781 makes the same changes to VirusScan Enterprise as Hotfix 793640 (100Mb), but does NOT contain the full DAT file. After you deploy the hotfix, affected systems MUST receive a full DAT update.
For instructions on how to download and deploy this mandatory hotfix, see KB76004:
One thought on “McAfee released emergency DAT 6809 – Update #3 August 22nd”
We are finding that the first patch keeps reinstalling over and over, causing the registry key to delete itself, so it becomes difficult to know who has been patched.