Author Topic: McAfee VSE false positive bricks PCs worldwide (DAT 5958, svchost.exe, wecorl.a)  (Read 4969 times)


Samker


Enterprise customers of a widely used McAfee anti-virus product were in a world of hurt on Wednesday after an update caused large swaths of their machines to become completely inoperable.

The problem started around 2 pm GMT when McAfee pushed out DAT 5958 to users of VirusScan Enterprise. The virus definition falsely identifies a core Windows file as infected, quarantines it and then shuts down the machine. When restarted, the PCs are unable to load Windows, a glitch that mires them in an endless reboot cycle.

"We support customers' platforms, and it means we are currently unable to do that," said the head of infrastructure security for a worldwide IT firm who asked not to be identified because he's not authorized to speak to the press. "Basically, our engineers are currently unable to work."

In a statement, McAfee said the false positive "can result in moderate to significant performance issues" on machines running Windows XP service pack 3, and that the defective definition has been removed from download servers. The infrastructure security head said XP machines running SP 1 and SP 2 were also affected.

"McAfee teams are working with the highest priority to support impacted customers and plan to provide an update virus definition file shortly," the statement continued. "McAfee apologizes for any inconvenience to our customers."

Judging from comments left on McAfee support forums, the snafu is causing considerable problems for many customers.

"How much longer before McAfee finds a fix or has the update 5959 to resolve this problem?" one admin wrote. "We are a school district and have over 5000 computers being affected by this DAT file. This Extra.dat file looks like it will work, but guess what, the 5958 update has already been applied so this will not work for us."

The infrastructure security head, who was working in one of his firm's UK offices, said about 30 percent of the company's PCs were affected, in part because admins disconnected working machines from the network after learning about the glitch. So far, his team has been able to bring only about 5 percent of the disabled machines back online.

The snafu causes VirusScan Enterprise to falsely flag svchost.exe as infected with malware known as Wecorl.a. More from the Sans Institute here: http://isc.sans.org/diary.html?storyid=8656

(ElReg.)

Samker

Recovering from the Flawed McAfee Update !!!


Nothing ruins an IT administrator's day faster than a software update from a security vendor wreaking havoc on the computer systems it is intended to protect. That is exactly the predicament faced by many IT administrators today when a flawed McAfee update rendered Windows XP PCs essentially useless (above).

Joris Evers, a McAfee spokesperson, e-mailed a statement explaining "In the past 24 hours, McAfee identified a new threat that impacts Windows PCs. Researchers worked diligently to address this threat that attacks critical Windows system executables and buries itself deep into a computer's memory."

Evers continued "The research team created detection and removal to address this threat. The remediation passed our quality testing and was released with the 5958 virus definition file at 2:00 PM GMT+1 (6am Pacific Time) on Wednesday, April 21."

Not long after that, reports began to surface that Windows PCs, primarily Windows XP SP3 PCs, were experiencing significant issues, including constant rebooting or the ever-popular BSOD (blue screen of death) system crash.

A number of customers experienced a false positive resulting in the ensuing chaos. The 5958 virus definitions apparently detect svchost.exe, a core system file on Windows PCs, as a malware threat. According to the McAfee statement, though, "corporations who kept a feature called 'Scan Processes on Enable' in McAfee VirusScan Enterprise disabled, as it is by default, were not affected."

McAfee responded by quickly pulling the faulty update from the McAfee servers. An emergency extra.dat file was made available in the McAfee forums to address the issue, but the forums site was so overwhelmed with customer backlash that it was eventually taken offline. A corrected virus definition file, 5959, is now available, and McAfee has posted instructions to recover affected systems: http://vil.nai.com/vil/5958_false.htm

Evers summed up with an apology to affected customers and the following mea culpa: "We are investigating how the incorrect detection made it into our DAT files and will take measures to prevent this from reoccurring."

Identifying Affected Systems

Obviously, if your Windows XP SP3 system is displaying a BSOD or constantly rebooting you have some pretty strong evidence that the system was impacted by the faulty McAfee detection of the W32/wecorl.a virus.

A spokesperson for Solera Networks (http://www.soleranetworks.com/) pointed out via an e-mailed statement that not all affected systems are so obvious, and highlighted the fact that network threats often originate internally without malicious intent. "As with today's McAfee incident, security issues don't always come from outside hackers with malicious intent. They may originate from non-malicious activities from a trusted partner, such as McAfee."

The statement adds "Though it seems that cleaning up individual machines may be sufficient, there may be remnants of files and systems affected that are not apparent. As it has been continually reported, many security breaches and the damage they do remains on networks for days and months, or longer, going unnoticed. Even a trusted partner can be wreaking havoc beyond the visible scope into the network."

Recovering Affected Systems

Solera Networks' customers are using products like Network Forensics and scanning all network activity for any evidence of where the faulty DAT file crossed the network, who downloaded it, when and what happened thereafter, considering the whole network. Using Network Forensics, these companies effectively go back in time and can perform complete cleanup with full visibility to the entire network in minutes.

Speaking of going back in time, affected systems may be able to simply reverse the effects of the faulty DAT by using Windows System Restore. Restoring the system to a point in time prior to when the 5958 DAT was pushed out should effectively take the computer back in time and reverse the damage.


Perhaps there is another subtle message here, too. The systems crippled by the faulty McAfee update were Windows XP SP3 PCs. Perhaps it's time to upgrade to Windows 7?

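The identification and staging ideas in this thread can be turned into a small inventory triage, which I add here as an example of my own (not McAfee's or Solera's code). It uses only the conditions the articles give (DAT 5958, Windows XP, "Scan Processes on Enable" turned on, 5959 as the fix); the Host fields and the ePO pull timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Facts as reported in the thread: DAT 5958 flagged svchost.exe as W32/wecorl.a,
# DAT 5959 corrected it, and only hosts with "Scan Processes on Enable" on were hit.
BAD_DAT = 5958
FIXED_DAT = 5959
AFFECTED_OS = {"Windows XP SP1", "Windows XP SP2", "Windows XP SP3"}

@dataclass
class Host:
    name: str
    os: str
    dat: int
    scan_processes_on_enable: bool     # VSE option named in the article
    svchost_quarantined: bool = False  # constructed field: endpoint already quarantined svchost.exe

def triage(host: Host) -> str:
    """Bucket one host using the conditions the report gives; bricked hosts first,
    because a host stuck in a reboot loop cannot pick up 5959 on its own."""
    if host.svchost_quarantined:
        return "bricked"       # needs offline recovery (extra.dat / System Restore)
    if host.dat >= FIXED_DAT:
        return "clean"         # corrected DAT already applied
    if host.dat == BAD_DAT and host.os in AFFECTED_OS and host.scan_processes_on_enable:
        return "at-risk"       # bad DAT present and the triggering option is on
    if host.dat == BAD_DAT:
        return "has-bad-dat"   # carrying 5958 without the trigger; still push 5959
    return "clean"

def triage_inventory(hosts):
    """Group host names by triage bucket so each group can be handled as a batch."""
    buckets = {}
    for h in hosts:
        buckets.setdefault(triage(h), []).append(h.name)
    return buckets

def client_dat_at(epo_pulls, delay: timedelta, at: datetime):
    """DAT version clients hold at time `at` if ePO only distributes a DAT that has
    sat in its repository for `delay` (the staging approach haz describes below).
    Returns None if nothing has been released to clients yet."""
    released = [dat for dat, pulled in epo_pulls if pulled + delay <= at]
    return max(released) if released else None

# Constructed ePO pull log; 5958's time is the release time quoted in the article.
EPO_PULLS = [(5957, datetime(2010, 4, 20, 14, 0)),
             (5958, datetime(2010, 4, 21, 14, 0)),
             (5959, datetime(2010, 4, 22, 9, 0))]   # 5959 time is a placeholder
```

With a six-hour staging delay, `client_dat_at(EPO_PULLS, timedelta(hours=6), datetime(2010, 4, 21, 16, 0))` still returns 5957, which is the window in which an admin could delete 5958 from ePO before any client received it.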

haz

Thanks for the news. When I first found out about the problem I thought it was a miracle that none of our machines were hit by it, so I rushed to ePO to delete the update before it is distributed (I put several hours of period between ePO pulling the updates and the other machines doing so from the ePO), but I found that the DAT version in ePO was 5959! So the bad update was actually already downloaded and distributed and nothing happened! I checked the PCs later to find out that even some of them still have the 5958 DAT version and they are working fine! (yes, Windows XP SP3 PCs). I was confused till I read here that it only affected those who have the "Scan Processes on Enable" enabled..
Thanks again

Samker

Hi Haz, I must say that you're very lucky. ;)

McAfee made a very big mess; users even headed over to Twitter to vent their rage.
If you're registered at Twitter, simply type McAfee in the Search box and you'll see: http://twitter.com/#search?q=mcafee


haz

Wow! Glad I'm not one of them ;)
