ID: 3939
Date: 21/04/2010
Title: 3939 - McAfee Signature Update Causing Wide Spread System Crashes
Platform level affected:Operating System
Hardware components affected:Intel PC
Specific operating systems components affected: 32-bit Windows
Net-enabled software: Enterprise Application
Security software:AV/Content Scanning
Remediation Summary:Update your copy of the software with the download available from the supplier.
Vendors affected:McAfee
Adversity source: Unknown
Attack Vector: Vulnerability exploitation
Virulence: Unknown
Warning Status: Active
Potential Damage: Host DoS
Possible Duration: Unknown
Availability of fix: Available
Type of fix: Patch
Source: McAfee
Reliability of source: Trusted
Source URL: https://kc.mcafee.com/corporate/index?page=content&id=KB68780
Abstract: Description of a problem with McAfee signature .DAT file 5958 and VirusScan Enterprise
CSIRTUK has observed multiple media reports of the latest McAfee signature update causing system crashes due to the virus detection service incorrectly identifying a core system file as a virus. Systems experiencing this condition are left in an unusable state.
Faulty Update: 5958
Affecting: Windows XP Service Pack 3
Core System File: svchost.exe
Users experiencing this are presented with the following message:
The file C:WINDOWSsystem32svchost.exe contains the W32 / Wecorl.a Virus. Undetermined clean error, OAS denied access and continued. Detected using Scan engine version 5400.1158 DAT version 5958.0000.
Mitigation
McAfee has released a workaround to prevent the false positive detection associated with this condition with an update DAT file. The DAT file does not prevent the issue, it only suppresses the faulty reporting/detection. Mcafee recommends that users apply the update immediately to all infected systems experiencing the condition. McAfee has provided the following direction for patch application:
For systems that have already encountered this issue, start the computer in Safe Mode and apply the EXTRA.DAT. After applying the EXTRA.DAT, restore the affected files from Quarantine.
References:
http://isc.incidents.org/diary.html?storyid=8656
https://kc.mcafee.com/corporate/index?page=content&id=KB68780
Corporate KnowledgeBase ID: KB68780
Version: 1.0
Status: Published
Published: April 21, 2010
Updated: July 29, 2009
Environment
For details of all supported operating systems, see KB51109<http://kb.mcafee.com/agent/index?page=content&id=KB51109>
Summary
McAfee is aware of a w32/wecorl.a false positive with the 5958 DAT file that was released on April 21, 2010.
Problem
Blue screen or DCOM error, followed by shutdown messages after updating to the 5958 DAT on April 21, 2010.
Solution 1
WARNING: If you have not done so already, do NOT download the 5958 DAT and disable all automatic pull and update tasks.
Please watch for updates on this issue, which will be sent on a timely basis through Support Notification Service (SNS) and Platinum Proactive notifications.
To subscribe to SNS, visit http://my.mcafee.com/content/SNS_Subscription_Center.
This article will be updated as additional information becomes available.
Solution 2
McAfee has developed an EXTRA.DAT to suppress this detection. The file is attached to this article.
Apply the EXTRA.DAT to all potentially affected systems as soon as possible.
To apply the EXTRA.DAT locally:
IMPORTANT: For VirusScan Enterprise 8.5i and later, an Access Protection feature must be temporarily disabled before proceeding. For instructions on how to temporarily disable Access Protection in the VirusScan Console, see KB52204<http://kb.mcafee.com/agent/index?page=content&id=KB52204> .
To apply the extra.DAT locally:
1. Click Start, Run, type services.msc and click OK.
2. Right-click the McAfee McShield service and select Stop.
3. Copy the extra.DAT file to the following location:
<installation drive>\Program Files\Common Files\McAfee\Engine
4. In the Services window, right-click McAfee McShield and select Start.
For instructions on how to deploy the EXTRA.DAT through ePolicy Orchestrator (ePO), see:
* ePO 4.0 - KB52977<http://kb.mcafee.com/agent/index?page=content&id=KB52977>
* ePO 4.5 - KB67602<http://kb.mcafee.com/agent/index?page=content&id=KB67602>
For additional information about EXTRA.DAT files, see KB68759<http://kb.mcafee.com/agent/index?page=content&id=KB68759>.
Related Information
Threat Center (McAfee Avert Labs) http://www.mcafee.com/us/threat_center/
Search the Threat Library http://vil.nai.com/<http://vil.nai.com/vil/default.aspx>
Submit a virus sample https://www.webimmune.net/default.asp
Security updates and DAT files http://www.mcafee.com/apps/downloads/security_updates/dat.asp?region=us&segment=enterprise
This advisory contains information released by the original author. Some of the information may have changed since it was released. If the issue affects you, it may be prudent to retrieve the advisory from the site of the original source to ensure that you receive the most current information concerning that problem. Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI.
The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. CPNI shall not accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this advisory.
CSIRTUK is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.
Wed, 21 Apr 2010 19:57:00 GMT
Domain affected: Technical