General discussion

Update Issues with McAfee DAT 5958

As Per: McAfee DAT 5958 Update Issues

Published: 2010-04-21
Last Updated: 2010-04-21 16:39:47 UTC
by Guy Bruneau (Version: 1)

We have received several reports indicating some issues with McAfee DAT 5958 causing Windows XP SP3 clients to be locked out. It is affecting svchost.exe. Here is an example of the message:

The file C:\WINDOWS\system32\svchost.exe contains the W32/Wecorl.a Virus. Undetermined clean error, OAS denied access and continued. Detected using Scan engine version 5400.1158 DAT version 5958.0000.

McAfee has posted additional information here.

Update 1:

Symptoms are: reboot loops and networking down. Trying to roll back to last version is difficult.

Early analysis leads us to believe the false positive only occurs on WinXP workstations with SP3 installed.

Dennis indicated that for him it appears to only affect systems connected to the internet and/or non-domain members. Workstations on the domain with the bad DAT do not appear to be affected.

Here: http://isc.sans.org/diary.html?storyid=8656

Comments
Please Note..

Please read the announcement posted at McAfee's VirusScan Enterprise Forum:

'McAfee is aware of a w32/wecorl.a false positive with the 5958 DAT file dated April 21 at 2:00pm (GMT +1). McAfee advises NOT to download this DAT. Please disable pull tasks and update tasks.

Information updates will be given every 90 minutes through our Support Notification Service (SNS).

To sign up for SNS, go to: http://my.mcafee.com/content/SNS_Subscription_Center.

Update: McAfee has developed an EXTRA.DAT to suppress this detection. This EXTRA.DAT does NOT repair affected systems. See http://community.mcafee.com/docs/DOC-1374 for the EXTRA.DAT.

Details are in KB68780.'

See: EXTRA.DAT to suppress detection of Announcement: w32/wecorl.a false positive with the 5958 DAT file.

A New 5959 DAT Has Been Released

Download and install the newest one as soon as possible. For those with retail versions, it should update automatically, or you can select the "Update Now" option from the McAfee icon in the lower right corner. For those with corporate versions of McAfee, the downloadable SuperDAT installer can be downloaded from the link below. (The SuperDAT will NOT work on retail versions of McAfee antivirus.):

http://www.mcafee.com/apps/downloads/security_updates/dat.asp?region=us&segment=enterprise

Hope this helps.

Grif

Recover Option Given For Retail Home Users
Recovery Option Given For Corporate Users

For those corporate users who weren't able to recover easily, McAfee has released a Recovery Tool and Article about the issue. See the link below:

http://vil.nai.com/vil/5958_false.htm

Hope this helps...

Grif
