grimlock1 Absent Member.

Mcafee Enterprise users, warning...

The April 21st dat updates (5958.0000) (VirusScan 8.7i) are nuking all of
my systems by detecting a false positive in svchost and causing a system
shutdown. Lovely. Most people can barely get logged in before it
starts shutting down, so naturally they can't read any e-mail I want to
send them about how to work around this.

This is going to be a fan-freaking-tastic day...

Anonymous_User Absent Member.

Re: Mcafee Enterprise users, warning...

Thanks for the heads-up!

>>> Patrick Farrell<pfarrell@packereng.com> 4/21/2010 10:53 AM >>>

The April 21st dat updates (5958.0000) (VirusScan 8.7i) are nuking all of
my systems by detecting a false positive in svchost and causing a system
shutdown. Lovely. Most people can barely get logged in before it
starts shutting down, so naturally they can't read any e‑mail I want to
send them about how to work around this.

This is going to be a fan‑freaking‑tastic day...


Knowledge Partner

Re: Mcafee Enterprise users, warning...

grimlock;1964953 wrote:
> The April 21st dat updates (5958.0000) (VirusScan 8.7i) are nuking all of
> my systems by detecting a false positive in svchost and causing a system
> shutdown. Lovely. Most people can barely get logged in before it
> starts shutting down, so naturally they can't read any e-mail I want to
> send them about how to work around this.
>
> This is going to be a fan-freaking-tastic day...


Are you joking?!?!? If not then I need to go back to work and disable the repo pull that is scheduled after about 6 hours.

Thomas

grimlock1 Absent Member.

Re: Mcafee Enterprise users, warning...

On 4/21/2010 10:07 AM, Mary Matthews wrote:
> Thanks for the heads-up!


I had to pull it off our update server. I've verified this by manually
updating 2 systems that were running fine with the Apr 20 5957 dat's and
the moment I update them, BOOM. Unfortunately while my systems pull
from an internal box, I have them set to fall back to McAfee if they
can't get to the internal box, and some people logged in workstation
only so they couldn't hit the network repository and boom. 😞

Right now I'm only looking at a handful of systems, but it could get a
lot worse quickly. On hold with them now.

Knowledge Partner

Re: Mcafee Enterprise users, warning...

I asked in the McAfee forums if someone else has noticed the same behavior, let's see if there will be any responses.

McAfee Communities: System shutting down after latest DAT...

Thomas

Anonymous_User Absent Member.

Re: Mcafee Enterprise users, warning...

On 4/21/10 9:53 AM, Patrick Farrell wrote:
> The April 21st dat updates (5958.0000) (VirusScan 8.7i) are nuking all of
> my systems by detecting a false positive in svchost and causing a system
> shutdown. Lovely. Most people can barely get logged in before it starts
> shutting down, so naturally they can't read any e-mail I want to send
> them about how to work around this.
>
> This is going to be a fan-freaking-tastic day...


Anybody using McAfee kind of asked for it. (:P)

grimlock1 Absent Member.

Re: Mcafee Enterprise users, warning...

On 4/21/2010 10:16 AM, thsundel wrote:
>
> grimlock;1964953 Wrote:
>> The April 21st dat updates (5958.0000) (VirusScan 8.7i) are nuking all
>> of
>> my systems by detecting a false positive in svchost and causing a
>> system
>> shutdown. Lovely. Most people can barely get logged in before it
>> starts shutting down, so naturally they can't read any e-mail I want
>> to
>> send them about how to work around this.
>>
>> This is going to be a fan-freaking-tastic day...

>
> Are you joking?!?!? If not then I need to go back to work and disable
> the repo pull that is scheduled after about 6 hours.
>
> Thomas
>
>

No, I'm not joking.

It detects svchost.exe as being infected with w32/wecorl.a. Windows
then comes up and says it's shutting down because the dcom service
process launcher has terminated unexpectedly. I'm still in the hold
queue with McAfee support to talk to someone about this.

Now it's conceivable that my entire network was somehow infected with a
2 year old virus that somehow escaped McAfee's detection right up until
the updates today, but I doubt it.

Also, if I disable on access scan, and then reboot, it boots fine. I
can then scan svchost.exe and it scans clean. Re-enable, reboot, boom.

grimlock1 Absent Member.

Re: Mcafee Enterprise users, warning...

On 4/21/2010 10:24 AM, Matthew Good wrote:
> On 4/21/10 9:53 AM, Patrick Farrell wrote:
>> The April 21st dat updates (5958.0000) (VirusScan 8.7i) are nuking all of
>> my systems by detecting a false positive in svchost and causing a system
>> shutdown. Lovely. Most people can barely get logged in before it starts
>> shutting down, so naturally they can't read any e-mail I want to send
>> them about how to work around this.
>>
>> This is going to be a fan-freaking-tastic day...

>
> Anybody using McAfee kind of asked for it. (:P)


Don't get me started on what Norton does to systems. I'm less than
enthused with McAfee more and more lately. I certainly won't be going
with Symantec. Panda anyone?

grimlock1 Absent Member.

Re: Mcafee Enterprise users, warning...

On 4/21/2010 10:26 AM, thsundel wrote:
>
> I asked in the McAfee forums if someone else has noticed the same
> behavior, let's see if there will be any responses.
>
> 'McAfee Communities: System shutting down after latest DAT...'
> (http://community.mcafee.com/thread/24058)
>
> Thomas
>
>


Guess what. Others are seeing it too. You got replies already.

grimlock1 Absent Member.

Re: Mcafee Enterprise users, warning...

On 4/21/2010 10:16 AM, thsundel wrote:

> Are you joking?!?!? If not then I need to go back to work and disable
> the repo pull that is scheduled after about 6 hours.
>
> Thomas


Time to get in the car man... Or, set yourself up some remote access.



jmarton2 Absent Member.

Re: Mcafee Enterprise users, warning...

On Wed, 21 Apr 2010 14:53:03 +0000, Patrick Farrell wrote:

> Most people can barely get logged in before it
> starts shutting down, so naturally they can't read any e-mail I want to
> send them about how to work around this.


They won't be able to read your e-mails about the problem? How is this
different from a normal day? Don't tell me your users actually normally
read e-mails you send out!



--
Joe
With great power comes great responsibility.

Joe Marton Emeritus Knowledge Partner

Knowledge Partner

Re: Mcafee Enterprise users, warning...

grimlock;1964993 wrote:
> On 4/21/2010 10:16 AM, thsundel wrote:
>
>> Are you joking?!?!? If not then I need to go back to work and disable
>> the repo pull that is scheduled after about 6 hours.
>>
>> Thomas
>
> Time to get in the car man... Or, set yourself up some remote access.


Yep got many answers, time to get my as* off the sofa and back to work.

Many thanks for the heads up grimlock!

Thomas

jmarton2 Absent Member.

Re: Mcafee Enterprise users, warning...

On Wed, 21 Apr 2010 15:29:21 +0000, Patrick Farrell wrote:

> Don't get me started on what Norton does to systems. I'm less than
> enthused with McAfee more and more lately. I certainly won't be going
> with Symantec. Panda anyone?


So far Kaspersky seems fairly decent, though not perfect. Had a couple
of cases where it decided to quarantine grpwise.exe. That was fine, but
now I've got that defined as an exception so it will never mess with GW
again.



--
Joe
With great power comes great responsibility.

Joe Marton Emeritus Knowledge Partner

grimlock1 Absent Member.

Re: Mcafee Enterprise users, warning...

On 4/21/2010 10:48 AM, Joseph Marton wrote:
> On Wed, 21 Apr 2010 14:53:03 +0000, Patrick Farrell wrote:
>
>> Most people can barely get logged in before it
>> starts shutting down, so naturally they can't read any e-mail I want to
>> send them about how to work around this.

>
> They won't be able to read your e-mails about the problem? How is this
> different from a normal day? Don't tell me your users actually normally
> read e-mails you send out!
>


True.. I always set my e-mails to show all status, and I frequently see
"deleted" but not opened. Naturally those are the ones that call with
questions regarding what was in the e-mail.

Even if they read it, they usually read about one paragraph and then
call and ask me something that was farther down. I'll ask "Did you read
my e-mail?" Well part of it, but I decided to call instead.

Sigh.

CitrixDude Absent Member.

Re: Mcafee Enterprise users, warning...

Good lord!!

I just disabled Master Repository pull that was scheduled to get updates in 15 minutes... so I am currently at DAT 5957 (5958 is the BAD one I read).

This is insane.