grimlock1 Absent Member.

McAfee Enterprise users, warning...

The April 21st dat updates (5958.0000) (VirusScan 8.7i) are nuking all of
my systems by detecting a false positive in svchost and causing a system
shutdown. Lovely. Most people can barely get logged in before it
starts shutting down, so naturally they can't read any e-mail I want to
send them about how to work around this.

This is going to be a fan-freaking-tastic day...

Anonymous_User Absent Member.

Thanks for the heads-up!

>>> Patrick Farrell <pfarrell@packereng.com> 4/21/2010 10:53 AM >>>

The April 21st dat updates (5958.0000) (VirusScan 8.7i) are nuking all of
my systems by detecting a false positive in svchost and causing a system
shutdown. Lovely. Most people can barely get logged in before it
starts shutting down, so naturally they can't read any e-mail I want to
send them about how to work around this.

This is going to be a fan-freaking-tastic day...


Knowledge Partner

> grimlock;1964953 wrote:
> The April 21st dat updates (5958.0000) (VirusScan 8.7i) are nuking all of
> my systems by detecting a false positive in svchost and causing a system
> shutdown. Lovely. Most people can barely get logged in before it
> starts shutting down, so naturally they can't read any e-mail I want to
> send them about how to work around this.
>
> This is going to be a fan-freaking-tastic day...


Are you joking?!?!? If not then I need to go back to work and disable the repo pull that is scheduled after about 6 hours.

Thomas

grimlock1 Absent Member.

On 4/21/2010 10:07 AM, Mary Matthews wrote:
> Thanks for the heads-up!


I had to pull it off our update server. I've verified this by manually
updating 2 systems that were running fine with the Apr 20 5957 dat's and
the moment I update them, BOOM. Unfortunately while my systems pull
from an internal box, I have them set to fall back to McAfee if they
can't get to the internal box, and some people logged in workstation
only so they couldn't hit the network repository and boom. 😞

Right now I'm only looking at a handful of systems, but it could get a
lot worse quickly. On hold with them now.

Knowledge Partner

I asked in the McAfee forums if someone else has noticed the same behavior, let's see if there will be any responses.

McAfee Communities: System shutting down after latest DAT...

Thomas

Anonymous_User Absent Member.

On 4/21/10 9:53 AM, Patrick Farrell wrote:
> The April 21st dat updates (5958.0000) (VirusScan 8.7i) are nuking all of
> my systems by detecting a false positive in svchost and causing a system
> shutdown. Lovely. Most people can barely get logged in before it starts
> shutting down, so naturally they can't read any e-mail I want to send
> them about how to work around this.
>
> This is going to be a fan-freaking-tastic day...


Anybody using McAfee kind of asked for it. (:P)

grimlock1 Absent Member.

On 4/21/2010 10:16 AM, thsundel wrote:
>
> grimlock;1964953 Wrote:
>> The April 21st dat updates (5958.0000) (VirusScan 8.7i) are nuking all
>> of my systems by detecting a false positive in svchost and causing a
>> system shutdown. Lovely. Most people can barely get logged in before it
>> starts shutting down, so naturally they can't read any e-mail I want
>> to send them about how to work around this.
>>
>> This is going to be a fan-freaking-tastic day...

>
> Are you joking?!?!? If not then I need to go back to work and disable
> the repo pull that is scheduled after about 6 hours.
>
> Thomas
>
>

No, I'm not joking.

It detects svchost.exe as being infected with w32/wecorl.a. Windows
then comes up and says it's shutting down because the dcom service
process launcher has terminated unexpectedly. I'm still in the hold
queue with McAfee support to talk to someone about this.

Now it's conceivable that my entire network was somehow infected with a
2 year old virus that somehow escaped McAfee's detection right up until
the updates today, but I doubt it.

Also, if I disable on access scan, and then reboot, it boots fine. I
can then scan svchost.exe and it scans clean. Re-enable, reboot, boom.

grimlock1 Absent Member.

On 4/21/2010 10:24 AM, Matthew Good wrote:
> On 4/21/10 9:53 AM, Patrick Farrell wrote:
>> The April 21st dat updates (5958.0000) (VirusScan 8.7i) are nuking all of
>> my systems by detecting a false positive in svchost and causing a system
>> shutdown. Lovely. Most people can barely get logged in before it starts
>> shutting down, so naturally they can't read any e-mail I want to send
>> them about how to work around this.
>>
>> This is going to be a fan-freaking-tastic day...

>
> Anybody using McAfee kind of asked for it. (:P)


Don't get me started on what Norton does to systems. I'm less than
enthused with McAfee more and more lately. I certainly won't be going
with Symantec. Panda anyone?

grimlock1 Absent Member.

On 4/21/2010 10:26 AM, thsundel wrote:
>
> I asked in the McAfee forums if someone else has noticed the same
> behavior, let's see if there will be any responses.
>
> 'McAfee Communities: System shutting down after latest DAT...'
> (http://community.mcafee.com/thread/24058)
>
> Thomas
>
>


Guess what. Others are seeing it too. You got replies already.

grimlock1 Absent Member.

On 4/21/2010 10:16 AM, thsundel wrote:

> Are you joking?!?!? If not then I need to go back to work and disable
> the repo pull that is scheduled after about 6 hours.
>
> Thomas


Time to get in the car man... Or, set yourself up some remote access.



jmarton2 Absent Member.

On Wed, 21 Apr 2010 14:53:03 +0000, Patrick Farrell wrote:

> Most people can barely get logged in before it
> starts shutting down, so naturally they can't read any e-mail I want to
> send them about how to work around this.


They won't be able to read your e-mails about the problem? How is this
different from a normal day? Don't tell me your users actually normally
read e-mails you send out!



--
Joe
With great power comes great responsibility.

Joe Marton Emeritus Knowledge Partner

Knowledge Partner

> grimlock;1964993 wrote:
> On 4/21/2010 10:16 AM, thsundel wrote:
>
>> Are you joking?!?!? If not then I need to go back to work and disable
>> the repo pull that is scheduled after about 6 hours.
>>
>> Thomas
>
> Time to get in the car man... Or, set yourself up some remote access.


Yep got many answers, time to get my as* off the sofa and back to work.

Many thanks for the heads up grimlock!

Thomas