Knowledge Partner

Re: Mcafee Enterprise users, warning...

grimlock;1965097 wrote:
On 4/21/2010 12:49 PM, Chris Cox wrote:
> On Wed, 2010-04-21 at 14:53 +0000, Patrick Farrell wrote:
>> The April 21st dat updates (5958.0000) (VirusScan 8.7i) are nuking all of
>> my systems by detecting a false positive in svchost and causing a system
>> shutdown. Lovely. Most people can barely get logged in before it
>> starts shutting down, so naturally they can't read any e-mail I want to
>> send them about how to work around this.
>>
>> This is going to be a fan-freaking-tastic day...

>
> This attack from McAfee just took out a ton of our Win 98 boxes.
>
> 🙂 I'm glad I'm not the administrator of those.
>


Their forums are down now from the traffic.


And their knowledge base is also difficult to get to. Seems like many have been affected by this. It will be nice to see if they apologize with a press release.

Thomas
0 Likes
grimlock1 Absent Member.

Re: Mcafee Enterprise users, warning...

On 4/21/2010 1:06 PM, thsundel wrote:
>
> abibbas;1965084 Wrote:
>> Where is that extra.dat file?

>
> https://kc.mcafee.com/corporate/index?page=content&id=KB68780
>
> Thomas
>
>


Their forums are down right now 🙂

If you need the extra.dat just e-mail me and I'll send it.

0 Likes
grimlock1 Absent Member.

Re: Mcafee Enterprise users, warning...

On 4/21/2010 1:05 PM, Craig wrote:
> Are my DOS machines safe? I'm running MSAV.


Well, considering DOS doesn't have an svchost.exe, I'd say you are fine 🙂
0 Likes
Knowledge Partner

Re: Mcafee Enterprise users, warning...

On Wed, 21 Apr 2010 18:57:27 GMT
Patrick Farrell <pfarrell@packereng.com> wrote:

> On 4/21/2010 1:06 PM, thsundel wrote:
> >
> > abibbas;1965084 Wrote:
> >> Where is that extra.dat file?

> >
> > https://kc.mcafee.com/corporate/index?page=content&id=KB68780
> >
> > Thomas
> >
> >

>
> Their forums are down right now 🙂
>
> If you need the extra.dat just e-mail me and I'll send it.
>

Looks like they have a special page up.....
http://vil.nai.com/vil/5958_false.htm
http://download.nai.com/products/mcafee-avert/5958/extra.zip

--
Cheers Malcolm °¿° (Linux Counter #276890)
SUSE Linux Enterprise Desktop 11 (x86_64) Kernel 2.6.27.45-0.1-default
up 6 days 6:48, 4 users, load average: 0.12, 0.15, 0.32
GPU GeForce 8600 GTS Silent - CUDA Driver Version: 195.36.15

--
Cheers Malcolm °¿° SUSE Knowledge Partner
SUSE SLE, openSUSE Leap/Tumbleweed (x86_64) | GNOME DE
0 Likes
grimlock1 Absent Member.

Re: Mcafee Enterprise users, warning...

On 4/21/2010 9:53 AM, Patrick Farrell wrote:
> The April 21st dat updates (5958.0000) (VirusScan 8.7i) are nuking all of
> my systems by detecting a false positive in svchost and causing a system
> shutdown. Lovely. Most people can barely get logged in before it starts
> shutting down, so naturally they can't read any e-mail I want to send
> them about how to work around this.
>
> This is going to be a fan-freaking-tastic day...


Odd one.. On every system so far, it hasn't actually deleted svchost.exe.

I get a call from one of our guys offsite.. Machine takes forever to log
in, task bar is reduced to a line at the bottom of the screen and he
can't stretch it up, and his usb ports aren't working.

Sure enough svchost.exe is 0 bytes and it has the current defs.
Fortunately there's a backup copy in windows\system32\dllcache
0 Likes
Anonymous_User Absent Member.

Re: Mcafee Enterprise users, warning...

On Wed, 2010-04-21 at 18:16 +0000, thsundel wrote:
> grimlock;1965097 Wrote:
> > On 4/21/2010 12:49 PM, Chris Cox wrote:
> > > On Wed, 2010-04-21 at 14:53 +0000, Patrick Farrell wrote:
> > >> The April 21st dat updates (5958.0000) (VirusScan 8.7i) are nuking all of
> > >> my systems by detecting a false positive in svchost and causing a system
> > >> shutdown. Lovely. Most people can barely get logged in before it
> > >> starts shutting down, so naturally they can't read any e-mail I want to
> > >> send them about how to work around this.
> > >>
> > >> This is going to be a fan-freaking-tastic day...
> > >
> > > This attack from McAfee just took out a ton of our Win 98 boxes.
> > >
> > > 🙂 I'm glad I'm not the administrator of those.
> > >
> >
> > Their forums are down now from the traffic.
>
> And their knowledge base is also difficult to get to. Seems like many
> have been affected by this. It will be nice to see if they apologize
> with a press release.


We're using that extra.dat workaround with an old svchost file via
thumb drive to repair the laptops. Fortunately we stopped our ePO
server soon enough so that at least at our site, it's just a handful
for the moment.


0 Likes
grimlock1 Absent Member.

Re: Mcafee Enterprise users, warning...

On 4/21/2010 2:14 PM, Chris Cox wrote:

> We're using that extra.dat workaround with an old svchost file via
> thumb drive to repair the laptops. Fortunately we stopped our ePO
> server soon enough so that at least at our site, it's just a handful
> for the moment.


There should be a copy in windows\system32\dllcache

On the 1 system where I had to replace the svchost (which had 0 bytes)
that's where I pulled it from.



0 Likes
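The check described in the posts above (svchost.exe truncated to 0 bytes, intact copy under windows\system32\dllcache), written out as an added example that is not part of the original thread. The function names and the idea of pointing it at a local path, a mounted disk or an admin share are assumptions; only the two file locations come from the posts.

```python
import os
import shutil
from pathlib import Path

# Locations relative to the Windows directory, as given in the thread.
TARGET = Path("system32") / "svchost.exe"
BACKUP = Path("system32") / "dllcache" / "svchost.exe"


def triage_svchost(windows_dir, restore=False):
    """Classify svchost.exe under windows_dir and optionally restore it.

    Returns "ok", "damaged-no-backup", "damaged-restorable" or "restored".
    (Hypothetical helper; windows_dir is whatever path reaches the volume.)
    """
    root = Path(windows_dir)
    if not root.is_dir():
        # Unreachable volume is not the same finding as a damaged file.
        raise FileNotFoundError("Windows directory not found: %s" % root)
    target, backup = root / TARGET, root / BACKUP

    # A missing file is treated like the 0-byte file reported in the thread.
    if target.is_file() and target.stat().st_size > 0:
        return "ok"
    # Never restore from a backup that is itself missing or truncated.
    if not (backup.is_file() and backup.stat().st_size > 0):
        return "damaged-no-backup"
    if not restore:
        return "damaged-restorable"

    # Stage the copy next to the target, verify it, then swap it in, so a
    # failed copy never leaves a second truncated svchost.exe behind.
    staged = target.with_name(target.name + ".restore")
    shutil.copy2(backup, staged)
    if staged.stat().st_size != backup.stat().st_size:
        staged.unlink()
        raise OSError("staged copy is incomplete: %s" % staged)
    os.replace(staged, target)
    return "restored"


def triage_fleet(windows_dirs, restore=False):
    """Run triage_svchost over many roots; unreachable ones are reported."""
    report = {}
    for d in windows_dirs:
        try:
            report[str(d)] = triage_svchost(d, restore)
        except OSError as exc:
            report[str(d)] = "error: %s" % exc
    return report
```
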
Anonymous_User Absent Member.

Re: Mcafee Enterprise users, warning...

I think I heard Patrick Farrell say something like:

> This is going to be a fan-freaking-tastic day...


Yeah, what a lovely update, perfect way to interrupt our OES2 Linux
training

--
Stevo
0 Likes
Anonymous_User Absent Member.

Re: Mcafee Enterprise users, warning...

I think I heard CitrixDude say something like:

>
> So very true... THANK YOU for posting this warning. Seriously, Thank
> you very much!
>
> I would have had 200+ Servers and 3000 workstations with this issue
> right now.


It only seems to affect winxp sp3 machines, don't think your servers
would have been hit.

--
Stevo
0 Likes
ksulzberger Absent Member.

Re: Mcafee Enterprise users, warning...

We've had success so far with:

Apply Sdat5959.exe
ftp://ftp.nai.com/pub/antivirus/datfiles/4.x/


Then restore files which have been quarantined:
1. Open the VirusScan Console.
2. Double-click Quarantine Manager Policy.
3. Click the Manager tab.
4. Right-click the required item and select Restore.


> On 4/21/2010 9:53 AM, Patrick Farrell wrote:
>
>> The April 21st dat updates (5958.0000) (VirusScan 8.7i) are nuking all
>> of my systems by detecting a false positive in svchost and causing a
>> system shutdown. Lovely. Most people can barely get logged in before
>> it starts shutting down, so naturally they can't read any e-mail I
>> want to send them about how to work around this.
>>
>> This is going to be a fan-freaking-tastic day...
>>

> Odd one.. On every system so far, it hasn't actually deleted
> svchost.exe.
>
> I get a call from one of our guys offsite.. Machine takes forever to
> log in, task bar is reduced to a line at the bottom of the screen and
> he can't stretch it up, and his usb ports aren't working.
>
> Sure enough svchost.exe is 0 bytes and it has the current defs.
> Fortunately there's a backup copy in windows\system32\dllcache
>



0 Likes
grimlock1 Absent Member.

Re: Mcafee Enterprise users, warning...

On 4/21/2010 2:55 PM, Stevo wrote:

> It only seems to affect winxp sp3 machines, don't think your servers
> would have been hit.
>


Someone in here said it hit their win98 machines but they may just have
been joking 🙂

0 Likes
Anonymous_User Absent Member.

Re: Mcafee Enterprise users, warning...

I think I heard Patrick Farrell say something like:

> Someone in here said it hit their win98 machines but they may just
> have been joking 🙂


LOL! I did get asked about home machines running mcafee, I told them
to be prepared for a mess if their machine was left on & connected to
the web today.

--
Stevo
0 Likes