Bad DAT (5958) from McAfee

21 04 2010

After receiving today’s news about the bad DAT file that McAfee released, I decided to write up a quick instruction set on how to reverse the changes until McAfee releases a more formal fix via a new DAT file.

Message sent out from McAfee today:

“McAfee is aware of a w32/wecorl.a false positive with the 5958 DAT file April 21 at 2:00pm (GMT +1), which is affecting numerous customers.

McAfee advises customers NOT to download this DAT and to disable automatic pull and update tasks.

Watch for updates on this issue, which will be sent on a timely basis”

Here are my recommended quick-fix steps for reversing the DAT and restoring any affected files:

Step One:

From ePO, delete the bad DAT file from the master repository.

Step Two:
In the system tree, choose My Organization at the top. Select the Client Tasks tab and create a new task. Select Restore from Quarantine, then click Next.
Enter the name of the file that is subject to the bad DAT (W32/Wecorl.a), then click Next and save the task. This restores the file to its original location in the file system in case it is needed.

Step Three:
Open the McAfee Agent Policy.
Click on the Updates tab.
Ensure the DAT File Downgrade option is selected.

Step Four:
Run a repository replication task. If possible, run it manually and select only DAT files for replication to reduce WAN bandwidth usage.

Step Five:
Issue a wakeup call for small sites. Be sure to use randomization. If this is not possible, just let the systems check in on their scheduled Agent to Server Communication Interval. When the machines check in to ePO, they will roll back their DAT files because the DAT version on the master repository is older than their current version.

After a day or so, remove the task so that it doesn’t pose any issues in the future.
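
One way to check that the rollback in Step Five has taken effect, as an added example (not part of the original post and not McAfee tooling): it reads a host inventory export and separates machines on DAT 5958 that have already checked in since the repository was corrected from machines that are still waiting to check in. The CSV layout, column names, hostnames and timestamps are constructed assumptions.

```python
import csv
import io
from datetime import datetime

BAD_DAT = 5958  # DAT version named in McAfee's notice

# Constructed sample export; the column names are assumptions, not an ePO format.
SAMPLE_EXPORT = """hostname,dat_version,last_communication
ws-001,5957,2010-04-21T18:40:00
ws-002,5958,2010-04-21T18:55:00
ws-003,5958,2010-04-21T13:10:00
srv-010,5957,2010-04-21T12:00:00
"""


def classify_hosts(export_text, repo_fixed_at, bad_dat=BAD_DAT):
    """Group hosts by rollback state.

    repo_fixed_at is when the bad DAT was removed from the master
    repository and replication finished (Steps One and Four).
    """
    result = {"ok": [], "still_bad": [], "awaiting_checkin": []}
    for row in csv.DictReader(io.StringIO(export_text)):
        host = row["hostname"].strip()
        version = int(row["dat_version"])
        last_seen = datetime.fromisoformat(row["last_communication"].strip())
        if version != bad_dat:
            # Never took the bad DAT, or has already moved off it.
            result["ok"].append(host)
        elif last_seen >= repo_fixed_at:
            # Checked in after the fix but did not downgrade: review the
            # DAT File Downgrade policy and replication for this host.
            result["still_bad"].append(host)
        else:
            # Has not contacted ePO since the fix; the rollback is pending.
            result["awaiting_checkin"].append(host)
    return result


if __name__ == "__main__":
    fixed_at = datetime(2010, 4, 21, 18, 0, 0)  # constructed timestamp
    for state, hosts in classify_hosts(SAMPLE_EXPORT, fixed_at).items():
        print(f"{state}: {', '.join(hosts) or '-'}")
```

Hosts in `still_bad` are the ones to investigate first, since they have talked to ePO after the repository change and kept the bad DAT anyway.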

