False positive detection of w32/wecorl.a in 5958 DAT

22 04 2010
Corporate KnowledgeBase ID: KB68780
Published: April 21, 2010

Environment

For details of all supported operating systems, see KB51109.

Summary

McAfee is aware of a w32/wecorl.a false positive with the 5958 DAT file that was released on April 21, 2010.

Background

For more background regarding the cause of this error, please see McAfee Response to DAT Version 5958 False Positive Error.

Problem

DCOM error, followed by shutdown messages after updating to the 5958 DAT on April 21, 2010.

Solution

The issue is resolved in the 5959 DAT file release (April 21, 2010), which is available from the McAfee Security Updates page at:

http://www.mcafee.com/apps/downloads/security_updates/dat.asp?region=us&segment=enterprise

NOTE: Posting of the 5959 DAT file is currently in progress. It may take several hours for the new DAT file to replicate out to all McAfee download servers.

IMPORTANT: If you are already affected by this issue, you must still either replace or restore svchost.exe. McAfee is continuing to work on an automated solution to fully resolve the issue for affected customers.

Please watch for updates on this issue, which will be sent on a timely basis through Support Notification Service (SNS) and Platinum Proactive notifications.

To subscribe to SNS, visit http://my.mcafee.com/content/SNS_Subscription_Center.

This article will be updated as additional information becomes available.

Recommended Manual Recovery Procedure using the Extra DAT where DAT 5958 is currently installed

  1. Locate the extra.dat from here and unzip it.
  2. Boot in safe mode with the “Network Option” enabled.
  3. Copy the Extra DAT into c:\program files\commonfiles\mcafee\engine.
  4. If svchost.exe exists in c:\windows\system32 and is not a 0-byte file, skip to step 5.
  5. If svchost.exe has been deleted, open the VSE console and open “Quarantine manager”. Click on the detection and select “Restore”.

     1) If the VSE console does not come up, run:

        C:\program files\mcafee\virusscan enterprise\mcconsol.exe /standalone

        This will open the VSE console. Click on the detection and select “Restore”.

     2) If steps 4 and 4.1 do not work, OR if svchost.exe is a 0-byte file:

        a. When possible, copy svchost.exe from the local C:\windows\ServicePackFiles\i386\svchost.exe or, if that is not present, from c:\windows\system32\dllcache\svchost.exe.
        b. Copy svchost.exe from an unaffected system running the same OS to the c:\windows\system32 directory, using external media (USB, CD, etc.).

        If “Paste” is grayed out, use the command prompt instead (Start -> Run -> cmd) and run:

        copy [source\file] [destination\folder]

        Example: copy x:\svchost.exe c:\windows\system32

  6. Reboot in normal mode.
  7. Use the product update to update to 5959.
  8. Delete the Extra DAT file in c:\program files\commonfiles\mcafee\engine.
Alternate Manual Recovery Procedure using DAT 5959 where DAT 5958 is currently installed

  1. Boot in safe mode with the “Network Option” enabled.
  2. If svchost.exe has not been deleted (look for c:\windows\system32\svchost.exe) and is not a 0-byte file, a network connection should be possible; skip to step 5.
  3. If svchost.exe has been deleted or is a 0-byte file, a network connection may not be possible.
  4. If svchost.exe has been deleted, open the VSE console and open “Quarantine manager”. Click on the detection and select “Restore”.

     1) If the VSE console does not come up, run:

        C:\program files\mcafee\virusscan enterprise\mcconsol.exe /standalone

        This will open the VSE console.

     2) If steps 4 and 4.1 do not work, OR if svchost.exe is a 0-byte file:

        a. When possible, copy svchost.exe from the local C:\windows\ServicePackFiles\i386\svchost.exe or, if that is not present, from c:\windows\system32\dllcache\svchost.exe.
        b. Copy svchost.exe from an unaffected system running the same OS to the c:\windows\system32 directory, using external media (USB, CD, etc.).

        If “Paste” is grayed out, use the command prompt instead (Start -> Run -> cmd) and run:

        copy [source\file] [destination\folder]

        Example: copy x:\svchost.exe c:\windows\system32

  5. Download the 5959 SuperDAT from here.
  6. Run the SuperDAT program.
  7. Reboot in normal mode.
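The svchost.exe check and restore that both manual recovery procedures above share (step 4/5 and sub-steps a/b: is the file missing or 0 bytes, and if so restore it from ServicePackFiles, dllcache or external media) can be scripted in cmd so it is done consistently on every affected machine. The batch script below is an added example and is not McAfee's own code; it assumes it is run from an elevated command prompt in Safe Mode on the affected system, that %SystemRoot% is the affected Windows directory, and that an optional first argument names a known-good svchost.exe from an unaffected system of the same OS on external media (e.g. x:\svchost.exe as in the article's example). The Quarantine Manager restore step is still done in the VSE console.

```batch
@echo off
rem Added example (not from the McAfee article): scripts the svchost.exe check and
rem restore from steps 4/5 and sub-steps a/b of the manual recovery procedures.
rem Assumptions: run from an elevated cmd prompt in Safe Mode; %SystemRoot% is the
rem affected Windows directory; optional %1 is a known-good svchost.exe from an
rem unaffected system of the same OS on external media, e.g. x:\svchost.exe.
setlocal
set "TARGET=%SystemRoot%\system32\svchost.exe"

rem Step 4: an existing svchost.exe that is not 0 bytes needs no replacement.
if exist "%TARGET%" (
    for %%F in ("%TARGET%") do if %%~zF GTR 0 (
        echo svchost.exe present, %%~zF bytes - no copy needed; continue with the VSE console steps.
        exit /b 0
    )
    echo svchost.exe is a 0-byte file - replacing it.
) else (
    echo svchost.exe is missing - replacing it.
)

rem Sub-step a: prefer the local ServicePackFiles copy, then the dllcache copy.
for %%S in ("%SystemRoot%\ServicePackFiles\i386\svchost.exe" "%SystemRoot%\system32\dllcache\svchost.exe") do (
    if exist "%%~S" (
        for %%F in ("%%~S") do if %%~zF GTR 0 (
            copy /y "%%~S" "%TARGET%" >nul && echo Restored from %%~S && goto verify
        )
    )
)

rem Sub-step b: fall back to the copy supplied from external media, if one was given.
if not "%~1"=="" if exist "%~1" (
    copy /y "%~1" "%TARGET%" >nul && echo Restored from %~1 && goto verify
)
echo No usable svchost.exe source found - copy one from an unaffected system and re-run with its path.
exit /b 1

:verify
for %%F in ("%TARGET%") do echo Verified %TARGET% is %%~zF bytes.
exit /b 0
```

The script exits 0 when svchost.exe is in place and non-empty and 1 when no usable source was found, so it can be run from a recovery checklist and its result recorded per machine.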

Related Information

Threat Center (McAfee Avert Labs) http://www.mcafee.com/us/threat_center/
Search the Threat Library http://vil.nai.com/
Submit a virus sample https://www.webimmune.net/default.asp
Security updates and DAT files http://www.mcafee.com/apps/downloads/security_updates/dat.asp?region=us&segment=enterprise

For additional information about EXTRA.DAT files, see KB68759.

To deploy the EXTRA.DAT via ePO 4.0 (KB52977)

Step 1 – Check in the EXTRA.DAT

NOTES:

  • You cannot check in packages while any pull or replication tasks are in progress.
  • If your environment requires testing new packages before deploying them, McAfee recommends using the Evaluation branch. After you finish testing the packages, you can move them to the Current branch on the Software, Master Repository tab.
  1. Log on to the ePO 4.0 console. To open a remote console through Internet Explorer, type one of the URLs below in your browser:
     https://<servername>:8443
     https://<ipaddress_of_server>:8443
  2. Click the Software, Master Repository tabs.
  3. Click Check In Package.
  4. Select extra.DAT.
  5. Click Browse and locate the downloaded extra.DAT, then click Open.
  6. Click Next. Information is displayed about the Extra.DAT you are about to add to the repository.
  7. Click Next.
  8. Select the branch where you want to add the extra.DAT. The default branch is Current.
  9. Click Save. The Extra.DAT will now be listed under Packages in the Master Repository list on the Master Repository page.
  10. Run a Repository Replication task to distribute the Extra.DAT file out to all distributed or remote repositories.

Step 2 – Deploy the EXTRA.DAT

  1. Create a new ePolicy Orchestrator Agent Update task, and set the schedule to Run Immediately.
  2. Perform an Agent Wakeup call to send the new Update task to your clients and apply the extra.DAT.

NOTE: If you prefer, you can reschedule an existing ePO Agent update task to deploy the extra.DAT.

To deploy the EXTRA.DAT via ePO 4.5 (KB67602)

Step 1 – Check in the EXTRA.DAT

NOTES:

  • You cannot check in packages while any pull or replication tasks are running.
  • If your environment requires testing new packages before deploying them, McAfee recommends using the Evaluation branch. After you finish testing the packages, move them to the Current branch on the Software, Master Repository tab.
  1. Log on to the ePO 4.5 console. To open a remote console through Internet Explorer, type one of the URLs below in your browser:
     https://<servername>:8443
     https://<ipaddress_of_server>:8443
  2. Click Menu, Software, Master Repository.
  3. Click Actions and select Check In Package.
  4. Select extra.DAT.
  5. Click Browse and locate the EXTRA.DAT, then click Open.
  6. Click Next. Information is displayed about the extra.DAT you are about to add to the repository.
  7. Click Next.
  8. Select the branch where you want to add the extra.DAT. The default branch is Current.
  9. Click Save. The extra.DAT will now be listed under Packages in the Master Repository list on the Master Repository page.
  10. If you have distributed repositories, run a Repository Replication task to distribute the extra.DAT to all Distributed or Remote repositories.

Step 2 – Deploy the extra.DAT

  1. Create a new ePolicy Orchestrator Agent Update task, and set the schedule to Run Immediately.
  2. Perform an Agent Wakeup call to send the new Update task to your clients and apply the extra.DAT.

NOTE: If you prefer, you can reschedule an existing ePO Agent update task to deploy the extra.DAT.
