mcafee DAT 5958 false positive

LoLth · 22-04-2010 11:27AM #1

updates to McAfee yesterday caused SVCHOST.exe to be detected as infected with wercoil.a

http://isc.sans.org/diary.html?storyid=8656

yay! macafee have released an updated DAT file 5959 which corrects this issue.

Ash.J.Williams · 22-04-2010 02:22PM

LoLth wrote: »

updates to McAfee yesterday caused SVCHOST.exe to be detected as infected with wercoil.a

http://isc.sans.org/diary.html?storyid=8656

yay! macafee have released an updated DAT file 5959 which corrects this issue.

Indeed, Had 4 pc's effected today. Obtained the correct DAT and replace svchost with a clean one from another pc, or from C:\windows\servicepackfiles....major inconvenience.

LoLth · 22-04-2010 04:09PM

restoring the affected file from quarantine also works (assuming you can get the thing to boot)

LoGiE · 22-04-2010 05:26PM

Not fun when 300 pc's get bricked with there nics disappearing.... I just hope some of the people in their test lab are clearing there desks this morning.

ICN · 22-04-2010 08:58PM

Pain in the Hole.

My Windows XP Laptop is now running with a Windows 2000 theme.

Nothing opens up / works in general - yada yada yada..

I had all that NT stuff & shutting down etc.. only to be replaced by that. Great.

Read a few comments on their w.site. A Guy handing in all his final stuff for college had his PC nuked & he's obviously stressing out a little now..

McAfee's "apology" was / is a joke..

http://siblog.mcafee.com/support/mcafee-response-on-current-false-positive-issue/

Just love McAfee :rolleyes:

Definitely changing over to something else now after this.

Any recommendations?

ICN · 22-04-2010 09:38PM

Back up & running now after about 10mins.

Wasnt too bad in the end - but my heart goes out to anyone who doesnt know how to fix a computer by themselves.

Bet theres a load of confused oldies around the country tonight with PC's from Harvey Norman & PC world that dont know WTF is going on.. except that its one more reason to hate technology.

LoLth · 23-04-2010 09:09AM

Yep, its a good point on the oldies but it applies to almost everyone.

There have been a few of these "dodgy" AV updates recently and a lot more than there were say 5 years ago. Add to that the AVG linkscanner blocking innocent links before you even clicked on them and in doing so registerign your IP as having made a page impression ("so you're saying that I *did* visit the KKK website? when?"

It brings to light the whole issue of trusting a third party and also raises the issue of having time to test new rollouts vs responding in a timely manner. Up to now I would think that the majority of IT departments would have trusted that companies like McAfee do thorough testing and only do a cursory check , if any, to make sure the update goes accordign to plan. I wonder how many security policies are being changed now to add a delay to the general rollout of new DAT files to give a test machine time not to implode.

mcafee DAT 5958 false positive

Comments