w32/wecorl.a False Positive – Danke McAffen

Gestern Abend, plötzlich bei diversen Kunden und wenigen Rechnern in unserem Unternehmen: Reboot auf Reboot, Taskleiste funktioniert nicht, keine Netzwerkdienste und nur wenige Dienste gestartet. Was ist passiert? Der erste Gedanke eine neue Malware geht um und wird noch nicht von den Scanneren erkannt, aber in den Newstickern ist nicht zu finden. Also ging es selber auf die Fehlersuche und nach etwas umschauen ist der Fehler erkannt. McAfee hat die svchost.exe Datei in Windows XP Rechnern als schädliche Software erkannt und in die Quarantäne verschoben, deswegen funktioniert fast nichts auf den Rechnern.

Die Manuelle Lösung kam per Mail, kurz nachdem ich den Fehler schon selber eingegrenzt und am ersten Rechner behoben habe:

Emergency DAT 5959 has been posted and is available at http://www.mcafee.com/apps/downloads/security_updates/dat.asp. This file is available in English and is replicating in other languages. For MORE information, go to the 5958 DAT Report on http://vil.nai.com/vil/5958_false.htm.


================================
UPDATE (12:47pm US/CDT)

McAfee is aware that a number of corporate customers have incurred a false positive error due to incorrect malware alerts. Our initial investigation indicates that the error can result in moderate to significant performance issues on systems running Windows XP Service Pack 3.

The 5958 DAT has been removed from McAfee download servers, preventing any further impact to corporate customers. McAfee teams are working with the highest priority to support impacted customers and plan to provide an update virus definition file shortly. You can view information at https://kc.mcafee.com/corporate/index?elq_mid=2363&elq_cid=1499606&page=content&id=KB68780 (NOTE: system is currently slow) or the McAfee Community at http://community.mcafee.com/docs/DOC-1374/

We will notify you of an emergency update when available, or in 90 minutes.

================================
ORIGINAL EMAIL (11:06am US/CDT)

McAfee is aware of a w32/wecorl.a false positive with the 5958 DAT file April 21 at  2:00pm (GMT +1). McAfee advises NOT to download this DAT. Please disable pull tasks and update tasks.

Information updates will be sent every 90 minutes to keep you advised.

Die Mail mit einer Automatisierung hat McAfee heute morgen nachgereicht:

McAfee has developed a SuperDAT remediation Tool to restore the svchost.exe file on affected systems.

Q: What does the SuperDAT Remediation Tool Do?
A: The tool suppresses the driver causing the false positive by applying an Extra.dat file in c:program filescommonfilesmcafeeengine folder. It then restores the svchost.exe by looking first in %SYSTEM_DIR%dllcachesvchost.exe, if not present it will attempt a restore from %WINDOWS%servicepackfilesi386svchost.exe, if not present it will attempt a restore from quarantine. After the tool is run, the machine needs to be rebooted.

Recommended Recovery SuperDAT Procedure
1. From a machine that has Internet access, locate and download the Recovery SuperDAT at http://download.nai.com/products/mcafee-avert/tools/SDAT5958_EM.exe and save it to portable media.
2. Take the portable media to each affected machine and run the tool. If you are not able to run the tool on the affected machine, boot in safe mode
3. Execute the Recovery SuperDAT tool
4. Reboot in normal mode
5. Use the product update to update to 5959

For additional FAQs and information, go to https://kc.mcafee.com/corporate/index?elq_mid=2373&elq_cid=1499606&page=content&id=KB68780 which will remain up to date.

================================
UPDATE #4 (7:38pm US/CDT)

McAfee has published recovery procedures for the following two scenarios:
• Recommended Manual Recovery Procedure using the Extra DAT where DAT 5958 is currently installed
• Alternate Manual Recovery Procedure using DAT 5959 where DAT 5958 is currently installed
This information has been posted on http://vil.nai.com/vil/5958_false.htm and will be continuously updated as more information and procedures become available.

================================
UPDATE #3 (2:55pm US/CDT)

Emergency DAT 5959 has been posted and is available at http://www.mcafee.com/apps/downloads/security_updates/dat.asp. This file is available in English and is replicating in other languages. For MORE information, go to the 5958 DAT Report on http://vil.nai.com/vil/5958_false.htm.

================================
UPDATE #2 (12:47pm US/CDT)

McAfee is aware that a number of corporate customers have incurred a false positive error due to incorrect malware alerts. Our initial investigation indicates that the error can result in moderate to significant performance issues on systems running Windows XP Service Pack 3.
The 5958 DAT has been removed from McAfee download servers, preventing any further impact to corporate customers. McAfee teams are working with the highest priority to support impacted customers and plan to provide an update virus definition file shortly. You can view information at https://kc.mcafee.com/corporate/index?elq_mid=2373&elq_cid=1499606&page=content&id=KB68780 (NOTE: system is currently slow) or the McAfee Community at http://community.mcafee.com/docs/DOC-1374/
We will notify you of an emergency update when available, or in 90 minutes.

================================
ORIGINAL EMAIL (11:06am US/CDT)

McAfee is aware of a w32/wecorl.a false positive with the 5958 DAT file April 21 at 2:00pm (GMT +1). McAfee advises NOT to download this DAT. Please disable pull tasks and update tasks.

Information updates will be sent every 90 minutes to keep you advised.

UPDATE
Spät aber immerhin:

Heise: Signatur-Update von McAfee macht Windows-PCs unbenutzbar
Golem: McAfees Virenscanner legt Windows-Systeme lahm

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert.