Last Updated: 2006-03-14 15:49:13 UTC
by Patrick Nolan (Version: 3)
Update: 21:37 UTC - One of our readers, JD, tells us that McAfee has developed a tool that will restore files that were quarantined by DAT 4715. Customers are encouraged to contact their technical assistance manager. The tool may be posted on the McAfee website at some point (though it doesn't appear to be there for public download at the moment). --JAC
Update 2: 02:43 UTC 2006-03-13 - McAfee has released a list of (supposedly) all the files affected by DAT 4715. It includes some other interesting ones in addition to excel.exe, like setup.exe, uninstall.exe, shutdown.exe, and reg.exe to name just a few, but is clearly incomplete since it doesn't include any of the Oracle binaries that have been reported to be affected by some of our readers. The list can be found here. --JAC
Update 3: 15:48 UTC 2006-03-14 - The tool is now available. See here. --JAC
McAfee DAT 4716 corrects the problem, references W95/CTX and says:
"Users who have moved detected files to quarantine should restore them to their original location. Windows users who have had files deleted should restore files from backup or use System Restore.
VirusScan Online users can restore the falsely detected file from the Manage Quarantined Files."
ISC participants report excerpts:
"VirusScan Enterprise 8.0i
VirusScan Enterprise 7.1
VirusScan Enterprise 7.0
Managed VirusScan 4.0
Managed VirusScan 3.5
VirusScan Online 11
VirusScan Online 10
VirusScan 7.03 (consumer)
At this time you should cancel any scheduled on-demand scans until the release of the 4716 DATs."
"Some example files are graph9.exe and excel.exe from office 2000"
"...3700 files have been quarantined on over 100 pcs."
"We think McAfee's latest DAT file may be bad. They improved the detection for several variants of the W95/CTX virus, and now our scanners are detecting supposedly infected executables all over our network, including on an original Microsoft Office 11 CD. Our guess is that this is a false positive. If so, and your readers have quarantine or delete set as the default action, the Virusscan will do more damage than a real virus would."
"anything that was in the PATH environment variable was targeted."
"Not only did it attempt to remove files in the %ORACLE_HOME%\bin directory, but also in the .patch_storage folder - so as far as oracle files, this was not limited to the PATH environment variable."
"This was also capable of navigating mapped drives, so if you had a file server set up as a common install location, if filesystem permissions permitted modification of such files, you'll want to refresh the installation files from the downloaded, compressed source file."
"We had over 3700 quarantine events. I counted 297 individual file names."
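The readers above triaged the incident by tallying quarantine events, counting distinct file names, and working out which hit locations were on the PATH, on Oracle's .patch_storage tree, or on a network share. The script below is an added example (not code from the diary, McAfee, or any reader) of that triage over a constructed, simplified "host,action,path" CSV; the record layout, the hostnames and the PATH value are assumptions made for illustration and do not represent McAfee's real quarantine or log format.

```python
import csv
import io
import ntpath
from collections import Counter

# Constructed sample quarantine records (NOT McAfee's real format; layout assumed).
# Paths echo the kinds of files readers reported: Office binaries, reg.exe on the
# PATH, Oracle files under bin and .patch_storage, and an install share.
SAMPLE_EVENTS = """\
host,action,path
ws001,quarantined,C:\\Program Files\\Microsoft Office\\Office\\excel.exe
ws001,quarantined,C:\\Program Files\\Microsoft Office\\Office\\graph9.exe
ws002,quarantined,C:\\Program Files\\Microsoft Office\\Office\\excel.exe
ws002,deleted,C:\\WINDOWS\\system32\\reg.exe
db01,quarantined,D:\\oracle\\product\\10.2.0\\bin\\sqlplus.exe
db01,quarantined,D:\\oracle\\product\\10.2.0\\.patch_storage\\backup\\oracle.exe
ws003,quarantined,\\\\fileserver\\installs\\office2000\\setup.exe
"""

# Constructed PATH for a hypothetical affected host; a real triage would read
# each machine's own PATH rather than assume one value.
SAMPLE_PATH = r"C:\WINDOWS\system32;C:\WINDOWS;D:\oracle\product\10.2.0\bin"


def parse_events(text):
    """Parse the CSV records into a list of dicts with host/action/path keys."""
    return list(csv.DictReader(io.StringIO(text)))


def _norm(directory):
    # Windows paths compare case-insensitively; drop a trailing backslash too.
    return directory.rstrip("\\").lower()


def summarize(events, path_value):
    """Tally events by file name, host and action, and classify each hit's
    location as PATH directory, UNC share, or elsewhere (e.g. .patch_storage)."""
    path_dirs = {_norm(d) for d in path_value.split(";") if d}
    names = Counter()
    hosts = set()
    actions = Counter()
    in_path, off_path, network = [], [], []
    for ev in events:
        path = ev["path"]
        names[ntpath.basename(path).lower()] += 1
        hosts.add(ev["host"])
        actions[ev["action"]] += 1
        directory = _norm(ntpath.dirname(path))
        if path.startswith("\\\\"):
            # Hit on a share: reinstall media there should be refreshed from source.
            network.append(path)
        elif directory in path_dirs:
            in_path.append(path)
        else:
            off_path.append(path)
    return {
        "total": sum(names.values()),
        "distinct_names": len(names),
        "hosts": len(hosts),
        "actions": dict(actions),
        # Deleted files cannot be restored from quarantine; they need backup/System Restore.
        "deleted_need_restore": [ev["path"] for ev in events if ev["action"] == "deleted"],
        "in_path": in_path,
        "off_path": off_path,
        "network": network,
        "top_names": names.most_common(3),
    }


if __name__ == "__main__":
    report = summarize(parse_events(SAMPLE_EVENTS), SAMPLE_PATH)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The split between quarantined and deleted matters because, as the DAT 4716 note says, only quarantined files can be put back in place; deleted ones need a backup or System Restore. Hits off the PATH (here the .patch_storage entry) show why checking PATH alone, as one reader noted, is not enough.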