SANS ISC: McAfee DAT 5958 Update Issues - SANS Internet Storm Center

McAfee DAT 5958 Update Issues

McAfee's "DAT" file version 5958 is causing widespread problems with Windows XP SP3. Affected systems enter a reboot loop and lose all network access. We have individual reports of other versions of Windows being affected as well; however, only particular configurations of those versions appear to be affected. The bad DAT file hits standalone workstations as well as workstations joined to a domain. The use of "ePolicyOrchestrator" (ePO), which is used to push DAT files to machines across an enterprise network, appears to have led to a faster spread of the bad DAT file. ePO cannot be used to undo the bad signature, because affected systems lose network connectivity.

The problem is a false positive: the signature identifies a regular Windows binary, "svchost.exe", as the virus "W32/Wecorl.a". If you are affected, you will see a message like:

The file C:\WINDOWS\system32\svchost.exe contains the W32/Wecorl.a Virus.
Undetermined clean error, OAS denied access and continued.
Detected using Scan engine version 5400.1158 DAT version 5958.0000.

McAfee released an updated DAT file and an "EXTRA.DAT" file to fix the problem. An EXTRA.DAT file is a patch that only corrects the bad signature. McAfee's support web sites currently respond slowly and are down at times, likely due to the increased load caused by this issue.

Several readers reported that this procedure worked to recover:

1 - Boot the system in "Safe Mode".
2 - Copy extra.dat into c:/program files/common files/mcafee/engine.
3 - Reboot.

If you lost "svchost.exe", you also need to copy it back to c:/Windows/system32/svchost.exe while still in Safe Mode.
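The recovery procedure above, scripted as an added example for a Safe Mode command prompt; it is not McAfee's or the diary's own script. It assumes EXTRA.DAT and a known-good svchost.exe from an unaffected XP SP3 machine were copied to a USB stick (drive letter E: and the folder name mcafee5958 are assumptions), and it first tries the Windows File Protection cache in system32\dllcache before using the USB copy.

```batch
@echo off
rem Added recovery helper (not McAfee's or the diary's own script).
rem Assumptions: run from cmd.exe in Safe Mode as an administrator; a USB stick
rem (drive E:, folder mcafee5958 - both assumed) holds EXTRA.DAT and a clean
rem svchost.exe copied from an unaffected Windows XP SP3 machine.
setlocal
set "SRC=E:\mcafee5958"
set "ENGINE=C:\Program Files\Common Files\McAfee\Engine"
set "SYS32=%SystemRoot%\system32"

if not exist "%SRC%\EXTRA.DAT" (
    echo [!] %SRC%\EXTRA.DAT not found - copy it to the USB stick first.
    goto :fail
)
if not exist "%ENGINE%\" (
    echo [!] McAfee engine folder not found at "%ENGINE%".
    goto :fail
)

rem Step 2 of the diary: drop EXTRA.DAT beside the engine so the bad 5958
rem signature is overridden on the next scan.
copy /Y "%SRC%\EXTRA.DAT" "%ENGINE%\EXTRA.DAT" >nul || goto :fail
echo [+] EXTRA.DAT installed in "%ENGINE%".

rem Restore svchost.exe only if the scanner removed it. Prefer the Windows
rem File Protection cache (dllcache) if it still holds a copy, else use USB.
if exist "%SYS32%\svchost.exe" (
    echo [+] svchost.exe is still present, nothing to restore.
) else if exist "%SYS32%\dllcache\svchost.exe" (
    copy /Y "%SYS32%\dllcache\svchost.exe" "%SYS32%\svchost.exe" >nul || goto :fail
    echo [+] svchost.exe restored from dllcache.
) else if exist "%SRC%\svchost.exe" (
    copy /Y "%SRC%\svchost.exe" "%SYS32%\svchost.exe" >nul || goto :fail
    echo [+] svchost.exe restored from the USB stick.
) else (
    echo [!] svchost.exe is missing and no clean copy was found.
    goto :fail
)

echo [+] Done. Reboot normally and confirm the DAT version is newer than 5958.
endlocal
exit /b 0

:fail
echo [!] Recovery incomplete - do not reboot into normal mode yet.
endlocal
exit /b 1
```

The script stops before touching anything further if EXTRA.DAT or the engine folder is missing, so a half-applied fix is not left behind on a machine that will be rebooted into normal mode.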

Additional information from McAfee: http://community.mcafee.com/thread/24056?tstart=0
McAfee Knowledgebase Article: https://kc.mcafee.com/corporate/index?page=content&id=KB68780
EXTRA.DAT file: http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=265240.

THANKS TO ALL THE CONTRIBUTORS! We have too many to mention here. Please keep the reports coming using our contact page: http://isc.sans.org/contact.html

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

Guy

405 Posts
ISC Handler
It deletes the svchost.exe. So that means no networking when the machine comes back up. So roll back is going to involve a USB stick and a new pair of shoes after walking to 1000 hosts :(
Peter P

8 Posts
We're seeing this issue as well. Only SP3 so far. We were able to stop the spread of the bad DAT file with our ePO server and were able to push out the old DAT that helped some of our machines. We also had some laptop users get the DAT file from home or while coming into the office.

One fix is to delete the bad DAT file on the client at "C:\Program Files\Common Files\McAfee\Engine". Delete any av*.dat. Then reboot and the old DAT should be grabbed.

We now have about 100 machines that are in a reboot loop. It looks like svchost.exe is in quarantine.
Anonymous


I can remember such a poisonous update about 10 years ago, and we flushed McAfee right there and then for Symantec.
Anonymous

Took out almost all of our 600 users in head office and call centers.. What a mess....
Having to touch each machine to get it back...
Anonymous

We have a fix for this issue; you can find it in my blog post at http://cosine-security.blogspot.com/2010/04/mcafee-dat-5958-fix.html
TheLightCosine

5 Posts
I just configured our policy to exclude "svchost.exe" for virus scan to avoid this problem.

We have not been affected yet. Do you think this will work?
Anonymous

None of our XP SP3 machines seem to be affected by it yet. All but 12 are now at the 5959 level, and I dropped the extra.dat in the ePO repository as well.
Anonymous

We have an evaluation group of systems set up to receive DATs before rolling them out to production. The model has served us well.
Anonymous

Update to the fix I originally posted on my blog. There appears to be a 'safer' way to recover the svchost binary. While it is a less convenient method, it is probably the best way. More at:
http://cosine-security.blogspot.com/2010/04/mcafee-5958-dat-issue-fix-update.html
TheLightCosine

5 Posts
I got a problem around 13:00. It is not like reported in this blog, but svchost.exe has been deleted and Windows got into real trouble.

No reboot loop, no message, but almost nothing was working. IE not accessible. Applications working with Windows XP SP3 not running.

I contacted Technical Support by chat on another machine (without McAfee) and I was never told that there was any problem with the latest update, although I asked directly. I finally found how to fix my computer through a blog. I was lucky, but I am angry because McAfee never said that there was a problem, on the web site, Technical Support or other media.

And the telephone center ... what an annoying thing! Sales centered, not client centered.
Anonymous

I have no idea how my firm dodged this bullet. We are currently sitting on version 5960 and use Sonicwall to push our updates out to the workstations.
When the news broke, I was cringing waiting for the phone to start ringing off the hook.....silence IS golden!
Anonymous

I ran into a problem with one of our computers. I hadn't read this article yet. And so, when I discovered that one of our systems was missing its network connections, I attempted to repair the operating system using a Windows setup disk. The repair made it to the Installing Devices portion and then rebooted. Now the system is stuck in an endless boot loop in the middle of the repair. I have tried going into safe mode. It does not matter what I do; it wants to continue running the repair, but it can't. Now that I know about the McAfee problem, I could fix it if I could just get back to the desktop. Do you have any suggestions for breaking out of the Windows XP Repair loop?
Anonymous

We are dumping McAfee; we had over 3000 machines go down, and almost half had svchost.exe deleted.
Anonymous


- http://www.symantec.com/connect/blogs/malware-authors-taking-advantage-mcafee-false-positive
April 22, 2010 - "... We have seen poisoned search results since the problem first surfaced. Search terms such as McAfee, 5958, or DAT are returning results that can lead to malicious and fake antivirus scan sites, resulting in the installation of malware... This attack by the malware creators is quite insidious since many of the people searching for information about this problem are most likely already affected by the problem and are looking for a solution using another computer..."
Jack

160 Posts
I've written an open source fix for this McAfee problem. You can find it at: http://minjs.org/svchostfix/
Anonymous

I found this post that helped me fix all my machines that were affected by the faulty McAfee 5958 update. It really helped.

http://links.maas360.com/mcafee5958recover
Anonymous

I had that issue back in 2010 with my then new Dell Inspiron laptop running the new Windows 7, and I had to spend $600 with a Dell technical support agent for them to remotely remove all traces of McAfee from the laptop and install Norton 360. If it was an issue with McAfee, why did I have to pay that money myself for the repairs?
Anonymous

The SANS forums really need some kind of protection against thread necromancy...
Seriously.. 6 years? How'd you even stumble upon such an old post..
Visi

39 Posts