[CCoE Notice] New McAfee Agent installation

Luong, Kiet A KDLuong at Central.UH.EDU
Wed Apr 21 16:01:42 CDT 2010


Good afternoon,

 

Following an announcement by McAfee that one of its regularly scheduled
virus definition (DAT files) updates caused shutdown and bluescreen
problems, we will be installing a McAfee agent on all Cullen College of
Engineering supported Windows systems to help maintain control of virus
definition updates and McAfee application updates to help prevent spread
of future bad DAT files and to make sure all machines will have
up-to-date versions of the antivirus application.  The new agent will
cause the McAfee icon to look a little bit different (bottom right
corner).  This agent should assist us in scheduling the virus definition
update and deployment.  There is no action on your part to remedy this
problem, but we will be remotely (and discreetly) installing the McAfee
agent on all college supported Windows computers.

If you experience unusual symptoms that render your computer unusable,
please let me know immediately so we can get your system back in service
as soon as possible.

The problem was widespread on this campus, but so far, we've only seen a
few instances of it in our college.  Instead of providing a link, I will
post the contents of the announcement from the McAfee website below.
Thank you.

 

 


False positive detection of w32/wecorl.a in 5958 DAT


 

Corporate KnowledgeBase ID: KB68780

Published: April 21, 2010

  


Environment 


For details of all supported operating systems, see KB51109


Summary 


McAfee is aware of a w32/wecorl.a false positive with the 5958 DAT file
that was released on April 21, 2010.


Problem 


Blue screen or DCOM error, followed by shutdown messages after updating
to the 5958 DAT on April 21, 2010.


Solution 


The issue is resolved in the 5959 DAT file release (April 21, 2010),
which is available from the McAfee Security Updates page at:

http://www.mcafee.com/apps/downloads/security_updates/dat.asp?region=us&segment=enterprise

NOTE: Posting of the 5959 DAT file is currently in progress. It may take
several hours for the new DAT file to replicate out to all McAfee
download servers.  

 

IMPORTANT: If you are already affected by this issue, you must still
either replace or restore svchost.exe.  See Workaround 2 below. McAfee
is continuing to work on an automated solution to fully resolve the
issue for affected customers.


Please watch for updates on this issue, which will be sent on a timely
basis through Support Notification Service (SNS) and Platinum Proactive
notifications.

To subscribe to SNS, visit
http://my.mcafee.com/content/SNS_Subscription_Center.

This article will be updated as additional information becomes
available.

 


Workaround 1 


McAfee has developed an EXTRA.DAT to suppress this detection. The file
is attached to this article. This EXTRA.DAT does not fix the issue, it
only suppresses the detection.

Apply the EXTRA.DAT to all potentially affected systems as soon as
possible.

For systems that have already encountered this issue, start the computer
in Safe Mode and apply the EXTRA.DAT. After applying the EXTRA.DAT,
restore the affected files from Quarantine.
  

IMPORTANT:  For VirusScan Enterprise 8.5i and later,  an Access
Protection feature must be temporarily disabled before proceeding:

1.	Click Start, Programs, McAfee, VirusScan Console. 
2.	Right-click Access Protection and select Disable. 
3.	Apply the EXTRA.DAT as described below. 
4.	Right-click Access Protection and select Enable. 

 

To apply the EXTRA.DAT locally: 

1.	Download the EXTRA.ZIP file attached to this article and extract
the EXTRA.DAT file. 
2.	Click Start, Run, type services.msc and click OK. 
3.	Right-click the McAfee McShield service and select Stop. 
4.	Copy the EXTRA.DAT file to the following location:
	
	<installation drive>\Program Files\Common Files\McAfee\Engine 
	
	  
5.	In the Services window, right-click McAfee McShield and select
Start. 

For instructions on how to deploy the EXTRA.DAT through ePolicy
Orchestrator (ePO), see: 

*	ePO 4.0 - KB52977 (click HERE
<http://vil.nai.com/vil/5958_false.htm?elq_mid=2363&elq_cid=1446548#KB52977>
to see the relevant instructions below)

*	ePO 4.5 - KB67602 (click HERE
<http://vil.nai.com/vil/5958_false.htm?elq_mid=2363&elq_cid=1446548#KB67602>
to see the relevant instructions below)


To restore files from Quarantine locally:

1.	Open the VirusScan Console. 
2.	Double-click Quarantine Manager Policy. 
3.	Click the Manager tab. 
4.	Right-click the required item and select Restore. 

For additional information, see the VirusScan Enterprise Product Guide
for your version of VirusScan Enterprise.

For instructions on how to use an ePolicy Orchestrator Scheduled task to
restore quarantined files, see the ePolicy Orchestrator Product Guide.


Workaround 2


If the false detection has deleted or quarantined svchost.exe on your
system:

IMPORTANT: Ensure that you have applied the EXTRA.DAT to suppress the
false positive detection before restoring svchost.exe. 

Copy the svchost.exe from a working system

1.	On a computer that is not affected by the issue, navigate to the
location below:
	
	C:\WINDOWS\system32
	  
2.	Copy svchost.exe to a network location or removable media
device. 
3.	On the affected system, copy svchost.exe to the location below:
	
	C:\WINDOWS\system32
	  
4.	Restart the affected computer. 

 


Related Information 

Threat Center (McAfee Avert Labs)  

http://www.mcafee.com/us/threat_center/

Search the Threat Library

http://vil.nai.com/ <http://vil.nai.com/vil/default.aspx>  

Submit a virus sample

https://www.webimmune.net/default.asp 

Security updates and DAT files

http://www.mcafee.com/apps/downloads/security_updates/dat.asp?region=us&segment=enterprise

 For additional information about EXTRA.DAT files, see KB68759.

To deploy the EXTRA.DAT via ePO 4.0 (KB52977)

Step 1 - Check in the EXTRA.DAT

 

NOTES: 

*	You cannot check in packages while any pull or replication tasks
are in progress.
*	If your environment requires testing new packages before
deploying them, McAfee recommends using the Evaluation branch. After you
finish testing the packages, you can move them to the Current branch on
the Software, Master Repository tab.
	 

1.	Log on to the ePO 4.0 console. To open a remote console through
Internet Explorer type one of the URLs below in your browser:
	
	https://<servername>:8443 
	https://<ipaddress_of_server>:8443
	 
2.	Click the Software, Master Repository tabs.
3.	Click Check In Package.
4.	Select extra.DAT.
5.	Click Browse and locate the downloaded extra.DAT, then click
Open.
6.	Click Next. Information is displayed about the Extra.DAT you are
about to add to the repository.
7.	Click Next.
8.	Select the branch where you want to add the extra.DAT. The
default branch is Current.
9.	Click Save. The Extra.DAT will now be listed under Packages in
the Master Repository list on the Master Repository page.
10.	Run a Repository Replication task to distribute the Extra.DAT
file out to all distributed or remote repositories.

 

Step 2 - Deploy the EXTRA.DAT

1.	Create a new ePolicy Orchestrator Agent Update task, and set the
schedule to Run Immediately.
2.	Perform an Agent Wakeup call to send the new Update task to your
clients and apply the extra.DAT.
	
	NOTE: If you prefer, you can reschedule an existing ePO Agent
update task to deploy the extra.DAT.

 

To deploy the EXTRA.DAT via ePO 4.5 (KB67602)

Step 1 - Check in the EXTRA.DAT 

NOTES: 

*	You cannot check in packages while any pull or replication tasks
are running. 
*	If your environment requires testing new packages before
deploying them, McAfee recommends using the Evaluation branch. After you
finish testing the packages, move them to the Current branch on the
Software, Master Repository tab. 
	  

1.	Log on to the ePO 4.5 console. To open a remote console through
Internet Explorer, type one of the URLs below in your browser:
	
	https://<servername>:8443 
	https://<ipaddress_of_server>:8443
	  
2.	Click Menu, Software, Master Repository. 
3.	Click Actions and select Check In Package. 
4.	Select extra.DAT. 
5.	Click Browse and locate the EXTRA.DAT, then click Open. 
6.	Click Next. Information is displayed about the extra.DAT you are
about to add to the repository. 
7.	Click Next. 
8.	Select the branch where you want to add the extra.DAT. The
default branch is Current. 
9.	Click Save. The extra.DAT will now be listed under Packages in
the Master Repository list on the Master Repository page. 
10.	If you have distributed repositories, run a Repository
Replication task to distribute the extra.DAT to all Distributed or
Remote repositories. 
	  

Step 2 - Deploy the extra.DAT

1.	Create a new ePolicy Orchestrator Agent Update task, and set the
schedule to Run Immediately. 
2.	Perform an Agent Wakeup call to send the new Update task to your
clients and apply the extra.DAT.
	
	NOTE: If you prefer, you can reschedule an existing ePO Agent
update task to deploy the extra.DAT. 
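
The "To apply the EXTRA.DAT locally" steps from Workaround 1, written as a PowerShell function. This is an added example, not part of the original notice or of McAfee's article. The service display name and engine directory are the ones the article gives; the parameter names, the C:\Temp\EXTRA.DAT source path and the use of PowerShell 4.0 or later (for Get-FileHash) are assumptions.

```powershell
# Added example: scripted form of "To apply the EXTRA.DAT locally".
# Assumptions: run from an elevated prompt; on VirusScan Enterprise 8.5i and
# later, Access Protection has already been disabled in the VirusScan Console
# as the article requires; PowerShell 4.0+ is available.
function Install-ExtraDat {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$ExtraDatPath,   # EXTRA.DAT extracted from the vendor's EXTRA.ZIP
        [string]$EngineDir = (Join-Path $env:SystemDrive 'Program Files\Common Files\McAfee\Engine'),
        [string]$ServiceDisplayName = 'McAfee McShield'
    )

    if (-not (Test-Path -LiteralPath $ExtraDatPath -PathType Leaf)) {
        throw "EXTRA.DAT not found: $ExtraDatPath"
    }
    if (-not (Test-Path -LiteralPath $EngineDir -PathType Container)) {
        throw "Engine directory not found: $EngineDir"
    }

    # Fail early if the on-access scanner service is not installed.
    $svc    = Get-Service -DisplayName $ServiceDisplayName -ErrorAction Stop
    $target = Join-Path $EngineDir 'EXTRA.DAT'

    Stop-Service -InputObject $svc -Force -ErrorAction Stop
    try {
        Copy-Item -LiteralPath $ExtraDatPath -Destination $target -Force -ErrorAction Stop
        # Confirm the file on disk is byte-identical to the one supplied.
        $src = (Get-FileHash -LiteralPath $ExtraDatPath -Algorithm SHA256).Hash
        $dst = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
        if ($src -ne $dst) { throw 'Copied EXTRA.DAT does not match the source file' }
    }
    finally {
        # Restart on-access scanning even if the copy failed.
        Start-Service -InputObject $svc
    }

    # Report state; a missing svchost.exe means Workaround 2 is still needed.
    $svchost = Join-Path $env:SystemRoot 'System32\svchost.exe'
    [pscustomobject]@{
        ExtraDat       = $target
        ServiceStatus  = (Get-Service -DisplayName $ServiceDisplayName).Status
        SvchostPresent = Test-Path -LiteralPath $svchost -PathType Leaf
    }
}

# Constructed invocation; the source path is a placeholder.
Install-ExtraDat -ExtraDatPath 'C:\Temp\EXTRA.DAT'
```

Re-enable Access Protection in the VirusScan Console once the function returns, as step 4 of the article's procedure states.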

        
