Re: errant McAfee DAT update causing widespread issues on WinXP comput

[Dexter Caldwell <Dexter.Caldwell () FURMAN EDU>]

Thanks for sharing Alex, (Related info)

I'm attaching a screenshot sent to \me yesterday wherein Mcafee was
detecting Deef Freeze as a virus. (This seemed to be only on new
installations.  The lab manager called the vendor (Faronics) and they read
of the filename (00139138.EXE) and said they knew of the issue and Mcafee
was working on a patch.  I exempted the filename (not the path) since it
was apparently always the same and that fixed the problem.  However, I was
just forwarded a voicemail a few minutes ago from Faronics saying that
McAfee released an update to fix this issue and to update signatures to
fix the issue.    Perhaps it was the same definition as the one you
mentioned.  Not sure.  It does not say which dat version was affected so I
apologize for not including here.

Thanks,
Dexter
alkeller () sfsu edu writes:
> for those of you running McAfee Virusscan it would appear that an errant
> DAT update is causing serious issues for a large number of computers
> running WinXP SP3.
>
> [ http://isc.sans.org/ ]http://isc.sans.org/
> [ http://abcnews.go.com/Technology/wireStory?id=10437730
> ]http://abcnews.go.com/Technology/wireStory?id=10437730
>
> more info from McAfee below. McAfee's websites are extremely slow right
> now.
>
> best,
> alex
>
> ---------------------------
> UPDATE
>
> McAfee is aware that a number of corporate customers have incurred a
> false positive error due to incorrect malware alerts. Our initial
> investigation indicates that the error can result in moderate to
> significant performance issues on systems running Windows XP Service Pack
> 3. 
>
> The 5958 DAT has been removed from McAfee download servers, preventing
> any further impact to corporate customers. McAfee teams are working with
> the highest priority to support impacted customers and plan to provide an
> update virus definition file shortly. You can view information at [
> https://kc.mcafee.com/corporate/index?elq_mid=2362&elq_cid=118534&page=content&id=KB68780
> ]https://kc.mcafee.com/corporate/index?elq_mid=2362&elq_cid=118534&page=content&id=KB68780
> (NOTE: system is currently slow) or the McAfee Community at [
> http://community.mcafee.com/docs/DOC-1374/
> ]http://community.mcafee.com/docs/DOC-1374/ <[
> http://community.mcafee.com/docs/DOC-1374/?elq_mid=2362&elq_cid=118534
> ]http://community.mcafee.com/docs/DOC-1374/?elq_mid=2362&elq_cid=118534> 
>
> We will notify you of an emergency update when available, or in 90
> minutes.
>
> ORIGINAL EMAIL (11:06am US/CDT)
>
> McAfee is aware of a w32/wecorl.a false positive with the 5958 DAT file
> April 21 at � 2:00pm (GMT +1). McAfee advises NOT to download this DAT.
> Please disable pull tasks and update tasks. � 
>
> Information updates will be sent every 90 minutes to keep you advised.
>
> -- 
> Alex Keller
> Systems Administrator
> Academic Technology, San Francisco State University
> Office: Burk Hall 153 Phone: (415)338-6117 Email: [
> mailto:alkeller () sfsu edu ]alkeller () sfsu edu