From: Ablang on
Recovering from the Flawed McAfee Update

By Tony Bradley

http://www.pcworld.com/businesscenter/article/194740/recovering_from_the_flawed_mcafee_update.html?tk=nl_dnx_h_crawl

Nothing ruins an IT administrator's day faster than a software update
from a security vendor wreaking havoc on the computer systems it is
intended to protect. That is exactly the predicament faced by many IT
administrators today when a flawed McAfee update rendered Windows XP
PC's essentially useless.
People who read this also read:

A faulty virus update did more harm than good for McAfee
customers.Joris Evers, a McAfee spokesperson, e-mailed a statement
explaining "In the past 24 hours, McAfee identified a new threat that
impacts Windows PCs. Researchers worked diligently to address this
threat that attacks critical Windows system executables and buries
itself deep into a computer's memory."

Evers continued "The research team created detection and removal to
address this threat. The remediation passed our quality testing and
was released with the 5958 virus definition file at 2:00 PM GMT+1 (6am
Pacific Time) on Wednesday, April 21."

Not long after that, reports began to surface that Windows PC's--
primarily Windows XP SP3 PC's--were experiencing significant issues,
including constant rebooting or the ever-popular BSOD (blue screen of
death) system crash.

A number of customers experienced a false positive resulting in the
ensuing chaos. The 5958 virus definitions apparently detect
svchost.exe--a core system file on Windows PC's--as a malware threat.
According to the McAfee statement, though, "corporations who kept a
feature called "Scan Processes on Enable" in McAfee VirusScan
Enterprise disabled, as it is by default, were not affected."

McAfee responded by quickly pulling the faulty update from the McAfee
servers. An emergency extra.dat file was made available in the McAfee
forums to address the issue, but the forums site was so overwhelmed
with customer backlash that it was eventually taken offline. A
corrected virus definition file--5959--is now available, and McAfee
has posted instructions to recover affected systems.

Evers summed up with an apology to affected customers and the
following mea culpa "We are investigating how the incorrect detection
made it into our DAT files and will take measures to prevent this from
reoccurring."

Identifying Affected Systems

Obviously, if your Windows XP SP3 system is displaying a BSOD or
constantly rebooting you have some pretty strong evidence that the
system was impacted by the faulty McAfee detection of the W32/wecorl.a
virus.

A spokesperson for Solera Networks pointed out via an e-mailed
statement that not all affected systems are so obvious, and
highlighted the fact that network threats often originate internally
without malicious intent. "As with today's McAfee incident, security
issues don't always come from outside hackers with malicious intent.
They may originate from non-malicious activities from a trusted
partner, such as McAfee."

The statement adds "Though it seems that cleaning up individual
machines may be sufficient, there may be remnants of files and systems
affected that are not apparent. As it has been continually reported,
many security breaches and the damage they do remains on networks for
days and months, or longer, going unnoticed. Even a trusted partner
can be wreaking havoc beyond the visible scope into the network."

Recovering Affected Systems

Solera Networks' customers are using products like Network Forensics
and scanning all network activity for any evidence of where the faulty
DAT file crossed the network, who downloaded it, when and what
happened thereafter, considering the whole network. Using Network
Forensics, these companies effectively go back in time and can perform
complete cleanup with full visibility to the entire network in
minutes.

Speaking of going back in time, affected systems may be able to simply
reverse the affects of the faulty DAT by using Windows System Restore.
Restoring the system to a point in time prior to when the 5958 DAT was
pushed out should effectively take the computer back in time and
reverse the damage.

Perhaps there is another subtle message here, too. The systems
crippled by the faulty McAfee update were Windows XP SP3 PC's. Perhaps
it's time to upgrade to Windows 7?
From: Leythos on
In article <cbbb0479-515a-437c-bbfd-2a2a5bc67f52
@q31g2000prf.googlegroups.com>, ron916(a)gmail.com says...
> Perhaps there is another subtle message here, too. The systems
> crippled by the faulty McAfee update were Windows XP SP3 PC's. Perhaps
> it's time to upgrade to Windows 7?
>

A better solution would be to abandon McAfee and don't look back. I have
uninstalled it from thousands of machines in favor of ANYTHING ELSE for
years.

--
You can't trust your best friends, your five senses, only the little
voice inside you that most civilians don't even hear -- Listen to that.
Trust yourself.
spam999free(a)rrohio.com (remove 999 for proper email address)
From: Buffalo on


Leythos wrote:
> In article <cbbb0479-515a-437c-bbfd-2a2a5bc67f52
> @q31g2000prf.googlegroups.com>, ron916(a)gmail.com says...
>> Perhaps there is another subtle message here, too. The systems
>> crippled by the faulty McAfee update were Windows XP SP3 PC's.
>> Perhaps it's time to upgrade to Windows 7?
>>
>
> A better solution would be to abandon McAfee and don't look back. I
> have uninstalled it from thousands of machines in favor of ANYTHING
> ELSE for years.

I run Win2000Pro and I dl'd and used McAfee that was offered by Comcast.
Stupid program erased all the email in my Inbox. Great anti-virus program.
:)
Buffalo :)


From: David H. Lipman on
From: "Buffalo" <Eric(a)nada.com.invalid>



| Leythos wrote:
>> In article <cbbb0479-515a-437c-bbfd-2a2a5bc67f52
>> @q31g2000prf.googlegroups.com>, ron916(a)gmail.com says...
>>> Perhaps there is another subtle message here, too. The systems
>>> crippled by the faulty McAfee update were Windows XP SP3 PC's.
>>> Perhaps it's time to upgrade to Windows 7?


>> A better solution would be to abandon McAfee and don't look back. I
>> have uninstalled it from thousands of machines in favor of ANYTHING
>> ELSE for years.

| I run Win2000Pro and I dl'd and used McAfee that was offered by Comcast.
| Stupid program erased all the email in my Inbox. Great anti-virus program.
::)
| Buffalo :)


There's a *big* difference between the retail version (offered by Comcast) and the
Enterprise version.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


From: Buffalo on


David H. Lipman wrote:
> From: "Buffalo" <Eric(a)nada.com.invalid>
>
>
>
>> Leythos wrote:
>>> In article <cbbb0479-515a-437c-bbfd-2a2a5bc67f52
>>> @q31g2000prf.googlegroups.com>, ron916(a)gmail.com says...
>>>> Perhaps there is another subtle message here, too. The systems
>>>> crippled by the faulty McAfee update were Windows XP SP3 PC's.
>>>> Perhaps it's time to upgrade to Windows 7?
>
>
>>> A better solution would be to abandon McAfee and don't look back. I
>>> have uninstalled it from thousands of machines in favor of ANYTHING
>>> ELSE for years.
>
>> I run Win2000Pro and I dl'd and used McAfee that was offered by
>> Comcast. Stupid program erased all the email in my Inbox. Great
>> anti-virus program. :)
>> Buffalo :)
>
>
> There's a *big* difference between the retail version (offered by
> Comcast) and the Enterprise version.

Would the Enterprise version have deleted all my emails,
sent,drafts,,,,,,instead of just my Inbox ones ?
Just kidding.
Buffalo