Corporate KnowledgeBase

False positive detection of w32/wecorl.a in 5958 DAT
Printer Friendly Version Printer Friendly Rate Content Rate this Page

Corporate KnowledgeBase ID:    KB68780
Published:    April 21, 2010
 

Environment

For details of all supported operating systems, see KB51109

Summary

McAfee is aware of a w32/wecorl.a false positive with the 5958 DAT file that was released on April 21, 2010.

Problem

Blue screen or DCOM error, followed by shutdown messages after updating to the 5958 DAT on April 21, 2010.

Solution

WARNING: If you have not done so already, do NOT download the 5958 DAT and disable all automatic pull and update tasks.

Please watch for updates on this issue, which will be sent on a timely basis through Support Notification Service (SNS) and Platinum Proactive notifications.

To subscribe to SNS, visit http://my.mcafee.com/content/SNS_Subscription_Center.

This article will be updated as additional information becomes available.

To receive email notification when this article is updated, click Subscribe at the top of the page. (You must be logged in at https://mysupport.mcafee.com to subscribe.)

Workaround 1

McAfee has developed an EXTRA.DAT to suppress this detection. The file is attached to this article. This EXTRA.DAT does not fix the issue, it only suppresses the detection.

Apply the EXTRA.DAT to all potentially affected systems as soon as possible.

For systems that have already encountered this issue, start the computer in Safe Mode and apply the EXTRA.DAT. After applying the EXTRA.DAT, restore the affected files from Quarantine.


To apply the EXTRA.DAT locally:

IMPORTANT:  For VirusScan Enterprise 8.5i and later,  an Access Protection feature must be temporarily disabled before proceeding.  For instructions on how to temporarily disable Access Protection in the VirusScan Console, see KB52204.

To apply the EXTRA.DAT locally:
  1. Download the EXTRA.ZIP file attached to this article and extract the EXTRA.DAT file.
  2. Click Start, Run, type services.msc and click OK.
  3. Right-click the McAfee McShield service and select Stop.
  4. Copy the EXTRA.DAT file to the following location:

    <installation drive>\Program Files\Common Files\McAfee\Engine 

     
  5. In the Services window, right-click McAfee McShield and select Start.
For instructions on how to deploy the EXTRA.DAT through ePolicy Orchestrator (ePO), see:
To restore files from Quarantine locally:

  1. Open the VirusScan Console.
  2. Double-click Quarantine Manager Policy.
  3. Click the Manager tab.
  4. Right-click the required item and select Restore.
For additional information, see the VirusScan Enterprise Product Guide for your version of VirusScan Enterprise.

For instructions on how to use an ePolicy Orchestrator Scheduled task to restore quarantined files, see the ePolicy Orchstrator Product Guide.

Related Information

Threat Center (McAfee Avert Labs)   http://www.mcafee.com/us/threat_center/
Search the Threat Library http://vil.nai.com/ 
Submit a virus sample https://www.webimmune.net/default.asp 
Security updates and DAT files http://www.mcafee.com/apps/downloads/security_updates/dat.asp?region=us&segment=enterprise

 For additional information about EXTRA.DAT files, see KB68759.

Attachment

EXTRA.zip
6K • < 1 minute @ 56k, < 1 minute @ broadband


Previous Document ID

01234

Rate this Page

Please take a moment to complete this form to help us better serve you.

Rate this document
 
 
Did this article resolve your issue?
 
 
Please provide any comments below
 
 

Your response will be used to improve our document content. Requests for assistance should be submitted through your normal support channel as we cannot respond from this site.

Find Answers

Ask a New Question


Corporate KnowledgeBase Information

Categories: