McAfee
Response to DAT Version 5958 False Positive Error
Summary
· On April 21, 2010, McAfee learned that one of its virus definition DAT files, which ensure updated protection on our anti-malware solutions, falsely identified a file as malware on a subset of Windows systems, causing a false positive error and disrupting users’ systems.
· McAfee notified customers not to update their systems to the incorrect DAT, removed the DAT from all download sites, and made available a corrected DAT shortly thereafter. For home office and small business customers who receive automatic updates, McAfee rolled back to the prior DAT and rolled out the new one once available.
· For customers who have experienced system impact, McAfee has made remediation instructions available in the McAfee KnowledgeBase. McAfee is actively working on a comprehensive root cause analysis and will make the information publicly available as quickly as possible.
Overview
On April 21, 2010, McAfee learned that one of its virus definition DAT files, version 5958, which ensure updated protection on our anti-malware solutions, falsely identified a critical Windows system file, “svchost.exe”, as malware.
The detection was in response to a threat that attacks critical Windows system executables and buries itself deep into memory. This detection was in DAT release 5958. Once applied to systems, the DAT incorrectly identifies the Microsoft system file “svchost.exe” as malware, prompting McAfee anti-malware solutions to remove or quarantine the file. Customers have reported a variety of symptoms, ranging from a system “blue screen” to loss of network connectivity, inability to use USB, and a perpetual state of reboot. Users have reported these symptoms both when the file is still present on the system (in quarantine) and when it has been deleted entirely. For more information on this issue, users may visit the McAfee Threat Center.
Remediation
On discovery of the issue, McAfee immediately issued support advisories, notified customers not to update to 5958, and removed the DAT file from download sites. McAfee fixed the issue in the DAT and released a corrected DAT file, version 5959, which does not include the false detection.
McAfee has thoroughly tested DAT version 5959 against this issue and encourages all customers to update to this latest version. More details on the problem and workarounds can be found in the McAfee KnowledgeBase.
For customers who have been adversely affected, McAfee has made information available on how to remediate systems. Please visit the McAfee KnowledgeBase. The KnowledgeBase and all supporting documentation will be continuously updated as we uncover information and create additional remediation options.
McAfee is focused on a comprehensive root cause analysis of the issue. We will make this information available publicly as quickly as possible.