Corporate KnowledgeBase
False positive detection of w32/wecorl.a
in 5958 DAT
| Corporate KnowledgeBase ID: | KB68780 | |
| Published: | April 21, 2010 |
Environment
For details of all supported operating systems, see KB51109
Summary
McAfee is aware of a w32/wecorl.a false positive with the 5958
DAT file that was released on April 21, 2010.
Problem
Blue screen or DCOM error, followed by shutdown messages after
updating to the 5958 DAT on April 21, 2010.
Solution
WARNING: If you
have not done so already, do NOT download the 5958 DAT and disable all
automatic pull and update tasks.
Please watch for updates on this issue, which will be sent on a timely
basis through Support Notification Service (SNS) and Platinum
Proactive notifications.
To subscribe to SNS, visit http://my.mcafee.com/content/SNS_Subscription_Center.
This article will be updated as additional information becomes
available.
To receive email notification when this article is updated, click Subscribe
at the top of the page. (You must be logged in at https://mysupport.mcafee.com to
subscribe.)
Workaround 1
McAfee has developed an EXTRA.DAT to suppress this detection. The
file is attached to this article. This EXTRA.DAT does not fix the
issue, it only suppresses the detection.
Apply the EXTRA.DAT to all potentially affected systems as soon as possible.
For systems that have already encountered this issue, start the computer in Safe Mode and apply the EXTRA.DAT. After applying the EXTRA.DAT, restore the affected files from Quarantine.
To apply the EXTRA.DAT locally:
IMPORTANT: For VirusScan Enterprise 8.5i and later, an Access Protection feature must be temporarily disabled before proceeding. For instructions on how to temporarily disable Access Protection in the VirusScan Console, see KB52204.
To apply the EXTRA.DAT locally:
To restore files from Quarantine locally:
For instructions on how to use an ePolicy Orchestrator Scheduled task to restore quarantined files, see the ePolicy Orchstrator Product Guide.
Apply the EXTRA.DAT to all potentially affected systems as soon as possible.
For systems that have already encountered this issue, start the computer in Safe Mode and apply the EXTRA.DAT. After applying the EXTRA.DAT, restore the affected files from Quarantine.
To apply the EXTRA.DAT locally:
IMPORTANT: For VirusScan Enterprise 8.5i and later, an Access Protection feature must be temporarily disabled before proceeding. For instructions on how to temporarily disable Access Protection in the VirusScan Console, see KB52204.
To apply the EXTRA.DAT locally:
- Download the EXTRA.ZIP file attached to this article and extract the EXTRA.DAT file.
- Click Start, Run, type services.msc and click OK.
- Right-click the McAfee McShield service and select Stop.
- Copy the EXTRA.DAT file to the following
location:
<installation drive>\Program Files\Common Files\McAfee\Engine
- In the Services window, right-click McAfee McShield and select Start.
To restore files from Quarantine locally:
- Open the VirusScan Console.
- Double-click Quarantine Manager Policy.
- Click the Manager tab.
- Right-click the required item and select Restore.
For instructions on how to use an ePolicy Orchestrator Scheduled task to restore quarantined files, see the ePolicy Orchstrator Product Guide.
Related Information
| Threat Center (McAfee Avert Labs) | http://www.mcafee.com/us/threat_center/ |
| Search the Threat Library | http://vil.nai.com/ |
| Submit a virus sample | https://www.webimmune.net/default.asp |
| Security updates and DAT files | http://www.mcafee.com/apps/downloads/security_updates/dat.asp?region=us&segment=enterprise |
For additional information about EXTRA.DAT files, see KB68759.
Attachment
Previous Document ID
01234