ClioSport.net


McAfee Corporate users..



Cookie

ClioSport Club Member
Just a heads up for anyone currently being battered via email/phone by people, there's some major issue with the latest DAT file (5958 I think) that was rolled out by McAfee

It's a false positive virus detection I believe, but it's constantly rebooting our servers/clients

It's quite funny watching the monitoring software going absolutely [word filtered] :p
 
I stopped ePO rolling this out at about 4:30, not that mine had actually downloaded it yet anyway; it checks the repository at 7am
 

jenic

ClioSport Club Member
We've just had the latest McAfee installed on all our work laptops.

Complete crock of s**t tbh, has caused loads of issues with our work as we have been unable to connect to some of our ethernet equipment and now I have yet another password to have to remember. Happy days :(
 

Cookie

ClioSport Club Member
Heh, my BB is getting hammered tonight.. thankfully we have a US team online and in the office to fix it, as well as some of my colleagues in Jersey

It's still gonna be a mess in the morning, joy!
 
  340i
ahh I am sure our American counterparts will be enjoying this... See what happens in the morning!
 

KDF

  Audi TT Stronic
I do IT consultancy for a company in Glasgow, 1500 machines just got hit with this.. mass panic ensued lol I finished up at 5, said good luck (it's nothing to do with me) and left lol
 

ChrisR

ClioSport Club Member
Well I let my conscience get the better of me and logged in to disable the repository pull.

Can't be doing with the hassle tomorrow if it does screw up, that link says they've updated the dats again since, but our pull is scheduled for the evening so it might still pull the bad one down.

And I'm not even on call tonight, how nice of me (although it'd be me fixing the thing tomorrow).

Ta for the heads up :)
 
  Cupra
It blew right over us. Apparently only 0.5% of all business accounts were affected. McAfee quickly released 5959 which solved the problem.
 
Just had one; it was a laptop that was out and about yesterday, so it pulled the update direct from McAfee instead of from our ePO
 

Cookie

ClioSport Club Member
It's hit our Indian office pretty hardddddddd

Apparently 5959 is knackering all sorts of services on the local machines.. woops

Edit: Evidently that's caused by svchost.exe being quarantined, the Indian office aren't too bright :p
 
obviously lol

Strangely, the one affected here hadn't had it quarantined that I could tell, so just copied it back over the top
 
  Turbo'd MX-5 MK4
3500 computers affected here, woop, lol. Thankfully I've only had to sort one of them (so far anyway)
 

Cookie

ClioSport Club Member
Most of our desktop estate has been switched to Vista, so apparently we had far less damage than most.

India was wiped out though, they are still on XP
 

DMS

  A thirsty 172
FLOL. Only just noticed this topic after replying to your training one.
The support guys here have been running around all morning trying to sort this shite out. I think across 3 schools in Westminster, Nottingham and Manchester we've had a total of 380 odd client machines that will no longer boot correctly.
 

DMS

  A thirsty 172
Even funnier is that if you read the McAfee license agreement, it explicitly states that they will accept no responsibility, financial or otherwise, for any loss or damage that occurs as a result of using their software.
 

DMS

  A thirsty 172
Exactly. I bet their Execs are relieved they've got that little statement in their license agreement after all this.
 

DMS

  A thirsty 172
Official McAfee response to this f**k up:



McAfee takes full responsibility for what has occurred and sincerely apologizes to you for the inconvenience it has caused.
What happened?
On Wednesday, April 21, McAfee responded to a new global threat to Windows PCs and released a virus signature update that significantly impaired some of our customers' computers. Our impacted customers reported a variety of symptoms, ranging from a system “blue screen” to experiencing a perpetual state of reboot.
How did this happen?
A problem arose during our QA testing process as we were creating the DAT 5958 file. We had recently made a change to our QA environment as we were working to address a rare and urgent request from a mission-critical government defense customer. Unfortunately, the QA environment was not reverted back after we responded to the urgent request.
As a result of the changed test environment, the generic signature for W32/Wecorl.a in DAT 5958 was not tested for memory scanning on Windows XP Service Pack 3. All other tests were executed and passed on Windows XP Service Pack 3 in addition to all other supported operating system platforms. The false positive would have been detected, had the test environment been in its standard setup and properly configured for memory scanning on Windows XP Service Pack 3.
What we’re doing to help impacted customers?
Upon learning of this issue, our top priority has been to get everyone up and running as quickly as possible. Immediately upon being notified of the issue our global teams began proactively reaching out to our customers.
We promptly alerted customers, removed the incorrect DAT, replaced it with a corrected version, and have been frequently updating with customers on developments. We released information and best practices in our blog and KnowledgeBase, made tools available to help customers get back up and running, and provided corporate customers with hands-on support to repair impacted systems.
What steps are we taking to prevent this from happening again?
We have undergone a thorough root cause analysis and are implementing many failsafe process improvements to ensure this never happens again.
This includes:
· a failsafe change control process;
· expanded use of automated test system configuration tools;
· implementing additional QA protocols for any releases that directly impact critical system files;
· rolling out additional capabilities in Artemis that will provide another level of protection against false positives by leveraging an expansive white list of critical system files and their associated cryptographic hashes;
· and other critical product enhancements that will engineer safeguards into the system protection process.
If you would like more information on the root cause and the detailed steps we are taking to prevent this from happening in the future, we would be happy to schedule a call with a McAfee executive to brief you on additional details.
What we’re offering?
If you are one of McAfee’s corporate customers with PCs that have been rendered inoperable or severely impaired as a result of the faulty DAT 5958 file McAfee released, we sincerely apologize for the inconvenience this has caused.
McAfee is offering a customer commitment package that starts with a health check. The health check begins with an automated tool then is followed up by a 4 hour session with one of our remote consultants. We also commit that the results of your Health Check will be reviewed by senior members of our Engineering, Support and Theatre leadership teams. Then we will provide you with access to the online Health Check tool for a full year so you can run it as often as you like. If you are interested I would be happy to make that request for you. Or, if you’d prefer, you can make the request directly by emailing Register@McAfeeQuickstart.com by June 15, 2010.


What tools, resources, or other assistance can McAfee provide that will alert me to these as soon as you know?
Our Support Notification Service (SNS) provides valuable product information via email to help you maximize the functionality and protection capabilities of your McAfee products.
· SNS Support ALERTS – critical information sent immediately and requiring action. Includes virus/malware outbreaks; DAT file false-positives; product vulnerabilities; and critical remediation updates.
· SNS Support Notices – selected product information sent immediately. Includes updates, upgrades, patches, EOS/EOL, release notices; operational issues (password resets, portal issues; etc.).
· SNS Weekly Bulletins – include Notices and ALERT information plus updates on other category products for the preceding week.

In this particular situation, working with our McAfee Labs team, we issued an initial Support Notification Service alert within one hour to 180 thousand contacts in our database, and over the next 14 hours provided four subsequent alerts with additional tools, procedures, recommendations, and ongoing updates on how to mitigate the issue, and when the replacement DAT was available.

Where can customers turn for the latest information on this issue?
The McAfee information library and the Knowledge Base site updated (http://www.mcafee.com/us/about/false_positive_response.html) to provide complete solutions for this issue.
United Kingdom
+800 1225 5624
+800 6247 7463


Patrick McNamara
Internal Channel Account Manager
UK & Ireland
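
The safeguard named in the quoted statement (a white list of critical system files and their cryptographic hashes) can be sketched as a check that runs between a signature hit and the quarantine action. This is an added example, not part of the thread and not McAfee's code; the allowlist contents, the function names and the "hold" policy are assumptions, and the file bytes are constructed stand-ins.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for file contents; real use would hash vendor binaries.
GOOD_SVCHOST = b"constructed stand-in for a clean svchost.exe image"
TAMPERED_SVCHOST = GOOD_SVCHOST + b" plus appended bytes"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hypothetical allowlist: SHA-256 of known-good critical files -> file name.
CRITICAL_HASHES = {sha256_hex(GOOD_SVCHOST): "svchost.exe"}
CRITICAL_NAMES = set(CRITICAL_HASHES.values())


@dataclass
class Verdict:
    action: str  # "suppress", "hold" or "quarantine"
    reason: str


def decide(path: str, data: bytes, signature: str) -> Verdict:
    """Decide what to do with a file that a signature has just flagged."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    digest = sha256_hex(data)
    if digest in CRITICAL_HASHES:
        # Byte-identical to a known-good system file: treat as false positive.
        return Verdict("suppress", f"{signature} matched known-good {CRITICAL_HASHES[digest]}")
    if name in CRITICAL_NAMES:
        # Critical name, unknown content: removal could break boot, so escalate
        # to an analyst instead of auto-quarantining (assumed policy).
        return Verdict("hold", f"{signature} matched unverified {name}")
    return Verdict("quarantine", f"{signature} matched {name}")


def release_blockers(hits: list[tuple[str, bytes, str]]) -> list[str]:
    """Pre-release gate: signatures that fire on allowlisted files block the DAT."""
    return sorted({sig for path, data, sig in hits
                   if decide(path, data, sig).action == "suppress"})


if __name__ == "__main__":
    for p, d in [(r"C:\WINDOWS\system32\svchost.exe", GOOD_SVCHOST),
                 (r"C:\WINDOWS\system32\svchost.exe", TAMPERED_SVCHOST),
                 (r"C:\Temp\invoice.exe", b"constructed sample")]:
        print(p, decide(p, d, "W32/Wecorl.a"))
```

The same `decide` logic serves both ends: on the endpoint it stops a bad signature from removing a boot-critical file, and in QA `release_blockers` turns any hit on the known-good corpus into a release stop.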
 

Cookie

ClioSport Club Member
LOL at sincerely apologise

Maybe they can pay for the man hours it took us to fix the problem :p
 

