McAfee blocks hundreds of thousands of Windows XP users


And for anyone who, one of these days, came into the office, sat down, switched on the PC and watched it crash, here is the explanation:

McAfee, thanks to (or because of?) a routine update, "simply" mistook a legitimate Windows component for a virus to be quarantined. The file SVCHOST.exe was, bizarrely, identified as the virus W32/Wecorl.a.

I could close the article here, but I want to go on and give you as much information as possible...

The consequences were lethal for the machines that had installed the update: in some cases a continuous reboot loop began, in others the machines crashed outright. In both cases any operation on the terminal became impossible, to the obvious dismay of those who thought they had fallen victim to a dangerous infection.

An initial Engadget estimate puts the number of affected units between 30 and 60 thousand. And now who will compensate for the time and work lost because of a "minor inconvenience" for which the company has not even apologized? Oh well, formatting takes no time at all.

McAfee later apologized for the error, downplayed the scope of the problem and handed out the instructions needed to restore the system. The report confirms that the 5958 DAT update was faulty and produced a false positive, and therefore advises not to restart the terminal if the update in question has already been downloaded. Those affected by the problem must install the appropriate , a small application able to fix everything by undoing the changes made by the previous update.

HOW TO FIX THE PROBLEM?
I am reproducing in full what you would find at http://vil.nai.com/vil/5958_false.htm
________________________________________________________________________________

False positive detection of w32/wecorl.a in 5958 DAT (for Corporate/Business users) – VirusScan Enterprise

Problem

Blue screen or DCOM error, followed by shutdown messages after updating to the 5958 DAT on April 21, 2010.

Solution 1

McAfee has developed a SuperDAT remediation Tool to restore the svchost.exe file on affected systems.

What does the SuperDAT Remediation Tool Do?
The tool suppresses the driver causing the false positive by applying an Extra.dat file in the c:\program files\common files\mcafee\engine folder. It then restores svchost.exe by looking first in %SYSTEM_DIR%\dllcache\svchost.exe. If that copy is not present, it attempts a restore from the following:

  • %WINDOWS%\servicepackfiles\i386\svchost.exe
  • Quarantine.

After the tool has been run, restart your computer.
Recommended recovery SuperDAT procedure

  1. From a computer that has Internet access, locate and download the Recovery SuperDAT at and save it to portable media.
  2. Take the portable media to each affected computer and run the tool.
     NOTE: If you are not able to run the tool on the affected computer, (re)start your computer in Safe Mode.
     For instructions on starting in Safe Mode, see
  3. Run the Recovery SuperDAT tool.
  4. Restart in normal mode.
  5. Use the product update to update to DAT 5959.

Solution 2

The issue is resolved in the 5959 DAT file release (April 21, 2010), which is available from the McAfee Security Updates page at: 

IMPORTANT: If you are already affected by this issue, you must still either replace or restore svchost.exe. McAfee is continuing to work on an automated solution to fully resolve the issue for affected customers.

Recovery procedure using DAT 5959

  1. Download the 5959 DAT file (5959xdat.exe) on a working computer and copy it to a removable media device such as a CD or USB stick.
  2. Start the affected computer in Safe Mode with networking enabled.
  3. Copy 5959xdat.exe to the computer, then double-click it to update the VSE DAT files.
  4. Launch Windows Explorer and navigate to C:\WINDOWS\system32.
    1. If svchost.exe exists in this folder and is not a 0 byte file, continue to Step 8.
    2. If svchost.exe has been deleted (or is a 0 byte file), launch the VirusScan Console (click Start, Programs, McAfee, VirusScan Console). If you are unable to launch the VirusScan Console, click Start, Run, type the following command (including the quotes) and click OK:
       "C:\program files\mcafee\virusscan enterprise\mcconsol.exe" /standalone
  5. Double-click Quarantine Manager Policy, then click the Manager tab.
  6. Right-click the detection and select Restore.
  7. Restart your computer normally.

If you are unable to restore svchost.exe from Quarantine or if svchost.exe is 0 bytes, do the following:

  • If you have more than one computer.
    From the unaffected computer, copy the svchost.exe file in c:\Windows\System32 to c:\Windows\System32 on the affected computer. You can copy the file to a removable media device such as a CD or USB stick to do this.

    IMPORTANT: The two computers must have the same version of Windows.

  • If you have a single computer, or if all your computers have been affected.
    On the affected computer, copy the svchost.exe file to c:\WINDOWS\system32 using one of the following methods:

    • From Windows Explorer, go to the folder c:\windows\ServicePackFiles\i386\ (or if not present, C:\WINDOWS\system32\dllcache\), and make a copy of svchost.exe, then go to c:\WINDOWS\system32 and paste the file in the folder.
    • From the command prompt (if svchost.exe is located in c:\windows\ServicePackFiles\i386\), type the following command and press ENTER:
      copy c:\windows\ServicePackFiles\i386\svchost.exe c:\WINDOWS\system32
    • From the command prompt (if svchost.exe is located in c:\WINDOWS\system32\dllcache), type the following command and press ENTER (the source here is the dllcache copy, not the ServicePackFiles one):
      copy c:\WINDOWS\system32\dllcache\svchost.exe c:\WINDOWS\system32
  • If (the correct version of) svchost.exe cannot be located on any of your computers
    1. Start your computer from your Windows XP installation disk and select the Recovery console.
    2. Follow the onscreen instructions and log on as Windows XP admin.
      This will take you to the command prompt.

      Example: C:\WINDOWS>

    3. From the prompt, type <drive_letter>: and press ENTER.
      Where <drive_letter> is the drive where your XP installation disk is located. The default drive is C:.
    4. Type cd \I386 and press ENTER.
      The prompt is now <drive_letter>:\I386>
    5. Type expand svchost.ex_ <drive_letter>:\windows\system32 and press ENTER.
      <drive_letter> is the letter of the drive where Windows XP is installed. The default drive is C.
      You now have a new copy of svchost.exe in your system32 folder.
    6. Type exit and press ENTER.
      Your computer restarts.
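As an added example (it is neither McAfee's SuperDAT tool nor part of the KB article), the batch script below automates the svchost.exe check and the two local-copy fallbacks from the Solution 2 procedure above. It assumes the standard XP layout under %SystemRoot% and is meant to be run from a Safe Mode command prompt only after DAT 5959 or the EXTRA.DAT is in place, otherwise the restored file can be quarantined again.

```batch
@echo off
REM Added example, not McAfee's tool: check svchost.exe after the 5958 DAT
REM false positive and restore it from the local copies named in the KB text.
REM Run from a Safe Mode command prompt AFTER DAT 5959 / EXTRA.DAT is applied.
setlocal
set "SYS32=%SystemRoot%\system32"
set "TARGET=%SYS32%\svchost.exe"

REM Step 1: is svchost.exe present and larger than 0 bytes? (%%~zF = file size)
if exist "%TARGET%" (
    for %%F in ("%TARGET%") do if %%~zF GTR 0 (
        echo svchost.exe present, %%~zF bytes - no restore needed.
        goto :done
    )
    echo svchost.exe is a 0 byte file - restore required.
) else (
    echo svchost.exe is missing - restore required.
)

REM Step 2: try the same local fallback locations the KB article lists,
REM skipping any copy that is itself empty.
for %%S in ("%SystemRoot%\ServicePackFiles\i386\svchost.exe" "%SYS32%\dllcache\svchost.exe") do (
    if exist "%%~S" (
        for %%F in ("%%~S") do if %%~zF GTR 0 (
            echo Restoring from %%~S
            copy /y "%%~S" "%TARGET%" >nul && goto :verify
        )
    )
)
echo No usable local copy found. Restore the file from Quarantine Manager, or
echo expand svchost.ex_ from the Windows XP CD via the Recovery Console (see above).
goto :done

:verify
for %%F in ("%TARGET%") do echo Restored svchost.exe, %%~zF bytes. Restart normally, then update to DAT 5959.

:done
endlocal
```

The script only reports when both local copies are absent; the Quarantine and Recovery Console paths still require the manual steps given in the article.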

Workaround 1

McAfee has developed an EXTRA.DAT to suppress this detection. The file is attached to this article. This EXTRA.DAT does not fix the issue, it only suppresses the detection.

Apply the EXTRA.DAT to all potentially affected systems as soon as possible.

For systems that have already encountered this issue, start the computer in Safe Mode and apply the EXTRA.DAT. After applying the EXTRA.DAT, restore the affected files from Quarantine.

To apply the EXTRA.DAT locally to an affected computer
IMPORTANT: For VirusScan Enterprise 8.5i and later, temporarily disable Access Protection before proceeding. For details, see: .

To apply the EXTRA.DAT locally:

  1. Download the EXTRA.ZIP file attached to this article and extract the EXTRA.DAT file.
  2. Start the affected computer in Safe Mode with networking enabled.
  3. Copy EXTRA.DAT to C:\Program Files\Common Files\McAfee\Engine.
  4. Launch Windows Explorer and navigate to C:\WINDOWS\system32:
    1. If svchost.exe exists in this folder and is not a 0 byte file, continue to Step 9.
    2. If svchost.exe has been deleted (or is a 0 byte file), launch the VirusScan Console (click Start, Programs, McAfee, VirusScan Console). If you are unable to launch the VirusScan Console, click Start, Run, type the command below (including quotes) and click OK:
       "C:\program files\mcafee\virusscan enterprise\mcconsol.exe" /standalone
  5. Double-click Quarantine Manager Policy, then click the Manager tab.
  6. Right-click the detection and select Restore.
  7. Restart the computer normally.

If you are unable to restore svchost.exe from Quarantine or if svchost.exe is 0 bytes, follow the same steps given under Solution 2 above (copy from an unaffected computer with the same Windows version, from c:\windows\ServicePackFiles\i386\ or C:\WINDOWS\system32\dllcache\, or expand svchost.ex_ from the Windows XP installation disk in the Recovery Console).

Workaround 2

ePO Users
For instructions on how to deploy the EXTRA.DAT through ePolicy Orchestrator (ePO), see:

  • ePO 4.0 –
  • ePO 4.5 –

Related Information

IMPORTANT: If you are a consumer user, to resolve this issue see KnowledgeBase article: TS100969 – ALERT: 5958 DAT Update Issue (For Home Users Only).

  • For additional information about EXTRA.DAT files, see KB68759.
Corporate KnowledgeBase ID: KB68780
Threat Center (McAfee Avert Labs)
Search the Threat Library http://vil.nai.com/
Submit a virus sample https://www.webimmune.net/default.asp
Security updates and DAT files

7 Responses to McAfee blocks hundreds of thousands of Windows XP users

  1. [...] This post was mentioned on Twitter by Thinking Technologie. Thinking Technologie said: Modified post: McAfee blocks hundreds of thousands of Windows XP users ( http://blog.thinkingroup.it/?p=208 ) [...]

  2. Social comments and analytics for this post…

    This post was mentioned on Twitter by thinkingroup: Modified post: McAfee blocks hundreds of thousands of Windows XP users ( http://blog.thinkingroup.it/?p=208 )...

  3. WP Themes writes:

    Amiable dispatch, and this entry helped me a lot in my college assignment. Thank you for your information.

  4. 黑帽SEO writes:

    Nice post…Thank you for sharing some good things!!

  5. 英文SEO writes:

    Hello everyone, thanks for the good information.

  6. smeacepaumb writes:

    Just want to say what a great blog you got here!
    I’ve been around for quite a lot of time, but finally decided to show my appreciation of your work!

    Thumbs up, and keep it going!

    Cheers
    Christian, watch south park online

  7. Great article. Thank you so much!
