Publiée par Alexandre Laurent le Jeudi 22 Avril 2010
Distribuée mercredi, la dernière mise à jour de l'antivirus McAfee a entrainé le signalement comme menaces potentielles de processus système valides. Partout dans le monde, des machines équipées de Windows XP SP3 ont alors été victime de plantages à répétition. Leur nombre exact n'est pas connu, mais de nombreuses entreprises ou organisations ont été victimes de la détection de ce faux positif. Dans le lot, plusieurs lecteurs de Clubic, qui nous ont fait part des problèmes rencontrés.
« Nous avons été victime ce jour d'une série de reboot violents de machines au bureau, suite à une détection d'un possible virus "w32/wecorl.a". McAfee, tentait alors d'éradiquer le virus, détruisant entre autre les processus "svchost" potentiels porteurs du virus. Puis, à la Sasser, le redémarrage forcé du PC dans les 60 s s'enclenchait. A la suite de cela, la plupart des machines n'ont plus été en mesure de fonctionner normalement, problème d'accès réseau principalement », raconte par exemple A. B.
L'éditeur a rapidement reconnu le problème et tenté d'en expliquer l'origine. Ses équipes auraient récemment découvert une nouvelle menace informatique susceptible d'atteindre les machines équipées de Windows. Mercredi, aux alentours de 2 heures de matin, elles ont donc distribué une mise à jour de la liste des définitions de menace (DAT 5958) sur laquelle repose le mécanisme de détection intégré à son logiciel. Problème : la menace concernée a parfois été détectée sur des machines saines (principe du faux positif), au niveau de certains des processus génériques svchost.exe, entrainant la désactivation de ces derniers, alors qu'ils sont indispensables au fonctionnement du système.
Quelques heures après la mise en ligne de cette mise à jour défectueuse, McAfee a reconnu l'existence du problème et fait procéder à son retrait. Nous sommes en train de déterminer comment cette détection incorrecte a pu être intégré à nos fichers DAT et allons prendre des mesures pour éviter que cela se reproduise, a indiqué mercredi soir Barry McPherson, vice président support chez McAfee. « Les erreurs arrivent. Aucune excuse », a-t-il ajouté dans un second temps, en tentant tout de même de relativiser la portée de l'incident : « Nous pensons que cet incident a touché moins de un demi pour cent de notre base de clients particuliers et entreprises dans le monde ».
L'éditeur invite les utilisateurs touchés par le problème à lancer une recherche de mise à jour au sein de l'antivirus, de façon à ce que la mise à jour fautive soit écrasée par la précédente liste de définition. Si la mise à jour n'était pas possible, il propose également une méthode manuelle permettant de régler le problème.
Si rapide qu'ait été la réponse, certains risquent de garder un mauvais souvenir de l'épisode. « Leur solution a été de procéder à un downgrade forcé vers la 5957 et de copier le fichier svchost.exe d'un autre pc si celui ci a été supprimé. Ils ont quand même mis la journée à enlever leur MAJ corrompue ! C'est un scandale ! Demain je dois passer sur tout mon parc informatique de 300 machines pour faire la manipulation », tempêtait J. G. mercredi soir dans un courrier adressé à la rédaction.
Solution : http://vil.nai.com/vil/5958_false.htm
False positive detection of w32/wecorl.a in 5958 DAT (for Corporate/Business users) - VirusScan Enterprise
| Corporate KnowledgeBase ID: | | KB68780 |
| Published: | | April 22, 2010 |
Environment
Microsoft Windows XP with SP3
Summary
IMPORTANT: - This article applies to Corporate or Business users only.
- If you are a Home or Consumer user, see article TS100969
McAfee is aware of a
w32/wecorl.a false positive with the 5958 DAT file that was released on April 21, 2010.
WARNING: If you receive a detection for
w32/wecorl.a,
Do not restart your computer until you have performed the remediation steps in this article.
Please watch for updates on this issue, which will be sent on a timely basis through Support Notification Service (SNS) and Platinum Proactive notifications.
To subscribe to SNS, visit
http://my.mcafee.com/content/SNS_Subscription_Center.
This article will be updated as additional information becomes available.
Problem
Blue screen or DCOM error, followed by shutdown messages after updating to the 5958 DAT on April 21, 2010.
Solution 1
McAfee has developed a SuperDAT remediation Tool to restore the svchost.exe file on affected systems.
What does the SuperDAT Remediation Tool Do?
The tool suppresses the driver causing the false positive by applying an Extra.dat file in c:\program files\commonfiles\mcafee\engine folder. It then restores the svchost.exe by looking first in %SYSTEM_DIR%\dllcache\svchost.exe. If not present, it attempts a restore from the following:
- %WINDOWS%\servicepackfiles\i386\svchost.exe
- Quarantine.
After the tool has been run, restart your computer.
Recommended recovery SuperDAT procedure
- From a computer that has Internet access, locate and download the Recovery SuperDAT at http://download.nai.com/products/mcafee-avert/tools/SDAT5958_EM.exe and save it to portable media.
- Take the portable media to each affected computer and run the tool.
NOTE: If you are not able to run the tool on the affected computer, (re)start your computer in Safe Mode.
For instructions on starting in Safe Mode, see http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/boot_failsafe.mspx?mfr=true
- Run the Recovery SuperDAT tool.
- Restart in normal mode.
- Use the product update to update to DAT 5959.
Solution 2
The issue is resolved in the
5959 DAT file release (April 21, 2010), which is available from the McAfee Security Updates page at:
http://www.mcafee.com/apps/downloads/security_updates/dat.asp?region=us&segment=enterprise IMPORTANT: If you are already affected by this issue, you must still either replace or restore
svchost.exe. McAfee is continuing to work on an automated solution to fully resolve the issue for affected customers.
Recovery procedure using DAT 5959 - Download the 5959 DAT file (5959xdat.exe) on a working computer and copy it to a removable media device such as a CD or USB stick.
- Start the affected computer in Safe Mode with networking enabled.
- Copy 5959xdat.exe to the computer, then double-click it to update the VSE DAT files.
- Launch Windows Explorer and navigate to C:\WINDOWS\system32.
- If svchost.exe exists in this folder and is not a 0 byte file, continue to Step 8.
- If svchost.exe has been deleted (or is a 0 byte file), launch the VirusScan Console (Click Start, Programs, McAfee, VirusScan Console).
If you are unable to launch the VirusScan Console, click Start, Run, type the following command (including the quotes) and click OK:
"C:\program files\mcafee\virusscan enterprise\mcconsol.exe" /standalone
- Double-click Quarantine Manager Policy, then click the Manager tab.
- Right-click the detection and select Restore.
- Restart your computer normally.
If you are unable to restore
svchost.exe from Quarantine or if
svchost.exe is
0 bytes, do the following:
- If you have more than one computer.
From the unaffected computer, copy the svchost.exe file in c:\Windows\System32 to c:\Windows\System32 on the affected computer. You can copy the file to a removable media device such as a CD or USB stick to do this.
IMPORTANT: The two computers must have the same version of Windows.
- If you have a single computer, or if all your computers have been affected.
On the affected computer, copy the svchost.exe file to c:\WINDOWS\system32 using one of the following methods:
- From Windows Explorer, go to the folder c:\windows\ServicePackFiles\i386\ (or if not present, C:\WINDOWS\system32\dllcache\), and make a copy of svchost.exe, then go to c:\WINDOWS\system32 and paste the file in the folder.
- From the command prompt (If svchost.exe is located in c:\windows\ServicePackFiles\i386\), type the following command and press ENTER:
"copy c:\windows\ServicePackFiles\i386\svchost.exe c:\WINDOWS\system32"
- From the command prompt (If svchost.exe is located in c:\WINDOWS\system32\dllcache), type the following command and press ENTER:
"copy c:\windows\ServicePackFiles\i386\svchost.exe c:\WINDOWS\system32\dllcache"
- If (the correct version of) svchost.exe cannot be located on any of your computers
- Start your computer from your Windows XP installation disk and select the Recovery console.
- Follow the onscreen instructions and log on as Windows XP admin.
This will take you to the command prompt.
Example: C:\WINDOWS>
- From the prompt, type <drive_letter>: and press ENTER.
Where <drive_letter> is the drive where your XP installation disk is located. Default drive is C:.
- Type cd \I386 and press ENTER.
The prompt should is now <drive_letter>:\I386>
- Type expand svchost.ex_ <drive_letter>:\windows\system32 and press ENTER.
<drive_letter> is the letter of the drive where Windows XP is installed. Default drive is C.
You now have a new copy of svchost.exe in your system32 folder.
- Type exit and press ENTER.
Your computer restarts.
Workaround 1
McAfee has developed an EXTRA.DAT to
suppress this detection. The file is attached to this article. This EXTRA.DAT does not fix the issue, it only suppresses the detection.
Apply the EXTRA.DAT to all potentially affected systems as soon as possible.
For systems that have already encountered this issue, start the computer in Safe Mode and apply the EXTRA.DAT. After applying the EXTRA.DAT, restore the affected files from Quarantine.
To apply the EXTRA.DAT locally to an affected computer IMPORTANT: For VirusScan Enterprise 8.5i and later, temporarily disable Access Protection before proceeding. For details, see:
KB52204.
To apply the
EXTRA.DAT locally:
- Download the EXTRA.ZIP file attached to this article and extract the EXTRA.DAT file.
- Start the affected computer in Safe Mode with networking enabled.
- Copy EXTRA.DAT to C:\Program Files\Common Files\McAfee\Engine.
- Launch Windows Explorer and navigate to C:\WINDOWS\system32:
- If svchost.exe exists in this folder and is not a 0 byte file, continue to Step 9.
- If svchost.exe has been deleted (or is a 0 byte file), launch the VirusScan Console (Click Start, Programs, McAfee, VirusScan Console).
If you are unable to launch the VirusScan Console, click Start, Run, type the command below (including quotes) and click OK:
"C:\program files\mcafee\virusscan enterprise\mcconsol.exe" /standalone
- Double-click Quarantine Manager Policy, then click the Manager tab.
- Right-click the detection and select Restore.
- Restart the computer normally.
If you are unable to restore
svchost.exe from Quarantine or if
svchost.exe is
0 bytes, do the following:
- If you have more than one computer.
From the unaffected computer, copy the svchost.exe file in c:\Windows\System32 to c:\Windows\System32 on the affected computer. You can copy the file to a removable media device such as a CD or USB stick to do this.
IMPORTANT: The two computers must have the same version of Windows.
- If you have a single computer, or if all your computers have been affected.
On the affected computer, copy the svchost.exe file to c:\WINDOWS\system32 using one of the following methods:
- From Windows Explorer, go to the folder c:\windows\ServicePackFiles\i386\ (or if not present, C:\WINDOWS\system32\dllcache\), and make a copy of svchost.exe, then go to c:\WINDOWS\system32 and paste the file in the folder.
- From the command prompt (If svchost.exe is located in c:\windows\ServicePackFiles\i386\), type the following command and press ENTER:
"copy c:\windows\ServicePackFiles\i386\svchost.exe c:\WINDOWS\system32"
- From the command prompt (If svchost.exe is located in c:\WINDOWS\system32\dllcache), type the following command and press ENTER:
"copy c:\windows\ServicePackFiles\i386\svchost.exe c:\WINDOWS\system32\dllcache"
- If (the correct version of) svchost.exe cannot be located on any of your computers
- Start your computer from your Windows XP installation disk and select the Recovery console.
- Follow the onscreen instructions and log on as Windows XP admin.
This will take you to the command prompt.
Example: C:\WINDOWS>
- From the prompt, type <drive_letter>: and press ENTER.
Where <drive_letter> is the drive where your XP installation disk is located. Default drive is C:.
- Type cd \I386 and press ENTER.
The prompt should is now <drive_letter>:\I386>
- Type expand svchost.ex_ <drive_letter>:\windows\system32 and press ENTER.
<drive_letter> is the letter of the drive where Windows XP is installed. Default drive is C.
You now have a new copy of svchost.exe in your system32 folder.
- Type exit and press ENTER.
Your computer restarts.
Workaround 2
ePO Users
For instructions on how to deploy the EXTRA.DAT through ePolicy Orchestrator (ePO), see:
Search the Threat Library
http://vil.nai.com/ Submit a virus sample
https://www.webimmune.net/default.asp
Security updates and DAT files
https://www.webimmune.net/default.asp
EXTRA.zip 6K • < 1 minute @ 56k, < 1 minute @ broadband
