Well, antivirus “fun” abounds today. The victims du jour are XP SP3 users and the perp is none other than McAfee.
From SANS:
We have received several reports indicating some issues with McAfee DAT 5958 causing Windows XP SP3 clients to be locked out. It is affecting svchost.exe. Here is an example of the message:
The file C:\WINDOWS\system32\svchost.exe contains the W32/Wecorl.a Virus. Undetermined clean error, OAS denied access and continued. Detected using Scan engine version 5400.1158 DAT version 5958.0000.
We received confirmation from McAfee earlier today. 5958 DAT was released at GMT +1 April 21. This has the potential to make systems unstable and throw them into an endless reboot loop. The offending DAT file has been removed from all of the McAfee update sites. The replacement DAT 5959 should now be available for download according to their email.
Pity the poor admins that have to clean up that mess.
(Image used under CC from Chris Daniel)
Yeah, I got to see this happen today first hand. Luckily we already had some good practices in place that prevented users from getting new DATs right away. The only ones affected were a few systems not organized correctly in the tree. Majorly sucked for some though. One guy reported getting hit with this on over 600 machines and having to handle each one individually.
@Matt
600 machines by hand? Holy hell. Where do they send the bill for that overtime?
HAHA I don’t know. My manager was on the phone with McAfee today and said they were just brushing it off then tried to sell him something else. The nerve.