Altiris Fix for McAfee Virus Update Issue

XCEND – Technical Announcement

Yesterday, thousands of clients who rely on McAfee Anti-virus to protect their organizations were impacted by a McAfee update that is causing tens of thousands of systems to reboot.

  • McAfee update locking users out of their PCs, Do Not Update

Despite rumors circulating that it’s not possible to automate the process of fixing affected machines, Symantec has announced a fix for those customers who currently use Altiris Deployment Solution. See below for an overview of several proposed solutions, including a Knowledge Base article describing the fix. You may download the

XCEND recognizes the magnitude and urgency surrounding this issue and we are available to assist in whatever capacity that we can to help our clients remediate this situation as efficiently as possible. To contact XCEND Professional Services, please use our contact form or call us directly at (810)494-7144.


Option 1: Use Altiris Deployment Solution (DS) to fix McAfee false positive.

Relies on DS and PXE technology to send down a repair image that installs McAfee fix and repairs svchost.exe file. Existing customers can download a preconfigured Deployment Server job that contains the fix. New Symantec customers can download a package that will install Deployment Solution, PXE and SQL Express as well as the job needed for the fix.

 Status: DS job is now available to customers; bundled install will be available 4/23/10.

Option 2: Use Altiris Client Management Suite and vPro to fix McAfee false positive.

Relies on vPro technology to reboot the system to a repair image that installs McAfee fix and repairs svchost.exe file.

Status: Available 4/23/10

McAfee is claiming that this only affects Windows XP SP3 32-bit machines and has only provided an updated .dat file for that environment. Currently that is all the fix supports, but we will update our support as McAfee does.


Knowledge Base Article ID: 52533

McAfee rebooting Windows XP Systems – False positive detection of w32/wecorl.a in 5958 DAT – svchost.exe – Fix via Deployment Solution

Applies To

• Deployment Solution 6.9 SP4

Problems/Symptoms

Windows XP machines running one of the McAfee Enterprise products listed below reboot due to a w32/wecorl.a false positive with the 5958 DAT file released by McAfee on April 21, 2010.

The false positive incorrectly identifies svchost.exe as malware and attempts to clean or quarantine the file. As soon as this happens, the client machine is forced to reboot. If svchost.exe is successfully quarantined or deleted, the machine gets stuck in a reboot cycle.

Environment

Software Affected:
McAfee VirusScan Enterprise 8.5i
McAfee VirusScan Enterprise 8.7i

Operating system affected:

Windows XP SP3

Solutions used to resolve the issue:

Altiris Deployment Solution 6.9 (using LinuxPE)
Altiris Deployment Solution 7.1 (using LinuxPE)

Note: Even though both versions of DS can be used to implement this solution, the steps below are written specifically for version 6.9. If you need help adapting the steps for 7.1, please contact Support.

Cause

The following article published by McAfee explains the issue:
https://kc.mcafee.com/corporate/index?page=content&id=KB68780

Resolution

NOTE: Please read the entire resolution before beginning any of the steps.
While most administrators are going machine-to-machine to resolve this issue, Altiris Deployment Server can be used to automate the resolution.

The following are needed before you begin:

  • EXTRA.DAT  (Download directly from McAfee via this LINK)
  • svchost.exe (Copy this file from a working system running Windows XP SP3)
  • SvcHost_Repair.zip (Attached to the right-hand pane of this article)

LinuxPE must also be used as the pre-boot environment. If you don’t already have it installed, please do so before proceeding.

Once the previous steps are complete, the following solution can be implemented:

  1. Browse to the eXpress share on the Deployment Server and create a folder named SvcHost_Repair.
    Verify that the spelling and case match what’s listed in step 1 exactly or the job will fail (Linux commands are case sensitive).
  2. Unzip SvcHost_Repair.zip and copy the extracted file to the folder created in step 1.
  3. Copy EXTRA.DAT and svchost.exe to the folder created in step 1.
  4. Right-click in the Jobs pane of the Deployment Console and choose Import, or choose File > Import and browse to the BIN file extracted in step 2.
  5. Complete the import wizard to finish importing the job which will have the name McAfee Fix.
  6. Drag the job onto a test system to make sure everything works as anticipated.
  7. Once you’re comfortable with the process and know that it works the way you want it to, drag the job onto all systems that require it.

When the job runs on a client machine, it checks for the presence of svchost.exe. If the file is missing, the version of svchost.exe provided in step 3 will be copied to the machine. EXTRA.DAT will be copied to the machine regardless of whether or not svchost.exe is present.
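The repair logic just described, written out as an added LinuxPE-side shell script (this is an illustration, not the job shipped in SvcHost_Repair.zip). It assumes the client's Windows volume is already mounted read/write at the first argument and the SvcHost_Repair folder at the second; the EXTRA.DAT destination under Common Files\McAfee\Engine is an assumption, and the Windows directory is located case-insensitively because, as the article notes, Linux paths are case sensitive:

```shell
#!/bin/sh
# Added example of the article's repair steps; not Symantec's or XCEND's code.
# $1 = mount point of the Windows XP SP3 system volume (assumed already mounted rw)
# $2 = folder holding EXTRA.DAT and a known-good svchost.exe (the SvcHost_Repair share)
set -u

repair_svchost() {
  win="$1"
  src="$2"

  # NTFS under Linux is case sensitive; the XP system folder may be WINDOWS or Windows.
  windir=$(find "$win" -maxdepth 1 -mindepth 1 -type d -iname windows | head -n 1)
  sys32="$windir/system32"
  # Assumed EXTRA.DAT location for VirusScan Enterprise 8.5i/8.7i.
  engine="$win/Program Files/Common Files/McAfee/Engine"

  # Refuse to touch anything that does not look like a Windows system volume,
  # and refuse to run without both repair files present.
  [ -n "$windir" ] && [ -d "$sys32" ] || { echo "no Windows\\system32 under $win; aborting" >&2; return 2; }
  [ -f "$src/EXTRA.DAT" ]  || { echo "EXTRA.DAT missing from $src" >&2; return 2; }
  [ -f "$src/svchost.exe" ] || { echo "svchost.exe missing from $src" >&2; return 2; }

  # Restore svchost.exe only if the 5958 DAT quarantined or deleted it;
  # an existing copy is left untouched.
  if [ -f "$sys32/svchost.exe" ]; then
    echo "svchost.exe present in $sys32; not replaced"
  else
    cp "$src/svchost.exe" "$sys32/svchost.exe" || return 1
    echo "restored svchost.exe to $sys32"
  fi

  # EXTRA.DAT is applied regardless so the false positive stops firing on reboot.
  mkdir -p "$engine" && cp "$src/EXTRA.DAT" "$engine/EXTRA.DAT" || return 1
  echo "copied EXTRA.DAT to $engine"
  return 0
}
```

Run it as `repair_svchost /mnt/win /mnt/express/SvcHost_Repair` after mounting both locations; a non-zero exit means nothing was changed (2) or a copy failed (1).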

WARNING: This solution should only be used on machines running Windows XP SP3. The job attached to this article does not use any conditions to determine whether or not the job should run on a machine. Do NOT run it on any other version of Windows! (Some checking, as described above, has been validated, which should minimize the potential for breaking existing systems.)