Archive - Topics from long ago

McAfee bad DAT file

12-03-2006, 20:04 by G-Force, 1 reply
Below is a message from the handler on duty reporting that
certain McAfee virus scanners received a bad DAT file with
one of the latest downloads. It concerns the 4715 DAT, which
wrongly flags a large number of legitimate files as the W95/CTX
virus. It is recommended to download the 4716 DAT or a later version, which corrects the problem. Below is the handler's text.
McAfee 4715 DAT False Positive Deletion Reports Follow-up (NEW)
Published: 2006-03-12,
Last Updated: 2006-03-12 18:57:12 UTC by Patrick Nolan (Version: 1)

Friday we started receiving reports of file deletion problems from admins
using McAfee AV: scans that were using the 4715 DATs issued Friday
were incorrectly identifying many executables as the W95/CTX virus.
Portions of the information submitted are excerpted below, and we thank
all of the admins who reported the problems which allowed us to get the
early problem alert out. Your reports and the Diary warning McAfee/NAI rolls
bad pattern helped many admins.

McAfee DAT 4716 corrects the problem, references W95/CTX and says:
"Users who have moved detected files to quarantine should restore them
to their original location. Windows users who have had files deleted
should restore files from backup or use System Restore.

Virusscan Online users can restore the falsely detected file from the
Manage Quarantined Files.."

ISC participants report excerpts:
"The 4715 dat files are incorrectly identifying multiple different files as
being infected with W95/CTX when scanned with the on-demand scanner
with the following products:

VirusScan Enterprise 8.0i
VirusScan Enterprise 7.1
VirusScan Enterprise 7.0
Managed VirusScan 4.0
Managed VirusScan 3.5
VirusScan Online 11
VirusScan Online 10
VirusScan 7.03 (consumer)

At this time you should cancel any scheduled on-demand scans until the
release of the 4716 DATs."

"Some example files are graph9.exe and excel.exe from office
2000" "....3700 files have been quarantined on over 100 pcs."

"We think McAfee's latest DAT file may be bad. They improved the
detection for several variants of the W95/CTX virus, and now our scanners
are detecting supposedly infected executables all over our network,
including on an original Microsoft Office 11 CD. Our guess is that this is a
false positive. If so, and your readers have quarantine or delete set as the
default action, the Virusscan will do more damage than a real virus would."

"attempted to remove files such as Dell OpenManage, Cygwin, perl,
Sysinternals pstools suite."

"anything that was in the PATH environment variable was targeted."

"Not only did it attempt to remove files in the %ORACLE_HOME%bin
directory, but also in the .patch_storage folder - so as far as oracle files,
this was not limited to the PATH environment variable."

"This was also capable of navigating mapped drives, so if you had a file
server setup as a common install location, if filesystem permissions
permitted modification of such files, you'll want to refresh the installation
files from the downloaded, compressed source file."

"[removed] ShavlikPro (commandline4.exe) and the entire SuperCACLs
suite from"

"I started getting reports that looked like a virus outbreak so I forced scans
on all the network machines. This turned out to make matters worse
because hundreds of files per machine were incorrectly identified as virus
infected and quarantined. Many hours will be spent restoring these files
from quarantine. Thankfully it was not set to delete the files."

"We had over 3700 quarantine events. I counted 297 individual file names."
Replies (1)
15-03-2006, 08:04 by jubo
McAfee has released a recovery utility:
W95/CTX Quarantine File Restore Utility.
CTXundo is a stand-alone utility that can be used to recover
from the false alarm on W95/CTX that was introduced in the
4715 dat files. This tool will only recover files that were
detected and then quarantined only with the VirusScan
Enterprise products. It will not recover files that may have
been deleted by any product or quarantined with VirusScan
Online, Managed VirusScan or LinuxShield.

A listing of the files detected is available here.

You can find information for this threat on the Virus
Information Library.

This post is locked. Replying is no longer possible.