We are in the middle of an upgrade going from 4.x to 5.2.5.
We have had a big increase in the number of machines that are getting the "endpoint encryption is not installed" error message that have 5.2.5. Some users have had the issue happen to them multiple times. Other than a potential MBR virus (getting one of the broken machines soon to investigate), has anyone noticed an issue with 5.2.5 having this problem in general?
The upgrade appears to run fine. The error occurs after the upgrade and new 5.2.5 builds, so I don't think it's a matter of having something attached to the computer during the upgrade. I am comparing MBRs on broken machines. Certain users continually get this error; this is the cause of concern. Virus/Malware causing this? I hope McAfee is able to do something with the 'broken' MBRs to determine what is causing this. It's becoming a concern here since it is occurring more frequently with 5.2.5.
From what I can see at this point from a broken machine....
It looks like the SafeBoot MBR has been overwritten. Sector 0 appears to have a non-SafeBoot MBR. Sector 1 is also populated with what appears to be a duplicate of sector 0 with slight differences. Sector 3 is populated with "Error loading virtualization module. Contact network administrator..... To boot to the Rescue and Recovery Environment, Press F11... There has been a signature failure"
Sectors 4-8 appear to have something else in them (all hex). I have multiple broken machines from the same user - the same broken MBR (and sectors 3-8) is on both broken machines. So it appears something the user is doing is triggering this.
What do I have here? I have no idea right now. Does anyone think this could be some sort of malware or rootkit causing this?
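The sector layout described in this post, as an added example that is not from the original thread: a small Python triage that reads a raw disk image and checks sectors 0-8 for the signs listed above (non-standard sector 0, a near-copy of it in sector 1, the error string in sector 3, data in sectors 4-8) and compares the boot area of two drives. The nine-sector window, the marker string and the near-copy threshold are assumptions taken from the post, and the sample image is constructed, not a real dump.

```python
# Added example (not from the original post): forensic triage of the first
# sectors of a raw disk image, looking for the pattern seen on the broken machines.
SECTOR = 512
BOOT_SIG = b"\x55\xaa"
# Text the post reports finding in sector 3 of the broken machines.
MARKER = b"Error loading virtualization module"
NEAR_COPY_MAX_DIFF = 25   # assumption: "slight differences" = under ~5% of the bytes

def sector(image: bytes, n: int) -> bytes:
    """Return sector n of a raw image (zero-padded if the image is short)."""
    return image[n * SECTOR:(n + 1) * SECTOR].ljust(SECTOR, b"\x00")

def triage_boot_area(image: bytes) -> dict:
    """Inspect sectors 0-8 and report the indicators described in the post."""
    secs = [sector(image, i) for i in range(9)]
    diff01 = sum(a != b for a, b in zip(secs[0], secs[1]))
    report = {
        "sector0_has_boot_signature": secs[0][510:] == BOOT_SIG,
        "sector1_diff_bytes": diff01,
        "sector1_near_copy_of_sector0": 0 < diff01 <= NEAR_COPY_MAX_DIFF,
        "marker_in_sectors": [i for i, s in enumerate(secs) if MARKER in s],
        "nonzero_sectors_4_to_8": [i for i in range(4, 9) if any(secs[i])],
    }
    report["suspicious"] = bool(report["marker_in_sectors"]) or report["sector1_near_copy_of_sector0"]
    return report

def same_boot_area(img_a: bytes, img_b: bytes, count: int = 9) -> bool:
    """True if the first `count` sectors of two images are byte-identical."""
    return all(sector(img_a, i) == sector(img_b, i) for i in range(count))

def build_image(infected: bool) -> bytes:
    """Constructed 9-sector sample image (not a real dump) for trying the triage."""
    code = bytes((i * 37 + 11) & 0xFF for i in range(440))        # stand-in bootstrap code
    mbr = code + b"\x00" * 70 + BOOT_SIG                            # + disk id/partition table + 55AA
    if not infected:
        return mbr + b"\x00" * (SECTOR * 8)                         # sectors 1-8 empty
    s1 = bytearray(mbr); s1[0x10:0x13] = b"\x90\x90\x90"            # sector 1: copy with slight changes
    s3 = (MARKER + b". Contact network administrator.").ljust(SECTOR, b"\x00")
    payload = bytes((i * 13) & 0xFF for i in range(SECTOR * 5))    # sectors 4-8: opaque data
    return mbr + bytes(s1) + b"\x00" * SECTOR + s3 + payload

if __name__ == "__main__":
    for label, img in (("clean", build_image(False)), ("broken", build_image(True))):
        print(label, triage_boot_area(img))
```

To run it against a real drive, read the first 9 * 512 bytes from a write-blocked image file and pass them to triage_boot_area; run same_boot_area on two such reads to confirm whether two machines carry the same boot area.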
More information... User appears to have had "White Smoke" installed before the machine was rebooted and broke. From what I have read White Smoke is an MBR virus. I assume what has happened is a new variant is out in the wild that McAfee Virus Scan does not pick up, machines get infected and break....
I used TDSSKiller from Kaspersky and it found a rootkit on the infected drive (just slaved the drive and it was still able to read the infected MBR). I quarantined the files and submitted them to McAfee (not detected by McAfee). Detected as Win32/Alureon.MBR, Rootkit.Tdss.AW, etc. by other vendors.
Scan results from one of the files --> http://www.virustotal.com/file-scan/report.html?id=40914dfd49a3a0df1c4aa0cf867450762a3ac16d398a2559d...
I will post when this variant is caught and cleaned by McAfee. Thanks for listening, you have been a great crowd!
Message was edited by: cdobol on 12/15/10 10:29:02 AM EST