Wondering if anyone can help. We have several computers that run McAfee Total Protection for Small Business that have become infected with Sality.NAR (according to a NOD scan). All automatically update their AV defs.
Unfortunately, the first thing that happens is McAfee gets disabled and you can't re-enable it. You can't reboot into safe mode (try and it just reboots) without doing a Windows repair, and if you uninstall McAfee you can't get it re-installed (can't even copy the install binary to the machine, or even get to the McAfee website!).
We have installed AVG which detects the threat as Tanatos.M (which fits none of the symptoms and seems unlikely) and has a go at repairing but doesn't get it completely removed.
We did get McAfee re-installed on one PC after the NOD scan, which sort of worked, but the machine keeps getting reinfected and McAfee keeps getting disabled again. We have completed some McAfee scans; they found Sality and apparently removed it, then McAfee got disabled again and the virus was still there if you recheck.
On another PC (after AVG) we cannot install McAfee; it's the same problem as when trying to reinstall prior to running AVG on all the PCs (it gives a .cab file warning telling us to upgrade our IE, despite being on the latest versions).
We are having a similar problem, but our detected threats are W32/Sality.stub, W32/Sality.ad, and W32/Sality.dll. This is a large Enterprise, so this nasty has spread quickly to thousands of machines and many servers.
So far, for us, it only affects machines that are not protected with McAfee, or have the local McAfee related services disabled. We have been able to isolate Sality somewhat by strengthening the On-Access scanning policies on the File Servers. We used the AVG removal tool just as you did on some machines with success. However neither the CMA (agent) nor VirusScan Enterprise will install on a box (client or server) that was previously infected with Sality.
I have noticed that McAfee's application installers are no longer able to add the required registry settings to create services. I'll be digging into this more as time allows and post findings and an example Framework install log.
Just a thought.. Have you tried updating the corporate 8.5i VirusScan to the newest release of the 5300 Scan Engine..? It was released for manual download last week and won't be activated in the full/automatic updates for a couple of weeks. I've now installed it on about 40 machines and it seems to work well. It might be worth a try to manually install the 5300 scan engine on an infected computer and run the scan with the new virus defs.. Maybe it will remove the problem correctly. (The manual scan engine update won't work correctly on the retail versions of McAfee because they use a different type of updater.)
As to a fix for your inability to reinstall McAfee, after you've removed the virus and are sure it's not in the system restore volumes (be sure to check for the .dll files mentioned in the "W32/Sality.ad" link above), have you tried running SR back to a time when things were functioning correctly..? It may remove those registry blocks which are preventing McAfee from installing.
Thanks, Grif, for the great ideas. I haven't upgraded the engine in quite a while; I'll definitely get the clients upgraded. Actually, our existing products do find and remove Sality before infection. However, we are in a rollout phase with the workstations (client scope) and have about 11,000 more to upgrade. Those machines have CA eTrust on them, and eTrust is allowing them to get infected, making our rollout difficult.
The server scope is done; however, unlike the client side (which is really locked down), Access Protection is not enabled on servers (company policy). So our app owners, web support, DBAs and developers can disable McAfee services at will.
With so many machines, I have to script everything. I'll have to play with an infected machine a bit to see if I can script a pre-scan/repair/rollback before pushing the agent. No rollback on servers though... we are rebuilding those.
A note on this particular virus.. One of the primary ways of spread is its ability to check for network shares, and once found, the .exe and .scr files on the "shared" directories are then infected as well. If you haven't already, strengthen the security for the shared directories..
In addition, since this particular virus can be dropped by other malware, it might be a good idea to check for spyware type issues by using the free removal tool below.. Performing a full cleanup with the tool might allow McAfee to install correctly. Still, on 11,000 machines, it might not be a workable solution.
Thanks very much for the reply. I think (with the help you provided) that the virus is gone after running AVG a couple of times. Total Protection is up and running and things appear to be running fine. I really appreciate you saving me a $100 trip to the repair shop!
We were concerned about a national McAfee rollout to thousands of unprotected workstations & laptops with a known Sality outbreak. I pulled the trigger anyway and deployed the agents. Less than 5% of the launch failed, and VSE 8.5i cleaned up our field environment very well.
Sality continues to show up here and there on our server network, but it's getting better. Some things that helped us:
If you choose to scan default files only with the On-Access scanner, make sure you add TMP files to the list. Sality spread from server to server on our network via Admin users' TMP files.
Don't leave McAfee services unprotected. We found application server owners disabling McShield as a part of a 'standard troubleshooting step' and then leaving it disabled. Use the access protection feature.
Definitely make sure you have the 5300 engine deployed throughout, with updated DATS.
Sality did corrupt some shared-use executables on our network, rendering them useless after a virus clean. Leaving them infected, the applications would still operate, but the virus would continue to spread.
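A scripted check for the two gaps the last post describes (McShield left stopped or disabled on servers, and freshly written .exe/.scr/.tmp files on shares that Sality uses to spread). This is an added example, not code from the thread or from McAfee; it assumes Windows PowerShell 5.1 with remote service queries allowed, and the host names and UNC paths are placeholders to replace with your own.

```powershell
# Added example (not from the thread): audit McShield state on a list of
# servers and list recently modified .exe/.scr/.tmp files on shares.
# Assumptions: Windows PowerShell 5.1 (Get-Service -ComputerName), remote
# service queries permitted, and placeholder host/share names below.
$Hosts  = @('FILESRV01', 'APPSRV02')                  # placeholder names
$Shares = @('\\FILESRV01\Apps', '\\FILESRV01\Tools')  # placeholder UNC paths
$Since  = (Get-Date).AddDays(-1)                      # look-back window

# 1. Which servers have the on-access scanner stopped or set to Disabled?
$serviceReport = foreach ($h in $Hosts) {
    try {
        $svc = Get-Service -ComputerName $h -Name 'McShield' -ErrorAction Stop
        [pscustomobject]@{
            Host        = $h
            Status      = $svc.Status
            StartType   = $svc.StartType
            Unprotected = ($svc.Status -ne 'Running' -or $svc.StartType -eq 'Disabled')
        }
    } catch {
        # A missing or unreachable McShield is itself a finding: VSE was
        # never installed, was removed, or the host cannot be queried.
        [pscustomobject]@{ Host = $h; Status = 'Unknown'; StartType = 'Unknown'; Unprotected = $true }
    }
}
"Servers with McShield not running or disabled:"
$serviceReport | Where-Object Unprotected | Format-Table -AutoSize

# 2. Executables and screensavers (the file types Sality infects on shares)
#    plus TMP files (the carrier the thread observed) written since $Since.
$fileReport = foreach ($share in $Shares) {
    Get-ChildItem -Path $share -Recurse -File -Include '*.exe', '*.scr', '*.tmp' -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Since } |
        Select-Object FullName, Length, LastWriteTime
}
"Recently modified .exe/.scr/.tmp files on shares:"
$fileReport | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
```

Run it from a management host on a schedule; a server that keeps reappearing in the first table is the "standard troubleshooting step" problem the post describes, and a burst of rewritten .exe files on one share is worth a targeted scan before the share is used again.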