cancel
Showing results for 
Search instead for 
Did you mean: 
pfarrell
Level 7
Report Inappropriate Content
Message 21 of 194

Re: W32/Wecorl.a 0-day?

Thanks.  Where do we look for the information?

ajacobs
Level 12
Report Inappropriate Content
Message 22 of 194

Re: W32/Wecorl.a 0-day?

We are working on sending out a message through Support Notification Service (SNS) now.

To sign up for SNS, go to: http://my.mcafee.com/content/SNS_Subscription_Center

I will also respond to this thread.

andregca
Level 7
Report Inappropriate Content
Message 23 of 194

Re: W32/Wecorl.a 0-day?

I don't see the option rollback dats on my Virusscan Console (Viruscan Enterprise + Antispyware Enterprise 8.7.0i).

Any further hints?

Highlighted
PhilR
Level 12
Report Inappropriate Content
Message 24 of 194

Re: W32/Wecorl.a 0-day?

Oh dear, McAfee KB is slashdotted.

This hasn't affected my XP SP3 box, even though it had been running 5958 for two hours before I rolled back the DAT file.

That implies that I have a config which somehow "saved" my PC.

So what are the necessary conditions to cause this problem?

Re: W32/Wecorl.a 0-day?

Did McAfee remove the bad DAT from the download page?

I see

5958xdat.exe(Windows-Intel)readme.txt4/21/1062.89English

Does anyone know if this is a good or bad DAT?

Thanks,

Tahir

pfarrell
Level 7
Report Inappropriate Content
Message 26 of 194

Re: W32/Wecorl.a 0-day?

I would imagine they would bump the definition number to 5959 and not reuse the old one.

Mal09
Level 12
Report Inappropriate Content
Message 27 of 194

Re: W32/Wecorl.a 0-day?

Indeed. 5959 will be issued sometime in the next few hours. (Not official advice from McAfee - just the way these things work)

rastan01
Level 8
Report Inappropriate Content
Message 28 of 194

Re: W32/Wecorl.a 0-day?

Anyone have a good way of fixing this without touching every PC that got the update?  Currently, we are goint to each PC, running shutdown -a, and then rolling back the driver.  Even when an updated version comes out, I don't think there will be enough time for the PC to get the file and apply it before it reboots.

Mal09
Level 12
Report Inappropriate Content
Message 29 of 194

Re: W32/Wecorl.a 0-day?

psexec.exe from Sysinternals.com http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx ?

Set the local directory to be the Windows one, copy the file etc etc. Or create a batch file to pull it from a share on another machine.

That is assuming that a) The correct services are running on the machine to use PSEXEC, and b) that Windows File Protection doesn't stop the copy.

Also you would probably need to consider versions of the file affected. In a corprate environment this shouldn't be a biggie.

You can get a list of affected machines from EPO, and make them into a list to use with PSEXEC.

Message was edited by: Mal09 on 21/04/10 16:21:10 GMT

Re: W32/Wecorl.a 0-day?

Does anyone has step by step recovery for the clients which are affected and are in constant reboot cycle mode?

Thanks,

--Tahir

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community