Before you remove the attachment and link to https://kc.mcafee.com/corporate/index?page=content&id=KB68780 again please make sure that page is accessible. It's not currently. I've been trying to load it for 5 minutes. The support tech that I opened the incident with asked me to post that file in the forums which is why I did so.
Looks like a lot of networks were affected by the 5958 DAT causing all kinds of havoc.
There is no immediate fix from McAfee yet, but what you need to do is roll back to the previous DAT.
I'm using EPO 4.5 console, and this is what I've done:
Login to your epo console, and disable your updating.
Menu > Policy > Policy Catalog
From the Drop down, select McAfee Agent as your product. It will refresh and show you your Assignments.
Look for one called My Default, Edit Settings.
Click on Repositories.
In the Repositories List, disable any and all repositories from being updated, Save.
Next go to Updates.
check on DAT file downgrades: check off: Enable DAT file downgrades when the version in the repository is older than local version.
You will need to do this for the policies other than My Default (if you have any).
Now to roll back a DAT...
You need to go to your Master Repository, and select the change branch on the DAT file previous to the 5958 (hence 5957, 6) and move it to current branch.
Perform a DAT upgrade.
I also found this KB to be useful; https://kc.mcafee.com/corporate/index?page=content&id=KB59840
I've been on support waiting for an agent since 1:16 minutes, they are getting slammed with this stuff. LOL.
Good luck to all the admins out there battling this.
McAfee has released the 5959 DAT but we have found that the svchost.exe file has become corrupted and needs to be manually replaced which we have done by slaving the affected hard drive to a clean machine and copying an uncorrupted svchost file to the Windows\System32 folder. Does anybody know a way to copy the file on the fly while still logged on to Windows?
I think McAfee should include this fix in their update since they broke the svchost file in the first place. It probably wouldn't be hard to do but would no doubt require a reboot. Are you listening McAfee?!
I love how in the AP news release McAfee isn't aware of any significant impact on consumers? Their phone lines were jammed all morning, the forums went down for hours due to the traffic load, but hey they aren't aware of any impact..
We wrote a batchscript which we deployed with novell, here it is (test still in progress, but should work).
It checks the version of the .dat file - if 5958 (hex 0x1746) then the fix will be supplied.
It also checks if it is a Win2k OS.
We kill the "svchost.exe" process twice, because the svchost.exe sometimes starts very fast so the copy action fails.
Hope it will help!
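REM Read the installed DAT version from the registry (third token of the reg query output)
for /f "tokens=3 delims= " %%i in ('reg query HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\AVEngine\ /v AVDatVersion') do set control=%%i
REM Only continue on the 5958 DAT (0x1746); quotes keep the test valid if the value is empty
if NOT "%control%"=="0x1746" goto done
REM Skip Windows 2000 machines (C:\WINNT)
if exist C:\WINNT\explorer.exe goto done
REM Restore svchost.exe to system32 and dllcache, then apply the 5959 SuperDAT
xcopy \\SERVERNAME\APPS\APPS\INSTALL\MCAFEE\svchost.exe c:\windows\system32 /Y /R /H /G /C /K
xcopy \\SERVERNAME\APPS\APPS\INSTALL\MCAFEE\svchost.exe C:\WINDOWS\system32\dllcache /Y /R /H /G /C /K
\\SERVERNAME\APPS\APPS\INSTALL\MCAFEE\sdat5959.exe /logfile c:\virus.log /F /silent
:done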
btw: In Germany it is nearly midnight... We made all 8 long hours 😕 Thanks McAfee!
Message edited by koffy on 21.04.10 16:17:39 CDT
Message edited by koffy on 21.04.10 16:19:38 CDT
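As an added example (not code from any poster in this thread or from McAfee): a read-only triage check that could run before a blind copy like the one in the script above, reporting whether a machine is on the 5958 DAT and whether its svchost.exe is missing or differs from a reference copy. The KNOWN_GOOD path is a placeholder, and the reference file is assumed to come from a clean machine at the same Windows version and service pack.

```batch
@echo off
setlocal
REM Added example: report only, nothing is copied or killed.
REM KNOWN_GOOD is a placeholder path (assumption), not a path from this thread.
set "KNOWN_GOOD=\\SERVERNAME\SHARE\svchost.exe"
set "TARGET=%SystemRoot%\system32\svchost.exe"
set "DATVER="

REM AVDatVersion is printed by reg query as hex (0x1746 = 5958).
REM Default delimiters (space and tab) are used; the value line is the last
REM line with three tokens, so it wins over any header line.
for /f "tokens=3" %%i in ('reg query "HKLM\SOFTWARE\McAfee\AVEngine" /v AVDatVersion 2^>nul') do set "DATVER=%%i"

if not defined DATVER (
    echo %COMPUTERNAME%: AVDatVersion not found, skipping
    exit /b 0
)
if /i not "%DATVER%"=="0x1746" (
    echo %COMPUTERNAME%: DAT %DATVER% is not 5958, nothing to do
    exit /b 0
)
REM Without a reachable reference copy there is nothing to compare against.
if not exist "%KNOWN_GOOD%" (
    echo %COMPUTERNAME%: reference copy unreachable, no comparison made
    exit /b 2
)
if not exist "%TARGET%" (
    echo %COMPUTERNAME%: svchost.exe MISSING from system32
    exit /b 1
)
REM fc /b returns 0 when the files are byte-identical, 1 or higher otherwise.
fc /b "%TARGET%" "%KNOWN_GOOD%" >nul
if errorlevel 1 (
    echo %COMPUTERNAME%: svchost.exe DIFFERS from reference copy
    exit /b 1
)
echo %COMPUTERNAME%: svchost.exe matches reference copy
exit /b 0
```

Exit code 1 marks a machine that needs the file restored, 2 marks one that could not be checked; a DIFFERS result on a machine at a different patch level than the reference is expected and should be confirmed by hand.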
Here is another way. Create a batch file called Update.bat
copy "c:\program files\common files\mcafee\engine\oldengine\avv*" "c:\program files\common files\mcafee\engine\"
ECHO REBOOT PC NOW
1. Boot computer into safemode
2. Login as local administrator
3. Run update.bat file.
4. Once complete then reboot computer and it should login to the network fine.
If you are still having issues with SVCHOST copy from a clean XP workstation SP 3 and add it to a thumb drive and add another line to copy.
Add the following line to the bat file
copy svchost.exe c:\windows\system32.
Hope this helps.