jmcleish
Reliable Contributor
Message 171 of 194

Re: W32/Wecorl.a 0-day?

Have a look at this- this may explain why some machines were affected and some not

https://kc.mcafee.com/corporate/index?page=content&id=KB68787

Former Member
Not applicable
Message 172 of 194

Re: W32/Wecorl.a 0-day?

We have version 5.1.2600.5512 same file size as the article...I don't know what the MD5 stuff is or how to compare it though.

Again none of our machines were affected and all had dat 5958 until 5959 was released.

Re:

Have a look at this- this may explain why some machines were affected and some not

https://kc.mcafee.com/corporate/index?page=content&id=KB68787

pg13
Level 9
Message 173 of 194

Re: W32/Wecorl.a 0-day?

Our svchost.exe that was affected is on a French Windows XP, and the MD5 is not listed on that article. So maybe the list of MD5 is not comprehensive; at least from a language point of view it is not comprehensive.

Former Member
Not applicable
Message 174 of 194

Re: W32/Wecorl.a 0-day?

Update: Googled and checked the MD5 on our systems. It is: 27C6D03BCDB8CFEB96B716F3D8BE3E18, which the article lists as affected. This did not bite us. I'm still very curious as to why and if other folks out there were also unaffected. Obviously, people who had the problem are more likely to post.

There has to be some rhyme or reason why. I stick with policy defaults generally. Did people who had problems make significant changes?

Original post:

We have version 5.1.2600.5512 same file size as the article...I don't know what the MD5 stuff is or how to compare it though.

Again none of our machines were affected and all had dat 5958 until 5959 was released.

Re:

Have a look at this- this may explain why some machines were affected and some not

https://kc.mcafee.com/corporate/index?page=content&id=KB68787
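
Added example, not part of any post in this thread: one way to do the MD5 comparison discussed above, in Python. `KB_LISTED_MD5` holds only the hash quoted in this thread; the function names and the default svchost.exe path are assumptions. A `not-listed` result is inconclusive, since a poster above reports an affected French Windows XP svchost.exe whose MD5 was not in the article.

```python
import hashlib
import os
import re
import sys

# Hash quoted in this thread as one the KB article lists as affected.
# The full KB68787 list is not reproduced on this page; add its entries here.
KB_LISTED_MD5 = {"27C6D03BCDB8CFEB96B716F3D8BE3E18"}

_MD5_RE = re.compile(r"^[0-9A-F]{32}$")


def normalize_md5(text):
    """Uppercase and drop separators so hashes copied from different tools compare equal."""
    cleaned = re.sub(r"[\s:-]", "", text).upper()
    if not _MD5_RE.match(cleaned):
        raise ValueError(f"not an MD5 hex digest: {text!r}")
    return cleaned


def md5_of_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest().upper()


def check_file(path, listed=KB_LISTED_MD5):
    """Return (md5, verdict); 'not-listed' means unknown, not confirmed unaffected."""
    listed_norm = {normalize_md5(h) for h in listed}
    file_md5 = md5_of_file(path)
    verdict = "listed" if file_md5 in listed_norm else "not-listed"
    return file_md5, verdict


if __name__ == "__main__":
    # Assumed default location of svchost.exe; pass another path as the first argument.
    system_root = os.environ.get("SystemRoot", r"C:\Windows")
    default = os.path.join(system_root, "System32", "svchost.exe")
    target = sys.argv[1] if len(sys.argv) > 1 else default
    md5, verdict = check_file(target)
    print(f"{target}: MD5 {md5} -> {verdict}")
```
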

kink80
Level 12
Message 175 of 194

Re: W32/Wecorl.a 0-day?

Do you have the Processes on Enable option checked on your VirusScan Enterprise 8.7.0 > On-Access General Policies? I too had only a handful of machines out of several thousand that flagged svchost.exe as the W32/Wecorl.a. Of those all were discovered when an On demand Scan was initiated. Even after they found the svchost.exe to be a virus McAfee was denied access to the files but a reboot was forced.

Former Member
Not applicable
Message 176 of 194

Re: W32/Wecorl.a 0-day?

No, we did not check off Processes on Enable. We left the default of unchecked when we set it up. I've suspected that this is what saved us (as long as folks did not run an on demand scan). Though others have posted that they did not check this and still had problems.

kink80
Level 12
Message 177 of 194

Re: W32/Wecorl.a 0-day?

I just saw that on another post. http://community.mcafee.com/message/126228#126228 I do believe that not checking this option is why my machines were not affected by this problem. The problems they saw were probably the same as I experienced. (i.e. I just saw problems on machines that ran a scan while the 5958 DAT was in place.) Now the ~9000 machines that did get the 5958 DAT are all at 5959 or 5960 at this point.

pg13
Level 9
Message 178 of 194

Re: W32/Wecorl.a 0-day?

I saw somewhere else on the forum that the original release of VS 8.7 was shipped with Processes on enable turned off by default, but certain releases (VS 8.7 with patch 3 I think) were shipped with that setting on by default. That could explain the confusion and the non-consistency among those who are or are not affected.

Former Member
Not applicable
Message 179 of 194

Re: W32/Wecorl.a 0-day?

Ok, so sounds like I lucked out because mine are managed by EPO and we used the default EPO setting of off. I'm going to hope that is it, though I'm still a bit nervous about it.

pg13
Level 9
Message 180 of 194

Re: W32/Wecorl.a 0-day?

I wouldn't worry too much. I think that if you still haven't noticed anything wrong in your environment, then you really haven't been hit by this bug.

But I've been wrong before 🙂
