Re: VSE 8.8. 6807 DAT problem - urgent!

Yes, that is a way of testing, although with 10,000 endpoints it wouldn't be very practical.

Perhaps this is why McAfee have said this is a mandatory hotfix, to simply push to all endpoints so individual systems don't need to be tested to see whether they are impacted or not.

greebs
Level 7
Message 132 of 230

Re: VSE 8.8. 6807 DAT problem - urgent!

Ok, I have pushed the hotfix out to all machines now and all seems to be fixed. However, it seems that machines that have been off since before the problem began are not installing the hotfix (has been public holidays in Malaysia until today) - they have grabbed the latest 6811.0000, but don't install the hotfix. I assume this is normal?

jcain13
Level 7
Message 133 of 230

Re: VSE 8.8. 6807 DAT problem - urgent!

@nzmikewilson - Did you find a query that will give you info and status for the on access scanner?

Re: VSE 8.8. 6807 DAT problem - urgent!

@Jcain13: There's no native query that will do this. I'm seeing if I can achieve this another way, perhaps by using the custom property fields from the agent to populate from registry entries which show if OAS is disabled.

However, regarding this hotfix it doesn't matter anyway, as McAfee say "Even if OAS is enabled, it may not be functioning correctly."

I've pushed the 2Mb hotfix out to our servers, and workstations are still receiving it. The servers were on using DAT 6811, so after the hotfix was applied I did not see any evidence of the system pulling the FULL 100Mb dat file from the repository, as the KB says:

"This hotfix has a smaller initial footprint, but remediated systems will require a full DAT update as soon as possible."

The KB doesn't explain if the system will automatically pull the full DAT file from the repository, or if a client task needs to be created to pull the full 6811 DAT file (NOT the incremental 6811 version). Does anyone know the answer to this?

Running the SQL Query below shows the number of systems with hotfix 793781. If you pushed HF 793640 then enter that into the query instead.

select ln.nodename as Hostname, pp.productversion as Version, pp.hotfix as Patch, ps.value as Hotfix
from epoleafnode ln
join epoproductproperties pp on ln.autoid = pp.parentid
join epoproductsettings ps on pp.autoid = ps.parentid
where ps.settingname = 'Fixes' and ps.value like '%793781%'
order by hostname

mjmurra
Level 12
Message 135 of 230

Re: VSE 8.8. 6807 DAT problem - urgent!

nzmikewilson wrote:

"This hotfix has a smaller initial footprint, but remediated systems will require a full DAT update as soon as possible."

The KB doesn't explain if the system will automatically pull the full DAT file from the repository, or if a client task needs to be created to pull the full 6811 DAT file (NOT the incremental 6811 version). Does anyone know the answer to this?

Happens at the next update task. Client machine will report back to EPO at the next check-in that it has 1111 dat version, the usual client update task (when next scheduled) will upgrade the dat using the full dat file to the latest.

Re: VSE 8.8. 6807 DAT problem - urgent!

Thanks MJMurra! Perhaps I'll read the KB more carefully next time

Re: VSE 8.8. 6807 DAT problem - urgent!

Most of our users had shut down their machines early enough on Friday that they did not get 6707 or 6708. I have 6 machines that were on. I've updated those machines manually and rebooted them. I've checked the registry and they seem to be all set - onAccess scanning is back on. (keeping my fingers crossed).

Do I have to send the "THIS IS A MANDATORY HOTFIX" to the machines that went from 6706 to 6709?

Thank you!

Re: VSE 8.8. 6807 DAT problem - urgent!

kimberlynnh wrote:

Most of our users had shut down their machines early enough on Friday that they did not get 6707 or 6708. I have 6 machines that were on. I've updated those machines manually and rebooted them. I've checked the registry and they seem to be all set - onAccess scanning is back on. (keeping my fingers crossed).

Do I have to send the "THIS IS A MANDATORY HOTFIX" to the machines that went from 6706 to 6709?

Thank you!

I am also confused. Although we ran queries Monday and yesterday and could find only 3 machines with 0.0000 values, today I found one XP and one 2003 machine with On-Demand Scanner disabled by randomly accessing them.

The small HF793781 installed ok (manually) and fixed the issue. Why don't McAfee just say: "No matter what, this is a MANDATORY HF. Even if you have NOT deployed 6807/6708."

Still trying some random machines

Labnuke
Level 7
Message 139 of 230

Re: VSE 8.8. 6807 DAT problem - urgent!

McAfee has released VirusScan Enterprise Mandatory Security Hotfix 793781 — a second smaller hotfix to resolve the previously reported issue with DAT versions 6807 and 6808. This hotfix is approximately 2Mb and can be run locally or distributed via ePolicy Orchestrator and other third-party deployment tools.

Hotfix 793781 makes the same changes to VirusScan Enterprise as Hotfix 793640 (100Mb), but does NOT contain the full DAT file. After you deploy the hotfix, affected systems MUST receive a full DAT update.

For instructions on how to download and deploy this mandatory hotfix, see KB76004:

https://kc.mcafee.com/corporate/index?page=content&id=KB76004.

on 8/21/12 9:03:47 PM GMT-05:00
mjmurra
Level 12
Message 140 of 230

Re: VSE 8.8. 6807 DAT problem - urgent!

I ran the following query through EPO, which shows me which machines registered an update event against either of the faulty dats. After removing the duplicates, this leaves me with the number of potentially affected systems in my environment, and allows me to target resources directly at them.

<queries>
  <query>
    <name language="en">Dodgy Dat candidates</name>
    <description language="en" />
    <property name="target">EPOProductEvents</property>
    <property name="tableURI">query:table?orion.table.columns=EPOProductEvents.ProductCode%3AEPOProductEvents.HostName%3AEPOProductEvents.IPV6%3AEPOProductEvents.UserName%3AEPOProductEvents.version&amp;orion.table.order.by=EPOProductEvents.ProductCode%3AEPOProductEvents.HostName%3AEPOProductEvents.IPV6%3AEPOProductEvents.UserName%3AEPOProductEvents.version&amp;orion.table.order=az</property>
    <property name="conditionURI">query:condition?orion.requied.sexp=&amp;orion.condition.sexp=%28+where+%28+and+%28+or+%28+version_eq+EPOProductEvents.version+%226807.0000%22+%29+%28+version_eq+EPOProductEvents.version+%226806.0000%22+%29+%29+%28+eq+EPOProductEvents.ProductCode+%22VIRUSCAN8800%22+%29+%29+%29</property>
    <property name="summaryURI">query:summary?orion.sum.query=false&amp;orion.query.type=table.table</property>
  </query>
</queries>

(The SQL version is:

select [EPOProductEvents].[ProductCode], [EPOProductEvents].[HostName], [EPOProductEvents].[IPV6], [EPOProductEvents].[UserName], [EPOProductEvents].[version], [EPOProductEvents].[AutoID]
from [EPOProductEvents]
where ( ( ( [EPOProductEvents].[verMjr] = 6807 and [EPOProductEvents].[verMin] = 0000 ) or ( [EPOProductEvents].[verMjr] = 6806 and [EPOProductEvents].[verMin] = 0000 ) ) and ( [EPOProductEvents].[ProductCode] = N'VIRUSCAN8800' ) )
order by [EPOProductEvents].[ProductCode] asc

)

The next obvious step is to cross-reference this with systems that have had the Hotfix applied (probably through SQL), to give a list of machines that are noted as being on the bad dat versions and to target these specifically.
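
The cross-reference described in the post above, as an added example that is not part of the original thread: it combines the two SQL queries posted earlier, using only the tables and columns they show. Matching EPOProductEvents.HostName to epoleafnode.nodename is an assumption, as is treating either hotfix number (793781 or 793640) in the 'Fixes' setting as remediated.

```sql
-- Added example (not from the thread): hosts that logged an update event for
-- one of the DAT versions in the posted event query and do not yet report
-- either hotfix in the VSE 'Fixes' setting.
-- Assumption: EPOProductEvents.HostName matches epoleafnode.nodename.
select distinct ev.HostName
from EPOProductEvents ev
where ev.ProductCode = N'VIRUSCAN8800'
  and ev.verMin = 0
  and ev.verMjr in (6807, 6806)   -- same versions as the posted query; adjust to the DATs you are tracking
  and not exists (
        select 1
        from epoleafnode ln
        join epoproductproperties pp on ln.autoid = pp.parentid
        join epoproductsettings ps on pp.autoid = ps.parentid
        where ln.nodename = ev.HostName
          and ps.settingname = 'Fixes'
          and (ps.value like '%793781%' or ps.value like '%793640%')
  )
order by ev.HostName;
```

Hosts returned here are the ones still needing the hotfix; hosts that never logged an event for those versions are outside this list and would need the broader hotfix query to confirm coverage.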
