bostjanc
Level 10
Message 141 of 230

Re: VSE 8.8. 6807 DAT problem - urgent!

Greetings!

"Luckily I had a day off yesterday", now when I'm reading these n posts I see that even uninstalling VSE does not make 100% sure that everything is fixed.

Hear my scenario.
When I found out which machines were affected (those machines that were turned on during the weekend and received the 6807 or 6808 update),
my approach was:
* push 6809 to all PCs - which did not help
* then I decided to TAG problematic PCs and push the task from ePO to remove VSE
* wake up agents
* and a task to deploy vse again
* wake up agents
* and push full product update
* remove the TAGS

Now reading these posts, some of you say it was not enough? Explain, plz.

-If I look through queries and reports to see if there are any PCs left with VSE engine 0.0000, the result is none.

-Some of you say that even if the engine on the problematic machines is not 0.0000 anymore and OAS is not disabled, I should check with EICAR.

OK, here comes another problem. I tagged those problematic machines before the remove/install of VSE, but when I had finished the tasks and checked whether there were any 0.0000 engine versions, I removed the "problematic" tags from those machines.

So I only remember a few names of the machines that were tagged. I went to those machines with RDP and ran: http://www.rexswain.com/eicar.com and McAfee threw a lovely warning message.

Questions:
-So in my case, do I still need to push

* both fixes: Hotfix 793781, Hotfix 793640.

* Only one of them?

* Or none?

-How can I check now if everything works fine, because

* I don't have a disabled icon of VSE OAS anymore,

* no machines with a 0.0000 engine version,

* and no tags on the machines which were affected by 6807/6808

???

with best regards

Labnuke
Level 7
Message 142 of 230

Re: VSE 8.8. 6807 DAT problem - urgent!

The query you show - btw thanks for sharing - can it be imported into EPO 4.6? If so, what format does it have to be saved as to import?

When I save it as an XML file and try to import, I get the following error:

The query could not be imported because the uploaded file is either corrupt or in an unexpected format. Click "OK" to return to the "Queries" page.

on 8/22/12 6:53:46 AM GMT-05:00
mjmurra
Level 12
Message 143 of 230

Re: VSE 8.8. 6807 DAT problem - urgent!

Labnuke wrote:

The query you show - btw thanks for sharing - can it be imported into EPO 4.6? If so, what format does it have to be saved as to import?

When I save it as an XML file and try to import, I get the following error:

The query could not be imported because the uploaded file is either corrupt or in an unexpected format. Click "OK" to return to the "Queries" page.

on 8/22/12 6:53:46 AM GMT-05:00

Seems like the forum software has mangled the XML (should have attached it - not pasted it). It came from 4.5 btw. There's a few extra spaces and the wrapped lines should be on one line.

To recreate, create a new query using Product Events, choose table format, select the fields: Hostname, productcode, version (optionally add in username).

In filters, select product and make it equal to VIRUSSCAN8800, choose version equals 6807.0000 or equals 6808.0000.

I think that will work (although not near an EPO server at the moment to verify).

Message was edited by: mjmurra on 22/08/12 10:24:37 PM

Re: VSE 8.8. 6807 DAT problem - urgent!

I have tested the smaller HF on a system that is not affected by this problem, and it does not reset the DAT to 1.1111. So it works fine.

I have a question. We know that systems that did not get the 6807 or 6808 DAT are not affected, but do ALL the systems that got either one of these DATs have problems?

I know that we have to deploy the HF on all of them, but I have found one system (Windows 2008 R2) that got both DATs and the EICAR test is fine.

mjmurra
Level 12
Message 145 of 230

Re: VSE 8.8. 6807 DAT problem - urgent!

phl92812 wrote:

I have a question. We know that systems that did not get the 6807 or 6808 DAT are not affected, but do ALL the systems that got either one of these DATs have problems?

Not every machine was affected. AFAIK, there are basically four scenarios:

- Client never touched 6807/6808 - All good.

- Client had one of those versions installed - On-Access Scanner disabled.

- Client had one of those versions installed - On-Access Scanner not disabled, but won't detect viruses. [EPO may or may not show correct version of dat installed]

- Client had one of those versions installed - On-Access Scanner not disabled, will detect viruses.

The one that concerns me the most is the third one above. It's what my personal work machine had happen - and I ran through all of the checks noted in the technotes and none of them failed. After applying the first fix, this did resolve the issue.

I believe reboots and many other factors affected what is seen by clients.
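
The four scenarios listed above can be tracked per host from exported event history, so the list of exposed machines does not depend on tags that may already have been removed. This is an added example, not part of the thread and not a McAfee tool; the CSV column names, host names and check results are constructed assumptions, while the product code and DAT versions are the ones given for the query earlier in the thread.

```python
import csv
import io

PRODUCT_CODE = "VIRUSSCAN8800"                  # filter value from the thread's query
BAD_DAT_VERSIONS = {"6807.0000", "6808.0000"}   # filter values from the thread's query

# Constructed sample of an exported Product Events table (column names assumed).
EVENTS_CSV = """Hostname,productcode,version
PC-001,VIRUSSCAN8800,6806.0000
PC-002,VIRUSSCAN8800,6807.0000
PC-002,VIRUSSCAN8800,6809.0000
SRV-003,VIRUSSCAN8800,6808.0000
SRV-004,VIRUSSCAN8800,6807.0000
SRV-004,VIRUSSCAN8800,6808.0000
PC-005,OTHERPRODUCT,6807.0000
PC-006,VIRUSSCAN8800,6808.0000
"""

# Constructed per-host results: (OAS enabled, EICAR detected); None = not tested.
CHECKS = {"PC-002": (False, None), "SRV-003": (True, False),
          "SRV-004": (True, True), "PC-006": (True, None)}

def hosts_that_received_bad_dat(csv_text):
    """Every host that ever reported 6807/6808, regardless of what it runs now."""
    hosts = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if (row["productcode"].strip() == PRODUCT_CODE
                and row["version"].strip() in BAD_DAT_VERSIONS):
            hosts.add(row["Hostname"].strip())
    return hosts

def classify(host, exposed, checks):
    """Map a host onto the scenarios from the post above."""
    if host not in exposed:
        return "never touched 6807/6808"
    oas_enabled, eicar_detected = checks.get(host, (None, None))
    if oas_enabled is None:
        return "exposed: not yet checked"
    if not oas_enabled:
        return "exposed: On-Access Scanner disabled"
    if eicar_detected is None:
        return "exposed: OAS enabled, EICAR test still needed"
    if not eicar_detected:
        return "exposed: OAS enabled but not detecting"
    return "exposed: OAS enabled and detecting"

if __name__ == "__main__":
    exposed = hosts_that_received_bad_dat(EVENTS_CSV)
    for host in sorted(exposed | {"PC-001"}):
        print(host, "->", classify(host, exposed, CHECKS))
```

A host that later moved to 6809 (PC-002 in the sample) still counts as exposed, because the decision is made on event history rather than on the currently installed DAT.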

Re: VSE 8.8. 6807 DAT problem - urgent!

The question that is still unanswered is, what happened when the 2 false DATs were loaded. For me they must have screwed up something that is fixed with the HF, but what exactly happened? It could not be the DAT only.

Maybe someone of you knows...

TIA

Thomas

runcmd
Level 10
Message 147 of 230

Re: VSE 8.8. 6807 DAT problem - urgent!

@Thomas_RCC

Root cause is in the hotfix release notes.  If I understand it correctly, the two DATs in question were released with new certificates and many VirusScan clients did not accept the new cert.

Message was edited by: runcmd on 8/22/12 10:01:28 AM EDT
Labnuke
Level 7
Message 148 of 230

Re: VSE 8.8. 6807 DAT problem - urgent!

Seems interesting to me that it did not cause any issues in VS8.7. Guess that version doesn't use certs to confirm DAT origination.

Labnuke
Level 7
Message 149 of 230

Re: VSE 8.8. 6807 DAT problem - urgent!

Thanks for clarifying your query. I misunderstood the purpose of the query - I thought it was to look for the "fixes" property on systems and not DAT versions. Thank you for sharing though.

Re: VSE 8.8. 6807 DAT problem - urgent!

Still having big problems with 2003 Servers, they've had the first hotfix and the 6011 DAT, but right clicking on the M and selecting About... doesn't show ANY dat or engine info. About VirusScan Enterprise also not showing DAT or engine info.
