5 Replies Latest reply on Jan 24, 2011 7:06 PM by Kelvinh4au

    Virus scan Enterprise 8.0.0 update infected with trojan

      I have an issue with McAfee 8.0.0 where the updated virus profile .dat file is infected with a trojan. I use Malwarebytes to scan it, and it always finds that the updated McAfee antivirus profile is infected. It appears that the last good update is way back on Aug 19, 2009. Anyone have any clues how to fix this?

        • 1. Re: Virus scan Enterprise 8.0.0 update infected with trojan
          tonyb99

          VSE 8.0 finished support in 2008, when users were advised to upgrade. The last version 1 DAT came out March 31st 2010 and there are no others after this, as all DATs are now version 2 DATs, which v8.0 doesn't support.

           

          Assuming you have a valid support contract, you want to update to VSE 8.7, the current main version (although 8.8 has just been released).

          • 2. Re: Virus scan Enterprise 8.0.0 update infected with trojan

            I followed up with a bit more research and found that it is indeed out of date. The amazing thing is, the antivirus doesn't give any warning that it's out of date. I contacted our own help desk (contracted out to IBM), who suggested I download the .dat file direct from McAfee and that should solve it. So great help they were. It does have a valid license, but when I go to the update link for McAfee it asks for a 'grant license'. I have asked our help desk for the number. I'm assuming they have an agreement to allow access for updates in this manner.

             

            A bit of information for anyone else suffering from this problem. It appears that the update utility gets hijacked and runs to import a trojan. If you run Malwarebytes it finds the infected update file and then removes it. But of course the antivirus update utility runs again and puts it straight back. In my case the antivirus has been password locked and so changing any settings is not possible, hence I cannot turn off the update. I have instead renamed the destination directory to something else. I don't want to uninstall the program at this stage as I'm sure I need a valid installation to perform an online update to a new version.

             

            Cheers,

             

            Kelvin

            • 3. Re: Virus scan Enterprise 8.0.0 update infected with trojan
              tonyb99

              You will need whoever provided your software to update it, either by giving you a preconfigured installer or using a management tool like an ePO agent to install the software automatically. It's unlikely they would provide you with their grant number directly. You need to raise with your service centre that you are basically not covered at all, as that far in program and definitions out of date it's not doing much of anything and hasn't been for some time.

               

              If they advise you it's going to take a while, then get the VSE itself off from Add/Remove Programs (leave the McAfee agent/ePO agent if you have one installed) and throw one of the free packages (like MS Security Essentials) on in the meantime until you can get them to provide the latest supportable version, then do some serious scanning. Malwarebytes is a good start point; you may also want to try the Microsoft online scanner.

               

              Out of interest, what OS and patch level are you on?

              • 4. Re: Virus scan Enterprise 8.0.0 update infected with trojan
                Regis

                Hi Kelvin,

                 

                Sorry to hear of your struggles with this -- getting owned through an update utility is no fun.

                 

                There's a tool that's been around for a few years now known as Evilgrade -- it aims to own machines by way of a variety of software update utilities. I'm not sure if they have a module to hijack McAfee updates in this way, but forensically speaking, I'm curious if perhaps it was something like this that may have attacked your 8.0 installation?

                 

                http://www.zdnet.com/blog/security/evilgrade-exploit-toolkit-pwns-insecure-online-updates/1576

                by http://www.infobytesec.com/ They have a PDF slide presentation on Evilgrade. If you'd prefer a PDF you might better trust, google up Francisco Amato - evilgrade - ENG and use Google's quick view to view the PDF.

                 

                However, I don't see that there's a module for McAfee in Evilgrade.

                • 5. Re: Virus scan Enterprise 8.0.0 update infected with trojan

                  I have removed the old antivirus (version 8.0.0 patch 14) and loaded MS Security Essentials and run a full scan. I have also made sure I have the latest MS security updates. I have done a full scan with both MSE and Malwarebytes and removed any threats (mostly tracking cookies). I also ended up removing the firewall as it would block everything no matter what settings it was on. In the end it was useless as it had to be turned off. I will wait till I get some sort of download agent from our own help desk (when they wake up, as they still haven't caught on that McAfee 8 is no longer supported) before attempting to replace the free MSE I'm using. I have also loaded 'free superantispyware'. Added to the problem, I'm working in Batam, Indonesia, so I can only use a slow net connection to do anything. MSE took a number of hours to load and update.

                   

                  Thank you all for your help (quicker and better than our own help desk).

                   

                  Cheers,

                   

                  Kelvin