11 Replies Latest reply on Jul 8, 2009 4:03 AM by hwo

    Servers BSOD after latest patches

      Hello all,

      We have a problem on several servers after installing the latest patches:
      two servers are: W2k AS SP4 with McAfee VSE 8.7 Patch 1 and hotfix
      one server: W2k AS SP4 with McAfee VSE 8.5 Patch 8 and hotfix

      All servers are domain controllers and have Exchange 2000 SP3 installed.

      The blue screen comes with these parameters:
      STOP 0x0000001E (0xC0000005,0x8046E3B2,0x00000000,0x00000000)

      Uninstalling McAfee and installing the version before the last patch solves the problem.

      Please help
        • 1. RE: Servers BSOD after latest patches
          Same problem, see here:

          http://community.mcafee.com/showthread.php?t=231901

          The problem is that the last McAfee DAT has false positives on some files, including system files...

          I SUGGEST YOU DO NOT REBOOT THE SERVER UNTIL A SOLUTION IS PROVIDED BY MCAFEE.

          I have contacted Virus_Research@avertlabs.com
          • 2. W32/Sality.gen
            Hi, after the update to 5664 and a reboot of the server I can confirm two things happening:

            1. Backdoor install of NTRootkit-AB in C:\windows\system32\drivers\khplmn.sys
            2. An immediate infection of all .EXE files with the W32/Sality virus.

            Unfortunately this thread is serious, as I scanned drives with another virus scanner and it found the same virus!

            This means two things: 1. McAfee rolled out a manipulated DAT upgrade without noticing.
            2. McAfee update servers must have been compromised!

            I also suggest that, under NO circumstances, you reboot any machine installed with updates 5664 - 5667.

            Additionally I highly recommend running a full scan of all drives with a 3rd party virus scanner!

            If McAfee support needs any files/dumps, please let me know what I can give you to provide a solution ASAP.
            • 3. RE: W32/Sality.gen
              ^ Scammer/spammer, or somebody who really has an issue?
              • 4. RE: W32/Sality.gen
                tonyb99

                I have been running full scans with 5664/5665/5666 and 5667 DATs since Friday and over the weekend and have found nothing of the sort on w2330/xpsp2/3. I think you may just have had a compromised server if the files are showing as infected with a 3rd party tool. I have had no issue with the DATs or McAfee servers apart from the 5664 false positive with the 5100 engine on one old build PC as it upgraded.
                • 5. RE: W32/Sality.gen
                  Well, before 5664 we did not have a single virus warning on the network. I will investigate further. Thanks for your feedback.
                  • 6. RE: W32/Sality.gen
                    tonyb99
                    What third party scanner did you use and what was the McAfee Sality variant?

                    You can check the DAT readmes at http://vil.nai.com/vil/DATReadme.aspx to see when enhanced detection for that variant was updated or released.

                    I usually find that McAfee have just released an enhanced detection any time I get lots of hits showing up all of a sudden.
                    • 7. RE: W32/Sality.gen
                      W32/Sality.gen.

                      We traced the worm back to an infected workstation, so I don't think it has anything to do with the McAfee updates. This was just a coincidence, reported to us as a "false positive" while actually it was a real outbreak!
                      We were able to fix the outbreak thanks to AVG's Sality removal tool.

                      Apologies to McAfee for being too jumpy on that.
                      • 8. RE: W32/Sality.gen
                        tonyb99
                        Sality is a b**ch when it gets to server executables, my commiserations.
                        • 9. Sality is a B****
                          Any suggestions on how to get it removed from a network? All clients are running the 5669 DAT now and still it's not completely removed. The tool from AVG, rmslt.exe, seems not able to clean all files, which I do not care about, but any suggestions on how to address a threat like this?

                          Thanks for anything
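The thread never reaches a concrete method for telling a mass file infection apart from a DAT false positive, so here is an added example (not from any poster, and not McAfee's or AVG's tooling) of the check a defender would run: hash every executable and driver while a host is known-good, re-hash later, and diff the two sets. A file infector of the kind described in reply 2 (every .EXE modified, a new .sys dropped under drivers) shows up as a large fraction of modified binaries plus unexpected additions, whereas a false-positive DAT changes nothing on disk. All file names, directories and the `mass_change_suspected` threshold below are constructed for the demo.

```python
"""Baseline integrity check for executables and drivers.

Added example, not code from the thread or from McAfee/AVG. Records SHA-256
digests of watched files on a known-good host, then diffs a later scan against
that baseline. A file infector leaves a large 'modified' set and often an
'added' driver; a false-positive signature update leaves both sets empty.
"""
import hashlib
import os
import tempfile
from typing import Dict, Set

# Extensions worth baselining; .sys covers kernel drivers such as the one
# reported under system32\drivers in the thread.
WATCHED_EXTENSIONS = {".exe", ".dll", ".sys"}


def sha256_of(path: str) -> str:
    """Return the hex SHA-256 digest of a file, read in 64 KiB chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Walk `root` and map each watched file (path relative to root) to its digest."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in WATCHED_EXTENSIONS:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = sha256_of(full)
    return baseline


def diff_baseline(known_good: Dict[str, str], current: Dict[str, str]) -> Dict[str, Set[str]]:
    """Classify differences between a known-good baseline and a fresh scan.

    'modified': same path, different digest (what a file infector produces)
    'added':    path present now but not in the baseline (e.g. a dropped driver)
    'removed':  path in the baseline but gone now
    """
    return {
        "modified": {p for p in known_good if p in current and current[p] != known_good[p]},
        "added": set(current) - set(known_good),
        "removed": set(known_good) - set(current),
    }


def mass_change_suspected(report: Dict[str, Set[str]], known_good: Dict[str, str],
                          threshold: float = 0.5) -> bool:
    """True when more than `threshold` of baselined files changed at once.

    A handful of changes is normal patching; most binaries changing together is
    the signature of an infector. The 0.5 threshold is a constructed default.
    """
    if not known_good:
        return False
    return len(report["modified"]) / len(known_good) > threshold


def run_demo() -> Dict[str, object]:
    """Build a throwaway tree, baseline it, simulate an infection, return the report.

    Every file here is constructed; nothing real is touched.
    """
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "drivers"))
        for name, body in (("app1.exe", b"MZ-app1"), ("app2.exe", b"MZ-app2"),
                           ("app3.exe", b"MZ-app3"), ("lib.dll", b"MZ-lib"),
                           ("notes.txt", b"ignored, not a watched extension")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        known_good = build_baseline(root)

        # Simulate an infector appending itself to every .exe and dropping a
        # new kernel driver (constructed name, not a real indicator).
        for name in ("app1.exe", "app2.exe", "app3.exe"):
            with open(os.path.join(root, name), "ab") as fh:
                fh.write(b"\x90" * 16)
        with open(os.path.join(root, "drivers", "newdriver.sys"), "wb") as fh:
            fh.write(b"dropped")

        current = build_baseline(root)
        report: Dict[str, object] = dict(diff_baseline(known_good, current))
        report["mass_change"] = mass_change_suspected(report, known_good)  # type: ignore[arg-type]
        report["baseline_size"] = len(known_good)
        return report


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

In practice the baseline is taken from a clean host (or a freshly imaged one) and stored off-box, so that an infector that rewrites every executable cannot also rewrite the record it is compared against; a DAT false positive then shows an empty diff, which is exactly the evidence the original poster needed before deciding whether to roll back.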