same problem, watch here:
The problem is that the last McAfee DAT has false positives in some files, including system files...
I SUGGEST YOU DO NOT REBOOT THE SERVER UNTIL A SOLUTION IS PROVIDED BY MCAFEE.
I have contacted Virus_Research@avertlabs.com
Hi, after the update to 5664 and a reboot of the server I can confirm two things happening:
1. Backdoor install of NTRootkit-AB in C:\windows\system32\drivers\khplmn.sys
2. An immediate infection of all .EXE files with the W32/Sality virus.
Unfortunately this thread is serious, as I scanned drives with another virus scanner and it found the same virus!
This means two things: 1. McAfee rolled out a manipulated DAT upgrade without noticing.
2. McAfee update servers must have been compromised!
I also suggest that, under NO circumstances, you reboot any machine installed with updates 5664 - 5667.
Additionally, I highly recommend running a full scan of all drives with a 3rd party virus scanner!
If McAfee support needs any files/dumps, whatever, please let me know what I can give you to provide a solution ASAP.
^ Scammer/spammer, or somebody who really has an issue?
I have been running full scans with the 5664/5665/5666 and 5667 DATs since Friday and over the weekend and have found nothing of the sort on w2330/xpsp2/3. I think you may just have had a compromised server if the files are showing as infected with a 3rd party tool. I have had no issue with the DATs or McAfee servers apart from the 5664 false positive with the 5100 engine on one old build PC as it upgraded.
Well, before 5664 we did not have a single virus warning on the network. I will investigate further. Thanks for your feedback.
What third party scanner did you use, and what was the McAfee Sality variant?
You can check the DAT readmes at http://vil.nai.com/vil/DATReadme.aspx to see when enhanced detection for that variant was updated or released.
I usually find that McAfee have just released an enhanced detection any time I get lots of hits showing up all of a sudden.
We traced the worm back to an infected workstation, so I don't think it has anything to do with the McAfee updates. This was just a coincidence, reported to us as a "false" positive while actually it was a real outbreak!
We were able to fix the outbreak thanks to AVG's Sality removal tool.
Apologies to McAfee for being too jumpy on that.
Sality is a b**ch when it gets to server executables. My commiserations.
Any suggestions how to get it removed from a network? All clients are running the 5669 DAT now and still it's not completely removed. The tool from AVG, rmslt.exe, seems unable to clean all files, which I do not care about, but any suggestions how to address a threat like this?
Thanks for anything.