9 Replies Latest reply on Aug 27, 2012 9:00 AM by JoeyMc

    VSE 8.8 Hotfix 793781 machine does not perform full DAT update?

    pierce

      Hey,

       

      I have just deployed the hotfix 793781 to a few machines and I am yet to see any of them zero out the DAT file and try to download the latest full dat. I have been watching mine like a hawk since applying the hotfix and nothing.

       

      Anyone else seen this hotfix actually working?

       

      If not I will go and try the bigger version.

       

      thanks,

      Pierce

        • 1. Re: VSE 8.8 Hotfix 793781 machine does not perform full DAT update?
          pierce

          Found the solution in the extended FAQ: https://kc.mcafee.com/corporate/index?page=content&id=KB76042

           

          Quote: The available hotfix solutions make the determination of whether a system is in need of remediation.

           

          So just deploy the hotfix everywhere and it will wipe out the DAT if needed; if the machine doesn't need it then the machine will do nothing.

           

          thanks,

          Pierce

          • 2. Re: VSE 8.8 Hotfix 793781 machine does not perform full DAT update?

            Yeah, basically it will do one of the following:

             

            - Reload the current dats.

            - Trash the current dats and bring them back to 1111 version.

             

            I think there's also an exit if the dat file is too low.

             

            In the 1111 state, the computer will operate normally; if the EPO agent talks back to EPO it will report Dat 1111 etc (it may do this as a result of the event of update anyway depending on your config). There's no automatic update after the fix - the computer relies on its normal update routine and will download the full dat then.

             

            Note a machine has minimal protection in the 1111 state, so it's not one to keep for a very long time.

            1 of 1 people found this helpful
            • 3. Re: VSE 8.8 Hotfix 793781 machine does not perform full DAT update?
              pierce

              Thanks for the clarification, started pushing out the hotfix more widely and some machines are starting to report in with DAT 1111, making sure to reboot them and force an update to latest DAT as soon as possible!

              • 4. Re: VSE 8.8 Hotfix 793781 machine does not perform full DAT update?
                twenden

                We had about 73 systems reporting engine 0.0000. We have fixed all these systems, via ePO, by uninstalling and then reinstalling VSE 8.8. The systems that I spot checked were able to detect Eicar. Basically, my question is whether it is still advisable to deploy the 2MB hotfix. My normal practice is to never release hotfixes but wait until a Patch gets released. Have read stories about hotfixes being deployed causing issues with later upgrades to other patches, version upgrades etc. Am I just paranoid? All the bad DATs, ePO agent issues etc have made me question any new patches as we don't have the staff or time to fix 2,000 end-points. Since we don't have anyone else showing up with 0.0000 in ePO, can we assume that we are alright or do we need to deploy this hotfix?

                • 5. Re: VSE 8.8 Hotfix 793781 machine does not perform full DAT update?
                  pierce

                  I would say deploy it.

                   

                  I had everyone reporting in as fine this morning, no 0.00. DATs. I pushed the hotfix to 100 test machines and 5 reported back with DAT version 1111 after, so these machines were reporting everything as fine, but after the hotfix it correctly showed that on-access scanning was disabled/broken/messed up. Sent another task to update the DAT and now everything seems to be working as expected on these systems.

                   

                  Now I'm pushing this hotfix everywhere to see what else it uncovers. I suspect my dev machines and servers that are on 24/7 are probably the worst hit as they were up all weekend and would have got these bad DAT updates which have disconnected the DAT from the scanner, making it useless.

                   

                  With all the hotfixes I have applied they have never caused me any additional issues updating.

                   

                  Also this is rated as mandatory so if you want support the first thing will be to install the hotfix before getting help... We have very few resources for McAfee to do anything so rely on McAfee support and the fewer issues with that the better.

                  • 6. Re: VSE 8.8 Hotfix 793781 machine does not perform full DAT update?
                    twenden

                    Called McAfee Gold support and was told that you only need to push the hotfix out to broken systems. I have already fixed the ones that reported 0.0000 in ePO by reinstalling VSE 8.8. I told the tech that the compliance chart is showing most systems advancing to the latest DAT and asked whether this was OK. Was told this is fine and again you should only deploy to broken systems.

                    • 7. Re: VSE 8.8 Hotfix 793781 machine does not perform full DAT update?

                      twenden wrote:

                       

                      Called McAfee Gold support and was told that you only need to push the hotfix out to broken systems. I have already fixed the ones that reported 0.0000 in ePO by reinstalling VSE 8.8. I told the tech that the compliance chart is showing most systems advancing to the latest DAT and asked whether this was OK. Was told this is fine and again you should only deploy to broken systems.

                       

                      That tech is incorrect. In my experience, the HF must be applied to any machine that had the affected dat files installed, and just because EPO doesn't appear to show anything wrong with a client doesn't mean the client is actually detecting threats.

                      1 of 1 people found this helpful
                      • 8. Re: VSE 8.8 Hotfix 793781 machine does not perform full DAT update?
                        pierce

                        As luck would have it you can deploy a small reporting tool to let you know if your systems actually need remediation at all:

                        https://community.mcafee.com/docs/DOC-4124

                         

                        I agree with mjmurra that it sounds like the McAfee tech is talking rubbish, those level 1s in gold are never the best, always ask for level 2!

                         

                        I would estimate that 10% of my machines are affected and NONE of them reported a bad dat until after the hotfix, so that's a terrible metric to run this by.

                        • 9. Re: VSE 8.8 Hotfix 793781 machine does not perform full DAT update?
                          JoeyMc

                          Only a handful of my systems have reported the 0.0000 Engine version.

                          However, many of my systems are showing McAfee errors in the system log as stated in the KB Article:

                           

                          Type:     Warning

                          Source: mfehidk

                          Event ID:              516

                          Event Time:        8/17/2012 11:59:04 PM

                          User:     n/a

                          Computer:          x

                          Description:

                          Process **\VsTskMgr.exe pid (1424) contains signed but untrusted code, but was allowed to perform a privileged operation with a McAfee driver.

                           

                          Installing the hotfix has fixed this error so we will be deploying it to all systems.

                          1 of 1 people found this helpful
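
The check described in reply 9, as an added example that is not part of the original thread or of McAfee's tooling: it parses event records pasted in the "Field: value" layout quoted above and counts mfehidk Event ID 516 warnings that name VsTskMgr.exe, per computer. The host names, the sample records and the function names are constructed for illustration.

```python
from collections import Counter

FIELDS = {"Source", "Event ID", "Event Time", "User", "Computer"}

def parse_records(text):
    """Split pasted event text into dicts; each 'Type:' line opens a record."""
    records, cur, in_desc = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = (p.strip() for p in line.partition(":"))
        if sep and key == "Type":
            cur, in_desc = {"Type": value, "Description": ""}, False
            records.append(cur)
        elif cur is None:
            continue  # stray text before the first record
        elif in_desc:  # everything after 'Description:' belongs to the message
            cur["Description"] = (cur["Description"] + " " + line).strip()
        elif sep and key == "Description":
            in_desc, cur["Description"] = True, value
        elif sep and key in FIELDS:
            cur[key] = value
    return records

def hosts_with_driver_warning(records, process="VsTskMgr.exe"):
    """Count mfehidk Event ID 516 records naming `process`, per computer."""
    hits = Counter()
    for r in records:
        if (r.get("Source", "").lower() == "mfehidk"
                and r.get("Event ID") == "516"
                and process.lower() in r["Description"].lower()):
            hits[r.get("Computer", "unknown")] += 1
    return dict(hits)

# Constructed sample input: host names and the non-McAfee record are made up.
MSG = ("Process **\\VsTskMgr.exe pid (1424) contains signed but untrusted code, but "
       "was allowed to perform a privileged operation with a McAfee driver.")

def render(source, event_id, computer, description):
    return (f"Type: Warning\nSource: {source}\nEvent ID:      {event_id}\n"
            f"User: n/a\nComputer:    {computer}\nDescription:\n{description}\n")

SAMPLE = "\n".join([
    render("mfehidk", 516, "HOST-A", MSG),
    render("Service Control Manager", 7036, "HOST-B", "A service changed state."),
    render("mfehidk", 516, "HOST-C", MSG),
    render("mfehidk", 516, "HOST-A", MSG),
])

if __name__ == "__main__":
    print(hosts_with_driver_warning(parse_records(SAMPLE)))
```

Hosts that appear in the result are logging the warning from the KB article even if ePO still shows a normal engine and DAT version for them.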