Mcafee FALSE POSITIVE virus 5958 Dat

4-21-10
DAT 5958 is FALSELY reporting svchost.exe as infected and deleting the file. This can cause all sorts of hell on the machine.

1. disable mcafee
2. copy svchost.exe from another machine to c:\windows\system32 (it will be gone if you are a victim).

Right click copy/paste may not work
Nor will a USB drive

You may have to burn the file to cd and copy with DOS commands

copy (cd drive letter):\svchost.exe c:\windows\system32

Then in mcafee console, roll back the DAT. You can't do this without being connected to the network (dumb, I know)


Good luck!

Fred

 

this is the email we got from Mcafee by the way: (just to support my claim)

From: Larry_Carmicheal@mcafee.com [mailto:Larry_Carmicheal@mcafee.com]
Sent: Wednesday, April 21, 2010 10:29 AM
Subject: FW: Extra.DAT to suppress false-positive in DAT 5958 (was RE: URGENT: Serious False-Positive in DAT 5958. DO NOT DEPLOY DAT 5958!)
Importance: High


Everyone,



Please do not deploy the false-positive in DAT 5958. Here is the Extra.DAT that will suppress the false positive in DAT 5958.



Larry R. Carmicheal

Account Manager - Colorado

McAfee

972-987-2482 Direct

lcarmich@mcafee.com







From: Embree, Robert
Sent: Wednesday, April 21, 2010 11:16 AM
To: DL North America Inside Sales
Subject: FW: Extra.DAT to suppress false-positive in DAT 5958 (was RE: URGENT: Serious False-Positive in DAT 5958. DO NOT DEPLOY DAT 5958!)
Importance: High



I got this from one of my Platinum support Engineers, it should help if any of our customers are experiencing 5958 related issues.





The attached Extra.DAT will suppress the false-positive in DAT 5958.



KnowledgeBase articles about deploying Extra.DAT:

· KB67602: How to manually check in and deploy an EXTRA.DAT through ePolicy Orchestrator 4.5

· KB52977: How to manually check in and deploy an EXTRA.DAT through ePolicy Orchestrator 4.0