4/22/2010
McAfee added detection for variants of the W32/Wecorl.a threat in DAT file 5958.
This detection caused a false positive on the svchost.exe Windows system file.
The threat parasitically patches the svchost.exe file, modifying either the data at the entry
point or the entry point itself of the original file, in order to maintain control of the system.
In some instances the patch has been found to be polymorphic in nature. McAfee had observed
previously infected versions of svchost.exe and already had detection for this threat. This
specific detection was added to target a cluster of infected svchost.exe files gathered through
our malware collections, directly associated with samples
The false positive occurred because new signatures targeting new variants of the Wecorl
malware family were invoked on the file svchost.exe as part of the memory scanning process.
Details of this threat family can be found here: http://vil.nai.com/vil/content/v_153184.htm.
Enhanced drivers in the 5958 DAT were authored to detect some low-prevalence variants seen
recently.
To remediate this type of threat, detection is customarily written to kill the infected
and allowing for full remediation of the infected system. This type of remediation
is standard implementation to gain access to the file objects that may be locked by
file causing issues from network connectivity loss to rendering systems unstable
3. Doesn't McAfee whitelist known Windows system files?
executables and attack their memory space (e.g. via DLL injection). McAfee’s
Microsoft files in the majority of situations; for example, if this had been a simple scan
of the file as it was accessed on the file system, the false positive would have been
prevented. Because this was a memory scan of the running process, which then
caused a subsequent scan of the file on disk, these mitigation techniques were
versions of the svchost.exe file was affected. Svchost.exe files found on Windows
Windows Vista, Windows 7 and older versions of Windows were not affected.
McAfee’s corporate customers who have the McAfee VirusScan Enterprise
product have reported a variety of symptoms, ranging from a system “blue screen”
(not to be confused with BSOD, but due to the issues with Explorer and
a perpetual state of reboot. Users have reported these symptoms when both the file
McAfee rolled back the faulty DAT before the update hit the majority of consumer
user systems.
state with the right critical Windows files in place. McAfee has also developed a
There are two primary reasons why this DAT file got through our quality
processes:
was not done, and the Risk Assessment of the driver in question was
Specifically, XP SP3 with VSE 8.7 was not included in the test
associated with DAT creation and Quality Assurance. In the immediate term
configurations.