
4/22/2010

McAfee FAQ on bad DAT issue


McAfee has provided the following FAQ regarding the false positive in the 5958 DAT:

1. What threat was McAfee trying to detect that resulted in a false positive error?

McAfee added detection for variants of the W32/Wecorl.a threat in DAT file 5958. This detection caused a false positive on the svchost.exe Windows system file.

The threat parasitically patches the svchost.exe file by modifying data at the entry point, or the entry point itself, of the original file in order to maintain control on the system. In some instances the patch has been found to be polymorphic in nature. McAfee had observed prior infected versions of svchost.exe files and had detection for this threat. This specific detection was added to target a cluster of infected svchost.exe files gathered through our malware collections, directly associated with samples from the W32/Wecorl.a families.

The false positive occurred as a result of new signatures targeting new variants of the
Wecorl family of malware when invoked on the file svchost.exe as a part of the memory
scanning process. Details of this threat family can be found here:
http://vil.nai.com/vil/content/v_153184.htm. Enhanced drivers in the 5958 DAT were
authored to detect some low prevalence variants seen recently.

2. Why did detection for this threat require an invasive approach for detection and remediation?

To remediate this type of threat, detection is customarily written to kill the infected process, in some instances causing a reboot (a standard Microsoft safety action), and allowing for full remediation of the infected system. This type of remediation is the standard implementation used to gain access to file objects that may be locked by the running processes.

Unfortunately this caused removal, or attempted removal, of the legitimate svchost.exe file, causing issues ranging from network connectivity loss to rendering systems unstable due to the false positive.

3. Doesn’t McAfee white list known Windows system files?

Complex and sophisticated malware frequently target Windows system executables and attack their memory space (e.g. via DLL injection). McAfee’s DATs use techniques to avoid scanning Microsoft files, preventing false positives on them in the majority of situations; for example, had this been a simple scan of the file as it was accessed on the file system, the false positive would have been prevented. Because this was a memory scan of the running process, which then caused a subsequent scan of the file on disk, these mitigation techniques were unfortunately not invoked.

4. Exactly which versions of Windows operating system and the svchost.exe file were affected?

A subset of systems running Windows XP Service Pack 3 and having specific versions of the svchost.exe file was affected. Svchost.exe files found on Windows 2000, Windows 2003, Windows XP Service Pack 1, Windows XP Service Pack 2, Windows Vista, Windows 7 and older versions of Windows were not affected.

Details of svchost.exe files affected are:

File Size   OS                  File Version    MD5
14,336      XPPRO_SP3_x86_v1    5.1.2600.5512   E410EC73E2BE2A41D923B006F51C8427
14,336      XPPRO_SP3_x86_v2    5.1.2600.5512   27C6D03BCDB8CFEB96B716F3D8BE3E18
14,336      XPPRO_SP3_x86_v3    5.1.2600.5512   A78124268A77F41902DB18F622AFE613
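The table above gives an administrator enough to triage a machine before touching the vendor's remediation tool: the three affected svchost.exe builds are all exactly 14,336 bytes and have known MD5 digests. The script below is an added example, not McAfee's SuperDAT tool or any code from the FAQ; it carries the FAQ's three digests (with the spaces between bytes removed) and checks a file's size and MD5 against them. It does not read the PE version resource, so the 5.1.2600.5512 version column is not verified; the default path under %SystemRoot%\System32 is an assumption about a standard 32-bit install.

```python
import hashlib
import os
from typing import Optional

# Affected svchost.exe builds as listed in McAfee's FAQ for DAT 5958.
# The MD5 values are the FAQ's, written as contiguous lowercase hex.
AFFECTED_SVCHOST = {
    "e410ec73e2be2a41d923b006f51c8427": "XPPRO_SP3_x86_v1",
    "27c6d03bcdb8cfeb96b716f3d8be3e18": "XPPRO_SP3_x86_v2",
    "a78124268a77f41902db18f622afe613": "XPPRO_SP3_x86_v3",
}
AFFECTED_SIZE = 14336            # every listed file is 14,336 bytes
AFFECTED_VERSION = "5.1.2600.5512"   # listed for reference; not checked here


def normalize_md5(spaced_hex: str) -> str:
    """Turn the FAQ's 'E4 10 EC ...' byte listing into a 32-char lowercase digest."""
    digest = "".join(spaced_hex.split()).lower()
    if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError(f"not a 16-byte MD5: {spaced_hex!r}")
    return digest


def lookup_md5(digest_hex: str) -> Optional[str]:
    """Return the FAQ's build label if the digest is on the affected list, else None."""
    return AFFECTED_SVCHOST.get(digest_hex.lower())


def check_svchost_bytes(data: bytes) -> dict:
    """Classify one svchost.exe image against the FAQ's table.

    Size is checked first so the result can say why a file is not on the list:
    all affected builds are exactly 14,336 bytes, so any other size rules it out
    without needing a hash comparison.
    """
    digest = hashlib.md5(data).hexdigest()
    if len(data) != AFFECTED_SIZE:
        return {"md5": digest, "affected": False,
                "reason": "size mismatch", "build": None}
    build = lookup_md5(digest)
    if build is None:
        return {"md5": digest, "affected": False,
                "reason": "md5 not on affected list", "build": None}
    return {"md5": digest, "affected": True,
            "reason": "md5 matches affected list", "build": build}


def check_svchost_file(path: str) -> dict:
    """Read a file from disk and classify it with check_svchost_bytes."""
    with open(path, "rb") as fh:
        return check_svchost_bytes(fh.read())


if __name__ == "__main__":
    import sys
    # Assumed default: the 32-bit system directory; pass another path as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.join(
        os.environ.get("SystemRoot", r"C:\Windows"), "System32", "svchost.exe")
    print(check_svchost_file(target))
```

A file that is not on the list is not proof of a clean or unaffected system; it only says the image on disk is not one of the three builds the FAQ names, which is the question an administrator wants answered before deciding whether the restore procedure in question 7 applies.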

5. How exactly were user systems impacted?

McAfee’s corporate customers who have the McAfee VirusScan Enterprise product have reported a variety of symptoms, ranging from a system “blue screen” (not to be confused with BSOD, but due to the issues with Explorer and svchost.exe), loss of network connectivity and inability to use USB, to a perpetual state of reboot. Users have reported these symptoms both when the file is present on the system (in quarantine) and when it has been deleted entirely.

Minimal impact has been observed to McAfee’s consumer customers because McAfee rolled back the faulty DAT before the update hit the majority of consumer user systems.

6. Why was VSE 8.7 primarily affected as compared to VSE 8.5?

Because of the different implementation of memory scanning within the products, VSE 8.7 customers were more broadly affected by the false positive.

7. How do affected customers restore their systems?

McAfee has enumerated instructions to restore systems to their normal functional state with the right critical Windows files in place. McAfee has also developed a SuperDAT remediation tool to restore the svchost.exe file on affected systems.

Specific instructions are available in the McAfee Knowledgebase at:
https://kc.mcafee.com/corporate/index?page=content&id=KB68780

8. How did this DAT file get through McAfee’s Quality Assurance process?

There are two primary causes for why this DAT file got through our quality processes:

1) Process – Some specific steps of the existing Quality Assurance processes were not followed: Standard Peer Review of the driver was not done, and the Risk Assessment of the driver in question was inadequate. Had it been adequate it would have triggered additional Quality Assurance steps.

2) Product Testing – There was inadequate coverage of Product and Operating System combinations in the test systems used. Specifically, XP SP3 with VSE 8.7 was not included in the test configuration at the time of release.

9. What is McAfee going to do to ensure this does not repeat?

McAfee is currently conducting an exhaustive audit of internal processes associated with DAT creation and Quality Assurance. In the immediate term McAfee will do the following to provide mitigation from false detections:

1) Strict enforcement of rules and processes regarding DAT creation and Quality Assurance.

2) Addition of the missing Operating System and Product configurations.

3) Leveraging of cloud based technologies for false positive remediation.

4) A revision of Risk Assessment criteria is underway.


Posted at 8:16 AM by Bole, Jim | Category: DAT