Centrality Ltd Deals With the McAfee 5958 Dat Debacle

Centrality is a leading IT managed services provider, delivering high-quality infrastructure design, implementation and support services since 1996. A clear testament to our commitment is the excellent, congenial, long-term relationships we have with our clients; such relationships continue to form the foundation for our company's growth. By availing themselves of Centrality's agile and proficient use of technology as their strategic or tactical IT resource partner, our clients remain competitive and keep control of costs.

Cloud computing is now an established service used by the vast majority of businesses. The migration of CRM data and applications from dedicated in-house physical servers to the cloud began over 10 years ago. Building your CRM infrastructure in the cloud is made easier with Salesforce CRM customization. Customizing Salesforce involves a team of specialists who can code new modules, either business logic, front-end components, or both, using the Salesforce programming language, Apex, and its front-end framework, Visualforce. Tailoring the functionality of a Salesforce platform to your organization's unique requirements will help you keep the customers you have, win new ones, and drive your business growth more efficiently. We can help migrate, under a controlled plan, all or part of your existing infrastructure to the cloud. We will discuss your options so the final solution meets all your business needs.

Our clients' trust in our ability to handle any situation was on display on April 21, 2010, when McAfee released an update to its antivirus definitions for corporate customers. McAfee's DAT file version 5958 caused widespread problems on Windows XP SP3. Many affected systems entered a reboot loop and lost all network access. The faulty DAT file hit standalone workstations as well as workstations joined to a domain. Businesses that used McAfee ePolicy Orchestrator (ePO) to push virus definitions across their network were doubly hard hit: ePO delivered the bad DAT file to every managed machine, so it spread even faster. It was a disaster for many organisations and businesses, as well as individuals.

As Mike Davis, Managing Director of Centrality Ltd, prepared to leave work at 1:30 a.m., he told an interviewer by telephone that the buggy McAfee antivirus update had taken out PCs at about 40 percent of Centrality's U.K. customers.

The problem started late in the afternoon, Davis said. "We started getting calls about 4 p.m. U.K. time on our help desk from customers that were having their XP-based machines just reboot seemingly randomly," he said. After realizing that it was happening to several different customers simultaneously, Centrality quickly figured out that the problem had to do with McAfee's update and started shutting down McAfee ePolicy Orchestrator management servers to keep the problem from spreading. By then, however, several thousand computers had disappeared from the networks it manages.


McAfee DAT 5958 Issue

UPDATE: 13:35 22/04/2010 (GMT + 1)

The McAfee 5958 DAT causes svchost.exe (a critical Windows system file) to be detected as a virus. The scanner then takes cleaning action against this file, after which critical parts of Windows stop working. Most seriously, affected systems come back up without any network functionality, which makes remote resolution of the issue difficult.
Only Windows XP systems appear to be affected at this stage, although we also have Windows XP machines with the 5958 update that are not affected.

McAfee has released two updates. The first (Extra.dat) can be added alongside DAT 5958 to stop the false positive from recurring. The second is the full 5959 DAT update. However, if you already have machines affected by this issue, adding Extra.dat or DAT 5959 alone will not fully repair them, because the cleaning action against svchost.exe has already been taken.
We have a number of clients affected by this issue and have put together the following steps to resolve the problem. Our recommendations are below:

Option 1 : Manual Recovery - Try this first

  1. Download the Extra.dat file from McAfee (http://vil.nai.com/vil/5958_false.htm) and put it on a USB stick (assuming the affected PC has no network access).
  2. As an administrator on the affected machine, copy Extra.dat into the McAfee Engine folder.

    On most machines this will be "c:\program files\common files\mcafee\engine"
  3. Reboot your PC.
  4. Log back on as an administrator.
  5. Restore svchost.exe. On Windows Vista and later this can be done with System File Checker, e.g.:

    sfc /scanfile=c:\windows\system32\svchost.exe

    Note: the /scanfile switch does not exist on Windows XP (sfc there only offers /scannow, /scanonce, /scanboot and the cache switches), so on the XP machines this issue affects, copy the protected copy back from the DLL cache instead:

    copy c:\windows\system32\dllcache\svchost.exe c:\windows\system32
  6. Reboot your PC.
  7. Log in and manually update your DATs to 5959 or above.

Option 2 : Manual recovery (Safe Mode)

This process is useful when you can't get any files on to the affected PC (by USB stick, network, CD etc.), as all recovery actions are performed with files already on the C: drive.

  1. Boot Windows into Safe Mode.
  2. Log on as an administrator and open a command prompt.
  3. Using the command line, copy the contents of the McAfee OldEngine folder to the parent Engine folder.

    On most machines this will mean:

    copy c:\progra~1\common~1\mcafee\engine\oldeng~1\*.* c:\progra~1\common~1\mcafee\engine

    Note: use 8.3 short names (e.g. with ~1) for files and directories longer than 8 characters, or enclose the full long path in double quotes; an unquoted long path containing spaces will not be parsed correctly. Short names are generated per directory, so if the copy fails with "The system cannot find the path specified", check the real short name with dir /x.
  4. Using the command line, copy svchost.exe from the DLL cache to System32.

    Again, on most machines, this will mean:

    copy c:\windows\system32\dllcache\svchost.exe c:\windows\system32

    If the copy fails because the file is in use, svchost.exe is still present and running on this machine and does not need to be replaced.
  5. Reboot your machine.
  6. Go into the McAfee console and disable automatic updates until you are confident it is safe to re-enable them.
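The manual steps in Options 1 and 2 can be scripted for the case where a technician is walking from PC to PC with a USB stick. The script below is an added example written for this page; it is not Centrality's Option 3 tool and not a McAfee-supplied script. It assumes a default VirusScan Enterprise layout (the engine under Common Files\McAfee\Engine with an OldEngine subfolder) and that the installed DAT version is recorded as a DWORD in HKLM\SOFTWARE\McAfee\AVEngine\AVDatVersion; the script name and its messages are illustrative.

```batch
@echo off
rem recover5958.cmd -- added example for this page; not Centrality's Option 3
rem tool and not a McAfee-supplied script. Automates Options 1 and 2 on one
rem affected Windows XP machine. Run from an administrator command prompt
rem (normal or Safe Mode) with the script, and Extra.dat if you have it, on a
rem USB stick. Assumptions: ENGINE and AVKEY below match a default VirusScan
rem Enterprise install.
setlocal enableextensions

set "ENGINE=%CommonProgramFiles%\McAfee\Engine"
set "SYS32=%SystemRoot%\system32"
set "AVKEY=HKLM\SOFTWARE\McAfee\AVEngine"

rem --- 0. Report the installed DAT version (assumed DWORD; 5958 = 0x1746).
set DATVER=unknown
for /f "tokens=3" %%v in ('reg query "%AVKEY%" /v AVDatVersion 2^>nul ^| find "AVDatVersion"') do set /a DATVER=%%v
echo [i] installed DAT version: %DATVER%

rem --- 1. Signatures: install Extra.dat if it sits next to this script
rem        (Option 1, step 2); otherwise fall back to the previous engine/DAT
rem        set kept in OldEngine (Option 2, step 3). Paths are quoted, so the
rem        8.3 short names from Option 2 are not needed.
if exist "%~dp0extra.dat" (
    copy /y "%~dp0extra.dat" "%ENGINE%\" >nul && echo [+] Extra.dat installed in %ENGINE%
) else if exist "%ENGINE%\OldEngine\*.dat" (
    copy /y "%ENGINE%\OldEngine\*.*" "%ENGINE%\" >nul && echo [+] rolled back to OldEngine DATs
) else (
    echo [!] no Extra.dat and no OldEngine folder: update DATs manually to 5959 or later
)

rem --- 2. svchost.exe: compare System32 with the protected copy in dllcache
rem        (fc /b exit code: 0 = identical, 1 = different, 2 = a file is missing).
rem        Only a missing file is restored; an in-use, intact file is left alone.
fc /b "%SYS32%\svchost.exe" "%SYS32%\dllcache\svchost.exe" >nul 2>&1
if errorlevel 2 (
    copy /y "%SYS32%\dllcache\svchost.exe" "%SYS32%\svchost.exe" >nul && echo [+] svchost.exe restored from dllcache || echo [!] restore failed: dllcache copy missing, use the XP CD
) else if errorlevel 1 (
    echo [!] svchost.exe present but differs from dllcache: investigate before trusting it
) else (
    echo [+] svchost.exe intact, nothing to restore
)

echo.
echo [i] Reboot now, log on as an administrator, then update DATs to 5959 or
echo [i] later and keep ePO/AutoUpdate tasks disabled until you trust the DATs.
endlocal
```

Copy recover5958.cmd and, if you have it, Extra.dat to the root of the USB stick, log on to the affected XP machine as an administrator (normal or Safe Mode) and run the script from the stick. It prefers Extra.dat over rolling back the engine because the rollback also discards any engine update that shipped with 5958, and it restores svchost.exe only when System32 no longer has a copy, which is the state the cleaning action leaves behind; a present-but-different file is reported rather than overwritten so a technician can look at it first.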

Option 3: Automated recovery

Centrality has developed an automated recovery process that will enable remote networked machines to be recovered with minimal intervention, however Microsoft licensing

Centrality Ltd accepts no liability for any loss or damage incurred when following these instructions.

Centrality Ltd:
Telephone: 0845 2300 411
Non-UK: +44 (0) 1462 810 628
Email: admin(at)centrality.com