FAO any McAfee epo users

Yup, screwed me today at around 4pm.

Slowly, slowly it started to hit everyone around me. The damage this will cause us is massive. Now I'm remote and can't get on but at least it's a lovely day tomorrow.

PS - Mcafee is a load of crap
 
yer we have ours set to update and scan at 5... 5:15 came and we were in a world of stuff....

I'm out on site tomorrow so should be fine for me :D
 
We've been hit hard, and can't figure out any way of remotely fixing machines that have had svchost.exe removed.

Looks like we're going to have to visit each desktop across all sites :(
 
I wouldn't say McAfee is a load of crap, I'm not a fan of some parts of it but overall, as much of a necessary evil AV is, it's not too bad.

Looks like we're going to have to visit each desktop across all sites :(

Probably quicker to just rebuild them all remotely, imaging system dependent that is.

Seems a lot of people have been hit, I'm wary about updating the repository now even though it's saying the latest version available is 5859.
 
Got an alert late last night from the CPNI RSS feed. That's a real bugger, thankfully we don't use McAfee but it just goes to show how a weakness in something like antivirus can be so devastating!
 
Probably quicker to just rebuild them all remotely, imaging system dependent that is.

We ended up physically fixing all critical/urgent PCs which took around 10 mins per PC (boot into a recovery environment, copy over svchost and extra.dat, then reboot). For all remaining ones, we managed to get a task sequence working that updated the PCs via SCCM, as per the following link:

http://blogs.technet.com/configurat...ng-mcafee-antivirus-deleting-svchost-exe.aspx

Had to make a few changes, like including a fresh copy of svchost rather than relying on dll cache, and set the advert to run the files from the distribution point rather than downloading, but got there in the end.

Seems a lot of people have been hit, I'm wary about updating the repository now even though it's saying the latest version available is 5859.

5859 is fine. We've updated all of our PCs to it and no issues.
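The recovery-environment repair described above (boot into WinPE, copy svchost.exe and extra.dat into the offline Windows install, reboot), written up as an added batch script; this is not code from the thread or from McAfee. It assumes the script, a known-good svchost.exe from a matching Windows build and the extra.dat from McAfee sit in the same folder on the WinPE media, and that the engine folder lives under Common Files\McAfee\Engine.

```batch
@echo off
rem Added example: offline repair of a PC hit by the svchost.exe false positive.
rem Run from WinPE (its own drive is X:); the offline Windows install is elsewhere.
rem Assumed layout: svchost.exe and extra.dat sit next to this script (%~dp0).
setlocal

set "SRC=%~dp0"
set "WINDRIVE="

rem Locate the offline Windows installation by looking for the kernel.
for %%D in (C D E F G) do (
    if exist %%D:\Windows\System32\ntoskrnl.exe if not defined WINDRIVE set "WINDRIVE=%%D:"
)
if not defined WINDRIVE (
    echo No offline Windows installation found.
    exit /b 1
)
set "SYS32=%WINDRIVE%\Windows\System32"
rem Assumed VirusScan engine folder; adjust if your install differs.
set "ENGINE=%WINDRIVE%\Program Files\Common Files\McAfee\Engine"

rem Step 1: extra.dat goes in first so the restored svchost.exe is not
rem detected and removed again on the next boot.
if not exist "%ENGINE%\" (
    echo McAfee engine folder not found at "%ENGINE%".
    exit /b 1
)
copy /y "%SRC%extra.dat" "%ENGINE%\extra.dat" >nul || (echo extra.dat copy failed & exit /b 1)

rem Step 2: restore svchost.exe only if it is actually missing. A fresh copy is
rem carried on the media rather than relying on dllcache, as the thread found
rem dllcache could not be trusted; dllcache is only a fallback.
if exist "%SYS32%\svchost.exe" (
    echo svchost.exe already present, nothing to restore.
) else if exist "%SRC%svchost.exe" (
    copy /y "%SRC%svchost.exe" "%SYS32%\svchost.exe" >nul || (echo svchost.exe copy failed & exit /b 1)
    echo Restored svchost.exe from repair media.
) else if exist "%SYS32%\dllcache\svchost.exe" (
    copy /y "%SYS32%\dllcache\svchost.exe" "%SYS32%\svchost.exe" >nul
    echo Restored svchost.exe from dllcache.
)

rem Step 3: verify before leaving WinPE.
if not exist "%SYS32%\svchost.exe" (
    echo Restore failed, svchost.exe still missing on %WINDRIVE%.
    exit /b 1
)
echo Repair complete on %WINDRIVE%, rebooting.
wpeutil reboot
```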
 
I wouldn't say McAfee is a load of crap, I'm not a fan of some parts of it but overall, as much of a necessary evil AV is, it's not too bad.

Probably quicker to just rebuild them all remotely, imaging system dependent that is.

Seems a lot of people have been hit, I'm wary about updating the repository now even though it's saying the latest version available is 5859.

Won't work, trashing svchost.exe effectively removes network access.

For those of you affected, NAI have released a remediation tool that automates the process of recovering the file and stopping the false positive here. - still requires a visit to the PC though. Our desktop techs are earning their money this morning :p
 
Won't work, trashing svchost.exe effectively removes network access.

What, it even stops PXE booting? :)

I'd just send a ghost task to wakeup machines, it boots them straight into the ghost console and off we go. Doesn't need to be booted into Windows, although would need to get people to power off the machine first.

Luckily though haven't had to bother, updated to 5859 this morning and everything is fine.

Asked my wife if her place this morning was ok and whilst the main network was fine seems one of their telemetry networks was hit, doh.
 
What, it even stops PXE booting? :)

I'd just send a ghost task to wakeup machines, it boots them straight into the ghost console and off we go. Doesn't need to be booted into Windows, although would need to get people to power off the machine first.

Correct, PXE booting into WinPE is fine, that's what we ended up doing as per my post above. It was much quicker than re-imaging as the full re-image can take a couple of hours depending on how many tier2 and tier3 apps the users have installed.
 
Our repository update isn't scheduled for the early hours of the morning so was able to stop this, but thought there might be someone here who might also like to know about this :)

Likewise...THANK *insert expletive here*

on 5959 at the moment, all is well
 
We've had a fun time with this - most of our PCs died between 3:30 and 4:30pm yesterday. Some pulled 5859 through ePO this morning and sorted themselves out, but we've still had everyone in the IT department plus anyone else who has an IT-related post visit hundreds of desktops across multiple sites and run the SuperDAT tool manually as a local admin.

This is really not good enough from McAfee.
 
Apparently it hit us quite bad too. Luckily I'm on a course all week so not there to clean up the mess :p
 
I think when it comes to tools like this Symantec is king, I think they make some great software but our place won't use them as they're classed as a competitor in other fields :(

This is right up there with the VMware expiry mess up and countless other non-virus related outages induced by companies :p
 
Nightmare today with this. About 500 machines affected. Fortunately, the 5859 got pulled through ePO this morning as people desperately logged on to check emails etc. Had to go around about 150 machines and safe mode boot (our VirusScan cannot be disabled from the command prompt/killing the process) and run the SuperDAT tool.

However, even the PCs with the virus that got shut down didn't kill Windows completely as they kept booting and then getting an NT AUTHORITY shutdown message stating DCOM service as the problem. So we didn't get hit too hard. A few isolated cases where svchost was missing from %root%\system32 however Windows still booted and we just copied a version from a known working machine.


Spent the whole day on this today, nightmare.
 
Nightmare today with this. About 500 machines affected. Fortunately, the 5859 got pulled through ePO this morning as people desperately logged on to check emails etc. Had to go around about 150 machines and safe mode boot (our VirusScan cannot be disabled from the command prompt/killing the process) and run the SuperDAT tool.

However, even the PCs with the virus that got shut down didn't kill Windows completely as they kept booting and then getting an NT AUTHORITY shutdown message stating DCOM service as the problem. So we didn't get hit too hard. A few isolated cases where svchost was missing from %root%\system32 however Windows still booted and we just copied a version from a known working machine.


Spent the whole day on this today, nightmare.

It's not a virus, it's a false positive on a critical startup file, isn't it?
 
Got to work this morning and was just bombarded with this! Luckily we stopped our ePO from deploying it but some of our clients got hit hard by it. We've found that some computers won't even detect removable devices so we can't easily just transfer it across!
 