Change Language: 
Skip Navigation Links
 
Konsulttjänster
Labbar
Events
 
Filer
Bloggar
 
Om oss
Experter
Presscenter
 

 


Ett spetskompetensbolag med experter inom it-säkerhet och infrastruktur. I bolaget finns en unik sammansättning av expertkonsulter som enskilda eller i team utför kvalificerade uppdrag åt företag, myndigheter och organisationer.

BLOGGAR

Här finner du diverse blogginlägg skapade av personer i Truesec Expert Team
MCAffe har nog att göra nu...
2010-04-30 10:15:00


av Marcus Murray

Efter att ha varit ute på flera olika företag som brabbats av MCAffe är det inte utan att man undrar över olika saker.

Är det exempelvis ok att Antivirusföretagens programbaror har behörighet att manipulera kritiska systembinärer.

Att dom i sin virusuppdatering skapade en situration där dom helt enkelt manipulerade svchost.exe borde ju inte ens vara möjligt.

Nu är jag en av dom som anser att det finns belägg för att hela dagens antivirusmodell är helt utdaterad men dom kunde väl åtminstonde göra en extra check typ.

1. filen matchar en pattern i vår signaturdatabas och är därmed en potentiell malware.
2. Kontrollera att filen ÅTMINSTONE inte är en känd systemfil.
3. Ta beslut.

Det hade åtminstonde förhindrat denna typ av katastrofer...

 

Mer info ut KB:n på MCAfees site:

  • This article applies to Corporate or Business users only
  • If you are a Home or Consumer user, see article TS100969
     

McAfee is aware of a w32/wecorl.a false positive with the 5958 DAT file that was released on April 21, 2010.


WARNING:

  • If you receive a detection for w32/wecorl.a, do not restart your computer until you have performed the remediation steps in this article. 
  • If you have Endpoint Encryption installed and your hard disk is encrypted, follow the steps in KB68807 before you continue.


Watch for updates on this issue, which will be sent on a timely basis through Support Notification Service (SNS) and Platinum Proactive notifications. To subscribe to SNS, visit http://my.mcafee.com/content/SNS_Subscription_Center.
 

This article will be updated as additional information becomes available.
To receive email notification when this article is updated, click Subscribe at the top of the page. (You must be logged in at https://mysupport.mcafee.com to subscribe.)

Problem

Blue screen or DCOM error, followed by shutdown messages after updating to the 5958 DAT on April 21, 2010.

Solution

McAfee has developed a SuperDAT remediation Tool to restore the svchost.exe file on affected systems.

NOTE: For details on deploying the remediation MSI package via a Group Policy Object, see KB68814.

What does the SuperDAT Remediation Tool do?
The tool suppresses the driver causing the false positive by applying an Extra.dat file in c:\program files\commonfiles\mcafee\engine folder. It then restores the svchost.exe by first looking in %SYSTEM_DIR%\dllcache\svchost.exe. If not present, it attempts a restore from the following:

  • %WINDOWS%\servicepackfiles\i386\svchost.exe
  • Quarantine.
     
After the tool has been run, restart your computer.

Recommended recovery SuperDAT procedure

  1. From a computer that has Internet access, locate and download the Recovery SuperDAT from: http://download.nai.com/products/mcafee-avert/tools/SDAT5958_EM.exe (v1.9 MD5=7493ec6600b98627222a4d09300d2173 ; SDAT5958_EM.exe:[0-6D9CF]) (size: 448,976 bytes) and save it to portable media.
  2. Take the portable media to each affected computer and run the tool.

    NOTE: If you are not able to run the tool on the affected computer, (re)start your computer in Safe Mode. For instructions on starting in Safe Mode, see http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/boot_failsafe.mspx?mfr=true 
     
  3. Run the Recovery SuperDAT tool.
  4. Restart in Normal Mode.
  5. Use the product update to update to DAT 5959 or later.

Workaround 1

McAfee has developed an EXTRA.DAT to suppress this detection, which does not fix the issue, it only suppresses the detection. The file is attached to this article.

Apply the EXTRA.DAT to all potentially affected systems as soon as possible.

For systems that have already encountered this issue, start the computer in Safe Mode and apply the EXTRA.DAT. After applying the EXTRA.DAT, restore the affected files from Quarantine.


To apply the EXTRA.DAT locally to an affected computer
IMPORTANT: For VirusScan Enterprise 8.5i and later, temporarily disable Access Protection before proceeding. For details, see: KB52204.

To apply the EXTRA.DAT locally:
  1. Download the EXTRA.ZIP file attached to this article and extract the EXTRA.DAT file.
  2. Start the affected computer in Safe Mode with networking enabled.
  3. Copy EXTRA.DAT to C:\Program Files\Common Files\McAfee\Engine.
  4. Launch Windows Explorer and navigate to C:\WINDOWS\system32:

    1. If svchost.exe exists in this folder and is not a 0 byte file, continue to Step 7.
    2. If svchost.exe has been deleted (or is a 0 byte file), launch the VirusScan Console (Click Start, Programs, McAfee, VirusScan Console).

      If you are unable to launch the VirusScan Console, click Start, Run, type the command below (including quotes) and click OK:

      "C:\program files\mcafee\virusscan enterprise\mcconsol.exe" /standalone

       
  5. Double-click Quarantine Manager Policy, then click the Manager tab.
  6. Right-click the detection and select Restore.
  7. Restart your computer normally.

If you are cannoty restore svchost.exe from Quarantine, or if svchost.exe is 0 bytes, do the following:
  • If you have more than one computer.
    From the unaffected computer, copy the svchost.exe file in c:\Windows\System32 to c:\Windows\System32 on the affected computer. You can copy the file to a removable media device such as a CD or USB stick to do this.

    IMPORTANT: The two computers must have the same version of Windows.
     
  • If you have a single computer, or if all your computers have been affected.
    On the affected computer, copy the svchost.exe file to c:\WINDOWS\system32 using one of the following methods:

    • From Windows Explorer, go to the folder c:\windows\ServicePackFiles\i386\ (or if not present, C:\WINDOWS\system32\dllcache\), and make a copy of svchost.exe, then go to c:\WINDOWS\system32 and paste the file in the folder.
       
    • From the command prompt (If svchost.exe is located in c:\windows\ServicePackFiles\i386\), type the following command and press ENTER:

      copy c:\windows\ServicePackFiles\i386\svchost.exe c:\WINDOWS\system32
       
    • From the command prompt (If svchost.exe is located in c:\WINDOWS\system32\dllcache), type the following command and press ENTER:

      copy c:\windows\ServicePackFiles\i386\svchost.exe c:\WINDOWS\system32\dllcache

  • If the correct version of svchost.exe cannot be located on any of your computers

    Option 1 - Restore from CD

    1. Start your computer from your Windows XP installation disk and select the Recovery console.
    2. Follow the onscreen instructions and log on as Windows XP admin.
      You see the command prompt. Example:  C:\WINDOWS>
       
    3. From the prompt, type <drive_letter>: and press ENTER.
      Where <drive_letter> is the drive where your XP installation disk is located. Default drive is C:.
       
    4. Type cd \I386 and press ENTER.
      You see the prompt: <drive_letter>:\I386>
       
    5. Type the following command and then press ENTER:

      expand svchost.ex_  <drive_letter>:\windows\system32 and press ENTER.

      where <drive_letter> is the letter of the drive where Windows XP is installed. Default drive is C.
      You now have a new copy of svchost.exe in your system32 folder.
       
    6. To restart your computer, type exit and then press ENTER .

 
Option 2 - Use the recovery partition on your hard disk
If your computer was not supplied with an XP installation disk, it is likely that all installation files are located on a separate partition on your hard disk. This can be accessed by pressing F8 during a restart and selecting the appropriate Repair or Recovery option from the menu. This option may be named differently depending on your manufacturer.
 
IMPORTANT: Take care not to run a full reinstallation as this would overwrite all existing files.

Workaround 2

ePO Users
For instructions on how to deploy the EXTRA.DAT through ePolicy Orchestrator (ePO), see:

Related Information

IMPORTANT: If you are a consumer user, to resolve this issue see KnowledgeBase article: TS100969 - ALERT: 5958 DAT Update Issue (For Home Users Only).

For additional information about EXTRA.DAT files, see KB68759.

Threat Center (McAfee Avert Labs)   http://www.mcafee.com/us/threat_center/
Search the Threat Library http://vil.nai.com/ 
Submit a virus sample https://www.webimmune.net/default.asp 
Security updates and DAT files http://www.mcafee.com/apps/downloads/security_updates/dat.asp?region=us&segment=enterprise
Är det svårt, dyrt eller ren slarv?
2010-03-01 21:05:00


av Hasain Alshakarti

Kunde inte låta bli att notera texten nedan på ett informationsblad som beskriver hur man gjorde för att ansluta till ett trådlöst WIFI nät. Det som drog min blick extra mycket var notisen på bladet som syns på bilden nedan.

  

Jag blir riktigt fundersam när jag ser sådana beskrivningar där vi lär våra användare ett felaktigt beteende. Vad tror vi kommer att hända om samma användare får ett liknande fel när han eller hon surfar till sin internetbank eller företagets webbmail mm.

/Hasain
Can you say PWN3D?
2006-06-27 11:24:00


av Jonas Ländin

Jag snubblade över en ganska stilig demonstration av "VNC remote authentication bypass vulnerability" som jag tänkte att jag kunde posta här.

Titta själv!

 
XSS blir ett allvarligt hot
2006-10-03 16:41:00


av Johannes Gumbel

Cross Site Scripting (XSS), SQL-injektion, Kommando-injektion, etc. Alla populära brister i webbapplikationer. Till för inte så länge sedan har XSS ofta ansetts som ganska harmlöst, inte alls lika allvarligt som SQL/LDAP/Kommando-injektion. Inte ens efter att de första XSS maskarna/virus blev alla övertygade om att det verkligen var ett problem.

För er som redan är övertygade och bara vill få ta del av den magiska världen av browser-hacking, och för er som inte alls är övertygade och behöver få mera information, föreslår jag att ni kollar in http://www.gnucitizen.org/projects/attackapi/. Denna site inkluderar även länkar/artiklar om hur ni kan trojanisera både mp3 och pdf (har inte hunnit läsa själv än, tyvärr) osv.

Gnucitizen (länken ovan) har även en intressant artikel om hur man kan bygga en slave/master relation mellan en browser som kört vårat javascript och en av oss kontrollerad webbserver. Ganska sweet och skrämmande (på samma gång) i mina öron.

Jag tänkte jag skulle ge er en till länk, en presentation från blackhat där det demonstreras hur javascript kan användas för att angripa interna resurser, mycket inressant. http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Grossman.pdf#search=%22hacking%20intranet%20websites%20from%20the%20outside%22