McAfee Posts Response to False Positive Error 5958  
Hollywood Backstage Staff Writer 
Thursday, April 22, 2010 Santa Clara, CA

McAfee is preparing a "root cause analysis" of the problem, which will be presented as soon as it is complete. According to McAfee representatives, customers with a valid support contract who are affected by the 5958 "false positive error" are being offered free technical phone support at (866) 622-3911.

Meanwhile, McAfee has posted this response to the 5958 "false positive error."

"Typically, customers who use McAfee's Enterprise Policy Orchestrator (EPO) have aggressive update deployment set-ups to ensure the exposure time to true virus threats is minimized," mycentrality.com said in an after-action report it drafted on the McAfee disaster. "It is because of this standard, aggressive, deployment process that the update was able to get to a large number of machines so quickly."

Overview

McAfee learned that one of its virus definition DAT files, version 5958, which ensures updated protection on our anti-malware solutions, falsely identified a critical Windows system file, “svchost.exe”, as malware.

The detection was in response to a threat that attacks critical Windows system executables and buries itself deep into memory. This detection was in DAT release 5958. Once applied to systems, the DAT incorrectly identifies the Microsoft system file “svchost.exe” as malware, prompting McAfee anti-malware solutions to remove or quarantine the file. Customers have reported a variety of symptoms, ranging from a system “blue screen” to loss of network connectivity, inability to use USB, and a perpetual state of reboot. Users have reported these symptoms both when the file is present on the system (in quarantine) and when it has been deleted entirely. For more information on this issue, users may visit the McAfee Threat Center.

Remediation

On discovery of the issue, McAfee immediately issued support advisories, notified customers not to update to 5958, and removed the DAT file from download sites. McAfee fixed the issue in the DAT and released a corrected DAT file, version 5959, which does not include the false detection.

McAfee has thoroughly tested DAT version 5959 against this issue, and encourages all customers to update to this latest version. More details on the problem and workarounds can be found in the McAfee KnowledgeBase.
