McAfee VirusScan Plus 08/09

tcsenter

A few years ago, McAfee changed VirusScan Plus (VSP) so that it doesn't support regular DAT and SuperDAT stand-alone update files. The only "supported" method of getting newer DAT and scan engine files into VSP is connecting to the internet during or after installation. If you need to install VSP on a compromised computer that cannot connect to the internet (for whatever reason), you are stuck with whatever definition files come on the VSP install CD, which are guaranteed to be months old.

Although not supported by McAfee, there is a way to integrate the latest DAT/ENGINE updates into the VSP installation files (copied from CD to a computer), then burn back to CD so that it can be installed on a PC that may not be able to connect to the internet. Just download the signed CABs directly from the same URL that VSP updater uses and drop them into the installation files, replacing the old ones.

For 32-bit OS, the files in question are:

vsodat.cab = DAT files
vsoeng.cab = 32-bit scan engine

For 64-bit OS, the DAT file is the same, but you need 64-bit compatible scan engine:

vsoeng64.cab = 64-bit scan engine


The DAT CAB file we are downloading is actually named avvdat.cab, which must be renamed to vsodat.cab. The URL for the DAT file will change with the DAT version, which is updated daily:

http://download.mcafee.com/molbin/iss-loc/virusscan/vsodat/{latest DAT number}/avvdat.cab


As of this writing, the latest DAT version is 5660, which you can determine from the DAT download page. If the latest DAT filename is sdat-5660, insert "5660" into the download URL for avvdat.cab in place of {latest DAT number}. e.g.

http://download.mcafee.com/molbin/iss-loc/virusscan/vsodat/5660/avvdat.cab

Availability of the avvdat.cab may lag several hours behind the official DAT availability. For example, at the time I edited this, avvdat.cab based on DAT 5661 is not yet available (but previous versions work fine). Again, you must rename avvdat.cab to vsodat.cab. The scan engine gets updated only once or twice per year at most, so the URL for the scan engine cab should be good for a while:

http://download.mcafee.com/molbin/iss-loc/virusscan/vsoeng/13.11/5301.4018/vsoeng.cab (32-bit)

http://download.mcafee.com/molbin/iss-loc/virusscan/vsoeng/13.11/5301.4018/vsoeng64.cab (64-bit)


Locate these files in the installation source and replace them with the new ones. Burn the install files back to CD and install on the target PC. VSP will have the latest DAT and scan engine for the antivirus and antispyware components only. Since the target PC is assumed to have no internet connectivity (for whatever reason), Personal Firewall and SiteAdvisor needn't be installed, just Security Center and VirusScan.
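
The staging step described in the post above, as an added example that is not part of the original post and is not McAfee's code: it builds the avvdat.cab URL from a DAT number, rejects downloads that are not cabinet files or are shorter than their header declares, and overwrites the matching CABs in a copy of the install files. The function names, the search of the whole install tree (the post does not say where the CABs sit) and the header-length check are assumptions; the Authenticode signature on the CABs is not verified here.

```python
import hashlib
import shutil
import struct
from pathlib import Path

# Downloaded name -> name used in the VSP installation files (per the post).
RENAMES = {"avvdat.cab": "vsodat.cab",
           "vsoeng.cab": "vsoeng.cab",
           "vsoeng64.cab": "vsoeng64.cab"}
BASE = "http://download.mcafee.com/molbin/iss-loc/virusscan"

def dat_url(dat_number):
    """URL of avvdat.cab for a DAT number such as 5660."""
    return f"{BASE}/vsodat/{int(dat_number)}/avvdat.cab"

def check_cab(path):
    """Return the SHA-256 of a cabinet; reject non-CAB or truncated files."""
    data = Path(path).read_bytes()
    if len(data) < 12 or data[:4] != b"MSCF":
        raise ValueError(f"{path}: not a cabinet file")
    (declared,) = struct.unpack_from("<I", data, 8)  # cbCabinet header field
    if declared > len(data):
        raise ValueError(f"{path}: truncated, {len(data)} of {declared} bytes")
    return hashlib.sha256(data).hexdigest()

def stage(download_dir, install_dir):
    """Overwrite the CABs in a copy of the install files; return {name: sha256}."""
    download_dir, install_dir = Path(download_dir), Path(install_dir)
    present = {s: d for s, d in RENAMES.items() if (download_dir / s).is_file()}
    # Validate everything first so a bad download never half-updates the tree.
    digests = {d: check_cab(download_dir / s) for s, d in present.items()}
    for src_name, dst_name in present.items():
        # File names on the CD may differ in case, so compare lower-cased.
        targets = [p for p in install_dir.rglob("*")
                   if p.is_file() and p.name.lower() == dst_name]
        if not targets:
            raise FileNotFoundError(f"{dst_name} not found under {install_dir}")
        for old in targets:
            shutil.copyfile(download_dir / src_name, old)
    return digests
```

Keeping the returned digests with the burned disc lets you confirm later which DAT and engine files it carries.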
 

Miramonti

I don't know if this is relevant but the latest, DAT 5664, is giving false positives to system files and blue-screening computers:

McAfee false-positive glitch fells PCs worldwide: When AV attacks

IT admins across the globe are letting out a collective groan after servers and PCs running McAfee VirusScan were brought down when the anti-virus program attacked their core system files. In some cases, this caused the machines to display the dreaded blue screen of death.

Details are still coming in, but forums here and here show that it's affecting McAfee customers in Germany, Italy, and elsewhere. A UK-based Reg reader, who asked to remain anonymous because he was not authorized by his employer to speak to the press, said the glitch simultaneously leveled half of a customer's 140 machines after they updated to the latest virus signature file.

"Literally half of the machines were down with this McAfee anti-virus message IDing valid programs as having this trojan," the IT consultant said. "Literally half the office switched off their PCs and were just twiddling their thumbs."

When the consultant returned to his office he was relieved that his own laptop, which also uses VirusScan, was working normally. Then, suddenly, when it installed the latest McAfee DAT file, his computer was also smitten. The anti-virus program identified winvnc.exe and several other legitimate files as malware and attempted to quarantine them. With several core system files out of commission, the machine was rendered an expensive paperweight.

A McAfee representative in the US didn't immediately respond to phone calls seeking comment. Friday is a holiday for many US employees in observance of Saturday's Independence Day.

Based on anecdotes, the glitch appears to be caused when older VirusScan engines install DAT 5664, which McAfee seems to have pushed out in the past 24 hours. Affected systems then begin identifying a wide variety of legitimate - and frequently crucial - system files as malware. Files belonging to Microsoft Internet Explorer, drivers for Compaq computers, and even the McAfee-associated McScript.exe were being identified as a trojan called PWS!hv.aq, according to the posts and interviews.

We're still trying to determine how widespread this false-positive glitch is being felt and whether people have found any reliable fixes. If you have insight, please leave a comment below. ®

 

tcsenter

Added note:

I've noticed that McAfee VSP will NOT update the application files unless you opt to 'download updates' during installation, even if updated application files are available and you use the update feature after (not during) installation.

IOW, if you use the aforementioned method to manually integrate the virus/malware definitions only, then skip downloading updates during installation, you could be missing out on newer application files. I would only recommend manually updating the antivirus/malware definition and scan engine files if the computer cannot connect to the internet (for whatever reason).

After the target PC has been cleaned/fixed, if you intend to keep using McAfee VSP, I would recommend uninstalling then reinstalling VSP, but this time select 'download updates' during installation to obtain the latest application file updates.