I haven’t found any reference to this fix when searching the Googles, so I’m dropping it out here. Comment if you find this useful.

While remediating the frequent updates to the W32/Qakbot/Pinkslipbot variants, I ran into an issue where the usual sandbagging-vendor response of “Oh, you don’t have all the latest patches? Call back when you do” was NOT going to cut it.

I’d been submitting the new variants to McAfee, like a good little soldier, and loading up the Extra.DAT files into our ePO server to make sure that they got pushed down to all of our workstation machines. Everything looked good, the Extra.DAT imported okay, and tra-la, puppies and kittens for all, right?

Yeah, not so much. See, here’s the thing with McAfee AntiVirus 8.7 (with all patches, from my research) when it’s managed by ePO. Let’s say you get an Extra.DAT file to handle the new variant of W32.Akbot, and you push it down to your clients. Hooray! Good jawrb! And lo, it came to pass that production DAT files come out that handle detection and removal better than the off-the-cuff Extra.DAT file, so you pull the Extra.DAT out of production.

But let’s say that same virus makes its way back into your environment, but with a brand new update that is slipping by McAfee. So, once again, you submit it to McAfee, and they give you a brand spanking new Extra.DAT. Frickin’ sweet, right? Yeah, not so much. Because while it loads into ePO fine, and manually installing it on a client seems to work, for some reason none of your workstations will pick up this Extra.DAT. And this is why:

Image001

Because it’s got the same detection name as a previous Extra.DAT. It doesn’t matter that it’s an entirely different DAT file; the odds are that your clients will keep rejecting this Extra.DAT because they’re convinced that they already got it and that it was superseded by production DAT files. So, whatchoo gonna do? Simple:

Image002

Save it in Notepad, and in ePO, check it into your Master Repository:

Image003

I’LL BET THIS VIRUS HAS A BIG PAYLOAD, AMIRITE GUYS? GUYS???

There you go. This is good to know if you’re dealing with repeated infections of a prolifically updated virus (a common occurrence for many malware packages now, as the malware writers have solid financial backing). In my experience, it will display, in the “About” page of your local McAfee Anti-Virus install, the actual name of the variant in the Extra.DAT field, and not your… ahem… special name. But name at your own risk, unless you really do want to explain the W32/DonkeypunchManagement virus to your boss.