McAfee 4715 DAT flawed, lots of false positives!!
Make sure to update to 4716 immediately!!
From a post by Apluswebmaster at Spybot's forum:
-
http://isc.sans.org/diary.php?storyid=1179
Last Updated: 2006-03-11 01:29:45 UTC
"NAI/McAfee today released pattern version 4716 only hours after 4715 had come out.
Pattern 4715 triggered false positive virus alerts for "W95/CTX" on a number of files that are part of quite prominent third party products. Good for you if you have your AV configured to "quarantine" bad files and not to delete them outright, this makes restoring the chewed up files after a false positive considerably faster. Nevertheless, things like this can get messy pretty quickly if the AV scanner starts to quarantine vital components of your environment.
If you weren't affected and/or are using a different AV product, it might still be worthwhile to spend a couple of minutes on the following questions:
* How would you detect such a "bad pattern" in your environment, and, more importantly, how would you distinguish between "false positive" and "virus outbreak"?
* Would you have the capability to roll back to the last "known good" pattern if help from the vendor were not forthcoming? Where exactly do these patterns come from? Is the previous pattern version available there as well?"
-------------------------------------------------
EDIT/ADD:
RE: False positives from 4715 DAT file of 3.10.2006:
-
http://vil.nai.com/vil/content/v_138884.htm
"...Users who have moved detected files to quarantine should restore them to their original location. Windows users who have had files deleted should restore files from backup or use System Restore.
Virusscan Online users can restore the falsely detected file from the Manage Quarantined Files by clicking on the Restore button as shown..."
>>>
(See URL above for complete info and screenshots.)
Also see:
-
http://isc.sans.org/diary.php?storyid=1184
Last Updated: 2006-03-12 18:58:01 UTC
--------------------------------------------------
More...
-
http://vil.nai.com/vil/content/v_138884.htm
W95/CTX ...
"... Update March 12, 2006 - 15:28 PDT --
A complete list of files, which are known to trigger this incorrect identification, can be downloaded here*."
* http://vil.nai.com/images/CTX_file_list.pdf
EDIT/ADD:
-
http://isc.sans.org/diary.php?compare=1&storyid=1184
"...Update: 02:43 UTC 2006-03-13 - McAfee has released a list of (supposedly) all the files affected by DAT 4715. It includes some other interesting ones in addition to excel.exe, like setup.exe, uninstall.exe, shutdown.exe, and reg.exe to name just a few, but is clearly incomplete since it doesn't include any of the Oracle binaries that have been reported to be affected by some of our readers..."
---------------------------------------------
FYI... re:
http://isc.sans.org/diary.php?compare=1&storyid=1184
"...McAfee has developed a tool that will restore files that were quarantined by DAT 4715..."
-
http://vil.nai.com/vil/content/v_138884.htm
"...Update March 13, 2006 - 17:45 PDT --
Tools for recovering quarantine files due to this incorrect identification can be found here*..."
McAfee W95/CTX Quarantine File Restore Utility
* http://vil.nai.com/vil/stinger/ctxundo.asp
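The ISC diary quoted above asks how you would tell a "bad pattern" from a real outbreak. One practical answer is to compare the hash of every file the scanner flags against a golden-image inventory taken before the DAT update: a signature that only ever fires on files whose hashes are identical to the known-good baseline, on many hosts at once, right after a DAT change, is a false-positive storm; a flagged file whose hash no longer matches the baseline is a real change and must be treated as an infection. The script below is an added example, not code from the forum post, from SANS ISC or from McAfee. The log format, host names, the "W32/Constructed.worm" detection name and all hash values are constructed for illustration; the W95/CTX name and the excel.exe, reg.exe and shutdown.exe paths are taken from the page.

```python
"""Triage AV detections after a DAT update: bad pattern or outbreak?

Added example, not part of the original post. Everything below the docstring
(log format, hosts, hashes, the worm name) is constructed sample data.
"""
from collections import defaultdict

# Constructed golden-image inventory: path -> SHA-256 recorded BEFORE DAT 4715.
# The digest strings are placeholders, not real hashes.
BASELINE = {
    r"C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE": "sha256:excel-known-good",
    r"C:\WINDOWS\system32\reg.exe": "sha256:reg-known-good",
    r"C:\WINDOWS\system32\shutdown.exe": "sha256:shutdown-known-good",
}

# Constructed detection log, one event per line:
# timestamp|host|dat_version|detection|path|sha256_of_flagged_file
SAMPLE_LOG = r"""
2006-03-10T13:05:00|ws-01|4715|W95/CTX|C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE|sha256:excel-known-good
2006-03-10T13:05:40|ws-02|4715|W95/CTX|C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE|sha256:excel-known-good
2006-03-10T13:06:12|ws-03|4715|W95/CTX|C:\WINDOWS\system32\reg.exe|sha256:reg-known-good
2006-03-10T13:07:30|ws-04|4715|W95/CTX|C:\WINDOWS\system32\shutdown.exe|sha256:shutdown-known-good
2006-03-10T13:09:01|ws-05|4715|W95/CTX|C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE|sha256:excel-known-good
2006-03-10T13:11:45|ws-01|4715|W32/Constructed.worm|C:\WINDOWS\system32\reg.exe|sha256:unexpected-7f3a
2006-03-10T13:12:02|ws-06|4715|W32/Constructed.worm|C:\Documents and Settings\bob\Local Settings\Temp\svch0st.exe|sha256:unexpected-7f3a
""".strip()


def parse_events(text):
    """Parse the pipe-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, dat, detection, path, digest = line.split("|", 5)
        events.append({"ts": ts, "host": host, "dat": dat,
                       "detection": detection, "path": path, "sha256": digest})
    return events


def triage(events, baseline, min_hosts=3):
    """Classify each (detection, DAT version) group.

    Verdict codes:
      OUTBREAK     - an inventoried file's hash differs from the baseline:
                     the file really changed, treat as an infection.
      BAD_PATTERN  - every hit is a baseline-identical file and the signature
                     fired on at least min_hosts hosts: false-positive storm.
      FP_FEW_HOSTS - only baseline-identical files, but too few hosts to be
                     sure; confirm before rolling the DAT back.
      UNVETTED     - hits on files not in the inventory: no basis to call it
                     a false positive, so keep treating it as real.
    """
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["detection"], ev["dat"])].append(ev)

    verdicts = {}
    for key, evs in groups.items():
        hosts = {ev["host"] for ev in evs}
        known_good = sum(1 for ev in evs if baseline.get(ev["path"]) == ev["sha256"])
        changed = sum(1 for ev in evs
                      if ev["path"] in baseline and baseline[ev["path"]] != ev["sha256"])
        unknown = len(evs) - known_good - changed
        if changed:
            verdict = "OUTBREAK"
        elif known_good == len(evs) and len(hosts) >= min_hosts:
            verdict = "BAD_PATTERN"
        elif known_good == len(evs):
            verdict = "FP_FEW_HOSTS"
        else:
            verdict = "UNVETTED"
        verdicts[key] = {"events": len(evs), "hosts": len(hosts),
                         "known_good": known_good, "changed": changed,
                         "unknown": unknown, "verdict": verdict}
    return verdicts


def restore_list(events, verdicts):
    """(host, path) pairs to restore from quarantine: only BAD_PATTERN groups."""
    return {(ev["host"], ev["path"]) for ev in events
            if verdicts[(ev["detection"], ev["dat"])]["verdict"] == "BAD_PATTERN"}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    result = triage(evs, BASELINE)
    for (detection, dat), info in sorted(result.items()):
        print(f"DAT {dat} {detection}: {info}")
    for host, path in sorted(restore_list(evs, result)):
        print(f"restore on {host}: {path}")
```

The inventory is the part that needs preparation ahead of time: hashes of the binaries you care about, taken from a clean build or golden image, stored somewhere the scanner cannot quarantine. With that in hand, the restore list only ever contains files whose hash still matches the baseline, so restoring them from quarantine cannot put a modified binary back into service, and the OUTBREAK hits on reg.exe with a foreign hash are kept out of it.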