McAfee Antivirus Definition Errors
What is happening:
At 5:00 pm, on Tuesday 10/23/12, the Information Security Office received a report that McAfee Antivirus using definition 6874 was erroneously detecting the Windows hosts file (C:\WINDOWS\system32\drivers\etc\host) as being infected by "Generic Qhosts.C". In most cases McAfee was reporting that it had "Cleaned" the file, but in a few cases it had marked the file for deletion and may have deleted it. These erroneous reports are being treated as false positives.
In addition, definition 6874 has erroneously reported infections in hosts files modified by the legitimate security program Spybot. It is suspected that the definition produces errors for other security programs as well.
To stop the reports of false positives on personal and campus Windows machines that use the campus-provided McAfee Antivirus software, the EPO server has been modified to ignore C:\WINDOWS\system32\drivers\etc\host. (EPO admins, this exception has been added to your individual policies for your areas.)
Communication regarding this issue was sent to the Tech Users group around 11:00 pm on 10/23/12.
What to do:
- For the moment, barring new information from McAfee, this error will be treated as a false positive and can be safely ignored.
- McAfee users who do not use the EPO server should also ignore warnings of machines infected by "Generic Qhosts.C".
- The Information Security Office is in the process of contacting the support areas for the computers (fewer than 10 at last count) that had marked the hosts file for deletion.
- If your computer has shown the "Generic Qhosts.C" warning from McAfee within the last 48 hours, please contact your support personnel for assistance.
Please direct questions to the UWM Help Desk at 414-229-4040 or gettechhelp.uwm.edu.