Configuration Manager 2007 Task Sequence to assist in resolving McAfee Antivirus deleting svchost.exe

By now I’m sure you all heard about the false positive detection of w32/wecorl.a in 5958 DAT issue with McAfee and how it can cause a no-boot situation in Windows XP SP3.  McAfee themselves as well as some of our colleagues on the Windows team have a resolution posted that describes how to fix this on a one-by-one basis, but what if you have a lot of clients experiencing the issue?  Well if you’re running System Center Configuration Manager 2007 then your life just got a whole lot easier.  Using ConfigMgr 2007, this issue can be remediated by an SCCM 2007 Task Sequence by booting into WinPE via PXE or Boot Media and copying svchost.exe from the DLLCache back to its proper location. The EXTRA.DAT file from the above McAfee article can also be copied over to its proper location to prevent the issue from occurring again.  Here are the details:


Symptoms

When McAfee virus definition 5958 DAT file dated April 21, 2010 is applied in Windows XP SP3, svchost.exe is removed from C:\Windows\System32 causing the machine to go into a reboot loop and possibly blue-screen.


Cause

When McAfee virus definition 5958 DAT file is applied in Windows XP SP3, it incorrectly identifies svchost.exe as the w32/wecorl.a virus causing the file to be quarantined and removed from C:\Windows\System32. For more information please see the following McAfee article:


False positive detection of w32/wecorl.a in 5958 DAT: https://kc.mcafee.com/corporate/index?page=content&id=KB68780


Resolution

This issue can be remediated via an SCCM 2007 Task Sequence by booting into WinPE via PXE or Boot Media and copying svchost.exe from the DLLCache back to its proper location. The EXTRA.DAT file from the above McAfee article can also be copied over to its proper location to prevent the issue from occurring again.


To create the Task Sequence:


1) Download and unzip the EXTRA.zip file from the above McAfee link. The ZIP file should contain one file called EXTRA.DAT.


2) In the SCCM 2007 Admin console, navigate to “Computer Management” –> “Software Distribution” –> “Packages” node.


3) In the “Packages” node create a package that contains the EXTRA.DAT file downloaded from Step 1. A program does not need to be created with the package.  Make sure to copy the package to the distribution points (DPs).


4) In the SCCM 2007 Admin console, navigate to the “Computer Management” –> “Operating System Deployment” –> “Task Sequences” node.


5) Right click on the “Task Sequences” node and choose “New” –> “Task Sequence”.


6) In the “New Task Sequence Wizard”, select “Create a new custom task sequence” and then click on the “Next >” button.


7) In the “Task Sequence name:” field, give the Task Sequence an appropriate name such as “McAfee Fix”.


8) Next to “Boot image:”, click on the “Browse…” button and choose an appropriate x86 Boot Image. Click on the “OK” button and then the “Next >” button.


9) Click on the “Next >” button and then the “Close” button.


10) Right click on the newly created Task Sequence and select “Edit”.


11) Click on the “Add” menu and choose “General” –> “Run Command Line”.


12) In the “Run Command Line” task fill out the following fields appropriately:


Name:
Copy svchost.exe


Command line:
xcopy "C:\Windows\System32\dllcache\svchost.exe" "C:\Windows\System32\*.*" /Y


13) Click on the “Options” tab.


14) Select “Add Condition”, and then “Task Sequence Variable”.


15) In the “Task Sequence Variable” window, enter the following information:


Variable:
_SMSTSInWinPE


Condition:
equals


Value:
true


16) Click on the “OK” button.


17) Click on the “Add” menu and choose “General” –> “Run Command Line”.


18) In the “Run Command Line” task fill out the following fields appropriately:


Name:
Copy McAfee Extra.dat file

Command line:
xcopy ".\EXTRA.DAT" "C:\Program Files\Common Files\McAfee\Engine\*.*" /Y


Package:
Click on the “Package” option, then click on the “Browse…” button and select the package created in Step 3. Click on the “OK” button.


19) Click on the “OK” button to save the Task Sequence.


20) Advertise the Task Sequence to a Collection of the affected computers. When creating the advertisement, make sure to choose the option “Make this task sequence available to boot media and PXE”. To prevent the Task Sequence from accidentally running on unintended PCs, it is advisable NOT to set a Mandatory assignment on the Advertisement.


The above Task Sequence assumes that the drive where Windows and McAfee are installed will populate as C: while in WinPE. In some circumstances, the C: drive may populate as another drive letter such as E:. In these circumstances, the above Task Sequence will need to be modified to accommodate such scenarios. Additional tasks could be added to the Task Sequence and all tasks could be marked with “Continue On Error” to account for multiple scenarios.
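As an added example (not part of the original post and not Microsoft or McAfee code), the two “Run Command Line” steps from Steps 12 and 18 and the drive-letter caveat above can be folded into one batch script. Instead of assuming C:, it scans the drive letters WinPE has assigned (skipping X:, the WinPE RAM drive) for an offline Windows install that still holds svchost.exe in dllcache, restores the file only if it is actually missing from System32, and copies EXTRA.DAT into the McAfee engine folder on that same drive if the folder exists. The script name FixSvchost.cmd, the package layout (EXTRA.DAT sitting next to the script in the package created in Step 3) and the single “Run Command Line” step of cmd.exe /c FixSvchost.cmd are assumptions for this example.

```batch
@echo off
rem Added example, not from the original post: restore svchost.exe from
rem dllcache and stage McAfee EXTRA.DAT from WinPE without assuming C:.
rem Assumed: run as a "Run Command Line" step with the Step 3 package
rem selected, so EXTRA.DAT is in the working directory, e.g.
rem     cmd.exe /c FixSvchost.cmd
setlocal enabledelayedexpansion

rem Find the offline Windows install. X: is WinPE itself and is skipped.
set "WINDRIVE="
for %%D in (C D E F G H I J K L M N O P Q R S T U V W Y Z) do (
    if not defined WINDRIVE (
        if exist "%%D:\Windows\System32\dllcache\svchost.exe" set "WINDRIVE=%%D:"
    )
)
if not defined WINDRIVE (
    echo No Windows installation with a dllcache copy of svchost.exe was found.
    exit /b 1
)
echo Windows installation found on !WINDRIVE!

rem Restore svchost.exe only when it is really missing; leave a healthy
rem machine untouched so the sequence is safe to run more than once.
set "SYS32=!WINDRIVE!\Windows\System32"
if exist "!SYS32!\svchost.exe" (
    echo svchost.exe is already present in !SYS32!, nothing to restore.
) else (
    copy /Y "!SYS32!\dllcache\svchost.exe" "!SYS32!\svchost.exe" >nul || (
        echo Failed to copy svchost.exe from dllcache.
        exit /b 2
    )
    echo Restored svchost.exe from dllcache.
)

rem Stage EXTRA.DAT so the corrected detection is in place at next boot.
set "ENGINE=!WINDRIVE!\Program Files\Common Files\McAfee\Engine"
if not exist "!ENGINE!\" (
    echo McAfee engine folder not found on !WINDRIVE!, skipping EXTRA.DAT.
    exit /b 0
)
if not exist ".\EXTRA.DAT" (
    echo EXTRA.DAT not found in the package directory, skipping.
    exit /b 0
)
copy /Y ".\EXTRA.DAT" "!ENGINE!\EXTRA.DAT" >nul || (
    echo Failed to copy EXTRA.DAT to !ENGINE!.
    exit /b 3
)
echo Copied EXTRA.DAT to !ENGINE!
exit /b 0
```

Because the script exits non-zero only when a copy genuinely fails, the step can be left without “Continue On Error” and the task sequence log will show which machines still need hands-on attention; the _SMSTSInWinPE condition from Step 15 still belongs on the step so it never runs inside the full OS.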


Frank Rojas | Support Escalation Engineer

