Re: McAfee Anti-virus software causing grief to Oracle binaries (win32)

  • From: "Paul Drake" <bdbafh@xxxxxxxxx>
  • To: "Oracle-L@Freelists. Org" <oracle-l@xxxxxxxxxxxxx>
  • Date: Sun, 12 Mar 2006 13:37:39 -0500

On 3/12/06, Paul Drake <bdbafh@xxxxxxxxx> wrote:
>
> If you are using McAfee antivirus software on your win32 Oracle servers -
> check your logs.
>
> It attempted to remove files such as Dell OpenManage, Cygwin, perl,
> Sysinternals pstools suite.
> Basically, anything that was in the PATH environment variable was
> targeted.
>
> Not only did it attempt to remove files in the %ORACLE_HOME%\bin
> directory, but also in the .patch_storage folder - so as far as oracle
> files, this was not limited to the PATH environment variable.
>
> This was also capable of navigating mapped drives, so if you had a file
> server set up as a common install location, and filesystem permissions
> permitted modification of such files, you'll want to refresh the
> installation files from the downloaded, compressed source file.
>
> More info to follow - I haven't even made coffee yet.
>
> Paul
>


Apparently, this is a known issue.
Sounds like a good time to roll out 10.1.0.5 + 10.1.0.5 patch 1
(CPUJan2006).

Paul



http://isc.sans.org/diary.php?storyid=1179
Handler's Diary, March 11th 2006 <http://isc.sans.org/diary.php?date=2006-03-11>
McAfee/NAI rolls bad pattern <http://isc.sans.org/diary.php?storyid=1179>
Published: 2006-03-11, Last Updated: 2006-03-11 01:29:45 UTC by Daniel Wesemann (Version: 1)

NAI/McAfee today released pattern version 4716 only hours after 4715 had
come out. Pattern 4715 triggered false positive virus alerts for "W95/CTX"
on a number of files that are part of quite prominent third party products.
Good for you if you have your AV configured to "quarantine" bad files and
not to delete them outright; this makes restoring the chewed up files after
a false positive considerably faster. Nevertheless, things like this can get
messy pretty quickly if the AV scanner starts to quarantine vital components
of your environment.

If you weren't affected and/or are using a different AV product, it might
still be worthwhile to spend a couple of minutes on the following questions:

   - How would you detect such a "bad pattern" in your environment, and,
   more importantly, how would you distinguish between "false positive" and
   "virus outbreak"?
   - Would you have the capability to roll back to the last "known good"
   pattern if help from the vendor were not forthcoming? Where exactly do
   these patterns come from? Is the previous pattern version available there
   as well?
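The diary's first question (how to spot a bad pattern and tell a false-positive storm from an outbreak) is answerable from the scanner's own event log. The following is an added example, not code from the Oracle-L thread or from the ISC diary: it parses a constructed, assumed log format (timestamp, host, action, detection name, path), groups events by detection name, and flags a group as a suspected false positive only when it is a burst that begins shortly after a pattern update and lands almost entirely under change-controlled software directories such as %ORACLE_HOME%. The log lines, host names, trusted roots and thresholds are all assumptions for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed log format, constructed for this example (not McAfee's real format):
#   <ISO-8601 time> <host> PATTERN_UPDATED <version>
#   <ISO-8601 time> <host> <ACTION> <detection-name> <path>
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>[A-Z_]+) (?P<rest>.*)$")

# Assumed: roots that hold installed, change-controlled software on these hosts.
# Tune per environment; paths are compared case-insensitively.
TRUSTED_ROOTS = ("c:\\oracle\\", "c:\\program files\\", "c:\\cygwin\\")

# Constructed sample events: a burst of W95/CTX hits on installed binaries
# minutes after pattern 4715 lands, plus a slow trickle of a placeholder
# detection name in user Temp folders over several days.
SAMPLE_LOG = """
2006-03-10T21:55:00 dbsrv01 PATTERN_UPDATED 4715
2006-03-10T22:01:05 dbsrv01 QUARANTINED W95/CTX C:\\oracle\\product\\10.1.0\\bin\\oracle.exe
2006-03-10T22:01:06 dbsrv01 QUARANTINED W95/CTX C:\\oracle\\product\\10.1.0\\.patch_storage\\PATCHID\\files\\bin\\oracle.exe
2006-03-10T22:01:40 dbsrv01 QUARANTINED W95/CTX C:\\cygwin\\bin\\perl.exe
2006-03-10T22:02:12 dbsrv01 QUARANTINED W95/CTX C:\\Program Files\\Dell\\SysMgt\\oma\\bin\\omreport.exe
2006-03-10T22:02:50 dbsrv02 QUARANTINED W95/CTX C:\\oracle\\product\\10.1.0\\bin\\sqlplus.exe
2006-03-10T22:04:30 dbsrv01 QUARANTINED W95/CTX C:\\tools\\pstools\\psexec.exe
2006-03-09T08:14:02 dbsrv02 DELETED Test/ExampleDropper C:\\Documents and Settings\\jsmith\\Local Settings\\Temp\\invoice.exe
2006-03-10T09:40:11 dbsrv02 DELETED Test/ExampleDropper C:\\Documents and Settings\\jsmith\\Local Settings\\Temp\\~tmp1.exe
2006-03-11T07:05:55 dbsrv01 DELETED Test/ExampleDropper C:\\Documents and Settings\\admin\\Local Settings\\Temp\\setup.exe
"""


@dataclass
class Detection:
    ts: datetime
    host: str
    action: str
    name: str
    path: str


def parse_log(text):
    """Return (pattern_updates, detections) parsed from the assumed format."""
    updates, dets = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or noise line
        ts = datetime.fromisoformat(m["ts"])
        if m["action"] == "PATTERN_UPDATED":
            updates.append((ts, m["host"], m["rest"].strip()))
            continue
        name, _, path = m["rest"].partition(" ")  # path may contain spaces
        dets.append(Detection(ts, m["host"], m["action"], name, path))
    return updates, dets


def triage(text, burst_window=timedelta(minutes=10), min_hits=5,
           update_grace=timedelta(hours=2), trusted_ratio=0.8):
    """Score each detection name as suspected false positive or not.

    'suspected_false_positive' requires all of: a burst (>= min_hits inside
    burst_window), onset within update_grace of a pattern update, and at
    least trusted_ratio of hits under TRUSTED_ROOTS. Anything else is
    'investigate_as_outbreak'. Triage aid only: confirm by comparing the
    quarantined files with the vendor's install media before restoring.
    """
    updates, dets = parse_log(text)
    by_name = defaultdict(list)
    for d in dets:
        by_name[d.name].append(d)

    verdicts = {}
    for name, events in by_name.items():
        events.sort(key=lambda d: d.ts)
        first, last = events[0].ts, events[-1].ts
        prior = [u for u in updates if u[0] <= first]
        since_update = first - max(prior, key=lambda u: u[0])[0] if prior else None
        trusted = sum(1 for d in events if d.path.lower().startswith(TRUSTED_ROOTS))
        ratio = trusted / len(events)
        burst = len(events) >= min_hits and (last - first) <= burst_window
        suspect_fp = (burst and since_update is not None
                      and since_update <= update_grace and ratio >= trusted_ratio)
        verdicts[name] = {
            "verdict": "suspected_false_positive" if suspect_fp else "investigate_as_outbreak",
            "hits": len(events),
            "hosts": len({d.host for d in events}),
            "distinct_files": len({d.path.lower() for d in events}),
            "trusted_ratio": round(ratio, 2),
            "minutes_since_pattern_update": (int(since_update.total_seconds() // 60)
                                             if since_update is not None else None),
        }
    return verdicts


if __name__ == "__main__":
    for name, v in triage(SAMPLE_LOG).items():
        print(name, v)
```

The three signals are deliberately conjunctive: a real worm can also produce a burst across many hosts, so timing relative to the pattern update and the location of the hit files carry the weight, and a single miss drops the group into the "investigate" bucket. The same grouping, run per pattern version, also answers the diary's rollback question in practice, since it tells you which version introduced the noise and therefore which earlier one is the "known good" candidate.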
