ConfigMgr 2007: Task Sequence to assist resolving McAfee Antivirus deleting svchost.exe

When McAfee virus definition 5958 DAT file dated April 21, 2010 is applied in Windows XP SP3, svchost.exe is removed from C:\Windows\System32.

When McAfee virus definition 5958 DAT file is applied in Windows XP SP3, it incorrectly identifies svchost.exe as the w32/wecorl.a virus causing the file to be quarantined and removed from C:\Windows\System32. For more information please see the following McAfee article:

False positive detection of w32/wecorl.a in 5958 DAT
https://kc.mcafee.com/corporate/index?page=content&id=KB68780

This issue can be remediated by via an Configuration Manager 2007 Task Sequence by booting into WinPE via PXE or Boot Media and copying svchost.exe from the DLLCache back to its proper location. The EXTRA.DAT file from the above McAfee article can also be copied over to its proper location to prevent the issue from occurring again.

To create the Task Sequence:

1) Download and unzip the EXTRA.zip file from the above McAfee link. The ZIP file should contain one file called EXTRA.DAT.

2) In the Configuration Manager 2007 Admin console, navigate to "Computer Management" --> "Software Distirbution" --> "Packages" node.

3) In the "Packages" node create a package that contains the EXTRA.DAT file downloaded from Step 1. A program does not need to be created with the package. Make sure to copy the package to DPs.

4) In the Configuration Manager 2007 Admin console, navigate to the "Computer Management" --> "Operating System Deployment" --> "Task Sequences" node.

5) Right click on the "Task Sequences" node and choose "New" --> "Task Sequence"

6) In the "New Task Sequence Wizard", select "Create a new custom task sequence" and then click on the "Next >" button.

7) In the "Task Sequence name:" field, give the Task Sequence an appropriate name such as "McAfee Fix".

8) Next to "Boot image:", click on the "Browse..." button and choose an appropriate x86 Boot Image. Click on the "OK" button and then the "Next >" button.

9) Click on the "Next >" button and then the "Close" button.

10) Right click on the newly created Task Sequence and select "Edit".

11) Click on the "Add" menu and choose "General" --> "Run Command Line".

12) In the "Run Command Line" task fill out the following fields appropriately:

Name:
Copy svchost.exe

Command line:
xcopy "C:\Windows\System32\dllcache\svchost.exe" "C:\Windows\System32\*.*" /Y

13) Click on the "Options" tab.

14) Select "Add Condition", and then "Task Sequence Variable".

15) In the "Task Sequence Variable" window, enter the following information:

Variable:
_SMSTSInWinPE

Condition:
equals

Value:
true

16) Click on the "OK" button.

17) Click on the "Add" menu and choose "General" --> "Run Command Line".

18) In the "Run Command Line" task fill out the following fields appropriately:

Name:
Copy McAfee Extra.dat file

Command line:
xcopy ".\EXTRA.DAT" "C:\Program Files\Common Files\McAfee\Engine\*.*" /Y

Package
Click on the "Package" option, then click on the "Browse..." button and select the package created in Step 3. Click on the "OK" button.

19) Click on the "OK" button to save the Task Sequence.

20) Advertise the Task Sequence to a Collection of the affected computers. When creating the advertisement, make sure to choose the option "Make this task sequence available to boot media and PXE". To prevent the Task Sequence from accidently running on unintended PCs, it is advisable NOT to set a Mandatory assignment on the Advertisement.

The above Task Sequence assumes that drive where Windows and McAfee are installed will populate as C: while in WinPE. In some circumstances, the C: drive may populate as another drive letter such as E:. In these circumstances, the above Task Sequence will need to be modified to accommodate for such scenarios. Additional tasks could be added to the Task Sequence and all tasks could be marked with "Continue On Error" to account for multiple scenarios.

Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use (http://go.microsoft.com/fwlink/?LinkId=151500) for other considerations.