
McAfee VirusScan and disabled SFC


BrandonMills


So I've been using nLite for Windows XP installations for quite a while now and haven't run into any major issues. Using it combined with driverpacks lets me deploy XP installations that work out of the box on modern hardware without downloading drivers and massive updating. On most of these systems, I also install McAfee VirusScan, as that is the virus scanning product that our Institute chooses to use. So recently I went to check out the PC setup of someone who was complaining that suddenly her system wasn't working. I took a look at the system and, sure enough, there seemed to be plenty wrong with this system. It seemed as if majorly important DLLs had gone missing. I figured that a virus might be the case, so I took a look at the McAfee VirusScan log files and found detections of a virus called "PatchedSFC". PatchedSFC?

http://vil.nai.com/vil/content/v_249816.htm - note the updated dat file from March 22nd.

So I decided to go upstairs to my own XP box to re-confirm my findings. Sure enough, McAfee detected my patched SFC file as being a potentially dangerous program during a manual scan. I've been running an nLite install with McAfee since SP2 and I've never run into this situation of a detection. This leads me to believe that one day, McAfee updated its definitions, decided that it didn't like the patched sfc.dlls, and since cleaning failed, deleted it on the next reboot. Gee, thanks McAfee.

As someone who uses nLite to set up XP systems regularly, I'm *not* happy about this. This could rapidly turn into a massive headache, and I'm not quite sure when McAfee decided that a patched Windows file constitutes a threat to your system. I'm going to make follow-up posts once I gather more information, but could I get some confirmations about this finding from the community? I'm assuming that since it's in the McAfee SuperDat, any McAfee product should behave similarly. I'm going to work on fixing the downed system and gathering what all has happened.

Edit - The VirusScan update in the log that seems to have triggered the detection was 5928. In the readme file for this update, the PatchedSFC detection was updated. I'm assuming that the user's machine I was working on had more issues than just the SFC detection at this point. I'm trying to not jump to too many conclusions here, but understand that I used nLite and McAfee for a lot of installs, so I am a little antsy right now. :)

Edit #2 - Ok, I attempted to 'clean' the sfc_os.dll and cleaning 'failed', but then it stopped detecting as PatchedSFC. Ok...whatever. I'm lost now.

Edit #3 - Starting to make sense. The system that was hit was indeed hit with the virus that McAfee was trying to detect and cleanse from the system. Turns out McAfee couldn't properly detect this virus, and thus this virus hit this system. So indeed, the system I went to was hit by PatchedSFC. However, for some odd reason, I still get false positives on sfc_os.dll on nLite installs with SFC disabled, but I can't always replicate it. Hmmmm... I don't *think* this is all just my problem, but I guess it's possible... My XP system is fairly lock-tight. I guess what I need to know now is, is anyone else getting sfc_os.dll detecting as PatchedSFC by the latest McAfee DAT files? Maybe this is just my problem. I kind of hope it is just my problem.

Edit #4 - Was not aware I was not supposed to use nLite for personal use only, either. I apologize and I'll be removing my copies of nLite'd XP CDs from my desk area tomorrow morning.

Edited by BrandonMills


I also install McAfee VirusScan, as that is the virus scanning product that our Institute chooses to use.

Let me remind you that when you installed nLite, you accepted the fact it was for strictly personal use only.


BrandonMills, wow, looks like you are in a pickle. I suggest you look for a new way to manage your PCs. I think the author/owner of nLite does not license commercial use for this among many reasons. I probably should not even go this far, but I disable SFC to do my install, then re-enable it afterwards by copying the original sfc_os.dll file back and altering the Registry entry, in that order. I don't use McAfee, but have seen no problems. I think it is not good to run without SFC anyway. Other nLite users should also take warning that leaving SFC disabled could lead to trouble. For that we are thankful for your report. Good luck, John.

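The check-and-restore routine John describes above, written out as an added example (not code from the thread or from nLite): it compares the live sfc_os.dll against the Windows File Protection cache copy and reads the SFCDisable value under Winlogon, and only rewrites either with -Repair. It assumes a Windows XP layout (system32\dllcache) and PowerShell 2.0 on that box.

```powershell
# Added example: audit (and optionally restore) Windows File Protection on XP.
# Assumes the XP file layout and the SFCDisable value under the Winlogon key.
param([switch]$Repair)

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$live     = Join-Path $env:SystemRoot 'system32\sfc_os.dll'
$cache    = Join-Path $env:SystemRoot 'system32\dllcache\sfc_os.dll'

# SHA-256 via .NET 2.0 classes, since Get-FileHash is not available on XP.
function Get-Sha256([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try   { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

# 1. Registry: 0 means WFP is enabled; anything else is a disabled/patched state.
$prop = Get-ItemProperty -Path $winlogon -Name SFCDisable -ErrorAction SilentlyContinue
$sfcDisable = if ($prop) { [int64]$prop.SFCDisable } else { 0 }
Write-Host ('SFCDisable = 0x{0:X8}' -f $sfcDisable)

# 2. File: a patched sfc_os.dll will not match the protected copy in dllcache.
if (-not (Test-Path $cache)) { Write-Host "No dllcache copy of sfc_os.dll; cannot compare."; return }
$liveHash  = Get-Sha256 $live
$cacheHash = Get-Sha256 $cache
$fileMatches = ($liveHash -eq $cacheHash)
Write-Host ("live  sfc_os.dll: {0}`ncache sfc_os.dll: {1}" -f $liveHash, $cacheHash)

if ($fileMatches -and $sfcDisable -eq 0) { Write-Host 'SFC appears intact and enabled.'; return }
Write-Host 'SFC is disabled and/or sfc_os.dll is patched.'

# 3. Restore in John's order: original DLL first, then the registry value.
if ($Repair) {
    if (-not $fileMatches) {
        Copy-Item -Path $cache -Destination $live -Force
        Write-Host 'Restored sfc_os.dll from dllcache.'
    }
    if ($sfcDisable -ne 0) {
        Set-ItemProperty -Path $winlogon -Name SFCDisable -Value 0 -Type DWord
        Write-Host 'Set SFCDisable = 0; reboot to re-enable Windows File Protection.'
    }
}
```

Run it from an elevated prompt; without -Repair it only reports, which is the useful mode for confirming whether an AV "PatchedSFC" hit is a real modification or a leftover nLite tweak.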

BrandonMills, wow, looks like you are in a pickle. I suggest you look for a new way to manage your PCs. I think the author/owner of nLite does not license commercial use for this among many reasons. I probably should not even go this far, but I disable SFC to do my install, then re-enable it afterwards by copying the original sfc_os.dll file back and altering the Registry entry, in that order. I don't use McAfee, but have seen no problems. I think it is not good to run without SFC anyway. Other nLite users should also take warning that leaving SFC disabled could lead to trouble. For that we are thankful for your report. Good luck, John.

I don't think it's as bad as I made it out to be. I was unaware of it being personal use only, and I will stop using it for installing XP around the office. I think it became more of a scare of what could happen for me. Luckily I moved away from nLite and went with WDS for Vista and 7 installs. I'm discarding all nLite'd copies of XP I have tomorrow morning. There really aren't too many reasons (or any?) that people should be running XP given the current state of 7.

Again, I apologize if I made an error in using nLite this way. I began doing this back when Vista was just not an option and the default image of XP was so out of date that installing it on new hardware caused more problems than I wanted to handle. (People complaining about it not finding the hard drive when SATA drivers weren't found, not having IE7 slipstreamed when IE6 is totally unusable in Service Pack 3, etc.)
