McAfee false positive detection of w32/wecorl.a when using 5958 DAT file
Published Mar 16 2019 03:34 AM
First published on TECHNET on Apr 21, 2010
Hi all,

We are posting on a different day than usual to alert you to a potentially painful issue you may already be experiencing. McAfee today identified an issue with DAT file version 5958, which produces a false-positive detection of the w32/wecorl.a virus. When this occurs, Svchost.exe is quarantined, which will cause the machine to go into a reboot loop and possibly blue-screen.

For more information, please refer to the following McAfee articles:

Here is a copy of the official Microsoft alert about the issue:

Microsoft has been made aware of an issue with a McAfee DAT file update - released Wednesday, April 21, 2010 - that has been causing stability issues on Windows XP client systems. The symptom is caused by a false-positive detection on a core Windows file (svchost.exe). Once the file is quarantined by McAfee, the system may encounter one of the following symptoms:

· The computer shuts down when a DCOM error or an RPC error occurs.

· The computer continues to run without network connectivity.

· The computer triggers a Bugcheck (Blue Screen).

The DAT file version that caused the problem is McAfee DAT 5958. This file was propagated to client machines that conduct automatic updates of definition files. McAfee updated the DAT file soon after the problem was identified with a new version that does not cause the problem.

Resolution Steps

Please review the following KB Articles for specific steps to resolve the issue on systems that are affected.

McAfee KB Article:

Microsoft KB Article:


We recommend customers affected by this symptom first review the McAfee KB Article referenced above. For further assistance, customers should contact McAfee. Customers who are unable to resolve the issue through these means can contact Microsoft for technical support using resources found on this Web page: .

Keep an eye on the McAfee link for new information as it develops.

Tim Newton
