ni_sec
Level 7
Message 1 of 5

False Positive: msi is infected with ZeroAccess!cfg

An installer .msi file for one of our products is being flagged as infected with ZeroAccess!cfg.  I suspect this is a false positive, based on VirusTotal results:

https://www.virustotal.com/gui/file/4d087b21ace9d20ff7fdad7318320e09bbc4d8a1a7bd8c9ee53d15cb7e7f06be...

I have tried to email a sample of this file to **personal information omitted**, however, all of my attempts have been returned as undeliverable due to Local Policy Violation, though I believe I have followed the correct steps.  I am looking for assistance in getting this reviewed.    

4 Replies
Pravas
McAfee Employee
Message 2 of 5

Re: False Positive: msi is infected with ZeroAccess!cfg

Hi @ni_sec ,

Please open a ticket with McAfee Support with the following details.

1) Submit the sample by following the instructions in the link below.

https://kc.mcafee.com/corporate/index?page=content&id=KB68030

2) Upload "OnAccessScan_Activity.log" from the following location.

C:\ProgramData\McAfee\Endpoint Security\Logs

3) Mention whether the file is part of an in-house application or 3rd party (if 3rd party, name the vendor).

 

Thanks

ni_sec
Level 7
Message 3 of 5

Re: False Positive: msi is infected with ZeroAccess!cfg

@Pravas I have followed the steps in KB68030, but have encountered several issues:

1) I don't have a grant number, which is required to open a service ticket.  The customer who is reporting this to me also does not have a grant number as they are using this McAfee tool:

https://www.mcafee.com/enterprise/en-us/downloads/free-tools/stinger.html

2) I have tried to submit the sample via email to virus_research_at_avertlabs_com, however, when I attach the sample in a zip file, per the instructions, I get a response that my email is undeliverable due to Local Policy Violation.

ni_sec
Level 7
Message 4 of 5

Re: False Positive: msi is infected with ZeroAccess!cfg

@Pravas - Can you provide support for this issue?  I have not had any reply to my previous post.

Pravas
McAfee Employee
Message 5 of 5

Re: False Positive: msi is infected with ZeroAccess!cfg

Hi @ni_sec ,

Unfortunately, we cannot analyze without a sample. We only receive submissions through the channels mentioned in KB68030.

If the customer doesn't have a grant number, then please reach customer care on the support number mentioned in the link below.

https://www.mcafee.com/enterprise/en-in/global-contact-us.html

Meanwhile, if you trust the file, please add a File/Folder exclusion instead. The following guides should help.

1) https://docs.mcafee.com/bundle/endpoint-security-10.5.0-threat-prevention-product-guide-unmanaged-ma...

2) https://kc.mcafee.com/corporate/index?page=content&id=KB50998

Thanks
