I developed an installation package for a freeware product which includes SQL Server 2014 databases. Some of our customer's are using Mcafee Endpoint security. It contains the following rule
"Deleting files commonly targeted by ransomware-class malware"
Our Installation package needs to remove the temporary files created by the Setup and the freeware product. Due to the above rule, cleanup failed and setup blocked by the McAfee
We are getting many complaints from the market and they cannot use installer to upgrade the product.
Could you please guide us on the procedure that should be followed by us in the installer to safely delete our own files ?
The "Deleting files commonly targeted by ransomware-class malware" rule is one which is not enabled by default policies, however monitoring for this rule (once it is enabled) is triggered (again, with default settings,) when the parent process has a reputation that says it "Might be Malicious."
The bottom of page 49 goes into this a bit, if you want to take a look.
What I would recommend in this scenario is to check out KB85568 to see how to submit your software for whitelisting.
I would suggest you to run a GetSusp tool on a machine with the installer package in place:
It will show you if heuristics gets it as a suspicious file or unknow for GTI
Also it would be good to submit it as a false-positive with McAfee Labs to prevent future detections:
Otherwise you can go on and add ATP policy exclusion on all machines you have such issue similar to below one or simply disable that DAC rule temporary: