
McAfee Endpoint security - File deletion issues

Hi,

I developed an installation package for a freeware product which includes SQL Server 2014 databases. Some of our customers are using McAfee Endpoint Security. It contains the following rule:

"Deleting files commonly targeted by ransomware-class malware"

Our installation package needs to remove the temporary files created by the setup and the freeware product. Due to the above rule, cleanup failed and setup was blocked by McAfee.

We are getting many complaints from the market, and they cannot use the installer to upgrade the product.

Could you please guide us on the procedure that we should follow in the installer to safely delete our own files?

TIA

Venkat

McAfee Employee dvarnell

Re: McAfee Endpoint security - File deletion issues

Hi KSVENKAT,

The "Deleting files commonly targeted by ransomware-class malware" rule is one which is not enabled by default policies; however, monitoring for this rule (once it is enabled) is triggered (again, with default settings) when the parent process has a reputation that says it "Might be Malicious."

Endpoint Security Adaptive Threat Protection Product Guide

The bottom of page 49 goes into this a bit, if you want to take a look.

 

What I would recommend in this scenario is to check out KB85568 to see how to submit your software for whitelisting.

Reliable Contributor ninov_n

Re: McAfee Endpoint security - File deletion issues

Hello,

I would suggest you run the GetSusp tool on a machine with the installer package in place:

https://www.mcafee.com/enterprise/en-us/downloads/free-tools/getsusp.html

It will show you if heuristics gets it as a suspicious file or unknown for GTI.

Also, it would be good to submit it as a false positive with McAfee Labs to prevent future detections:

https://kc.mcafee.com/corporate/index?page=content&id=KB68030

Otherwise, you can go on and add an ATP policy exclusion on all machines where you have this issue, similar to the one below, or simply disable that DAC rule temporarily:

[Screenshot: DAC exclusion]

 

In case above information was useful or answered your question, please select "Accept as Solution" in my reply, or give a Kudo. Thanks!
Nino

Re: McAfee Endpoint security - File deletion issues

Thank you for the tool details. I will check this out and get back to you ASAP.

Re: McAfee Endpoint security - File deletion issues

Hi again on this.

Though the tool does not detect my software as suspicious, it was still blocked by McAfee Endpoint Security on a few systems.

My software is digitally signed and also contains a valid certificate. But it was still blocked, which means McAfee does not check for the valid signature and certificate before blocking the file.

As removing our own created files is mandatory for our software, are there any other ways to prevent this block?

 

Reliable Contributor ninov_n

Re: McAfee Endpoint security - File deletion issues

Hello,

Try to submit it for a false positive detection so McAfee could whitelist that program/application.

In case above information was useful or answered your question, please select "Accept as Solution" in my reply, or give a Kudo. Thanks!
Nino
