Our updater is detected as generic malware, including by McAfee
Can you tell us on what basis our updater is marked as malware so we can avoid this in the future? Our application is signed by a certificate we paid $120 for, just to avoid this issue, yet it started popping up again.
So, please tell us why it failed and how we can avoid being marked as malware. We don't want this to start again when we update our application.
Attachment removed until deemed safe by McAfee Labs.
I have unlocked this discussion as the Incident Response Coordinator wants to address your concerns. I hope you find his correspondence most *Helpful*.
"I'm sorry it's been such a bumpy path to resolution. The reason signing the files didn't solve the problem is that we didn't trust your signature (because we didn't know about it, and it's a new signature, so it has no history to draw from). Signing something doesn't make it "good", as malware authors try to sign some of their files too. What it does is allow us to review an application and white-list it more broadly, more easily, once we have decided to trust it. It's an extra step for us to trust based upon the digital signature, but one that pays off in the end, for both sides.
This usually would be the responsibility of our white-listing team, so I'll pass the information over to them for review.
Signing the binaries is the first step, but in addition, when you are ready to release new software, you should submit it to us as well, so we can review/white-list it before it's posted. This can further avoid some of the back and forth you've seen this time around."
The white-listing program is outlined here:
McAfee Corporate KB - How to submit your company's software to be considered for validation against ...
And, if it's classified as a PUP, this process here:
Hope this helps, and I'll post back here when I get word back on trusting your digital signature. (it's not a given that we will trust it, it must be reviewed thoroughly, and takes some time)
I also noticed that your zip contained 50 MB; the individual limit is 10 MB per zipped submission. It may be that you have to submit to VirusTotal.com and possibly provide the hashes to me in a Direct Message. I will follow you just in case. Please hover over my Avatar, and click okay/done and follow me, if needed.
I will also add that once your software has been analyzed/processed and considered clean by McAfee standards, quite possibly you could submit your software for future references/updates to McAfee through the *GetClean* program.
I will discuss this with a McAfee Labs Engineer.
I received your hashes from VirusTotal. Please be informed of your escalated ticket number:
Ticket #: AM000882 - Artemis! (User could not submit 50 MB zip normally)
For your information:
This sample has been escalated up to the research team for further analysis.
Please confirm that your software/detection has indeed been suppressed:
The detection for this file has been suppressed.
Excuse me? The reason it was detected is McAfee deemed it as *Suspicious*, not necessarily as Malware. Now it is no longer considered as such. So by saying your software is suppressed/clean, it is in my opinion *Answered*. For the life of me, I cannot understand your logic.
OK, here is my logic:
I am responsible for the update process for our company's software at our customers' sites. We have a lot of issues with AV software since they all tend to block our software now and then. To address this we started using "code signing" certificates. That's fine. Now suddenly (since last week or so) our signed executables are marked as *Suspicious* and are put in quarantine and/or scaring our customers with "scary" messages (not only McAfee but also a lot of other major AV solutions).
It's fine that the current executable is not marked as *Suspicious* anymore. But who says that the next version of our updater executable will not suddenly get marked?
We can also build another build of exactly the same code, and then it will also no longer be detected. But it's only a matter of time before it is marked again for no reason.
How can I tell our customer support team that they do not have to expect that suddenly the updates stop working because AV software has started blocking those again?
I just want to make sure that when our support team wants to update our application they don't have to worry about AV software.
You also do not block updates from, for example, "Google".
It happens, as you said, with new updates or versions of software, and not only with McAfee. It is always determined by how your downloader/installer is written. Now I ask you to refer to my post #2, where I suggested that you possibly apply for the *GetClean* program to prevent your future Versions/Updates from being detected.
I have exhausted every avenue in an attempt to appease you.