Two files, nfapi.dll, and nfapinet.dll are triggering false positives and automatic deletion which is breaking my ethernet card drivers in Windows 10.
Unfortunately they don't meet the criteria for a submission, as in they are showing as JTI/Suspect!131076 and not "Artemis", nor do they have a 12-digit number. Therefore I cannot work out how to submit them to McAfee.
McAfee keeps deleting them, even though I have white listed them (File exemption), so it is basically ignoring my exemptions. This is not a tolerable situation.
Please advise.
Hi Allan,
Thanks for replying back. These files are not the ones we classified as clean in the database, so until you are 100% sure it is clean, the best practice is to treat them as infected.
I did some googling around and found that there are some network drivers using these files which are dropped by a trojan to spy on your connection to the internet.
Next Steps
Go to VirusTotal - Free Online Virus, Malware and URL Scanner
Click Choose File and browse to the files
Click Scan It
Depending on whether it has been submitted before, you will get an option like View Analysis or View Last Analysis. Click one of those.
Copy the URL of that page and paste it in a reply.
Also submit the other file with the same steps.
I can use this info to give to our researchers as they will be able to cross reference the VT data hashes with what we may know about these binaries.
Additional Info
3rd Party Analysis
I see someone else posting these files as Trojan.Virut here, packaged with Spotfluxagent.
https://www.reasoncoresecurity.com/spotfluxagent.exe-319a64ff1a66d6856b43dad667a6bbfeec69a029.aspx
Microsoft Analysis
This is what MSFT says about this variant:
"Win32/Virut creates a mutex named VT_3, which it uses to prevent multiple copies of itself from running on your PC. Win32/Virut disables Windows System File Protection (SFP) by injecting code into "WINLOGON.EXE". The injected code patches "sfc_os.dll" in memory, which in turn allows the virus to infect files protected by SFP.
Win32/Virut injects code into other processes and this code will infect files with extensions .EXE and .SCR accessed by those processes."
McAfee Analysis
We have some info on it as well, but it could be a slightly different variant W32/Virut.n.gen | Virus Profile & Definition | McAfee Inc.
Let's start with the VirusTotal submission and take it from there.
Regards,
Doug Richards
Manager, Support Engineering
McAfee LLC.
This post was actually a request for advice on how to submit it to McAfee, as the files do not get flagged as Artemis, nor are they given a 12-digit number, both of which appear to be prerequisites for a submission according to the page you link.
I gave Doug the name of those files in that thread. He is a Tier 3.0 Lead Engineer.
Hopefully we will hear something back from Doug today. I wanted you to know I had not forgotten about your issue.
As requested: The urls of the virustotal scans of the relevant files:
Antivirus scan for 6fd9ab5cdd954c9cd857eebecc6e5c1f6c95e5837519680357344b6ee5dd4418 at 2017-05-01 18:... nfapinet.dll
Many thanks for your attention.
Wow, it looks like you have an infection with nfapi.dll. That explains why, when you restore the files, it goes into a detection/quarantine loop. Where did you get those drivers from? Can you see if the card manufacturer has any other versions you could try? This is a common tactic where a malicious user swaps out a legit file in a package from a legit company to trick users into installing their malware. Proceed with caution as that malware has the ability to put anything it wants on your machine. Might want to check if there are any TCP/IP connections to unexplained hosts. (Open cmd.exe as Admin -> type netstat -ano)
Regards,
Doug Richards
McAfee
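Added example, not part of the thread or of any McAfee tooling: a small Python triage of the `netstat -ano` output Doug asks for, listing ESTABLISHED TCP connections to hosts outside loopback, RFC 1918 and link-local ranges, grouped by owning PID so each can be matched to a process. The netstat sample below is constructed for illustration, not captured from the poster's machine.

```python
# Triage `netstat -ano` output: which PIDs hold ESTABLISHED TCP flows to
# routable (non-local) hosts?  Sample data is constructed, not real.
import ipaddress
from collections import defaultdict

# Constructed sample in the column layout `netstat -ano` prints on Windows.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:49670        127.0.0.1:49671        ESTABLISHED     4120
  TCP    192.168.1.20:49712     192.168.1.1:53         TIME_WAIT       0
  TCP    192.168.1.20:49800     203.0.113.45:443       ESTABLISHED     4120
  TCP    192.168.1.20:49801     198.51.100.7:8080      ESTABLISHED     6672
  TCP    [::1]:49900            [::1]:49901            ESTABLISHED     4120
  UDP    0.0.0.0:5353           *:*                                    1488
"""

# Ranges that never denote a remote host on the internet: unspecified,
# RFC 1918 private, loopback, link-local and their IPv6 counterparts.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

def split_host_port(addr):
    """Return the host part of 'ip:port' or '[ipv6]:port'."""
    host, _, _ = addr.rpartition(":")
    return host.strip("[]")

def is_external(host):
    """True when host is an IP address outside every NON_ROUTABLE range."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False          # '*' or a hostname we cannot classify
    return not any(ip in net for net in NON_ROUTABLE)

def external_established(netstat_text):
    """Map PID -> sorted 'host:port' peers for ESTABLISHED external TCP flows."""
    peers = defaultdict(set)
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP":
            continue          # header, blank, or UDP row (no State column)
        _proto, _local, foreign, state, pid = fields
        if state == "ESTABLISHED" and is_external(split_host_port(foreign)):
            peers[int(pid)].add(foreign)
    return {pid: sorted(hosts) for pid, hosts in peers.items()}

if __name__ == "__main__":
    for pid, hosts in external_established(SAMPLE_NETSTAT).items():
        print(f"PID {pid}: {', '.join(hosts)}")   # then check the PID in Task Manager
```

Each reported PID can be resolved to its image path in Task Manager or with `tasklist /fi "PID eq <pid>"` to see whether the process owning the connection is one you expect.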
Thanks for your input, Doug. It is appreciated.
However the files came pre-installed on the laptop when it was new, still shrink wrap sealed in the box. The first time it deleted the nfapi.dll file, I downloaded the package afresh from the Asus drivers website. I suppose it is always possible that their website could be compromised.
I can't help but note that in that VirusTotal scan there is some "contention", with a number of your competitors flagging the file as clean.
I guess the next best step for me to take, is to open a support case with Asus, who provide the files in the first place. Thank you for your assistance so far, and sorry for the late reply. I work nights and now that the Bank Holiday weekend in the UK is over, I'm back at work. I will update you when I get a reply from Asus.