False Positive: JTI/Suspect!131076


Two files, nfapi.dll and nfapinet.dll, are triggering false positives and automatic deletion, which is breaking my ethernet card drivers in Windows 10.

Unfortunately they don't meet the criteria for a submission, as in they are showing as JTI/Suspect!131076 and not "Artemis", nor do they have a 12-digit number. Therefore I cannot work out how to submit them to McAfee.

McAfee keeps deleting them, even though I have whitelisted them (File exemption), so it is basically ignoring my exemptions. This is not a tolerable situation.

Please advise.

Accepted Solution

Re: False Positive: JTI/Suspect!131076


Hi Allan,

Thanks for replying back. These files are not the ones we classified as clean in the database, so until you are 100% sure it is clean, the best practice is to treat them as infected.

I did some googling around and found that there are some network drivers using these files which are dropped by a trojan to spy on your connection to the internet.

Next Steps

Go to VirusTotal - Free Online Virus, Malware and URL Scanner

Click Choose File and browse to the files

  • Note: To prevent detection from McAfee you may have to turn off the Real Time Scanning temporarily
  • Note: Make sure it is not the quarantined files you are submitting, as those are encrypted

Click Scan It

Depending on whether it has been submitted before, you will get an option like View Analysis or View Last Analysis. Click one of those.

Copy the URL of that page and paste it in a reply.

Also submit the other file with the same steps.

I can use this info to give to our researchers as they will be able to cross reference the VT data hashes with what we may know about these binaries.

Additional Info

3rd Party Analysis

I see someone else posting these files as Trojan.Virut here, packaged with Spotfluxagent.

https://www.reasoncoresecurity.com/spotfluxagent.exe-319a64ff1a66d6856b43dad667a6bbfeec69a029.aspx

Microsoft Analysis

This is what MSFT says about this variant:

"Win32/Virut creates a mutex named VT_3, which it uses to prevent multiple copies of itself from running on your PC. Win32/Virut disables Windows System File Protection (SFP) by injecting code into "WINLOGON.EXE". The injected code patches "sfc_os.dll" in memory, which in turn allows the virus to infect files protected by SFP.

Win32/Virut injects code into other processes and this code will infect files with extensions .EXE and .SCR accessed by those processes."

McAfee Analysis

We have some info on it as well, but it could be a slightly different variant: W32/Virut.n.gen | Virus Profile & Definition | McAfee Inc.

Let's start with the VirusTotal submission and take it from there.

Regards,

Doug Richards

Manager, Support Engineering

McAfee LLC.

9 Replies

catdaddy (Reliable Contributor), Message 2 of 10

Re: False Positive: JTI/Suspect!131076


Refer to this discussion:

You may want to stick to 1 thread if you are referring to your other post.

Cliff
McAfee Volunteer

Re: False Positive: JTI/Suspect!131076


This post was actually a request for advice on how to submit it to McAfee, as the files do not get flagged as Artemis, nor are they given a 12-digit number, both of which appear to be prerequisites for a submission according to the page you link.

catdaddy (Reliable Contributor), Message 4 of 10

Re: False Positive: JTI/Suspect!131076


I gave Doug the name of those files in that thread. He is a Tier 3.0 Lead Engineer.

Cliff
McAfee Volunteer
catdaddy (Reliable Contributor), Message 5 of 10

Re: False Positive: JTI/Suspect!131076


Hopefully we will hear something back from Doug today. I wanted you to know I had not forgotten about your issue.

Cliff
McAfee Volunteer
catdaddy (Reliable Contributor), Message 6 of 10

Re: False Positive: JTI/Suspect!131076


Successfully moved from Artemis Discussion to Home User Assistance > Discussions

Cliff
McAfee Volunteer
Re: False Positive: JTI/Suspect!131076


Wow, it looks like you have an infection with nfapi.dll. That explains why, when you restore the files, it goes into a detection/quarantine loop. Where did you get those drivers from? Can you see if the card manufacturer has any other versions you could try? This is a common tactic where a malicious user swaps out a legit file in a package from a legit company to trick users into installing their malware. Proceed with caution, as that malware has the ability to put anything it wants on your machine. Might want to check if there are any TCP/IP connections to unexplained hosts. (Open cmd.exe as Admin -> type netstat -ano)

Regards,

Doug Richards

McAfee
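The netstat -ano check Doug suggests above, as an added example that is not part of the original thread: it parses saved netstat and tasklist output (constructed samples here), drops LISTENING sockets and loopback/LAN peers, and lists what remains with the owning PID and image name so each external connection can be explained or investigated. The LOCAL_NETS ranges, the sample rows and the function names are my assumptions, not anything from McAfee.

```python
import csv
import io
import ipaddress
import re

# Constructed sample of `netstat -ano` output (not from the thread); addresses and PIDs
# are invented, with documentation ranges 203.0.113.0/24 and 198.51.100.0/24 as "Internet".
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.20:49712     192.168.1.1:443        ESTABLISHED     3020
  TCP    192.168.1.20:49801     203.0.113.45:8080      ESTABLISHED     4188
  TCP    192.168.1.20:49802     198.51.100.7:443       ESTABLISHED     3020
  TCP    [::1]:49100            [::1]:49101            ESTABLISHED     4188
  UDP    0.0.0.0:5353           *:*                                    2204
"""
# Constructed sample of `tasklist /fo csv /nh` output, used only to name the PIDs.
SAMPLE_TASKLIST = ('"svchost.exe","912","Services","0","12,000 K"\n'
                   '"browser.exe","3020","Console","1","210,000 K"\n'
                   '"unknown.exe","4188","Console","1","4,100 K"\n')
# Peers inside these ranges are local, so they are not "unexplained hosts".
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "::/128", "::1/128", "fe80::/10", "ff00::/8")]
# proto, local endpoint, foreign endpoint, optional state (UDP rows have none), PID
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$")

def is_external(host):
    """True for an address outside LOCAL_NETS; False for '*' or a hostname."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not any(ip in net for net in LOCAL_NETS)

def pid_names(tasklist_csv):
    """Map PID -> image name from `tasklist /fo csv /nh` output."""
    return {int(r[1]): r[0] for r in csv.reader(io.StringIO(tasklist_csv)) if r}

def external_connections(netstat_text, tasklist_csv=""):
    """Sorted (pid, image, proto, peer_host, peer_port, state) for every socket whose
    peer is external; LISTENING sockets, loopback and LAN peers are dropped."""
    names, found = pid_names(tasklist_csv), []
    for m in filter(None, map(NETSTAT_RE.match, netstat_text.splitlines())):
        proto, _local, foreign, state, pid = m.groups()
        host, _, port = foreign.rpartition(":")  # '[::1]:49100' -> '[::1]', '49100'
        if is_external(host.strip("[]")):
            found.append((int(pid), names.get(int(pid), "?"), proto,
                          host.strip("[]"), port, state or ""))
    return sorted(found)
```

On the real machine, run netstat -ano and tasklist /fo csv /nh from an elevated prompt, save each to a file, and pass the file contents to external_connections; any image you cannot account for is the one to look at next.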

Re: False Positive: JTI/Suspect!131076


Thanks for your input, Doug. It is appreciated.

However the files came pre-installed on the laptop when it was new, still shrink wrap sealed in the box. The first time it deleted the nfapi.dll file, I downloaded the package afresh from the Asus drivers website. I suppose it is always possible that their website could be compromised.

I can't help but note, in that VirusTotal scan, there is some... "contention", with a number of your competitors flagging the file as clean.

I guess the next best step for me to take, is to open a support case with Asus, who provide the files in the first place. Thank you for your assistance so far, and sorry for the late reply. I work nights and now that the Bank Holiday weekend in the UK is over, I'm back at work. I will update you when I get a reply from Asus.
