cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Highlighted
allan.preston
Level 8
Report Inappropriate Content
Message 1 of 10
‎04-29-2017 10:10 AM

False Positive: JTI/Suspect!131076

Jump to solution

Two files, nfapi.dll, and nfapinet.dll are triggering false positives and automatic deletion which is breaking my ethernet card drivers in Windows 10.

Unfortunately they don't meet the criteria for a submission, as in they are showing as JTI/Suspect!131076 and not "Artemis", nor do they have a 12 digit number. Therefore I cannot work out how to submit them to McAfee.

McAfee keeps deleting them, even though I have white listed them (File exemption), so it is basically ignoring my exemptions. This is not a tolerable situation.

Please advise.

Reply
1 Solution

Accepted Solutions
Highlighted
dougr_t3_suppor
Level 10
Report Inappropriate Content
Message 7 of 10
‎05-01-2017 10:24 AM

Re: False Positive: JTI/Suspect!131076

Jump to solution

Hi Allan,

Thanks for replying back. These files are not the ones we classified as clean in the database, so until you are 100% it is clean, the best practice is to treat them as infected.

I did some googling around and found that there are some network drivers using these files which are dropped by a trojan to spy on your connection to the internet.

Next Steps

Go to VirusTotal - Free Online Virus, Malware and URL Scanner

Click Choose File and browse to the files

  • Note: To prevent detection from McAfee you may have to turn off the Real Time Scanning temporarily
  • Note: Make sure it is not the quarantined files you are submitting, as those are encrypted

Click Scan It

Depending if it has been submitted before you will get an option like View Analysis, View Last Analysis. Click one of those.

Copy the URL of that page and paste it in a reply.

Also submit the other file with the same steps.

I can use this info to give to our researchers as they will be able to cross reference the VT data hashes with what we may know about these binaries.

Additional Info

3rd Party Analysis

I see someone else posting these files as Trojan.Virut here, packaged with Spotfluxagent.

https://www.reasoncoresecurity.com/spotfluxagent.exe-319a64ff1a66d6856b43dad667a6bbfeec69a029.aspx

Microsoft Analysis

This is what MSFT says about this variant "

Win32/Virut creates a mutex named VT_3, which it uses to prevent multiple copies of itself from running on your PC. Win32/Virut disables Windows System File Protection (SFP) by injecting code into "WINLOGON.EXE". The injected code patches "sfc_os.dll" in memory, which in turn allows the virus to infect files protected by SFP.

Win32/Virut injects code into other processes and this code will infect files with extensions .EXE and .SCR accessed by those processes. "

McAfee Analysis

We have some info on it as well, but it could be a slightly different variant W32/Virut.n.gen | Virus Profile & Definition | McAfee Inc.

Let's start with the VirusTotal submission and take it from there.

Regards,

Doug Richards

Manager, Support Engineering

McAfee LLC.

View solution in original post

Reply
9 Replies
Highlighted
catdaddy
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 2 of 10
‎04-29-2017 10:15 AM

Re: False Positive: JTI/Suspect!131076

Jump to solution

Refer to this discussion;

You may want to stick to 1 thread if you are referring to your other post.

Cliff
McAfee Volunteer
0 Kudos
Reply
Highlighted
allan.preston
Level 8
Report Inappropriate Content
Message 3 of 10
‎04-29-2017 10:20 AM

Re: False Positive: JTI/Suspect!131076

Jump to solution

This post was actually a request for advice on how to submit it to McAfee, as the files do not get flagged as Artemis, nor are they given a 12 digit number, both of which appear to be pre-requisites for a submission according to the page you link.

0 Kudos
Reply
Highlighted
catdaddy
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 4 of 10
‎04-29-2017 10:21 AM

Re: False Positive: JTI/Suspect!131076

Jump to solution

I gave Doug the name of those files in that thread. He is a Tier 3.0 Lead Engineer.

Cliff
McAfee Volunteer
0 Kudos
Reply
Highlighted
catdaddy
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 5 of 10
‎05-01-2017 01:02 AM

Re: False Positive: JTI/Suspect!131076

Jump to solution

Hopefully we will hear something back from Doug today. I wanted you to know I had not forgotten about your issue.

Cliff
McAfee Volunteer
0 Kudos
Reply
Highlighted
catdaddy
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 6 of 10
‎04-29-2017 10:24 AM

Re: False Positive: JTI/Suspect!131076

Jump to solution

Successfully moved from Artemis Discussion to Home User Assistance  > Discussions

Cliff
McAfee Volunteer
0 Kudos
Reply
Highlighted
dougr_t3_suppor
Level 10
Report Inappropriate Content
Message 7 of 10
‎05-01-2017 10:24 AM

Re: False Positive: JTI/Suspect!131076

Jump to solution

Hi Allan,

Thanks for replying back. These files are not the ones we classified as clean in the database, so until you are 100% it is clean, the best practice is to treat them as infected.

I did some googling around and found that there are some network drivers using these files which are dropped by a trojan to spy on your connection to the internet.

Next Steps

Go to VirusTotal - Free Online Virus, Malware and URL Scanner

Click Choose File and browse to the files

  • Note: To prevent detection from McAfee you may have to turn off the Real Time Scanning temporarily
  • Note: Make sure it is not the quarantined files you are submitting, as those are encrypted

Click Scan It

Depending if it has been submitted before you will get an option like View Analysis, View Last Analysis. Click one of those.

Copy the URL of that page and paste it in a reply.

Also submit the other file with the same steps.

I can use this info to give to our researchers as they will be able to cross reference the VT data hashes with what we may know about these binaries.

Additional Info

3rd Party Analysis

I see someone else posting these files as Trojan.Virut here, packaged with Spotfluxagent.

https://www.reasoncoresecurity.com/spotfluxagent.exe-319a64ff1a66d6856b43dad667a6bbfeec69a029.aspx

Microsoft Analysis

This is what MSFT says about this variant "

Win32/Virut creates a mutex named VT_3, which it uses to prevent multiple copies of itself from running on your PC. Win32/Virut disables Windows System File Protection (SFP) by injecting code into "WINLOGON.EXE". The injected code patches "sfc_os.dll" in memory, which in turn allows the virus to infect files protected by SFP.

Win32/Virut injects code into other processes and this code will infect files with extensions .EXE and .SCR accessed by those processes. "

McAfee Analysis

We have some info on it as well, but it could be a slightly different variant W32/Virut.n.gen | Virus Profile & Definition | McAfee Inc.

Let's start with the VirusTotal submission and take it from there.

Regards,

Doug Richards

Manager, Support Engineering

McAfee LLC.

View solution in original post

Reply
Highlighted
allan.preston
Level 8
Report Inappropriate Content
Message 8 of 10
‎05-01-2017 11:05 AM

Re: False Positive: JTI/Suspect!131076

Jump to solution

As requested: The urls of the virustotal scans of the relevant files:

Antivirus scan for a035dde03f95ad199a74e141089ea94d24abb42f56a9cc14c86c76c6ce6932ec at2017-05-01 17:...  nfapi.dll

Antivirus scan for 6fd9ab5cdd954c9cd857eebecc6e5c1f6c95e5837519680357344b6ee5dd4418 at2017-05-01 18:...  nfapinet.dll

Many thanks for your attention.

0 Kudos
Reply
Highlighted
dougr_t3_suppor
Level 10
Report Inappropriate Content
Message 9 of 10
‎05-01-2017 11:17 AM

Re: False Positive: JTI/Suspect!131076

Jump to solution

Wow it looks like you have an infection with nfapi.dll. That explains why when you restore the files it in a detection/quarantine loop. Where did you get those drivers from? Can you see if the card manufacturer has any other versions you could try? This is a common tactic where a malicious user swaps out a legit file in a package from a legit company to trick users into installing their malware. Proceed with caution as that malware has the ability to put anything it wants on your machine. Might want to check if there are any TCP/IP connections to unexplained hosts. (Open cmd.exe as Admin->type netstat -ano  )

Regards,

Doug Richards

McAfee

Reply
Highlighted
allan.preston
Level 8
Report Inappropriate Content
Message 10 of 10
‎05-02-2017 08:56 PM

Re: False Positive: JTI/Suspect!131076

Jump to solution

Thanks for your input, Doug. It is appreciated.

However the files came pre-installed on the laptop when it was new, still shrink wrap sealed in the box. The first time it deleted the nfapi.dll file, I downloaded the package afresh from the Asus drivers website. I suppose it is always possible that their website could be compromised.

I can't help but note, in that virustotal scan, there is some.. "contention", with a number of your competitors flagging the file as clean.

I guess the next best step for me to take, is to open a support case with Asus, who provide the files in the first place. Thank you for your assistance so far, and sorry for the late reply. I work nights and now that the Bank Holiday weekend in the UK is over, I'm back at work. I will update you when I get a reply from Asus.

0 Kudos
Reply

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
2821 Mission College Blvd.
Santa Clara, CA 95054 USA

Consumer Support   |   Enterprise Support   |   McAfee.com

Legal   |   Privacy   |   Copyright © 2019 McAfee, LLC