pettel
Level 7

False positive: Artemis!A64384C593E7

I wanted to upload my sample via your website (https://mysupport.mcafee.com/Eservice/Default.aspx), but I need a "Grant#" to register as a new user - so this is not possible!

I then tried to email the sample to you. As McAfee suggested, I put the file into a password-protected zip archive (password: infected) and attached it to my email. But this also failed!!

######################################################################################

Hi. This is the qmail-send program at mailout-de.gmx.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<virus_research@mcafee.com>:
67.97.80.205_failed_after_I_sent_the_message./Remote_host_said:_550_Denied_by_policy./

--- Below this line is a copy of the message.

Return-Path: <######.#######@#####.##>

...

...

...

######################################################################################

The message was probably too long (~18MB). But there is no hint about the maximum size of an email (http://www.mcafee.com/us/mcafee-labs/resources/how-to-submit-sample.aspx).

So I wrote an email that contained a link to the file - and got exactly ZERO response.

This is a link to the file, that triggers the false alarm.

Please update your scan-engine and improve the support experience. It should be possible for software developers to do a web-upload.

The "Artemis Technology" looks very odd to me. When I first uploaded the new version of our software that uses software protection to virus-total, there were only 2 scan-engines that produced false positives. But 1-2 days later, there were a lot more scan-engines with false positive alarms. Since the file was not linked anywhere on the web, it's obvious that virustotal sells the hashes of files that are detected by some virus scanners - probably by a faulty heuristic scan - to the vendors of other virus scanners.

Then these vendors include the - probably faulty - hashes in their "virus" database.

Since I want to spend my time improving our software and not dealing with AV-companies and malware-list-people, it would be helpful to be added to a whitelist. We use a Verisign class 3 certificate - so that should be pretty easy to do.

regards

pettel

0 Kudos
2 Replies
vinod_r2
Level 11

Re: False positive: Artemis!A64384C593E7

I would request that you register and upload the file sample on www.webimmune.net and refer back the Analysis Id:

Once done, please also upload the sample to this website www.virustotal.com and click on analyze if prompted.

Post the Analysis ID from webimmune (if file size is not more than 3 MB) and the virustotal results website link for the file.

If you are a software vendor, please refer to this link

https://secure.mcafee.com/apps/mcafee-labs/dispute-form.aspx?region=us

Message was edited by: Vinod R on 8/2/11 12:36:00 AM IST
0 Kudos
pettel
Level 7

Re: False positive: Artemis!A64384C593E7

Webimmune is pretty useless as the file this is all about is ~18 Megabytes:

From Webimmune-website

##################################################

When submitting files for analysis, remember:

  • WebImmune will not accept a file greater than 3MB (megabytes).

##################################################

This is the virustotal scan-report:

http://www.virustotal.com/file-scan/report.html?id=6f57771998a134a73fb7b73b8f8e9cf727acac01f973fe23a...

0 Kudos