rocky640
Level 7

False positive: where to submit for a fix !

Hello, I'm a form developer, and all my .pdf forms raise a warning in McAfee GW Edition.

I scanned that .pdf on VirusTotal, and out of 44, only 2 antivirus products raise a warning: McAfee GW Edition and eSafe.

Where can I send this file so that someone double-checks that heuristic and fixes it so that my users do not get a warning anymore?

Or at least, know which JavaScript line(s) (or something else) is causing trouble; I could rewrite it.

Thanks.

0 Kudos
9 Replies
Hayton
Level 18

Re: False positive: where to submit for a fix !

Is this an Artemis detection?

0 Kudos
rocky640
Level 7

Re: False positive: where to submit for a fix !

No.

The warning is: Heuristic.BehavesLike.PDF.Exploit-BAY.O

0 Kudos
Hayton
Level 18

Re: False positive: where to submit for a fix !

That's the detection from McAfee GW-Edition. It corresponds to an Artemis detection - "Artemis!3639F34AD463".

GW-Edition is a Corporate product, and this post is in the Consumer section. Since there's an equivalent Artemis detection, though, it's been moved to that section, where someone will pick it up and respond.

Edit - I can only find one VirusTotal test showing this, done on September 12th, which showed 29 out of 41 products detecting a potential problem.

Message was edited by: Hayton on 05/10/12 15:41:31 IST
0 Kudos
Hayton
Level 18

Re: False positive: where to submit for a fix !

You may need to create a new thread for this with the Artemis name in the subject header.

See https://community.mcafee.com/docs/DOC-1265

0 Kudos
showvik
Level 12

Re: False positive: where to submit for a fix !

Hi,

Artemis!3639F34AD463 is a valid hit. However, not all detections from the Gateway product can be related to an Artemis detection. We recommend that you submit the sample files to us so we can investigate this in the right direction. Sample submission procedures are explained here. Submitting through e-mail should be suitable in this case. Kindly provide us the submission ID, which will be provided to you on making a successful submission.

Regards,

Showvik

0 Kudos
rocky640
Level 7

Re: False positive: where to submit for a fix !

Analysis ID: 7254200

0 Kudos
nkelly
Level 11

Re: False positive: where to submit for a fix !

Hi,

Thanks for submitting the sample file, it has been reviewed and the 'Heuristic.BehavesLike.PDF.Exploit-BAY.O' detection suppressed. The suppression will be included in the next DAT update.

Regards,

Nick

0 Kudos
rocky640
Level 7

Re: False positive: where to submit for a fix !

Thank you Nick, indeed this morning, no more false warning on the submitted pdf, and on similar ones.

But I still have one form that triggers a false positive.

I just sent it: the new case number is:

Read: 7260381 - False positive (again !)

0 Kudos
nkelly
Level 11

Re: False positive: where to submit for a fix !

Thanks for the confirmation, the form has been reviewed and whitelisted, it should also not be detected after the next DAT update.

Regards,

Nick

0 Kudos