bluem
Level 7
Message 1 of 18

McAfee failed to detect .exe within ups.zip file

About 10 days ago a user in our company received an email from help@ups.com with a upsxxxxx.zip file that contained a .exe file. Since I was testing McAfee Total Protection for Endpoint, I copied the zip file to the test laptop and scanned it for threats using McAfee, but it did not detect it. I thought maybe the problem was with my DAT file. So, I went and updated the Master Repository with ePO and forced the changes to go to the test laptop. After the update I verified that the laptop had the same DAT as the ePO on the server, and when I scanned the upsxxxxx.zip file again McAfee did not detect anything. I continued to scan the upsxxxxx.zip for several days until today, when I scanned the upsxxxxx.zip and McAfee came up with the alert.

To be fair to McAfee, our current protection program (Symantec Endpoint Protection) did not detect the initial email that the user received either... so both programs failed. I am guessing that both companies did not have the right code to pick up the trojan contained within the upsxxxxx.zip. Maybe our DAT was not up to date, but I doubt that since all clients on our computer perform daily updates.

Thanks,

B

17 Replies
rackroyd
Level 16
Message 2 of 18

Re: McAfee failed to detect .exe within ups.zip file

Hi,

This is more of a thing for the McAfee Labs team than ePO as it's about detection.

If you have the full name of the Trojan detected now you can look it up via the Threat Library link here:

http://www.mcafee.com/us/threat_center/default.asp

This would give you an idea of when McAfee first detected it and what requirements were necessary for detection and removal.

Failing that you can also submit the sample file to McAfee through the 'submit a malware sample' link on the same web page.

Hopefully the response from McAfee Labs should answer your questions.

Hth,

Rob.

PhilR
Level 12
Message 3 of 18

Re: McAfee failed to detect .exe within ups.zip file

Don't forget to submit a sample to virustotal.com and on webimmune.net.


If McAfee has an extra.dat for it, it will be available for download on webimmune.net after your sample's been scanned.

Phil

SamSwift
Level 12
Message 4 of 18

Re: McAfee failed to detect .exe within ups.zip file

Hi,

There are literally thousands of new pieces of malware created every day, so there will be times where something is so new it won't be included in the current dats. Our Artemis technology does close the detection gaps in many cases. Please submit a sample of the file to http://www.webimmune.net and let us know the analysis ID number you are sent.

Thanks,

Sam

Message was edited by: Samantha Price on 3/11/10 8:40:35 AM CST
bluem
Level 7
Message 5 of 18

Re: McAfee failed to detect .exe within ups.zip file

Maybe I posted this under the wrong forum (administrator, please move the topic to the correct forum if possible)... but I thought that systems like McAfee are supposed to protect from known threats and kind of block future attacks based on detection algorithms, etc. I was testing McAfee to see if we need to switch from Symantec, but now I am not sure if I should switch and go through all the trouble of switching and spending 10 to 20 grand.

Here is the info about the threat found.

FakeAlert-MA.gen

Type: Trojan
SubType: Generic
Discovery Date: 02/18/2010
Length:
Minimum DAT: 5896 (02/18/2010)
Updated DAT: 5911 (03/05/2010)
Minimum Engine: 5.2.00
Description Added: 02/18/2010
Description Modified: 02/18/2010 12:21 PM (PT)

Message was edited by: John K on 3/11/10 8:47:21 AM CST
rackroyd
Level 16
Message 6 of 18

Re: McAfee failed to detect .exe within ups.zip file

Hi,

We can work out the cause if you submit the sample as Sam suggests.

When it comes to malware detection the detail is everything.

It'll help if you know which dat version was first to detect or which was the last not to detect. (Same thing really.)

I am assuming the AV-Engine version and product scanner settings are constant across this, as they would be a factor too.

Looks like this has been moved off to the right forum now.

Handing it over to those who specialise in this field...

Rgds,

Rob.

SamSwift
Level 12
Message 7 of 18

Re: McAfee failed to detect .exe within ups.zip file

Hi John,

We do of course detect all the threats we know about, and as I mentioned our Artemis technology does proactively protect our customers against many, many new threats (we have around 20 million signatures in the cloud). Additionally our heuristic capabilities within the DATs can identify and remove new threats. However, no AV vendor in the world is going to offer you 100% detection and cleaning given that the malware writers continually churn out new files and new techniques to try and stay under the radar. Gone are the days of just 'script kiddies' writing bad stuff just for the hell of it - the malware writers of today are in business to make money, and the type of threat that we are talking about is created purely to con customers out of their hard-earned money.

I am sure when you are considering AV vendors that the outcome of any decision you take will not be based on one file. However, if you would like to provide me with the MD5 of the file, or a sample ID, I can investigate if Artemis had detection for it, should you be interested.

Cheers,

Sam
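
An added example, not part of any post in this thread: one way to produce the MD5 requested above for the .exe inside the attachment without extracting or running it. The hash of the .zip itself differs from the hash of the file it contains, so both are worth recording. The file names, the size cap and the sample archive are constructed for illustration.

```python
import hashlib
import io
import zipfile

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif")
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # assumed cap so a zip bomb is not inflated in memory


def hash_zip_members(zip_bytes):
    """Hash every file in the archive in memory; nothing is written to disk or run."""
    records = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            record = {"name": info.filename, "size": info.file_size,
                      "exe_suffix": info.filename.lower().endswith(EXECUTABLE_SUFFIXES)}
            if info.file_size > MAX_MEMBER_BYTES:
                record["skipped"] = "declared size exceeds cap"
            else:
                data = archive.read(info)
                record["md5"] = hashlib.md5(data).hexdigest()
                record["sha256"] = hashlib.sha256(data).hexdigest()
                record["pe_header"] = data[:2] == b"MZ"  # DOS/PE magic bytes
            records.append(record)
    return records


def build_sample_zip():
    """Constructed sample: harmless bytes that only begin with the 'MZ' magic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("ups_sample.exe", b"MZ" + b"\x00" * 62)
        archive.writestr("readme.txt", b"constructed sample, not malware\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    print("archive md5:", hashlib.md5(sample).hexdigest())
    for rec in hash_zip_members(sample):
        flag = "EXECUTABLE" if rec.get("pe_header") or rec["exe_suffix"] else "-"
        print(rec.get("md5", rec.get("skipped")), flag, rec["name"])
```
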

bluem
Level 7
Message 8 of 18

Re: McAfee failed to detect .exe within ups.zip file

What kind of data do you need from me? I am willing to provide as much data as possible to see if McAfee failed or if I failed in setting up McAfee. I downloaded McAfee Total Protection for Endpoint a few weeks back, installed it on a Win2003 server and released it to one laptop so that I can test. Like I said before, McAfee did not detect the threat until earlier this week on my laptop.

Please let me know what you need and where to locate the info, just in case it is something I am not familiar with.

I registered with webimmune and am waiting for the confirmation email.

Thanks,

B

Message was edited by: John K on 3/11/10 9:40:21 AM CST

Message was edited by: John K on 3/11/10 9:54:58 AM CST
SamSwift
Level 12
Message 9 of 18

Re: McAfee failed to detect .exe within ups.zip file

Hi,

Firstly have you still got a copy of the file? If so please send it over to us either via e-mail (virus_research@avertlabs.com) or through http://www.webimmune.net - either way please can you add the file to a password protected .zip with a password of 'infected' (without the quotes).

Thanks,

Sam

bluem
Level 7
Message 10 of 18

Re: McAfee failed to detect .exe within ups.zip file

I just emailed the zip file via email since I have not received my webimmune confirmation yet.
