Yesterday, McAfee Internet Security Real-Time Scan supposedly detected a trojan in my Spybot program. From the McAfee Log:
File: C/\Program files\Spybot-Search & Destroy\SDShred.exe
process description: Windows Problem Reporting
Spybot had just finished a scheduled scan and just then McAfee also completed an update. Before I had a chance to close Spybot, the McAfee alert popped up.
SDShred.exe is part of the Spybot Search & Destroy program, and has been for as long as I have been using it, about 9 years maybe. This is a Shredder program to shred/delete files to oblivion from my computer. I searched McAfee Virus Information with zero results.
McAfee, have you deleted part of my program? This appears to be a false positive and has now removed part of my Spybot program. I posted in Spybot's forum yesterday and it appears there are other people affected by this, although it seems to have different names.
I cannot send the supposed "infected" file to you because you deleted it. (I can't find how to do it anyhow). I haven't used McAfee that long, this is not my computer. I have no choice but to use it.
Can you clarify please?
This is a False Positive. We manage over 1700 systems via McAfee EPO. Have had about 15 systems report this sdshred.exe as being detected as that same trojan. This morning, I submitted the file to McAfee and am still waiting for a response. The problem still exists with today's DAT version 5939.
Thank you. Assumed as much but was hoping to get a confirmation. I've also posted to the Spybot forum and several have posted their McAfee has found this also, although some by a different name but still the same Spybot infected file. I have copied and pasted your reply to that post.
Would really appreciate your posting McAfee's response when you received it. There is someone on Spybot's forum that has submitted the file too and waiting for their response.
Thanks again for your reply. Will await McAfee's response.
Message was edited by: memgal on 4/2/10 2:35:51 PM GMT-06:00
It appears that this issue has been fixed with DAT 5940. Logged into work and rescanned the quarantined file SDSHRED on my system. It reported that it was clean, which allowed me to restore it.
The bad thing is that I have yet to receive any email response from McAfee. When I initially submitted the false positive they gave me a case number. This is another failing on McAfee since we have a gold support account with them. Anyhow, at least it is fixed about 2 days after it was detected.
Just want to confirm twenden's findings. I just hope our machines get the 5940 DAT update to VSE 8.70i before the On Access Scanner gets sdshred.exe, or we will have fun Monday morning. I suspect the Easter holiday has slowed them down somewhat. They usually respond more quickly.
Wow, that's terrible they're not answering you, especially after 4 days. At least they could have said they were checking on it or something.
I noticed I should have posted this in the Malware discussion instead of here, but I appreciate your reply. I could not answer you over the weekend from home because this community site kept crashing my browser for some reason. Weird. I was able to go to other security sites as a test, i.e. Symantec, Spybot S&D, Kaspersky, with no problem, so I know it was not infected, and my scan detected nothing Friday night. McAfee sure has its quirks.
I restored SDShred.exe this morning on this work computer and so far it has not been detected again. I submitted this file from my home computer over the weekend to VirusTotal and, of course, it was clean, and McAfee still had a 3/31/10 detection date there too. But why it didn't detect it then is also strange. Oh well.
Thanks again. Sure glad this is over. I didn't think Spybot was infected anyhow.
Have a great day.
I've moved the thread over to the malware discussion area.
The best process to follow with a potential false detection is documented here - however if you are a corporate user with a valid support contract you can use the new corporate submission portal, details for usage can be found here
Ex_brit has posted a way for home users to submit files on this thread - but please make sure you put the word FALSE into the subject line when sending us a sample via email.
Using webimmune to submit a possible false detection is not recommended.
Hope this helps,
Hi Samantha and thank you. I searched for the "trojan" name and clicked that other link in the result and didn't realize it was in that other section. This is a business but they are using the McAfee Internet Security so I guess they don't have a corporate license. Thanks for the links. Not being that familiar with McAfee that will help.
When I submitted the file to VirusTotal over the weekend, McAfee's detection was still 3/31/10 and it was reported as clean. So I naturally assumed it was a false positive, as did others.
Thanks again for your reply.
Message was edited by: memgal on 4/5/10 9:12:10 AM GMT-06:00
I just had the same experience today. I was running Spybot, and McAfee said that it found a Trojan called Generic.dx!rhw and deleted the file SDShred.exe. I did a Google search and found this thread, and thought I would just rescan and restore the file, as twenden had done. Only the rescan still says that the file contains the Trojan. I am running McAfee VirusScan Enterprise + AntiSpyware Enterprise 8.5.0i, scan engine 5400.1158. The original detection was with DAT 5948, the rescan was with 5949. I also ran the "check for false positive" and it's still telling me it's a Trojan. The Spybot version is Search & Destroy 188.8.131.52, detections update 4/7/2010.