5728 DAT False positive for JS/Exploit-Packed.c.gen

After deploying today's dat 5728 I am receiving quite a few detections for JS/Exploit-Packed.c.gen as users browse the internet. After checking, it appears the sites generating this alert are legitimate... the odds of ALL of these sites being hacked at roughly the same time seem unlikely, although possible.

More than likely this is a false positive. The specific file that seems to be detected is polls-js-packed.js which appears to be an open'ish source WordPress plugin, so makes sense that many many sites are using the same script.

Anyone else seeing this? www.metsblog.com is a site that you can use for testing.

Submitted a sample to Avert already as well as notified Platinum support.

JS/Exploit-Packed.c.gen was added in today's dat 5728: http://vil.nai.com/vil/content/v_218755.htm
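
The reasoning in the post above (a detection name that first appears with a new DAT and fires on the same script across many unrelated sites is a probable false positive) can be run over exported detection events. This is an added example, not part of the thread or of any McAfee tooling; the event fields, host names, hashes, the second detection name and the example.* sites are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample export; field names are assumptions, not a McAfee format.
EVENTS = [
    {"host": "pc-014", "dat": 5728, "name": "JS/Exploit-Packed.c.gen",
     "site": "www.metsblog.com", "file": "polls-js-packed.js", "hash": "h-polls"},
    {"host": "pc-022", "dat": 5728, "name": "JS/Exploit-Packed.c.gen",
     "site": "blog.example.org", "file": "polls-js-packed.js", "hash": "h-polls"},
    {"host": "pc-031", "dat": 5728, "name": "JS/Exploit-Packed.c.gen",
     "site": "news.example.net", "file": "polls-js-packed.js", "hash": "h-polls"},
    {"host": "pc-014", "dat": 5728, "name": "JS/Exploit-Packed.c.gen",
     "site": "www.wunderground.com", "file": "packed[1].js", "hash": "h-other"},
    {"host": "pc-040", "dat": 5727, "name": "Example/Older.sig",
     "site": "files.example.com", "file": "setup.exe", "hash": "h-old"},
    {"host": "pc-040", "dat": 5728, "name": "Example/Older.sig",
     "site": "files.example.com", "file": "setup.exe", "hash": "h-old"},
]

def triage(events, new_dat, min_sites=3):
    """Summarise each detection name and flag false-positive candidates."""
    groups = defaultdict(list)
    for e in events:
        groups[e["name"]].append(e)
    report = {}
    for name, evs in groups.items():
        first_dat = min(e["dat"] for e in evs)
        sites = {e["site"] for e in evs}
        # Sites per content hash: one identical script seen on many unrelated
        # sites points at a shared library or plugin.
        by_hash = defaultdict(set)
        for e in evs:
            by_hash[e["hash"]].add(e["site"])
        top_hash, top_sites = max(by_hash.items(),
                                  key=lambda kv: (len(kv[1]), kv[0]))
        # Candidate: never seen before this DAT and spread over many sites.
        candidate = first_dat == new_dat and len(sites) >= min_sites
        report[name] = {
            "first_dat": first_dat, "sites": len(sites),
            "hosts": len({e["host"] for e in evs}),
            "top_hash": top_hash, "top_hash_sites": len(top_sites),
            # A candidate goes to the vendor with a sample; it is not suppressed.
            "verdict": "fp-candidate" if candidate else "investigate",
        }
    return report

if __name__ == "__main__":
    for name, row in triage(EVENTS, new_dat=5728).items():
        print(name, row)
```
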
8 Replies

RE: 5728 DAT False positive for JS/Exploit-Packed.c.gen

I'm also seeing lots of these since DAT 5728 came out in the last few hours. All the ones I've looked at so far have been JS files in users' Temp Internet Files and folders (too many file names to mention). I'm also thinking that this is more likely a false positive.

Same Here

www.wunderground.com is displaying this same behavior for me.

Me Four

Getting tired of telling the Help Desk it's nothing they need to freak out about.

False Positive Confirmed

McAfee Avert Labs has found a false detection with JS/Exploit-Packed.c.gen and will be releasing the 5729 DAT Files to correct this issue. The false detection is being seen on websites containing certain types of JavaScript obfuscation.

http://vil.nai.com/vil/content/v_218755.htm

RE: False Positive Confirmed

https://kc.mcafee.com/corporate/index?page=content&id=KB66831

These false-positives are becoming way too common!

JS/Exploit-Packed.c.gen

I did a scan yesterday after receiving dat 5728, and McAfee found JS/Exploit.Packed.c.gen and quarantined it, and noted it as a Trojan in the detection Log.

This morning I received dat 5729. Should I leave JS/Exploit.Packed.c.gen in quarantine? What action is necessary on my part?

RE: JS/Exploit-Packed.c.gen

It can stay in the quarantine. The next time you visit the website(s) that javascript will be pulled down again.

RE: JS/Exploit-Packed.c.gen



Thanks... this was my first ever quarantine or virus find on McAfee in 2 years of use. I even questioned if it was working correctly.