bxs
Level 7
Message 1 of 9

5728 DAT False positive for JS/Exploit-Packed.c.gen

After deploying today's dat 5728 I am receiving quite a few detections for JS/Exploit-Packed.c.gen as users browse the internet. After checking, it appears the sites generating this alert are legitimate... the odds of ALL of these sites being hacked at roughly the same time seem unlikely, although possible.

More than likely this is a false positive. The specific file that seems to be detected is polls-js-packed.js which appears to be an open'ish source WordPress plugin, so makes sense that many many sites are using the same script.

Anyone else seeing this? www.metsblog.com is a site that you can use for testing.

Submitted a sample to Avert already as well as notified Platinum support.

JS/Exploit-Packed.c.gen was added in today's dat 5728: http://vil.nai.com/vil/content/v_218755.htm
8 Replies

RE: 5728 DAT False positive for JS/Exploit-Packed.c.gen

I'm also seeing lots of these since DAT 5728 came out in the last few hours. All the ones I've looked at so far have been JS files in users' Temp Internet Files and folders (too many file names to mention). I'm also thinking that this is more likely a false positive.

Same Here

www.wunderground.com is displaying this same behavior for me.

Me Four

Getting tired of telling the Help Desk it's nothing they need to freak out about.
k-ram
Level 7
Message 5 of 9

False Positive Confirmed

McAfee Avert Labs has found a false detection with JS/Exploit-Packed.c.gen and will be releasing the 5729 DAT Files to correct this issue. The false detection is being seen on websites containing certain types of JavaScript obfuscation.

http://vil.nai.com/vil/content/v_218755.htm
PhilR
Level 12
Message 6 of 9

RE: False Positive Confirmed

https://kc.mcafee.com/corporate/index?page=content&id=KB66831

These false-positives are becoming way too common!

JS/Exploit-Packed.c.gen

I did a scan yesterday after receiving dat 5728, and McAfee found JS/Exploit.Packed.c.gen and quarantined it, and noted it as a Trojan in the detection Log.

This morning I received dat 5729. Should I leave JS/Exploit.Packed.c.gen in quarantine? What action is necessary on my part?
bxs
Level 7
Message 8 of 9

RE: JS/Exploit-Packed.c.gen

It can stay in the quarantine. The next time you visit the website(s) that javascript will be pulled down again.

RE: JS/Exploit-Packed.c.gen

Thanks. This was my first ever quarantine or virus find on McAfee in 2 years of use. I even questioned if it was working correctly.