We are using VSE 8.7 P3 and VSE 8.8 P1 with the latest Engine and DAT.
On several machines VSE detects PWS-Zbot.gen.ep in the executable files by Adobe, Dell, even McAfee SuperDAT etc, that look completely legitimate. The funny thing is that the files manually decrypted from Quarantine are considered clean by VSE and VirusTotal. Detections occur randomly and it is impossible to reproduce them. Setting up the OAS action as "Clean>Deny" causes thousands of detections in the same file, but manual scan cannot find anything in it.
Another thing I noticed today on one machine: VSE ran ODS with only "Memory for rootkits" and "Running Processes" checked. It found several instances of PWS-Zbot.gen.ep, 4 of them were the McAfee Agent executables. Action was "continue". The machine did not get rebooted, Agent did not restart or anything. An hour later the same ODS with the same parameters did not find anything. Manual scan of those files says they are clean.
I am also experiencing this same issue, randomly in my environment. I am unable to reproduce the issue myself and when I scan the file locations manually they report no infections.
The detections are coming from the file location of our Lumensions application used to deploy software and software updates. It also threw event detections on the McAfee Agent install folder. I was attempting to perform an initial install of the McAfee Agent on an XP workstation that had been in storage for a while. The system had an older Mcafee Agent (ver 3.6) running on it and I was upgrading it to version 188.8.131.5235. It also had VSE 8.5 installed with no patches and I needed to upgrade it to version 8.8 P2.
The agent deployment task failed remotely and when the user logged in that is when she received multiple Trojan detections. I remoted onto her machine and manually uninstalled VSE and the McAfee Agent. I installed the current versions and ran a full system scan. No infections were detected once the scan completed.
Any help with this problem would be greatly appreciated
We are also experiencing the same detections from Lumension executables, Our detections are also inconsistent in our environment. Can anyone from McAfee please comment on this issue? Do samples need to be submitted as false positives?
I'm seeing this issue. Re-scanning the detected files (unhandled detections) result in no finding. Submission to McAfee Labs results in no finding. Issue occurring for me mainly on Java jusched.exe and now winvnc.exe.