Hi All,
I initiated a full scan on a machine recently. McAfee VSE flagged a file as malicious, and the name of the threat is "Exploit-GAD!C6D4C951D19F".
The threat target file path according to VSE is:
D:\Application\2016\Application 18-19.04.16.doc\WordDocument\
When I browse to the directory "D:\Application\2016\" I can only see the file "Application 18-19.04.16.doc".
I don't know what "\WordDocument\" at the end of the detection path means.
I don't know how McAfee detected the file as "Application 18-19.04.16.doc\WordDocument\".
When I try to scan the file again with McAfee VSE, VSE reports that there is no malware in the file and that the file is clean. I submitted the sample to McAfee Labs as well, and they too stated that the file "Application 18-19.04.16.doc" is not malicious. We are using VSE 8.8.0 Patch 12.
Can you please help with the above? How does "\WordDocument\" come to be at the end of the detection path?
Hi @Balajir98,
Thank you for your post. I would prefer if this were opened as a Service Request with us to investigate this issue.
This is an unusual detection name that I have not personally come across. Could you please share the log excerpt from your On Demand Scan log where the detection entry is present?
Also, can you confirm whether a backup process or possibly VSS (Volume Shadow Service) was running in the background while the On Demand Scan was happening, and whether any other process was accessing this file while the On Demand Scan was running on the machine?
Hi @Balajir98,
Thank you for your time and patience with us. Although you have not replied, I wanted to note this here so that other community members are also aware of this situation when they come across a similar issue.
This detection would require a Service Request raised with us. We have just identified a false positive with a similar detection name; Labs has investigated one of the reported issues and delivered a fix via EXTRA DAT. In order to get the fix via Global update, we request that you wait a minimum of 2 to 3 more business days.
Thank you for your kind understanding and patience.
Hi Adithyan,
Many thanks for your response.
Please find the attached logs. I am checking whether any backup operation was going on on these servers. I will update once I get a response.
Many Thanks!!
Hi @Balajir98,
Thank you for attaching the logs. As mentioned above, we have a fix for this detection. Please contact Technical Support and we shall deliver the fix to you via an EXTRA DAT file.
The specific detections are made for the objects embedded in the documents (Word, Excel, etc.).
I sincerely hope this answers your query.
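The "\WordDocument\" suffix in the original detection path is explained by how a legacy .doc file is stored: it is an OLE2 Compound File (CFB), a small filesystem of storages and streams inside one file, and Word keeps its main content in a stream named "WordDocument". A scanner that looks inside containers reports the matched object as the container path followed by the stream path, which is why Explorer shows only the .doc while VSE reports something "inside" it. The following Python script is an added illustration, not McAfee code or anything from the original thread: it builds a constructed minimal CFB container with a single "WordDocument" stream, parses it with a small stand-alone reader (no third-party library), lists the streams, and renders the same container-plus-stream path notation seen in the report. The container builder, the stream contents, and the helper names (`build_sample_doc`, `list_streams`, `read_stream`, `report_paths`) are all assumptions made for this example; the reader only handles streams stored in regular sectors, which is how the sample is built.

```python
"""Minimal OLE2 / Compound File Binary (CFB) stream lister (added example)."""
import struct

CFB_SIGNATURE = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ENDOFCHAIN, FATSECT, FREESECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF, 0xFFFFFFFF
TYPE_STORAGE, TYPE_STREAM, TYPE_ROOT = 1, 2, 5
SECTOR = 512  # version-3 CFB files use 512-byte sectors


def _dir_entry(name, entry_type, child=NOSTREAM, start=ENDOFCHAIN, size=0):
    """Build one 128-byte directory entry (constructed sample data)."""
    name_utf16 = (name.encode("utf-16-le") + b"\x00\x00") if name else b""
    return (name_utf16.ljust(64, b"\x00")
            + struct.pack("<HBB", len(name_utf16), entry_type, 1)   # name length, type, colour
            + struct.pack("<III", NOSTREAM, NOSTREAM, child)        # left, right, child siblings
            + b"\x00" * 36                                          # CLSID, state bits, timestamps
            + struct.pack("<IQ", start, size))                      # starting sector, stream size


def build_sample_doc():
    """Construct a tiny but valid CFB container holding one 'WordDocument' stream.
    This is constructed sample data, not a real Word document."""
    payload = b"constructed WordDocument stream bytes".ljust(4096, b"\x00")
    n_payload = len(payload) // SECTOR                       # 8 sectors, numbered 2..9
    header = (CFB_SIGNATURE + b"\x00" * 16                   # signature, CLSID
              + struct.pack("<HHHHH", 0x3E, 3, 0xFFFE, 9, 6)  # versions, byte order, sector shifts
              + b"\x00" * 6
              # dir sectors, FAT sectors, first dir sector, txn sig, mini cutoff,
              # first mini-FAT, mini-FAT count, first DIFAT, DIFAT count
              + struct.pack("<9I", 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
              + struct.pack("<I", 0) + struct.pack("<I", FREESECT) * 108)  # DIFAT: FAT is sector 0
    # FAT: sector 0 = FAT itself, sector 1 = directory, sectors 2..9 = the stream chain
    chain = [FATSECT, ENDOFCHAIN] + [3 + i for i in range(n_payload - 1)] + [ENDOFCHAIN]
    fat = struct.pack("<%dI" % len(chain), *chain)
    fat += struct.pack("<I", FREESECT) * ((SECTOR - len(fat)) // 4)
    directory = (_dir_entry("Root Entry", TYPE_ROOT, child=1)
                 + _dir_entry("WordDocument", TYPE_STREAM, start=2, size=len(payload))
                 + _dir_entry("", 0) * 2)                    # unused entries pad the sector
    return header + fat + directory + payload


def is_compound_file(data):
    return data[:8] == CFB_SIGNATURE


def _read_chain(data, sector_size, fat, start):
    """Follow a FAT chain from 'start', refusing loops and out-of-range sectors."""
    out, sec, seen = bytearray(), start, set()
    while sec != ENDOFCHAIN:
        if sec in seen or sec >= len(fat):
            raise ValueError("corrupt FAT chain")
        seen.add(sec)
        off = (sec + 1) * sector_size                        # sector 0 starts after the header
        out += data[off:off + sector_size]
        sec = fat[sec]
    return bytes(out)


def _parse(data):
    """Return (sector_size, fat, directory entries) for a CFB image."""
    if not is_compound_file(data):
        raise ValueError("not an OLE2 compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
    num_fat, first_dir = struct.unpack_from("<II", data, 44)
    fat = []
    for sec in struct.unpack_from("<109I", data, 76)[:num_fat]:
        fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), data, (sec + 1) * sector_size))
    entries = []
    directory = _read_chain(data, sector_size, fat, first_dir)
    for i in range(len(directory) // 128):
        e = directory[i * 128:(i + 1) * 128]
        name_len = struct.unpack_from("<H", e, 64)[0]
        name = e[:max(name_len - 2, 0)].decode("utf-16-le")   # drop the UTF-16 terminator
        left, right, child = struct.unpack_from("<III", e, 68)
        entries.append((name, e[66], left, right, child, struct.unpack_from("<Q", e, 120)[0]))
    return sector_size, fat, entries


def _stream_table(entries):
    """Walk the directory tree from the root and return [(path, entry index)]."""
    found = []

    def walk(idx, prefix):
        if idx == NOSTREAM or idx >= len(entries):
            return
        name, etype, left, right, child, _ = entries[idx]
        walk(left, prefix)
        walk(right, prefix)
        if etype == TYPE_STREAM:
            found.append((prefix + name, idx))
        elif etype == TYPE_STORAGE:
            walk(child, prefix + name + "\\")
    walk(entries[0][4], "")                                   # entry 0 is "Root Entry"
    return found


def list_streams(data):
    return [path for path, _ in _stream_table(_parse(data)[2])]


def read_stream(data, stream_path):
    sector_size, fat, entries = _parse(data)
    for path, idx in _stream_table(entries):
        if path == stream_path:
            return _read_chain(data, sector_size, fat, entries[idx][4 - 4 + 4] if False else
                               struct.unpack_from("<I", b"", 0)[0] if False else
                               entries[idx][0] if False else _start_sector(data, idx))[:entries[idx][5]]
    raise KeyError(stream_path)


def _start_sector(data, idx):
    """Starting sector of directory entry 'idx' (re-read from the raw entry)."""
    sector_size, fat, _ = _parse(data)
    first_dir = struct.unpack_from("<I", data, 48)[0]
    entry = _read_chain(data, sector_size, fat, first_dir)[idx * 128:(idx + 1) * 128]
    return struct.unpack_from("<I", entry, 116)[0]


def report_paths(container_path, data):
    """Render container + stream paths the way a container-aware scanner reports them."""
    return [container_path + "\\" + p + "\\" for p in list_streams(data)]


if __name__ == "__main__":
    doc = build_sample_doc()
    for p in report_paths(r"D:\Application\2016\Application 18-19.04.16.doc", doc):
        print(p)
```

Running the script prints `D:\Application\2016\Application 18-19.04.16.doc\WordDocument\`, the same shape as the path in the original report. A real Word binary file carries more streams than this sample (for example the "1Table" or "0Table" stream and the "SummaryInformation" streams), and a scanner that rescans only the outer file, or that no longer matches after a detection is suppressed, can legitimately report the same .doc as clean on a later pass.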
Thanks Adithyan,
Is this detection a false positive?
Hi @Balajir98,
Looking at the logs and the detection name, yes, this matches the false positive identified by our Labs team. However, please raise a Service Request to have this verified by our Support team.
Hi Adithyan,
I have a query.
If there is a new malware, McAfee will add the definition for it and will release a new ExtraDAT.
If a malware is identified as a false positive and whitelisted, McAfee has to remove it from the database, and simply applying the new definition should fix the issue, right? Why is an EXTRA DAT needed, or what does it contain for a whitelisted malware? Can you please explain here?
Can you explain how applying an EXTRA DAT works for a false positive?
Hi @Balajir98,
Excellent question! Thank you for your response.
So an EXTRA DAT covers new detections. Similarly, a Negative EXTRA DAT (Negative ED) is used to suppress false positives. Please note that these are merely the terminologies used. The files themselves contain code that is processed by our engines, which understand and carry out the end action of adding or removing a detection.
So in this case, the right term used by McAfee Support would be Negative ED. However, the file name, when it is given to you by Support, can carry the words SED.DAT, NED.DAT or EXTRA.DAT. The most common file name is EXTRA.DAT. These are merely labels and should not be confused with the purpose of the file.
I sincerely hope this information helps!
Hi,
Can I also get the extra.dat? We are also facing the exact same issue (false positive) when detecting a file embedded inside another file.
Thanks,
Redhat