Require Clarification regarding a quarantined file


Hi All,

I recently initiated a full scan on a machine. McAfee VSE flagged a file as malicious, and the name of the threat is "Exploit-GAD!C6D4C951D19F".

The threat target file path, as reported by VSE, is:

D:\Application\2016\Application 18-19.04.16.doc\WordDocument\

When I browse to the directory "D:\Application\2016\" I can only see the file "Application 18-19.04.16.doc".

I don't know what "\WordDocument\" at the end of the detection path means.

I don't know how McAfee came to report the detection as "Application 18-19.04.16.doc\WordDocument\".

When I scan the file again with McAfee VSE, VSE reports that there is no malware in the file and that the file is clean. I submitted the sample to McAfee Labs as well, and they too concluded that the file "Application 18-19.04.16.doc" is not malicious. We are using VSE 8.8.0 Patch 12.

Can you please help with the above? How does "\WordDocument\" come to be at the end of the detection path?



14 Replies
McAfee Employee AdithyanT
McAfee Employee
Message 2 of 15

Re: Require Clarification regarding a quarantined file


Hi @Balajir98,

Thank you for your post. I would prefer that this be opened as a Service Request with us so that we can investigate the issue.

This is an unusual detection name that I have not personally come across. Could you please share the excerpt from your On Demand Scan log where the detection entry is present?

Also, can you confirm whether a backup process, or possibly VSS (Volume Shadow Service), was running in the background while the On Demand Scan was happening? And was any other process accessing this file while the On Demand Scan was running on the machine?


Thanks and regards,
Adithyan T
McAfee Employee AdithyanT
McAfee Employee
Message 3 of 15

Re: Require Clarification regarding a quarantined file


Hi @Balajir98,

Thank you for your time and patience with us. Although you have not replied, I wanted to note this here so that other community members are also aware of this situation when they come across a similar issue.

This detection would require a Service Request raised with us. We have just identified a false positive with a similar detection name; Labs investigated one of the reported issues and delivered a fix via EXTRA DAT. To get the fix via the global update, we request that you wait a minimum of 2 to 3 more business days.

Thank you for your kind understanding and patience.


Thanks and regards,
Adithyan T


Re: Require Clarification regarding a quarantined file


Hi Adithyan,

Many thanks for your response.

Please find the attached logs. I am checking whether any backup operation was running on these servers. I will update once I get a response.

Many Thanks!!


McAfee Employee AdithyanT
McAfee Employee
Message 5 of 15

Re: Require Clarification regarding a quarantined file


Hi @Balajir98,

Thank you for attaching the logs. As mentioned above, we have a fix for this detection. Please contact Technical Support and we shall deliver the fix to you via an EXTRA DAT file.

These specific detections are made on the objects embedded within documents (Word, Excel, etc.).

I sincerely hope this answers your query.


Thanks and regards,
Adithyan T
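The "\WordDocument\" suffix follows from the file format: a .doc is an OLE2 compound file, a small file system of storages and streams, and the scanner names the inner stream it flagged after the host file. The following added example (not McAfee's code or tooling) builds a constructed minimal compound file in memory and walks its directory to list the streams the way such a detection path does; the stream and storage names, and the embedded-object entry "_1000" under "ObjectPool", are assumed sample values.

```python
import struct

SIG = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"                                   # OLE2 / CFB magic
FATSECT, ENDOFCHAIN, FREESECT, NOSTREAM = 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFF

def _entry(name, etype, left=NOSTREAM, right=NOSTREAM, child=NOSTREAM):
    """128-byte CFB directory entry: UTF-16LE name, type (5 root, 1 storage, 2 stream), tree links."""
    n = name.encode("utf-16-le") + b"\x00\x00"
    return n.ljust(64, b"\x00") + struct.pack("<HBBIII", len(n), etype, 1, left, right, child) + b"\x00" * 48

def build_sample_doc():
    """Constructed minimal .doc-style container: sector 0 = FAT, sectors 1-2 = directory, no stream data."""
    hdr = struct.pack("<8s16sHHHHH6s9I", SIG, b"\x00" * 16, 0x3E, 3, 0xFFFE, 9, 6, b"\x00" * 6,
                      0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    hdr += struct.pack("<I", 0) + struct.pack("<I", FREESECT) * 108        # DIFAT: the FAT is sector 0
    fat = struct.pack("<3I", FATSECT, 2, ENDOFCHAIN) + struct.pack("<I", FREESECT) * 125
    directory = b"".join([                    # sibling links simplified, not a real red-black tree
        _entry("Root Entry", 5, child=1),
        _entry("WordDocument", 2, right=2),   # the main Word stream named in the VSE detection path
        _entry("ObjectPool", 1, child=3),     # storage holding embedded OLE objects
        _entry("_1000", 2),                   # constructed (assumed) embedded-object stream
    ]).ljust(1024, b"\x00")
    return hdr + fat + directory

def list_streams(data, host=""):
    """Parse header, FAT and directory; list stream paths, VSE-style ('host\\stream\\') if host is given."""
    if data[:8] != SIG:
        raise ValueError("not an OLE2 compound file")
    sec, fat = 1 << struct.unpack_from("<H", data, 30)[0], []
    for s in struct.unpack_from("<109I", data, 76):                      # header DIFAT lists FAT sectors
        if s != FREESECT:
            fat += struct.unpack_from("<%dI" % (sec // 4), data, (s + 1) * sec)
    entries, s = [], struct.unpack_from("<I", data, 48)[0]               # first directory sector
    while s < len(fat) and len(entries) < 4096:                          # ENDOFCHAIN ends it; cap bounds loops
        for i in range(sec // 128):
            e = data[(s + 1) * sec + 128 * i:][:128]
            nlen, etype = struct.unpack_from("<HB", e, 64)
            entries.append((e[:max(nlen - 2, 0)].decode("utf-16-le"), etype) + struct.unpack_from("<III", e, 68))
        s = fat[s]
    paths = []
    def walk(idx, prefix):                    # in-order walk of one storage's sibling tree
        if idx < len(entries):                # NOSTREAM (0xFFFFFFFF) ends a branch
            name, etype, left, right, child = entries[idx]
            walk(left, prefix)
            if etype == 2: paths.append(f"{host}\\{prefix}{name}\\" if host else prefix + name)
            elif etype == 1: walk(child, prefix + name + "\\")
            walk(right, prefix)
    walk(entries[0][4] if entries else NOSTREAM, "")
    return paths
```

Calling `list_streams(build_sample_doc(), "Application 18-19.04.16.doc")` yields paths of the form `Application 18-19.04.16.doc\WordDocument\`, which is why a single file on disk appears in the log with a stream name appended.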

Re: Require Clarification regarding a quarantined file


Thanks Adithyan,

Is this detection a false positive?


McAfee Employee AdithyanT
McAfee Employee
Message 7 of 15

Re: Require Clarification regarding a quarantined file


Hi @Balajir98,

Looking at the logs and the detection name, yes, this matches the false positive identified by our Labs team. However, please raise a Service Request to have this verified by our Support team.


Thanks and regards,
Adithyan T


Re: Require Clarification regarding a quarantined file


Hi Adithyan,

I have a query.

If there is a new malware, McAfee will add a definition for it and release a new EXTRA DAT.

If a malware is identified as a false positive and whitelisted, McAfee has to remove it from the database, and simply applying the new definition should fix the issue, right? Why is an EXTRA DAT needed, or what does it contain for a whitelisted malware? Can you please explain?

Can you explain how applying an EXTRA DAT works for a false positive?

McAfee Employee AdithyanT
McAfee Employee
Message 9 of 15

Re: Require Clarification regarding a quarantined file


Hi @Balajir98,

Excellent question! Thank you for your response.

So an EXTRA DAT covers new detections. Similarly, a Negative EXTRA DAT (Negative ED) is used to suppress false positives. Please note that these are merely the terms used. The files themselves contain code that is processed by our engines, which understand and carry out the end action of adding or removing a detection.

So in this case, the correct term for McAfee Support to use would be Negative ED. However, the file name, when it is given to you by Support, can carry the words SED.DAT, NED.DAT or EXTRA.DAT. The most common file name is EXTRA.DAT. These are merely labels and should not be confused with the purpose of the file.

I sincerely hope this information helps!


Thanks and regards,
Adithyan T
irtech
Level 8
Message 10 of 15

Re: Require Clarification regarding a quarantined file


Hi,

Can I also get the extra.dat? We are also facing the exact same issue (a false positive) when a file embedded inside another file is detected.

Thanks,

Redhat
