jont717
Level 12

7.0.2 Gateway Anti-Malware issues

Anyone else having issues where the "Gateway Anti-Malware" throws an error on almost every download? This includes Firefox downloads, Safari downloads, tax software downloads, etc... These are trusted downloads.

If I turn off "Gateway Anti-Malware" and select McAfee Anti-Malware, the problems disappear.

01-14-2011 10-11-36 AM.png

41 Replies
jont717
Level 12

Re: 7.0.2 Gateway Anti-Malware issues

Anyone else have this list in version 7.0.2.1? It seems like this list is being used even though it is not checked anywhere in my rule set.

Any of these downloaded media types throw a Malware error, which is basically ALL .exe files because this list includes application/executables. When the error comes up there is no Virus Name.

download.png

This is downloading Firefox from Mozilla.com.

malware.png

Message was edited by: jont717 on 1/18/11 10:15:25 AM CST
importminded
Level 7

Re: 7.0.2 Gateway Anti-Malware issues

I had a similar issue of getting too many false positives with the Anti-Malware. My problem came from a misinterpretation of the Mobile Code Behavior settings. I had slid the bar all the way to the left, thinking that was the lowest setting, when in fact this will lead to many false positives. I noticed in one of your screenshots the slider was all the way to the left. Try putting it in the middle or 3/4 of the way to the right. Per McAfee:

A low value means the risk in proactively scanning the behavior of mobile code and not detecting tha...is malware is low because the scanning methods are applied very strictly. Mobile code will then be classified as malware even if only a few criteria of being potentially malicious have been detected.
This can lead to classifying mobile code as malware that is actually not malicious ("false positives...While more proactive security is achieved with a stricter setting, accuracy in determining which mobile code is really malicious will suffer. Consequently, the appliance might block web objects that you want to get through to your users.
A high value means the risk in not detecting malicious mobile code is high (more "false negatives"),...more accuracy is achieved in classifying mobile code correctly as malicious or not (fewer "false positives").

Hope that helps.
jont717
Level 12

Re: 7.0.2 Gateway Anti-Malware issues

I moved the slider and it seems to be working now. I had the slider at 90 before and it didn't work. Maybe updates fixed it?

slider.png

jont717
Level 12

Re: 7.0.2 Gateway Anti-Malware issues

UPDATE: Still throws "Malware Detected" on mysql.com when I download .msi files for MySQL 5.5.8.

So it still has issues...

importminded
Level 7

Re: 7.0.2 Gateway Anti-Malware issues

I just downloaded the same file without an issue. There's gotta be a misplaced setting somewhere, but it's hard to say without knowing your configuration.

jont717
Level 12

Re: 7.0.2 Gateway Anti-Malware issues

Thanks for your help. Is there any way you can take a screenshot of your Gateway Anti-Malware settings?

Do you have heuristic scanning disabled? I am running 7.0.2.1 (9319).

importminded
Level 7

Re: 7.0.2 Gateway Anti-Malware issues

Here you go. Running 7.0.2.2.0 (9451).

Steve

dstraube
Level 11

Re: 7.0.2 Gateway Anti-Malware issues

The MSI installation files are often blocked by Mobile Code Scanning. In your case the responsible setting should be Potentially Unwanted: Suspicious activity.

We are already looking into this issue (especially with the mysql installer packages). We are trying to find out if it's a False Positive by the antivirus engine or if it has something to do with the Archive Handler (which extracts the files from the installer package and feeds them to the AV engine).

dstraube
Level 11

Re: 7.0.2 Gateway Anti-Malware issues

Sorry, it turned out it wasn't all that easy. When testing with the mysql download I was only able to download the file when I disabled Mobile Code Scanning altogether. Everything else leads to a block message with a "Heuristic.BehavesLike.Exploit.CodeExec.EOO" detection message.

This seems to come from the AV engine itself and is not related to the Archive Handler. The blocked file inside the package is libmysql.obj, which will be blocked even if it's downloaded on its own.

The download is not blocked in MWG 6.x, as the archive handler there cannot look into .a/.lib files.

I've submitted the file to the Virus Research team so that they can look into this.

Message was edited by: Dirk Straube on 1/19/11 10:12:24 AM CST
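The two replies from dstraube above describe the mechanism behind the difference between MWG 6.x and 7.x: the Archive Handler unpacks the installer and hands each contained file to the AV engine, and 6.x cannot open .a/.lib files, so libmysql.obj inside the MySQL package is never seen there. The following is an added example, written for this page and not code from McAfee Web Gateway, that shows what such a handler has to do for the ar format shared by Unix .a and Windows .lib files: walk the 60-byte member headers, bounds-check every declared size, recurse into nested archives with a depth cap, and feed each leaf to a scanner. The scanner here is a stand-in for the AV engine (a SHA-256 blocklist over a constructed byte string, not real malware), and the archive is built in memory as constructed test data; the member names, the blocklist entry name and the detection label are all assumptions for illustration.

```python
"""Added example: minimal ar (.a/.lib) archive walker with a pluggable scanner."""
import hashlib
import struct
from typing import Callable, Iterator, List, Optional, Tuple

AR_MAGIC = b"!<arch>\n"
HEADER_FMT = "16s12s6s6s8s10s2s"          # name, mtime, uid, gid, mode, size, end-of-header
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 60 bytes
MAX_DEPTH = 3                             # cap on nested archives (archive-bomb protection)

Scanner = Callable[[str, bytes], Optional[str]]


def build_ar(members: List[Tuple[str, bytes]]) -> bytes:
    """Construct a GNU-style ar archive in memory (constructed test data, not a real download)."""
    out = bytearray(AR_MAGIC)
    for name, data in members:
        ident = (name + "/").encode("ascii")   # GNU ar terminates short names with '/'
        if len(ident) > 16:
            raise ValueError("long names (// table) are not supported in this example")
        header = struct.pack(
            HEADER_FMT,
            ident.ljust(16), b"0".ljust(12), b"0".ljust(6), b"0".ljust(6),
            b"100644".ljust(8), str(len(data)).encode("ascii").ljust(10), b"`\n",
        )
        out += header + data
        if len(data) % 2:                      # member data is padded to an even offset
            out += b"\n"
    return bytes(out)


def iter_ar_members(blob: bytes) -> Iterator[Tuple[str, bytes]]:
    """Yield (name, data) for each member; every declared length is checked against the blob."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    off = len(AR_MAGIC)
    while off < len(blob):
        if len(blob) - off < HEADER_LEN:
            raise ValueError("truncated member header")
        name, _mtime, _uid, _gid, _mode, size, end = struct.unpack(
            HEADER_FMT, blob[off:off + HEADER_LEN])
        if end != b"`\n":
            raise ValueError("bad member header at offset %d" % off)
        size = int(size.decode("ascii").strip())
        start, stop = off + HEADER_LEN, off + HEADER_LEN + size
        if size < 0 or stop > len(blob):
            raise ValueError("member size runs past end of archive")
        name = name.decode("ascii").rstrip()
        if len(name) > 1 and name.endswith("/"):
            name = name[:-1]
        yield name, blob[start:stop]
        off = stop + (size & 1)                # skip the padding byte after odd-sized members


def scan_flat(path: str, blob: bytes, scanner: Scanner) -> List[Tuple[str, str]]:
    """Scan the download as one opaque object (what the thread says MWG 6.x does for .a/.lib)."""
    verdict = scanner(path, blob)
    return [(path, verdict)] if verdict else []


def scan_tree(path: str, blob: bytes, scanner: Scanner, depth: int = 0) -> List[Tuple[str, str]]:
    """Recurse into nested ar archives and scan every leaf member."""
    if not blob.startswith(AR_MAGIC):
        verdict = scanner(path, blob)
        return [(path, verdict)] if verdict else []
    if depth >= MAX_DEPTH:
        return [(path, "nesting-limit-exceeded")]  # unscannable content is reported, not passed
    hits: List[Tuple[str, str]] = []
    for name, data in iter_ar_members(blob):
        hits.extend(scan_tree(path + "/" + name, data, scanner, depth + 1))
    return hits


# Stand-in for the AV engine: a hash blocklist over a constructed sample (not real malware).
SAMPLE_OBJ = b"CONSTRUCTED-SAMPLE-NOT-REAL-MALWARE\x00"
BLOCKLIST = {hashlib.sha256(SAMPLE_OBJ).hexdigest(): "Example.Blocklisted.Object"}


def hash_scanner(_path: str, data: bytes) -> Optional[str]:
    return BLOCKLIST.get(hashlib.sha256(data).hexdigest())


def demo() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Constructed download: an archive holding a clean text file, a nested archive, and the sample."""
    inner = build_ar([("libmysql.obj", SAMPLE_OBJ)])
    outer = build_ar([("readme.txt", b"clean text\n"), ("inner.a", inner), ("libmysql.obj", SAMPLE_OBJ)])
    return scan_flat("mysql.lib", outer, hash_scanner), scan_tree("mysql.lib", outer, hash_scanner)


if __name__ == "__main__":
    flat, tree = demo()
    print("flat scan:", flat)   # nothing: the hash of the whole archive matches nothing
    print("tree scan:", tree)   # both copies of the sample object are found
```

The flat scan finds nothing because the engine only ever sees the hash of the whole container, which is the 6.x behaviour described in the thread; the tree scan surfaces the object at both nesting levels. The two checks that matter for a gateway are the bounds check on each member's declared size (a hostile header must not make the handler read past the download) and the depth cap, which turns an unscannable deeply nested archive into a reported finding instead of silently letting it through.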