Regis
Level 12

Anyone else getting a huge uptick in heuristic Flash detections from gateway anti-malware engine?

Over the past few days I'm seeing a deluge of detections from


McAfeeGW: BehavesLike.Flash.Exploit.zl

McAfeeGW: BehavesLike.Flash.Exploit.xg


And common sites serving them up include (defanged with DOT and xx's):

hxxps://secure.DOT.insightexpressai.com/adserver/fscookie/fscookie.swf

hxxps://s.DOT.adnxtr.com/2/4.11.1/chx.swf

hxxp://s.DOT.update.rubiconproject.com/2/4.11.1/chx.swf

hxp://choices.DOT.truste.com/get?name=jw.swf&cb=__tvcb__

hxxp://s.DOT.tagsrvcs.com/2/4.11.1/chx.swf

hxxp://files.DOT.provenpixel.com/video/sdk/px/OVVBeacon.swf?id=ovv491684515&index=13

VirusTotal is nonplussed by the URLs I've checked. False positives, I presume?

Regis
Level 12

Re: Anyone else getting a huge uptick in heuristic Flash detections from gateway anti-malware engine?

Still getting hammered with these.

And I've learned that the submission process for potential falses has become quite a bit more of a customer PITA since you can't just forward a URL and a detection name to virus_research_gateway@avertlabs.com anymore.

Another one entered my life today.  Apparently openjdk is falsing (or there's a real problem with Ubuntu's primary repository):

"McAfeeGW: BehavesLike.Java.Suspicious.xm" "http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-7/openjdk-7-jre-headless_7u79-2.5.6-0ubuntu1.1..."

Regis
Level 12

Re: Anyone else getting a huge uptick in heuristic Flash detections from gateway anti-malware engine?

Well, they stopped on July 30th somehow. I strongly suspect the rules got changed up or disabled. No one on the MWG support ticket I opened asking for Avert escalation could say what or why, but we returned to pre-July 23rd levels of heuristic detections on July 30. That week was kinda ugly with apparently FPs on Flash goodies from common sites though.

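A small triage helper for the kind of spike described in this thread, added here as an example and not code from the thread, from McAfee or from MWG: it refangs the hxxp / .DOT. notation used in the first post, tallies hosts per detection name, and flags days whose event count exceeds a multiple of a pre-uptick baseline. The sample events, day labels, baseline days and threshold factor are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed sample events in the defanged style used in this thread (hxxp / .DOT.).
# Day labels are month-day only because the thread gives no year; the Ubuntu hit is
# left out because its URL is truncated in the post.
SAMPLE_EVENTS = [
    ("07-21", "McAfeeGW: BehavesLike.Flash.Exploit.zl", "hxxps://s.DOT.adnxtr.com/2/4.11.1/chx.swf"),
    ("07-22", "McAfeeGW: BehavesLike.Flash.Exploit.xg", "hxxp://s.DOT.tagsrvcs.com/2/4.11.1/chx.swf"),
    ("07-23", "McAfeeGW: BehavesLike.Flash.Exploit.zl", "hxxps://secure.DOT.insightexpressai.com/adserver/fscookie/fscookie.swf"),
    ("07-23", "McAfeeGW: BehavesLike.Flash.Exploit.zl", "hxxps://s.DOT.adnxtr.com/2/4.11.1/chx.swf"),
    ("07-23", "McAfeeGW: BehavesLike.Flash.Exploit.xg", "hxxp://s.DOT.update.rubiconproject.com/2/4.11.1/chx.swf"),
    ("07-23", "McAfeeGW: BehavesLike.Flash.Exploit.xg", "hxxp://s.DOT.tagsrvcs.com/2/4.11.1/chx.swf"),
    ("07-23", "McAfeeGW: BehavesLike.Flash.Exploit.zl", "hxp://choices.DOT.truste.com/get?name=jw.swf&cb=__tvcb__"),
]
BASELINE_DAYS = ("07-20", "07-21", "07-22")  # assumed "normal" days before the uptick

_SCHEME = re.compile(r"^hx+p(s?)://", re.IGNORECASE)  # accepts hxxp, hxp, hxxps, ...

def refang(url):
    """Undo the thread's defanging: hxxp/hxp -> http(s), '.DOT.' -> '.'. Plain URLs pass through."""
    return _SCHEME.sub(r"http\1://", url).replace(".DOT.", ".")

def hosts_by_signature(events):
    """Map each detection name to a Counter of hosts that triggered it."""
    tally = defaultdict(Counter)
    for _, signature, url in events:
        tally[signature][urlparse(refang(url)).hostname] += 1
    return tally

def spike_days(events, baseline_days, factor=3):
    """Return [(day, count)] for non-baseline days whose count exceeds
    factor * mean(baseline counts); the mean is floored at 1 so a quiet
    baseline does not flag a single event as a spike."""
    per_day = Counter(day for day, _, _ in events)
    baseline = [per_day.get(d, 0) for d in baseline_days]
    mean = sum(baseline) / len(baseline) if baseline else 0.0
    threshold = factor * max(mean, 1.0)
    return sorted((d, c) for d, c in per_day.items()
                  if d not in baseline_days and c > threshold)

if __name__ == "__main__":
    for signature, hosts in hosts_by_signature(SAMPLE_EVENTS).items():
        print(signature, dict(hosts))
    print("spike days:", spike_days(SAMPLE_EVENTS, BASELINE_DAYS))
```

Hosts that recur under several heuristic names on a spike day are the first candidates for a false-positive submission; a real compromise of an ad host usually shows up on one or two hosts, not across the whole ad ecosystem at once.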
McAfee Employee

Re: Anyone else getting a huge uptick in heuristic Flash detections from gateway anti-malware engine?

Hi friend!

Changes were made on Friday to address some of the false positives that were being detected. This was fixed in DAT 3831. This seemed to be related to the new engine and a signature to detect the latest flash vulnerabilities.

I let the case owner know about this.

Best Regards,

Jon

Regis
Level 12

Re: Anyone else getting a huge uptick in heuristic Flash detections from gateway anti-malware engine?

Cool. Thanks Jon. We're still batting this back and forth a bit in the ticket as our observations don't entirely match what research has told our support tech. We have all the GTI goodies on ... so I guess we should still have the Flash goodies being detected if they exist. Our number of detections has dropped to 0 ever since 7/30 in terms of Flash stuff. That could mean they fixed false positives or the detections have just been disabled. *shrug*.

I'll post whatever we learn. Surprised other folks weren't affected unless my jocular interactions with support have somehow put my client on a special early adopter bleeding edge list for such rollouts. 8-)

jbmartin6
Level 9

Re: Anyone else getting a huge uptick in heuristic Flash detections from gateway anti-malware engine?

We're still seeing lots of them, on various Flash signatures:


McAfeeGW: BehavesLike.Flash.Exploit.pb

McAfeeGW: BehavesLike.Flash.Exploit.lb

McAfeeGW: BehavesLike.Flash.XSS.zg


and probably more.