Over the past few days I'm seeing a deluge of detections from
And common sites serving them up include (defanged with DOT and xx's) :
Virustotal is non-plussed by the URL's I've checked. False positives, I presume?
Still getting hammered with these.
And I've learned that the submission process for potential falses has become quite a bit more of a customer PITA since you can't just forward a URL and a detection name to email@example.com anymore.
Another one entered my life today. Apparently openjdk is falsing (or there's a real problem with Ubuntu's primary repository):
"McAfeeGW: BehavesLike.Java.Suspicious.xm" "http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-7/openjdk-7-jre-headless_7u79-2.5.6-0ubuntu1.1..."
Well, they stopped on July 30th somehow. I strongly suspect the rules got changed up or disabled. No one on the MWG support ticket I opened asking for Avert escalation could say what or why, but we returned to pre-July 23rd levels of heuristic detections on July 30. That week was kinda ugly with apparently FP's on Flash goodies from common sites though.
Changes were made on Friday to address some of the false positives that were being detected. This was fixed in DAT 3831. This seemed to be related to the new engine and a signature to detect the latest flash vulnerabilities.
I let the case owner know about this.
Cool. Thanks Jon. We're still batting this back and forth a bit in the ticket as our observations don't entirely match what research has told our support tech. We have all the GTI goodies on ... so I guess we should still have the Flash goodies being detected if they exist. Our number of detections has dropped to 0 ever since 7/30 in terms of Flash stuff. That could mean they fixed false positives or the detections have just been disabled. *shrug*.
I'll post whatever we learn. Surprised other folks weren't affected unless my jocular interactions with support have somehow put my client on a special early adopter bleeding edge list for such rollouts. 8-)
We're still seeing lots of them, on various Flash signatures:
and probably more