Regis
Level 12

Does anyone actually put up with heuristic AV detections being enabled?

Am I the only person getting buried in user issues caused by what appear to be false positives on AV heuristic detections?   

The gem of this morning was the GoToMeeting client g2m_download.exe getting flagged as "MGW:Heuristic.BehavesLike.Win32.ModifiedUPX.F". Their test meeting is available at http://support.citrixonline.com/en_US/GoToMeeting/help_files/GTM140010?title=Test+Your+GoToMeeting+C... and I encountered this upon downloading the client.

Another one that ambled by just this morning and looked harmless was http://support.dell.com/support/dpp/ajax/productsupport.aspx?c=us&l=en&s=dhs&cs=19&servicetag=&Syste... flagged as MGW: Heuristic.BehavesLike.JS.Suspicious.A

Another I was seeing a lot of was http://images.bbystatic.com/ and various favicon-[random].ico files there getting caught as McAfeeGW:Heuristic.BehavesLike.Exploit.CodeExec.FFL, but I think they actually fixed that after I sent it to Avert.

Another I was dealing with was a false positive on skillport.com/[some path I can't disclose] detecting as MGW: Heuristic.BehavesLike.JS.Suspicious.A, but... it didn't seem to for the user's follow-on testing.

I see that heuristics can be disabled in 7.2.0.1 under Policy > Settings > Engines > Anti-Malware > Gateway Antimalware > Advanced Settings > uncheck Enable heuristic scanning, but is changing the Classification threshold on mobile code behavior a better place to do it? I know the good soldier thing would be to send all of these lovingly to the Avert team for review, but they're 1 for 2 and it's not exactly a quick turnaround...


4 Replies
jspanitz
Level 7

Re: Does anyone actually put up with heuristic AV detections being enabled?

Regis,

I am really curious as to how you have your AV set up. I've attached screenshots of our settings. While we do see quite a few false positives, most of them go unreported by our end users, as they appear to be single elements on the page and do not block the actual content.

Not that I am condoning the false detections.

MWG7 Gateway Anti-Malware1.png

MWG7 Gateway Anti-Malware2.png

MWG7 Gateway Anti-Malware3.png

eelsasser
Level 15

Re: Does anyone actually put up with heuristic AV detections being enabled?

I use conditional settings based on the trust reputation of the site.

For minimal-risk sites, I use more relaxed settings, but for Unverified and above sites, I use tighter settings.

This seems to alleviate a whole lot of issues.

Capture.jpg

I'm also thinking about what I want to do with uncategorized sites.

Additionally (to address the other thread about virus submissions), I'm trying to find the best way to integrate the quarantine rules into this workflow. There is a rule set in the online library that describes how to do it, but I'm deciding the best way to implement it in my config. Should I block and quarantine some samples or all samples, or allow and quarantine them if they come from a specific workstation, or what?
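The reputation-tiered approach described in the post above (relaxed handling on minimal-risk sites, tighter on Unverified and above, plus a "quarantine for submission" path), as an added illustration that is not part of the original thread and is not McAfee Web Gateway rule syntax. It models the decision logic in plain Python: signature detections are always blocked; a heuristic detection (a name beginning with "Heuristic.BehavesLike.") is blocked only when the site's reputation is at or above a configurable tier; on lower-risk sites it is allowed, and quarantined only for clients on a sample-collection list. The reputation table, log lines, client addresses and the "Signature.Sample" detection name are constructed for the example; the heuristic detection names are the ones quoted in this thread.

```python
"""Reputation-tiered handling of heuristic AV detections (illustrative model).

Not MWG rule syntax: a stand-alone model of the policy discussed in the thread.
"""
from dataclasses import dataclass
from enum import IntEnum


class Reputation(IntEnum):
    """Trust tiers, ordered from most to least trusted."""
    MINIMAL_RISK = 0
    UNVERIFIED = 1
    MEDIUM_RISK = 2
    HIGH_RISK = 3


# Constructed lookup table standing in for a reputation feed (hypothetical values).
REPUTATION = {
    "www.avis.com": Reputation.MINIMAL_RISK,
    "support.dell.com": Reputation.MINIMAL_RISK,
    "images.bbystatic.com": Reputation.MINIMAL_RISK,
    "example-unverified.test": Reputation.UNVERIFIED,
    "example-bad.test": Reputation.HIGH_RISK,
}

# Uncategorized hosts are treated as Unverified (an assumption, not an MWG default).
UNCATEGORIZED_TIER = Reputation.UNVERIFIED

HEURISTIC_PREFIX = "Heuristic.BehavesLike."


def is_heuristic(detection: str) -> bool:
    """True for heuristic detections such as 'MGW: Heuristic.BehavesLike.JS.Suspicious.A'.

    The engine prefix before the colon (MGW, McAfeeGW, ...) is ignored.
    """
    name = detection.split(":", 1)[-1].strip()
    return name.startswith(HEURISTIC_PREFIX)


@dataclass(frozen=True)
class Decision:
    action: str        # "block" or "allow"
    quarantine: bool   # keep a copy for submission to the vendor


def decide(host: str, detection: str, client_ip: str,
           threshold: Reputation = Reputation.UNVERIFIED,
           sample_clients: frozenset = frozenset()) -> Decision:
    """Apply the tiered policy to one detection.

    - Signature detections: block and quarantine regardless of reputation.
    - Heuristic detections on sites at or above `threshold`: block and quarantine.
    - Heuristic detections on lower-risk sites: allow; quarantine a copy only if the
      request came from a client on the sample-collection list.
    """
    rep = REPUTATION.get(host, UNCATEGORIZED_TIER)
    if not is_heuristic(detection):
        return Decision("block", True)
    if rep >= threshold:
        return Decision("block", True)
    return Decision("allow", client_ip in sample_clients)


# Constructed proxy log lines: "<client_ip> <host> <detection>".
SAMPLE_LOG = """\
10.0.0.5 www.avis.com MGW: Heuristic.BehavesLike.JS.Suspicious.A
10.0.0.5 example-unverified.test MGW: Heuristic.BehavesLike.JS.Suspicious.A
10.0.0.9 images.bbystatic.com McAfeeGW:Heuristic.BehavesLike.Exploit.CodeExec.FFL
10.0.0.5 example-bad.test MGW:Signature.Sample
"""


def apply_policy(log_text: str, **policy) -> list:
    """Run `decide` over each log line and return the decisions in order."""
    decisions = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client_ip, host, detection = line.split(maxsplit=2)
        decisions.append(decide(host, detection, client_ip, **policy))
    return decisions


if __name__ == "__main__":
    for line, d in zip(SAMPLE_LOG.splitlines(),
                       apply_policy(SAMPLE_LOG, sample_clients=frozenset({"10.0.0.9"}))):
        print(f"{d.action:5} quarantine={d.quarantine!s:5} {line}")
```

Raising `threshold` to `Reputation.MEDIUM_RISK` is the model's equivalent of relaxing heuristics on Unverified sites as well; lowering it to `MINIMAL_RISK` blocks every heuristic hit, which is the behaviour the original poster is complaining about.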

Regis
Level 12

Re: Does anyone actually put up with heuristic AV detections being enabled?

We're at what I believe are/were the defaults, with McAfee Full Protection (recommended settings).

This morning, another face-palmer:

"MGW: Heuristic.BehavesLike.JS.Suspicious.A" on "http://www.avis.com/car-rental/avisHome/home.ac?mpch=ads"

eelsasser
Level 15

Re: Does anyone actually put up with heuristic AV detections being enabled?

I just installed a fresh build of 7.2.0.2, waited for the updates to complete, and went to the Avis URL.

I get absolutely no block on that site whatsoever.

I've attached the default rules here (which could also be imported from the rules library if you wanted).
