Am I the only person getting buried in user issues caused by what appear to be false positives on AV heuristic detections?
The gem of this morning was the GotoMeeting client g2m_download.exe getting flagged. "MGW:Heuristic.BehavesLike.Win32.ModifiedUPX.F" Their test meeting is available at http://support.citrixonline.com/en_US/GoToMeeting/help_files/GTM140010?title=Test+Your+GoToMeeting+C...} and I encountered this upon downloading the client.
Another one that ambled by just this morning that looked harmless was http://support.dell.com/support/dpp/ajax/productsupport.aspx?c=us&l=en&s=dhs&cs=19&servicetag=&Syste... as MGW: Heuristic.BehavesLike.JS.Suspicious.A
Another I was seeing lots of was http://images.bbystatic.com/ and various favicon-[random].ico files there getting caught up as McAfeeGW:Heuristic.BehavesLike.Exploit.CodeExec.FFL but I think they actually fixed that after I sent it to AVert.
Another I was dealing with was a false positive on skillport.com/[some path I can't disclose] detecting as MGW: Heuristic.BehavesLike.JS.Suspicious.A but... it didn't seem to for the user's follow-on testing.
I see that heuristics can be disabled in 184.108.40.206 under Policy > Settings > Engines > Anti-Malware > Gateway Antimalware > Advanced Settings > uncheck Enable Heuristic Scanning, but is changing the Classification threshold on mobile code behavior a better place to do it? I know the good soldier thing would be to send all of these lovingly to the Avert team for review, but they're 1 for 2 and it's not exactly quick turnaround...
I am really curious as to how you have your AV setup. I've attached screenshots of our settings. While we do see quite a few false positives, most of them go unreported by our end users as they appear to be single elements on the page and do not block the actual content.
Not that I am condoning the false detections.
I use conditional settings based on the trust reputation of the site.
For minimal risk sites, I use more relaxed settings, but for Unverified and above sites, I use tighter settings.
This seems to alleviate a whole lot of issues.
I'm also thinking about what I want to do with un-categorized sites.
Additionally (to address the other thread about virus submissions), I'm trying to find the best way to integrate the quarantine rules into this workflow. There is a rule set in the online library that describes how to do it, but I'm deciding the best way to implement it in my config. Should I block and quarantine some samples or all samples, or allow and quarantine them if they come from a specific workstation, or what?
We're at what I believe are/were defaults, with Mcafee Full Protection (recommended settings).
This morning another face-palmer: