False Positive BehavesLike.Win32.Dropper.nh NON-SENSE by McAfee-GW-Edition

Good day.

The nonsense behavior from McAfee - please explain the reasons.

We used the NSIS installer.

Here is the code used:

Unicode true                 ; build a Unicode installer
RequestExecutionLevel admin  ; request elevation when the installer starts
Section xxxxxxxxxx           ; a single section that installs nothing
SectionEnd

McAfee is reacting to an empty pack - BehavesLike.Win32.Dropper.nh !!!

Here is https://www.virustotal.com/en/file/755f5eb13371bf03b5e8d4398869e0b1a19b189b7214d8cfe516bda9b951748b/...

Please explain the detection type and why an empty pack triggers a reaction?????

Regards

Removed Possibly Malicious Attachment - Moderator

43 Replies
Reliable Contributor
Message 2 of 44

Re: False Positive BehavesLike.Win32.Dropper.nh NON-SENSE by McAfee-GW-Edition

This is not an artemis detection, and this is not McAfee support - for help, you would be best served by speaking to your platinum support team.

Re: False Positive BehavesLike.Win32.Dropper.nh NON-SENSE by McAfee-GW-Edition

Moved to Web Gateway - Moderator

McAfee Employee
Message 4 of 44

Re: False Positive BehavesLike.Win32.Dropper.nh NON-SENSE by McAfee-GW-Edition

Please follow the instruction in this KB article to submit samples to us for analysis: https://kc.mcafee.com/corporate/index?page=content&id=kb62662

thanks,

Michael

Michael Schneider
Lead Product Manager for Web Protection
(•‿•)

Re: False Positive BehavesLike.Win32.Dropper.nh NON-SENSE by McAfee-GW-Edition

Here is the reply - please explain how the empty container from the NSIS installer can be a virus in a VirusTotal scan?????

McAfee Labs - Beaverton 
Current Scan Engine Version:5600.1067 
Current DAT Version:7584.0000 
Thank you for your submission.

Analysis ID: 9163833

File Name | Findings     | Detection | Type | Extra
----------|--------------|-----------|------|------
exp.exe   | inconclusive |           |      | no

inconclusive [exp.exe] 

Automated analysis was not able to determine that this file is malware. This file is
being sent for further processing and the DAT files will potentially be updated if
detection of this sample is warranted.

Note –

Due to the prevalence of network gateway AV products, it is important that all
submissions be zipped and the zip file password-protected (password - infected). Some
products will reject an email that contains a virus that is not sent in this way. In
addition, often we receive a file that appears not to have been infected, to find
later that the file was infected when it left the sender, and was cleaned somewhere
along the line.

Regards,

McAfee Labs

https://www.virustotal.com/en/file/755f5eb13371bf03b5e8d4398869e0b1a19b189b7214d8cfe516bda9b951748b...

McAfee Employee
Message 6 of 44

Re: False Positive BehavesLike.Win32.Dropper.nh NON-SENSE by McAfee-GW-Edition

As other people noted, this is not support or McAfee Labs. You might want to contact your SAM for further details.

However, an executable is not an empty container. An executable contains data. Therefore it might look as if it was using a packer that is used for malware.

To be clear: a 0-byte file is empty, and an executable with size is not empty and contains code, which from a behavioral standpoint might equal malware.

thanks,

Michael

Michael Schneider
Lead Product Manager for Web Protection
(•‿•)
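The point made above, that a compiled installer with no payload still carries the stub's own code sections, is what an analyst checks first when triaging a "BehavesLike" verdict. The following is an added example, not code from the thread, McAfee or NSIS: a minimal PE section walker that reports the file size and which sections are marked executable. The sample image it inspects is a hand-constructed PE skeleton (no optional header, filler bytes in place of real code) built so the script runs offline; it stands in for a compiled stub and is not an NSIS build.

```python
"""Show why a payload-less installer is not an 'empty' file.

Added example: walks the PE section table and reports how many bytes
live in executable sections. SAMPLE_STUB is a constructed skeleton,
not a real NSIS installer.
"""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
SECTION_HEADER_SIZE = 40


def pe_sections(data: bytes):
    """Return (name, size_of_raw_data, characteristics) per section.

    Raises ValueError when the bytes are not a PE image.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # COFF file header starts here
    number_of_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional_header = struct.unpack_from("<H", data, coff + 16)[0]
    first_section = coff + 20 + size_of_optional_header
    sections = []
    for i in range(number_of_sections):
        off = first_section + i * SECTION_HEADER_SIZE
        name, _vsize, _vaddr, raw_size, _raw_ptr = struct.unpack_from("<8sIIII", data, off)
        characteristics = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_size, characteristics))
    return sections


def triage(data: bytes) -> dict:
    """Classify a file as empty, not a PE, or a PE with N bytes of code."""
    report = {"size": len(data), "kind": "empty", "code_bytes": 0, "code_sections": []}
    if not data:
        return report                        # a true 0-byte file: nothing to scan
    try:
        sections = pe_sections(data)
    except ValueError:
        report["kind"] = "not-pe"
        return report
    report["kind"] = "pe"
    for name, raw_size, chars in sections:
        if chars & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
            report["code_bytes"] += raw_size
            report["code_sections"].append(name)
    return report


def build_sample_stub() -> bytes:
    """Construct a tiny PE skeleton (assumed layout, for demonstration only)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header at 0x40
    # COFF header: i386, 2 sections, no optional header, EXECUTABLE_IMAGE|32BIT
    coff = struct.pack("<HHIIIHH", 0x014C, 2, 0, 0, 0, 0, 0x0102)

    def section(name, vsize, vaddr, raw_size, raw_ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, raw_size, raw_ptr, 0, 0, 0, 0, chars)

    text = section(b".text", 0x400, 0x1000, 0x400, 0x200,
                   IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    data = section(b".data", 0x100, 0x2000, 0, 0,
                   IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    headers = bytes(dos) + b"PE\0\0" + coff + text + data
    # 0x400 filler bytes stand in for the stub's machine code
    return headers.ljust(0x200, b"\0") + b"\xcc" * 0x400


SAMPLE_STUB = build_sample_stub()

if __name__ == "__main__":
    print("0-byte file  :", triage(b""))
    print("sample stub  :", triage(SAMPLE_STUB))
```

Run against a real installer the script reads the same fields, so a "nothing in it" build still reports a non-zero code section, which is the region a behavioural classifier compares against known droppers. A signature-free verdict should therefore be reviewed as a classifier decision about the stub, not as proof that the file carries a payload.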

Re: False Positive BehavesLike.Win32.Dropper.nh NON-SENSE by McAfee-GW-Edition

Tuchkina,

Seeing as the virus name being displayed contains "behaveslike", this leads me to believe that whatever device is doing the virus analysis is looking at the file and saying this file's signature looks awfully close to Win32.Dropper.nh, let's block it. How is the file being determined as a virus? Is it being sent through a McAfee appliance/software or are you just sending it through VirusTotal and it is being detected as such? If it is being sent through a McAfee appliance/software, you should open a ticket with support.

Cheers,

Brandon

Reliable Contributor
Message 8 of 44

Re: False Positive BehavesLike.Win32.Dropper.nh NON-SENSE by McAfee-GW-Edition

tuchkina wrote:

Here is the reply - please explain how the empty container from the NSIS installer can be a virus in a VirusTotal scan?????

Well, I have no idea - maybe you should ask VirusTotal?

The bottom line is that this is NOT a virus detection, it's a behavioural detection - we know this because your result was not "Win32.dropper", it was "behaveslike.Win32.Dropper", i.e. what you submitted has the same characteristics as known malware.

I would argue that the installer you created, with no payload, is extremely suspicious and I am happy McAfee GW picked it out - it seems to serve no practical purpose. Thus, it's getting identified as something suspicious (which in my mind it is).

Perhaps you can tell us what you are trying to achieve with your zero payload installer? Or is this just an academic exercise with no practical purpose?


Re: Re: False Positive BehavesLike.Win32.Dropper.nh NON-SENSE by McAfee-GW-Edition

I think using an empty installer is a great way to prove that even harmless files are detected as a threat, in this case a suspicious behavioural detection. However, I am glad that tuchkina started this thread and pointed this out, because all other virus guards seem to have the ability to scan more thoroughly and say it's not a threat. In my opinion, instead of being happy that McAfee picked it up, you should rather be asking the question why it picks up a file with nothing in it. To support this claim I simply ask you to download the NSIS installer and scan it yourself; even the NSIS setup itself is detected as a threat.


Re: False Positive BehavesLike.Win32.Dropper.nh NON-SENSE by McAfee-GW-Edition

Well, McAfee official support and the Virus Lab unfortunately ignore those things!

I have been knocking in all the ways - solutions 1-3, mail request, service portal application - and there is no real attention to my problem!

When will McAfee look at the real problem - NSIS is one of the oldest instruments in software development!

Try it yourself and you'll catch McAfee alerts!

Download - NSIS
