Moved to Web Gateway - Moderator

As other people noted, this is not support or McAfee Labs. You might want to contact your SAM for further details.

However, an executable is not an empty container. An executable is containing data. Therefore it might look like as if it was using a packer that is used for malware.

To be clear: a 0 byte size file is empty and executable with size is not empty ans this is containing code, which from a behavioral standpoint might equal a malware.

thanks,

Michael

Tuchkina,

Seeing as the virus name being displayed contains behaveslike. This leads me to believe that what ever device is doing the virus analysis is looking at the the file and saying this files signature looks awfully close to Win32.Dropper.nh lets block it. How is the file being determined as a virus? Is it being sent through a McAfee Appliance/Software or are you just sending it through virus total and it is being detected as such? If it is being sent through a McAfee Appliance/Software, you should open a ticket with support.

Cheers,

Brandon

tuchkina wrote:


Here is reply - please explane how the empty container from NSIS installer can be a virus in virustotal scan?????

Well, I have no idea - maybe you should ask Virustotal?

The bottom line is that this is NOT a virus detection, it's a behavioural detection - we know this because your result was not "Win32.dropper", it was "behaveslike.Win32.Dropper"

i.e. what you submitted has the same characteristics as known malware.

I would argue that the installer you created, with no payload, is extremely suspicious and I am happy McAfee GW picked it out - it seems to serve no practical purpose. Thus, it's getting identified as something suspicious (which in my mind it is).

Perhaps you can tell us what you are trying to achieve with your zero payload installer? Or is this just an academic exercise with no practical purpose?

I think using an empty installer is a great way to prove that even harmless files are detecting as a threat, in this case a suspicious behavioural detection.However I am glad that tuchkinastarted this thread and pointed this out because all other virus guards seem to have the ability to scan more thoroughly and say it's not a threat. in my opinion instead of being happy that Mcafee picked it up, you should rather be asking the question why it picks up a file with nothing init. To support this claim I simply ask you to download nsis installer and scan it yourself, even the nsis setup itself is detected as a threat.

Well, McAfee official support and Virus Lab unfortunatelly ignore those things!

I was knocking in all the ways - solution 1-3, mail request, service portal application - there is no any real attention on my problem!

When McAfee will watch at real problem - NSIS is one of the oldest insrument in soft development!

Try it yourself and you ll catch McAfee allerts!

Download - NSIS