Good day.
Nonsensical behavior from McAfee - please explain the reasons.
We used the NSIS installer.
Here is the code used:
Unicode true                 ; build a Unicode installer
RequestExecutionLevel admin  ; request elevation (UAC prompt) when the installer starts
Section xxxxxxxxxx           ; a single section with no install steps and no payload
SectionEnd
McAfee reacts to the empty package - BehavesLike.Win32.Dropper.nh!!!
Please explain the detection type and why an empty package triggers it?
Regards
Removed Possibly Malicious Attachment - Moderator
This is not an Artemis detection, and this is not McAfee support - for help, you would be best served by speaking to your Platinum support team.
Moved to Web Gateway - Moderator
Please follow the instruction in this KB article to submit samples to us for analysis: https://kc.mcafee.com/corporate/index?page=content&id=kb62662
thanks,
Michael
Here is the reply - please explain how the empty container from the NSIS installer can be a virus in a VirusTotal scan?
McAfee Labs - Beaverton
Current Scan Engine Version:5600.1067
Current DAT Version:7584.0000
Thank you for your submission.
Analysis ID: 9163833
File Name | Findings     | Detection | Type | Extra
----------|--------------|-----------|------|------
exp.exe   | inconclusive |           |      | no

inconclusive [exp.exe]
Automated analysis was not able to determine that this file is malware. This file is
being sent for further processing and the DAT files will potentially be updated if
detection of this sample is warranted.
Note –
Due to the prevalence of network gateway AV products, it is important that all
submissions be zipped and the zip file password-protected (password - infected). Some
products will reject an email that contains a virus that is not sent in this way. In
addition, often we receive a file that appears not to have been infected, to find
later that the file was infected when it left the sender, and was cleaned somewhere
along the line.
Regards,
McAfee Labs
As other people noted, this is not support or McAfee Labs. You might want to contact your SAM for further details.
However, an executable is not an empty container. An executable contains data. Therefore it might look as if it were using a packer that is used for malware.
To be clear: a 0 byte file is empty, and an executable with a size is not empty and contains code, which from a behavioral standpoint might equal malware.
thanks,
Michael
Tuchkina,
Seeing as the virus name being displayed contains "behaveslike", this leads me to believe that whatever device is doing the virus analysis is looking at the file and saying this file's signature looks awfully close to Win32.Dropper.nh, let's block it. How is the file being determined as a virus? Is it being sent through a McAfee appliance/software, or are you just sending it through VirusTotal and it is being detected as such? If it is being sent through a McAfee appliance/software, you should open a ticket with support.
Cheers,
Brandon
tuchkina wrote:
Here is the reply - please explain how the empty container from the NSIS installer can be a virus in a VirusTotal scan?
Well, I have no idea - maybe you should ask Virustotal?
The bottom line is that this is NOT a virus detection, it's a behavioural detection - we know this because your result was not "Win32.Dropper", it was "BehavesLike.Win32.Dropper",
i.e. what you submitted has the same characteristics as known malware.
I would argue that the installer you created, with no payload, is extremely suspicious and I am happy McAfee GW picked it out - it seems to serve no practical purpose. Thus, it's getting identified as something suspicious (which in my mind it is).
Perhaps you can tell us what you are trying to achieve with your zero payload installer? Or is this just an academic exercise with no practical purpose?
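The distinction drawn in the post above (a signature name such as Win32.Dropper versus a heuristic "BehavesLike." name) is the first thing an analyst checks when triaging such an alert. The following Python helper is an added example, not code from this thread or from McAfee; the name patterns it recognises (BehavesLike.<Platform>.<Family>.<variant>, Artemis!<hex>, and <Platform>/<Family>.<variant> or dot-separated names for signatures) and the sample names are the editor's assumptions, not an official naming grammar.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Detection:
    name: str
    kind: str                  # "behavioral", "reputation", "signature" or "unknown"
    platform: Optional[str] = None
    family: Optional[str] = None
    variant: Optional[str] = None


# Assumed name patterns; not an official McAfee naming specification.
_BEHAVES = re.compile(r"BehavesLike\.([^.]+)\.([^.]+)(?:\.([^.]+))?", re.IGNORECASE)
_ARTEMIS = re.compile(r"Artemis!([0-9A-Fa-f]+)", re.IGNORECASE)
_SIGNATURE = re.compile(r"([^./!]+)[./]([^.]+)(?:\.([^.]+))?")


def classify_detection(name: str) -> Detection:
    """Split a detection name into its type and parts.

    "BehavesLike." names are heuristic: the file shares traits with a known
    family but matched no signature, so the hit needs a closer look before it
    is treated as confirmed malware (the point made in the thread).
    """
    name = name.strip()
    m = _BEHAVES.fullmatch(name)
    if m:
        return Detection(name, "behavioral", m.group(1), m.group(2), m.group(3))
    m = _ARTEMIS.fullmatch(name)
    if m:
        # Cloud-reputation hit: the suffix identifies the sample, not a family.
        return Detection(name, "reputation", variant=m.group(1))
    m = _SIGNATURE.fullmatch(name)
    if m:
        return Detection(name, "signature", m.group(1), m.group(2), m.group(3))
    return Detection(name, "unknown")


def needs_analyst_review(name: str) -> bool:
    """Heuristic and reputation hits are queued for manual review; a signature
    match is treated as a confirmed family detection."""
    return classify_detection(name).kind in ("behavioral", "reputation")


if __name__ == "__main__":
    # Constructed sample names; the first is the one reported in the thread.
    for n in ["BehavesLike.Win32.Dropper.nh", "Win32.Dropper", "Artemis!0123ABCD4567"]:
        d = classify_detection(n)
        print(f"{n}: kind={d.kind} family={d.family} review={needs_analyst_review(n)}")
```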
I think using an empty installer is a great way to prove that even harmless files are detected as a threat, in this case a suspicious behavioural detection. However, I am glad that tuchkina started this thread and pointed this out, because all other virus guards seem to have the ability to scan more thoroughly and say it's not a threat. In my opinion, instead of being happy that McAfee picked it up, you should rather be asking the question why it picks up a file with nothing in it. To support this claim I simply ask you to download the NSIS installer and scan it yourself; even the NSIS setup itself is detected as a threat.
Well, McAfee official support and the Virus Lab unfortunately ignore these things!
I have tried all the ways - solutions 1-3, mail request, service portal application - and there is no real attention to my problem!
When will McAfee look at the real problem? NSIS is one of the oldest instruments in software development!
Try it yourself and you'll get McAfee alerts!