tuchkina
Level 7

False Positive BehavesLike.Win32.Dropper.nh NON-SENSE by McAfee-GW-Edition

Good day.

The nonsense behavior from McAfee - please explain the reasons.

We used the NSIS installer.

Here is the code used:

Unicode true                 ; build a Unicode installer
RequestExecutionLevel admin  ; request elevation on launch
Section xxxxxxxxxx           ; a single section with no files and no instructions
SectionEnd

McAfee is reacting to an empty package - BehavesLike.Win32.Dropper.nh!!!

Here is https://www.virustotal.com/en/file/755f5eb13371bf03b5e8d4398869e0b1a19b189b7214d8cfe516bda9b951748b/...

Please explain the detection type and why an empty package is triggering it??????

Regards

Removed Possibly Malicious Attachment - Moderator

43 Replies
SafeBoot
Level 21

Re: False Positive BehavesLike.Win32.Dropper.nh NON-SENSE by McAfee-GW-Edition

This is not an artemis detection, and this is not McAfee support - for help, you would be best served by speaking to your platinum support team.

exbrit
Level 21

Re: False Positive BehavesLike.Win32.Dropper.nh NON-SENSE by McAfee-GW-Edition

Moved to Web Gateway - Moderator

McAfee Employee

Re: False Positive BehavesLike.Win32.Dropper.nh NON-SENSE by McAfee-GW-Edition

Please follow the instruction in this KB article to submit samples to us for analysis: https://kc.mcafee.com/corporate/index?page=content&id=kb62662

thanks,

Michael

tuchkina
Level 7

Re: False Positive BehavesLike.Win32.Dropper.nh NON-SENSE by McAfee-GW-Edition

Here is the reply - please explain how the empty container from the NSIS installer can be a virus in a VirusTotal scan?????

McAfee Labs - Beaverton 
Current Scan Engine Version:5600.1067 
Current DAT Version:7584.0000 
Thank you for your submission.

Analysis ID: 9163833

File Name | Findings     | Detection Type | Extra
----------|--------------|----------------|------
exp.exe   | inconclusive |                | no

inconclusive [exp.exe] 

Automated analysis was not able to determine that this file is malware. This file is
being sent for further processing and the DAT files will potentially be updated if
detection of this sample is warranted.

Note –

Due to the prevalence of network gateway AV products, it is important that all
submissions be zipped and the zip file password-protected (password - infected). Some
products will reject an email that contains a virus that is not sent in this way. In
addition, often we receive a file that appears not to have been infected, to find
later that the file was infected when it left the sender, and was cleaned somewhere
along the line.

Regards,

McAfee Labs

https://www.virustotal.com/en/file/755f5eb13371bf03b5e8d4398869e0b1a19b189b7214d8cfe516bda9b951748b...

McAfee Employee

Re: False Positive BehavesLike.Win32.Dropper.nh NON-SENSE by McAfee-GW-Edition

As other people noted, this is not support or McAfee Labs. You might want to contact your SAM for further details.

However, an executable is not an empty container. An executable contains data. Therefore it might look as if it were using a packer that is used for malware.

To be clear: a 0-byte file is empty; an executable with a size is not empty and contains code, which from a behavioral standpoint might equal malware.

thanks,

Michael

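Michael's point above, that an installer with an empty Section is still an executable carrying code plus appended data, can be checked directly on the file. The following is an added example, not code from this thread or from McAfee: a minimal PE header walker that lists the code sections and anything appended after them (the NSIS overlay). The sample image it builds is constructed inline, and the NSIS first-header signature it looks for is an assumption taken from the NSIS source layout.

```python
import struct

# Assumed marker: the NSIS first-header signature (0xDEADBEEF little-endian
# followed by "NullsoftInst") that NSIS writes at the start of its appended data.
NSIS_MARKER = b"\xef\xbe\xad\xdeNullsoftInst"


def build_sample_pe(overlay: bytes = b"") -> bytes:
    """Construct a tiny 32-bit PE image as sample input (not a real installer)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: i386, one section, 0xE0-byte optional header, EXECUTABLE_IMAGE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    # PE32 optional header: magic, linker ver, SizeOfCode, init/uninit data, entry, base
    opt = struct.pack("<HBBIIIII", 0x10B, 0, 0, 0x200, 0, 0, 0x1000, 0x1000)
    opt += b"\0" * (0xE0 - len(opt))
    code = b"\x55\x8b\xec\x33\xc0\x5d\xc3"  # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0x60000020)  # CODE|EXECUTE|READ
    image = dos + b"PE\0\0" + coff + opt + sect
    image += b"\0" * (0x200 - len(image)) + code + b"\0" * (0x200 - len(code))
    return image + overlay  # NSIS appends its archive after the last section


def pe_summary(data: bytes) -> dict:
    """Walk the PE headers and report code sections plus any appended overlay."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                       # optional header follows the COFF header
    entry = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections, end = [], 0
    for i in range(nsections):
        name, _, _, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii"), raw_size))
        end = max(end, raw_ptr + raw_size)    # overlay = everything past the sections
    overlay = data[end:]
    return {"machine": machine, "entry_point": entry, "sections": sections,
            "section_bytes": sum(size for _, size in sections),
            "overlay_bytes": len(overlay), "nsis_overlay": NSIS_MARKER in overlay}


if __name__ == "__main__":
    # Even with nothing "installed", the file carries a code section and NSIS data.
    print(pe_summary(build_sample_pe(NSIS_MARKER + b"\0" * 32)))
```

Run it against a real installer by passing `open(path, "rb").read()` to `pe_summary`; a non-zero `section_bytes` and an NSIS overlay are what a behavioral scanner sees, not an empty file.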
bgartama
Level 9

Re: False Positive BehavesLike.Win32.Dropper.nh NON-SENSE by McAfee-GW-Edition

Tuchkina,

Seeing as the virus name being displayed contains "BehavesLike", this leads me to believe that whatever device is doing the virus analysis is looking at the file and saying "this file's signature looks awfully close to Win32.Dropper.nh, let's block it." How is the file being determined to be a virus? Is it being sent through a McAfee appliance/software, or are you just sending it through VirusTotal and it is being detected as such? If it is being sent through a McAfee appliance/software, you should open a ticket with support.

Cheers,

Brandon

SafeBoot
Level 21

Re: False Positive BehavesLike.Win32.Dropper.nh NON-SENSE by McAfee-GW-Edition

tuchkina wrote:

    Here is the reply - please explain how the empty container from the NSIS installer can be a virus in a VirusTotal scan?????
Well, I have no idea - maybe you should ask Virustotal?

The bottom line is that this is NOT a virus detection, it's a behavioural detection - we know this because your result was not "Win32.Dropper", it was "BehavesLike.Win32.Dropper",

i.e. what you submitted has the same characteristics as known malware.

I would argue that the installer you created, with no payload, is extremely suspicious and I am happy McAfee GW picked it out - it seems to serve no practical purpose. Thus, it's getting identified as something suspicious (which in my mind it is).

Perhaps you can tell us what you are trying to achieve with your zero payload installer? Or is this just an academic exercise with no practical purpose?

Re: Re: False Positive BehavesLike.Win32.Dropper.nh NON-SENSE by McAfee-GW-Edition

I think using an empty installer is a great way to prove that even harmless files are detected as a threat, in this case a suspicious behavioural detection. However, I am glad that tuchkina started this thread and pointed this out, because all other virus guards seem to have the ability to scan more thoroughly and say it's not a threat. In my opinion, instead of being happy that McAfee picked it up, you should rather be asking the question why it picks up a file with nothing in it. To support this claim I simply ask you to download the NSIS installer and scan it yourself; even the NSIS setup itself is detected as a threat.

tuchkina
Level 7

Re: False Positive BehavesLike.Win32.Dropper.nh NON-SENSE by McAfee-GW-Edition

Well, McAfee official support and the Virus Lab unfortunately ignore these things!

I have tried every way - solutions 1-3, mail request, service portal application - and there is no real attention to my problem!

When will McAfee look at the real problem? NSIS is one of the oldest instruments in software development!

Try it yourself and you'll get McAfee alerts!

Download - NSIS