jeff_es
Level 7

False Positive: BehavesLike.Win32.Suspicious.rc

Hello,

I am the developer of an email notifier (to add context to the filename) and each release has several distribution packages.  Inevitably, one or two are always reported by McAfee-GW-Edition on VirusTotal as BehavesLike.Win32.Suspicious.rc

Samples:

https://www.virustotal.com/en/file/340af5293ac17c5f8f95d0c02bd235b6392c491b66716bcc0b02b7f9e0e9ed2f/...

https://www.virustotal.com/en/file/d37a57abca43183132aedf1437b65a4e980c3aabf4b2b0f9bfaad1ef83a779ae/...

The above files use NSIS installer (and are digitally signed).  The zip distributions, containing the same files, usually pass clean:

https://www.virustotal.com/en/file/5532597dc9357ae2a9f3c224b68187eac7234008583477bf9a6d1e4419d1082a/...

https://www.virustotal.com/en/file/a8c1183f0dd7a0a8ae8a5c0ae74b69d08438fe98acc62f936d9ae9ab5a1df861/...

Please let me know what I need to do to get a clean bill of health, now and in the future!

thanks,

Jeff

0 Kudos
9 Replies
Peacekeeper
Level 20

Re: False Positive: BehavesLike.Win32.Suspicious.rc

I assume best to read and follow what was suggested here

not same detection but a virustotal GW one

0 Kudos
jeff_es
Level 7

Re: False Positive: BehavesLike.Win32.Suspicious.rc

Thanks for the link to the related topic.  I read through it, and the news is not optimistic considering it's from over a year ago.  But let's put that aside as I still have a problem.  In that link it referenced 2 possible actions to report a FP:

1) https://kc.mcafee.com/corporate/index?page=content&id=KB62662

- which requires "Access to the Web Gateway GUI interface" which I do not have

2) https://secure.mcafee.com/apps/mcafee-labs/dispute-form.aspx?region=us

- which I have used before and I have never gotten a response.  I'm not sure if it was the case on previous attempts (earlier this year), but when I tried it a few days ago, I noticed that it didn't even ask for the sample to be uploaded.  I went through it again, and I still don't see any field to indicate the sample.

0 Kudos
Peacekeeper
Level 20

Re: False Positive: BehavesLike.Win32.Suspicious.rc

Usually we get the software developer to submit the files, but with the NSIS installer involved I am loath to suggest that way as it is above my experience and the posts in the threads to the left (More like this) do not suggest this. I will however ping the tech who did solve 1 user's issue and see if he can visit here.

0 Kudos
Peacekeeper
Level 20

Re: False Positive: BehavesLike.Win32.Suspicious.rc

My contact will look into this; it may take a while as the main person who handles such issues is out of the office.

0 Kudos
jeff_es
Level 7

Re: False Positive: BehavesLike.Win32.Suspicious.rc

Thanks, Peacekeeper, I appreciate your help.

0 Kudos
Peacekeeper
Level 20

Re: False Positive: BehavesLike.Win32.Suspicious.rc

If no solution in say 1 week post back and I will ask him how it is going.

0 Kudos
dmeier
Level 13

Re: False Positive: BehavesLike.Win32.Suspicious.rc

We're working with the app developers on that signature to see what can be done to avoid this particular false, and still provide the protection it was designed for.  It will take some time, since we can't really tackle this one file at a time, so please bear with us.

- David

Peacekeeper
Level 20

Re: False Positive: BehavesLike.Win32.Suspicious.rc

Thanks David

0 Kudos
jeff_es
Level 7

Re: False Positive: BehavesLike.Win32.Suspicious.rc

I assume that by "app developers" you mean the NSIS and/or McAfee-Gateway developers, but I would be happy to help in any way I can.  It would certainly be beneficial to me in the long run to get this taken care of.  And, after all, we are apparently long-lost cousins...

A couple of things to note:

1) I had to build new installs this morning and I just submitted them to VT.  The same 2 installations still have a problem:

https://www.virustotal.com/en/file/7dcd5fdd157c41afed3e3bbbe192ca1f6e700817ae332ed41e1a0c1c36ae8d60/...

https://www.virustotal.com/en/file/e4e716230e935372ecb8fcddb7f81c42636361f4aebc35e14bb18ea64b840d55/...

In case it helps for comparison, I have 2 other NSIS builds that don't have a FP (neither this time nor the previous time, which I didn't mention above):

https://www.virustotal.com/en/file/5734d480dea25344fd0a2c44d41b4903145507d7a31dae6c3aa54f06c3c1a421/...

https://www.virustotal.com/en/file/e03e77bab87eaa92d27c630e4839429b06e8b27228e6d952353e632d7c7b7a0d/...

(for the sake of whitelisting, the hashes referenced in the earlier post are no longer used)

2) I'm using NSIS v2.46 (the last official build), but yesterday I downloaded the latest beta (v3.0b2) for testing purposes only.  I had to gut some of the incompatible script just to get quick results.  The lines I removed had to do with the capability to run the installer with elevated privileges (which is standard for installers) but allow the installed program itself (at the end of installation) to launch with normal user privileges.  I wasn't sure if this would cause a different analysis, but McAfee-GW still came up with the suspicious result.

0 Kudos
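Every post in this thread identifies a build by its SHA-256 and a VirusTotal lookup URL, and the last post notes that hashes from an earlier build are retired the moment the installers are rebuilt. The script below is an added example (not the notifier project's tooling and not anything McAfee or VirusTotal publishes) of the release-side bookkeeping that makes a false-positive or allowlisting request precise: it hashes each distribution package, emits the lookup URL in the shape the thread uses, and diffs the manifest against the previous release so the developer can say exactly which hashes are current, which are retired, and which packages actually changed bytes between builds. The file-extension filter, the manifest layout and the `write_sample_release` helper (which writes constructed sample files to a temporary directory) are assumptions made for the example.

```python
"""Release-artifact hash manifest for false-positive / allowlist requests.

Added example, not code from the notifier project or from McAfee/VirusTotal.
Assumptions: distribution packages are the .exe (NSIS) and .zip files in one
release directory; the lookup URL prefix follows the one used in the thread.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# URL shape used by the VirusTotal links in the thread (assumed prefix).
VT_URL = "https://www.virustotal.com/en/file/{sha256}/"

# Package types we consider distribution artifacts (assumption for the example).
PACKAGE_SUFFIXES = (".exe", ".zip")


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file in 1 MiB chunks so large installers are not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(release_dir, suffixes=PACKAGE_SUFFIXES):
    """Map package filename -> {'sha256', 'vt_url'} for every artifact in the dir.

    Sorted by name so two runs over the same tree produce identical output.
    """
    manifest = {}
    for path in sorted(Path(release_dir).iterdir()):
        if path.is_file() and path.suffix.lower() in suffixes:
            digest = sha256_of_file(path)
            manifest[path.name] = {
                "sha256": digest,
                "vt_url": VT_URL.format(sha256=digest),
            }
    return manifest


def diff_manifests(old, new):
    """Return (retired, added, unchanged) SHA-256 sets between two releases.

    'retired' is what should be dropped from any allowlist request; 'added'
    is what a new report must reference.
    """
    old_hashes = {entry["sha256"] for entry in old.values()}
    new_hashes = {entry["sha256"] for entry in new.values()}
    return old_hashes - new_hashes, new_hashes - old_hashes, old_hashes & new_hashes


def changed_packages(old, new):
    """Names present in both builds whose bytes differ (the ones to re-scan)."""
    return sorted(
        name for name in new
        if name in old and old[name]["sha256"] != new[name]["sha256"]
    )


def write_sample_release(files):
    """Write constructed sample packages to a fresh temp dir; returns its path.

    Helper for demonstration only: the contents are made up, not real builds.
    """
    directory = tempfile.mkdtemp(prefix="release-")
    for name, content in files.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(content)
    return directory


if __name__ == "__main__":
    # Two constructed builds: the installer changed, the zip did not.
    build_a = write_sample_release({
        "notifier-setup.exe": b"installer bytes v1",
        "notifier.zip": b"zip bytes",
        "README.txt": b"not a package",
    })
    build_b = write_sample_release({
        "notifier-setup.exe": b"installer bytes v2",
        "notifier.zip": b"zip bytes",
    })
    old_manifest, new_manifest = build_manifest(build_a), build_manifest(build_b)
    retired, added, unchanged = diff_manifests(old_manifest, new_manifest)
    for name, entry in new_manifest.items():
        print(f"{entry['sha256']}  {name}  {entry['vt_url']}")
    print("retired:", sorted(retired))
    print("added:", sorted(added))
    print("changed packages:", changed_packages(old_manifest, new_manifest))
```

Run it once per release and keep the previous manifest alongside the new one; the "retired" set is exactly the list of hashes that no longer need to be on anyone's allowlist, and "changed packages" tells you which artifacts to re-submit to VirusTotal rather than re-checking every file.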