jeff_es
Level 7
Message 1 of 10

False Positive: BehavesLike.Win32.Suspicious.rc

Hello,

I am the developer of an email notifier (to add context to the filename) and each release has several distribution packages. Inevitably, one or two are always reported by McAfee-GW-Edition on VirusTotal as BehavesLike.Win32.Suspicious.rc.

Samples:

https://www.virustotal.com/en/file/340af5293ac17c5f8f95d0c02bd235b6392c491b66716bcc0b02b7f9e0e9ed2f/...

https://www.virustotal.com/en/file/d37a57abca43183132aedf1437b65a4e980c3aabf4b2b0f9bfaad1ef83a779ae/...

The above files use the NSIS installer (and are digitally signed). The zip distributions, containing the same files, usually pass clean:

https://www.virustotal.com/en/file/5532597dc9357ae2a9f3c224b68187eac7234008583477bf9a6d1e4419d1082a/...

https://www.virustotal.com/en/file/a8c1183f0dd7a0a8ae8a5c0ae74b69d08438fe98acc62f936d9ae9ab5a1df861/...

Please let me know what I need to do to get a clean bill of health, now and in the future!

thanks,

Jeff

9 Replies

Re: False Positive: BehavesLike.Win32.Suspicious.rc

I assume it is best to read and follow what was suggested here.

Not the same detection, but a VirusTotal GW one.

jeff_es
Level 7
Message 3 of 10

Re: False Positive: BehavesLike.Win32.Suspicious.rc

Thanks for the link to the related topic. I read through it, and the news is not optimistic considering it's from over a year ago. But let's put that aside, as I still have a problem. That link referenced 2 possible actions to report a FP:

1) https://kc.mcafee.com/corporate/index?page=content&id=KB62662

- which requires "Access to the Web Gateway GUI interface" which I do not have

2) https://secure.mcafee.com/apps/mcafee-labs/dispute-form.aspx?region=us

- which I have used before, and I have never gotten a response. I'm not sure if it was the case on previous attempts (earlier this year), but when I tried it a few days ago, I noticed that it didn't even ask for the sample to be uploaded. I went through it again, and I still don't see any field to indicate the sample.

Re: False Positive: BehavesLike.Win32.Suspicious.rc

Usually we get the software developer to submit the files, but with the NSIS installer involved I am loath to suggest that way, as it is above my experience and the posts in the threads to the left (More like this) do not suggest this. I will, however, ping the tech who did solve 1 user's issue and see if he can visit here.

Re: False Positive: BehavesLike.Win32.Suspicious.rc

My contact will look into this. It may take a while, as the main person who handles such issues is out of the office.

jeff_es
Level 7
Message 6 of 10

Re: False Positive: BehavesLike.Win32.Suspicious.rc

Thanks, Peacekeeper, I appreciate your help.

Re: False Positive: BehavesLike.Win32.Suspicious.rc

If there is no solution in, say, 1 week, post back and I will ask him how it is going.

dmeier
McAfee Employee
Message 8 of 10

Re: False Positive: BehavesLike.Win32.Suspicious.rc

We're working with the app developers on that signature to see what can be done to avoid this particular false, and still provide the protection it was designed for. It will take some time, since we can't really tackle this one file at a time, so please bear with us.

- David

Re: False Positive: BehavesLike.Win32.Suspicious.rc

Thanks David

jeff_es
Level 7
Message 10 of 10

Re: False Positive: BehavesLike.Win32.Suspicious.rc

I assume that by "app developers" you mean the NSIS and/or McAfee-Gateway developers, but I would be happy to help in any way I can. It would certainly be beneficial to me in the long run to get this taken care of. And, after all, we are apparently long-lost cousins...

A couple of things to note:

1) I had to build new installs this morning and I just submitted them to VT. The same 2 installations still have a problem:

https://www.virustotal.com/en/file/7dcd5fdd157c41afed3e3bbbe192ca1f6e700817ae332ed41e1a0c1c36ae8d60/...

https://www.virustotal.com/en/file/e4e716230e935372ecb8fcddb7f81c42636361f4aebc35e14bb18ea64b840d55/...

In case it helps for comparison, I have 2 other NSIS builds that don't have a FP (neither this time nor the previous time, which I didn't mention above):

https://www.virustotal.com/en/file/5734d480dea25344fd0a2c44d41b4903145507d7a31dae6c3aa54f06c3c1a421/...

https://www.virustotal.com/en/file/e03e77bab87eaa92d27c630e4839429b06e8b27228e6d952353e632d7c7b7a0d/...

(For the sake of whitelisting: the hashes referenced in the earlier post are no longer used.)

2) I'm using NSIS v2.46 (the last official build), but yesterday I downloaded the latest beta (v3.0b2) for testing purposes only. I had to gut some of the incompatible script just to get quick results. The lines I removed had to do with the capability to run the installer with elevated privileges (which is standard for installers) but allow the installed program itself (at the end of installation) to launch with normal user privileges. I wasn't sure if this would cause a different analysis, but McAfee-GW still came up with the suspicious result.
