False Positive from McAfee-GW-Edition

Hello,

My Dropbox account has been suspended due to this scan report on a file which is definitely not malicious. It was a homemade program which takes the song from Spotify and opens a URL (in the style of xfire?message=song-name-etc) in order to display the song in the Xfire chat client status area.

Is there any way that you can remove my file from the registry (after confirming that it's not malicious) in order to aid me in regaining full control of my Dropbox account? Whilst the 4/41 positives are showing, they're definitely false.

Thanks

6 Replies
Hayton
Level 18
Message 2 of 7

Re: False Positive from McAfee-GW-Edition

Have you got McAfee GW Edition? That's not a Consumer product, so this might need to be moved to another section.

Re: False Positive from McAfee-GW-Edition

Thanks for your reply.

No I don't, I'm going by the Virus Total file scan report (which I linked to in the main post). https://www.virustotal.com/file/1bbd4a7affc21e385190e78809eb21f93d453e7a860adbb964c43b871868ba55/ana...

I found a decompiler for the AHK script, so have got the source code for what the program is.

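; <COMPILER: v1.0.48.5>
SetTitleMatchMode 2        ; match window titles that contain the given text
#WinActivateForce
#singleinstance force      ; a new instance replaces one already running
#persistent                ; keep the script running for the timers
SetTimer, RefreshTrayTip, 1000     ; poll once a second
playingsave := ""
Gosub, RefreshTrayTip
SetTimer, RefreshTrayTip2, 1000
Gosub, RefreshTrayTip2

; Read the Spotify window title and pass it to Xfire when it changes
RefreshTrayTip:
DetectHiddenWindows, On
WinGetTitle, now_playing, ahk_class SpotifyMainWindow
StringTrimLeft, playing, now_playing, 10   ; drop the first 10 characters of the title
if(playing != playingsave) {
    ; open the xfire: URL so Xfire sets its status text
    Run, xfire:status?text= %playing%
    SetTimer, RemoveTrayTip, -5000         ; run RemoveTrayTip once, after 5 seconds
}
playingsave := playing
return

RemoveTrayTip:
    TrayTip
    return

; Show the Spotify window title as the tray icon tooltip
RefreshTrayTip2:
WinGetTitle, title, ahk_class SpotifyMainWindow
Menu, Tray, Tip, %title%
return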

I don't know where else to put this, but after a fortnight of going nowhere with Dropbox support, I need to sort this out with someone here somehow. If you know of a more appropriate forum for it, please move it.

(Virus Total gives the result of "Heuristic.BehavesLike.Win32.ModifiedUPX.C!87")

exbrit
Level 21
Message 4 of 7

Re: False Positive from McAfee-GW-Edition

Moved to Web Gateway as it's that finding the infection. Maybe someone with knowledge of that product can help.

Hayton
Level 18
Message 5 of 7

Re: False Positive from McAfee-GW-Edition

Yes, I saw that VirusTotal report. It's a year old - there's a recent one here (5 out of 44 detections) with a different filename but same MD5 and SHA1.

Looking at that code I couldn't say what would trigger the heuristic detection. It does something the heuristics doesn't like, obviously.

There's a webpage for submitting a program that gets wrongly detected -

https://secure.mcafee.com/apps/mcafee-labs/dispute-form.aspx?region=us

But the page assumes you've got McAfee installed on your system. It asks for details of the McAfee installation, and those are required fields. You can't submit the form without them.

Otherwise you might try emailing the Labs - see

http://www.mcafee.com/us/mcafee-labs/contact-mcafee-labs.aspx

Again though it assumes you've got McAfee installed. You could always download a trial.

Message was edited by: Hayton on 15/11/12 03:16:14 GMT

Re: False Positive from McAfee-GW-Edition

Thanks again Hayton.

I think I might try to send an email first and go from there. I assume that I might as well get in contact with the UK one, as I am from the UK?

exbrit
Level 21
Message 7 of 7

Re: False Positive from McAfee-GW-Edition

McAfee Labs are in the UK anyway.