Level 8
Message 1 of 4

False positive Agzrt on VirusTotal

Hello.

I have a problem with an installer: http://auth.zakazrf.ru/Scripts/CryptoURL/AgzrtCryptProvider.Setup.exe

Your antivirus McAfee-GW-Edition thinks that it is BehavesLike.Win32.AdwareFileTour.tc

https://www.virustotal.com/gui/file/a8ff9aeb3153395416da0dcb95b038278e7f6ec6d80669c5a82fa9a23954487b...

Please fix the false positive.

With respect, Andrew
Software developer

1 Solution

Accepted Solutions
McAfee Employee
Message 4 of 4

Re: False positive Agzrt on VirusTotal

1. Okay, I misunderstood this. But my test tested both the URL (category, reputation) and the complete download + scan of it.

2. Okay, but what exactly is the issue you are facing if you have not even installed our antivirus?
This sounds like you are complaining that the VirusTotal report shows McAfee GW Edition reporting "BehavesLike.Win32.AdwareFileTour.tc", but you do not really face an issue since you do not use our product/engine!?
This executable file is just clean when testing through Web Gateway Policy with the GAM engine (with and without GTI lookups enabled), the category/reputation is just fine, and it is also seen as clean by McAfee Endpoint protection.

So I do not face any single issue with this URL/file.

Further, I do not have details about VirusTotal's testing procedure, so I do not know how they test and with which products/engine versions.

Regards,
Marcel Kutrieba
Technical Support Engineer

3 Replies
McAfee Employee
Message 2 of 4

Re: False positive Agzrt on VirusTotal

Hello,

I absolutely cannot reproduce this issue (tried with GTI enabled/disabled, local URL filter DB disabled, etc.). According to trustedsource.org, it has category "Internet Services" and reputation "Minimal Risk", which is also fine.

In this case debug data is definitely required, since the root cause can also be policy related. In order to check this, please open an SR with the information below. This data should not be uploaded here because it contains sensitive information.

To troubleshoot a potential false positive, we need the following debug data:
- feedback file (to double-check your configuration and policy and to perform tests with it)
- rule trace (to double-check which rules and settings were applied for this specific request/response)
- password-protected sample as described in “Virus To File.pdf” in KB62662
- download URL and/or blocked URL
- screenshot of the error message in the browser

Further information here:
https://kc.mcafee.com/corporate/index?page=content&id=KB62662

Once I have received this information, I can try to reproduce the issue with the given sample/URL and check whether your policy is configured as recommended. In case it is a false positive which can be reproduced and is not caused by a misconfiguration in the policy, I can use the provided information and contact our Labs team for further analysis.

Feedback file:
To create a feedback file, navigate to "Troubleshooting" > "Feedback". Then click the "Create Feedback File" button. This provides us with your configuration as well as debug information to help troubleshoot any issues you may be experiencing.

Via CLI:
/opt/mwg/bin/feedback.sh -l 2

Rule trace:
Please navigate to "Troubleshooting" > "Rule tracing central". Enter the client IP you are testing with. Press the "Go" button and reproduce the issue. Afterwards, press the "Stop" button and export all visible traces.

Regards,
Marcel Kutrieba
Technical Support Engineer
Level 8
Message 3 of 4

Re: False positive Agzrt on VirusTotal

1. The problem is not with the URL, but with the file AgzrtCryptProvider.Setup.exe
2. The problem is only with VirusTotal; I do not have your antivirus installed.
3. VirusTotal says that I must ask you first before they can help me.
