cancel
Showing results for 
Search instead for 
Did you mean: 
itflyer
Level 7

False positive Heuristic.BehavesLike.JS.Suspicious.A

Jump to solution

I administrate several PHPBB3 forum sites on different servers. I have been inundated with email from users today who are unable to access the sites. When they attempt to access the sites, they are shown this error:

Request Blocked by Proactive Scanning

Your request to URL "http://goldwingdocs.com/forum/index.php/" has been Blocked by McAfee Web Gateway Proactive Scanning. The program could potentially perform operations, which is not allowed by your administrator at this time.

Malware Name:

McAfeeGW: Heuristic.BehavesLike.JS.Suspicious.A

URL:

http://goldwingdocs.com/forum/index.php

File:

http://goldwingdocs.com/forum/index.php/

File Type:

-

Reputation Level:

Neutral

The version of the scanner is McAfee-GW-Edition2010.1D.

Utilizing http://www.virustotal.com to examine a large number of PHPBB3 forum sites, it appears that this version of McAfee is reporting virtually every PHPBB3 board with this false positive - including the PHPBB home site forum at http://phpbb.com/community/index.php

Please fix this false positive problem quickly!

0 Kudos
1 Solution

Accepted Solutions
itflyer
Level 7

Re: False positive Heuristic.BehavesLike.JS.Suspicious.A

Jump to solution

I did submit a sample, along with a note that this was happening to EVERY current PHPBB site in the world.

They replied with "thank you, we detected no malware, and have whitelisted your site."

That's great, what about my other three sites, as well as the thousands of other PHPBB sites that were still being blocked?

I resubmitted a sample again, this time with a more strongly-worded note regarding the problem.

I did not receive a reply to this one, but the next version of the data files (McAfee-GW-Edition2010.1E) no longer detected the false positives on PHPBB sites, so I guess they have fixed the problem.

0 Kudos
4 Replies
Proximus
Level 7

Re: False positive Heuristic.BehavesLike.JS.Suspicious.A

Jump to solution

This would be greate, because of this our Whitelist is getting unnecessarly bigger...

Message was edited by: Proximus on 10/12/11 09:49:19 CST

on 10/12/11 09:49:27 CST
0 Kudos
exbrit
Level 21

Re: False positive Heuristic.BehavesLike.JS.Suspicious.A

Jump to solution

I moved this provisionally from Malware Discussion > Corporate User Assistance to Web Gateway for better attention.

0 Kudos
asabban
Level 17

Re: False positive Heuristic.BehavesLike.JS.Suspicious.A

Jump to solution

Hello,

I am sorry but I don´t think that any of the community members can quickly solve false positive detections. False detections should be reported directly to Support/Labs. To do so, please go to

https://mysupport.mcafee.com

Login with your account and then check Interactive Support -> Submit a Sample.

Sorry for the inconvenience.

best,

Andre

0 Kudos
itflyer
Level 7

Re: False positive Heuristic.BehavesLike.JS.Suspicious.A

Jump to solution

I did submit a sample, along with a note that this was happening to EVERY current PHPBB site in the world.

They replied with "thank you, we detected no malware, and have whitelisted your site."

That's great, what about my other three sites, as well as the thousands of other PHPBB sites that were still being blocked?

I resubmitted a sample again, this time with a more strongly-worded note regarding the problem.

I did not receive a reply to this one, but the next version of the data files (McAfee-GW-Edition2010.1E) no longer detected the false positives on PHPBB sites, so I guess they have fixed the problem.

0 Kudos