Regis
Level 12

Heuristics ... on a Monday (seriously, does anyone actually live with these things?)

Dear McAfee Web Gateway,

For the 20th time, https://ssl.gstatic.com/analytics/20130611/web/analytics.js probably isn't freakin' malware. You think it's "MGW: Heuristic.BehavesLike.JS.BufferOverflow.O" again, but I strongly suspect it's not. No more than it was the other 19 times I've reported it, going back to November of 2012.

See, here's the problem: the people that monitor Google Analytics for our enterprise's web properties get really cheesed every time Heuristics re-detects analytics.js (because it does frequently change, apparently). When they log in to the analytics site, blocking that file breaks the entire site. And those nearly useless checksum-based whitelist entries the Virus_research_gateway@avertlabs.com team puts in every time I repeatedly report the false positive... cease to be effective when that file changes. You're wasting a lot of people's time. I've had to whitelist that thing in policy now. I hope you're happy.

So, McAfee Web Gateway, if we're going to continue to be friends, could you figure out a way to deal with AV heuristics in a more sustainable fashion than whitelisting specific files by checksum? Because I'm this close to turning heuristics off, much as support urges me not to and assures me that Heuristics are what makes you so special, and I've seen one, at most two, things it actually caught that were a threat in the year I've been running them. See also the enhancement request that's been logged for you for several months on this issue.

Sincerely,

Regis

btlyric
Level 12

Re: Heuristics ... on a Monday (seriously, does anyone actually live with these things?)

We use Heuristics. With a couple dozen configured exceptions...

Regis
Level 12

Re: Heuristics ... on a Monday (seriously, does anyone actually live with these things?)

For all the false-positive chasing you've had with it, can you cite any true-positive success stories? I'm seeking inspiration and I'm hopeful they're out there.

mdc
Level 8

Re: Heuristics ... on a Monday (seriously, does anyone actually live with these things?)

Yes, it caught a Blackhole exploit kit on a major site used by our users. The admins of the site were not aware and subsequently started their cleanup of the site.

michael_schneider

Re: Heuristics ... on a Monday (seriously, does anyone actually live with these things?)

I just looked into that thing. It didn't trigger anything for me (today...). May I ask you for the following: if this happens again, preserve evidence by saving the file and send it to me (mailto will follow in a PM).

thanks,

M.

Regis
Level 12

Re: Heuristics ... on a Monday (seriously, does anyone actually live with these things?)

michael_schneider wrote:

I just looked into that thing. It didn't trigger anything for me (today...). May I ask you for the following - if this happens again, preserve evidence by saving the file and send it to me (mailto will follow in a PM).

thanks,

M.

Hi Michael,

I could cc you when I submit them to the virus research folks going forward.

The more general issue is that the virus_research_gateway folks only seem to have one arrow in their quiver: to whitelist by checksum. They don't seem to be able to say "this Google Analytics URL changes a lot, seems to run afoul of heuristics every time it does... but things from them are very, very unlikely to be malware; let's not flag heuristics on ssl.gstatic.com, or fix the heuristic detection."

Right now, for these problem URLs, I've had to whitelist them on my end by URL, so I'll not know when they run afoul again. Perhaps some interlock with Virus_research_gateway@avertlabs.com and a dialog with them might provide the data you seek and divine a better way to make this easier for customers.

McAfeeGW: Heuristic.BehavesLike.Exploit.CodeExec in various flavors seems to be very prone to false positives on some URLs that are ephemeral for us, but very common. There are at least 10 such detections a day I have to ignore. I believe they are streaming-video related and all in the IP blocks of Akamai or Limelight Networks, and have /idle/[randomalphanumeric]/XXXX where XXXX is a 2- to 4-digit number, e.g.
http://68.142.74.132/idle/yz_mbD8x4V1fij4Z/241

http://90.84.52.150:1935/idle/Wscndz02ySL-iAxZ/1329


Regis
Level 12

Re: Heuristics ... on a Monday (seriously, does anyone actually live with these things?)

Oh, on a lighter note, I do have a story of a good thing coming from a heuristic detection today. I learned that a coworker at this location is also a musician when a likely false positive, MGW: Heuristic.BehavesLike.JS.Unwanted, rolled through on http://www.guitarcenter.com/Includes/GuitarCenter/scripts/minified/cartpage.min.js?version=22.00

I reported it to the research folks earlier today so YMMV.

DBO
Level 9

Re: Heuristics ... on a Monday (seriously, does anyone actually live with these things?)

Today for us it's Verisign...

http://evsecure-ocsp.verisign.com/

http://evsecure-ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9...

Virus: McAfeeGW: Heuristic.BehavesLike.Exploit.CodeExec.C

Generated 10/Jul/2013:08:26:44 -0400 by LQ500-SW01 (McAfee Web Gateway 6.9.3 Build 13514 - [3])

I have submitted to both sites@mcafee.com and TrustedSource.

McAfee Employee

Re: Heuristics ... on a Monday (seriously, does anyone actually live with these things?)

Hi DBO,

Virus detections should not be submitted to sites@mcafee.com; that address is used for site categorization issues.

Refer to KB62662 for virus false positives (https://kc.mcafee.com/corporate/index?page=content&id=KB62662).

I shall take a look and submit it myself as well.

Best,

Jon

DBO
Level 9

Re: Heuristics ... on a Monday (seriously, does anyone actually live with these things?)

You are right... I skipped too much of the KB to find the correct info.

Thank you
