Regis
Level 12

Ode to Heuristic.BehavesLike.JS.Exploit.A (and other false positives that have brightened my week)

Anyone else visit McAfee platinum partner http://accuvant.com/ through an MWG today?

Anyone in a position to fix that?

I'd also enjoy it if Heuristic.BehavesLike.Win32.ModifiedUPX.C wouldn't fire on GotoAssistStarter.exe down under broker.gotoassist.com. Time to go manually grab, encrypt, scp, and try to find where to submit false positives in the way McAfee mandates.

on 1/31/13 3:00:10 PM CST
0 Kudos
4 Replies
eelsasser
Level 15

Re: Ode to Heuristic.BehavesLike.JS.Exploit.A (and other false positives that have brightened my week)

Well, it's pretty understandable why it would trigger on malware when the redirect page is using highly obfuscated code.

Do they really, really need to put in a ton of JavaScript just to redirect from accuvant.com to www.accuvant.com?

[screenshot attachment: Capture.png]

It seems a little excessive for a simple 302 redirect.

And keep in mind, these are the same techniques that real exploit pages use, so I'd rather have it blocked.

0 Kudos
Regis
Level 12

Re: Ode to Heuristic.BehavesLike.JS.Exploit.A (and other false positives that have brightened my week)

That's above our pay grade. The point is it's highly likely to be a false positive, or McAfee's preferred quickstart consulting partner for web gateway is... owned?

I almost forgot to add to my false positive rant of the quarter:

The venerable fiddler2 interactive debugging web proxy is also getting caught up in a heuristic detection (or at least it was yesterday) despite nothing on virustotal saying a word about it. Irony of course is that this tool is indispensable in figuring out what/when/why MWG is blocking a given bit of client web traffic.

http://www.getfiddler.com/dl/Fiddler2Setup.exe

McAfeeGW: Heuristic.BehavesLike.Win32.Suspicious-PKR.G

https://www.virustotal.com/file/64ee0eb10775bb1d314f3f3461d2d023c6253eb948f1e7f7cffba16ecca6b109/ana...

But I suppose the onus is on us customers to report all those back. 

on 1/31/13 3:55:06 PM CST
0 Kudos
fwmonitor
Level 7

Re: Ode to Heuristic.BehavesLike.JS.Exploit.A (and other false positives that have brightened my week)

This Ajax code redirects to an Incapsula CDN network, which is outside of accuvant.com's responsibility. The URL is calculated at runtime on the user's side in the browser and cannot be statically set on Accuvant's web server side with a 30x redirect :-(

0 Kudos
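To illustrate eelsasser's point that an obfuscated redirect looks like exploit-page code to a behavioural signature, and fwmonitor's note that the target URL is assembled at runtime, here is an added example that is not code from this thread, from McAfee or from Accuvant: a toy static scoring heuristic in the spirit of a BehavesLike.JS rule, run over two constructed scripts, a packed redirect and the same redirect written plainly. The rule names, weights, threshold and sample scripts are my own assumptions.

```javascript
// Added example: a toy "BehavesLike"-style static scorer. It does not model McAfee's
// actual engine; it only shows why packed-but-benign redirects and exploit landing
// pages share the constructs such heuristics key on. All samples are constructed.
const SUSPICIOUS = [
  { name: "eval",            re: /\beval\s*\(/g,                                     weight: 3 },
  { name: "fromCharCode",    re: /String\.fromCharCode/g,                            weight: 2 },
  { name: "unescape",        re: /\bunescape\s*\(/g,                                 weight: 2 },
  { name: "document.write",  re: /document\.write\s*\(/g,                            weight: 2 },
  { name: "numeric array",   re: /\[(?:\s*(?:0x[0-9a-f]+|\d+)\s*,){8,}/gi,           weight: 3 },
  { name: "location set",    re: /location(?:\.href|\.replace)?\s*[=(]/g,            weight: 1 },
];

// Score a script body; verdict is "block" at or above the (assumed) threshold of 6.
function scoreScript(src) {
  const hits = [];
  let score = 0;
  for (const rule of SUSPICIOUS) {
    const n = (src.match(rule.re) || []).length;
    if (n > 0) { hits.push(rule.name); score += rule.weight * n; }
  }
  // Escaped-byte noise (\xNN or %NN) rises with packing; capped so it cannot dominate.
  const noise = (src.match(/\\x[0-9a-f]{2}|%[0-9a-f]{2}/gi) || []).length;
  score += Math.min(noise, 10);
  return { score, hits, verdict: score >= 6 ? "block" : "allow" };
}

// Constructed sample 1: a benign redirect to www.example.com, packed the way a
// CDN bootstrap script might be (char-code array + unescape + eval).
const OBFUSCATED_REDIRECT =
  'var t=[119,119,119,46,101,120,97,109,112,108,101,46,99,111,109];' +
  'var h="";for(var i=0;i<t.length;i++)h+=String.fromCharCode(t[i]);' +
  'eval(unescape("%77%69%6e%64%6f%77.location.href=\\"https://\\"+h+\\"/\\""));';

// Constructed sample 2: the same redirect written plainly.
const PLAIN_REDIRECT = 'window.location.href = "https://www.example.com/";';

// Both scripts do exactly the same thing in a browser; only the first one scores
// like a landing page, which is the false-positive trade-off the thread is about.
console.log(scoreScript(OBFUSCATED_REDIRECT)); // verdict "block"
console.log(scoreScript(PLAIN_REDIRECT));      // verdict "allow"
```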
Regis
Level 12

Re: Ode to Heuristic.BehavesLike.JS.Exploit.A (and other false positives that have brightened my week)

So, was the heuristic actually blocking something malicious from the CDN?

Some time today, Accuvant apparently changed their web page code so this issue no longer exists.

0 Kudos