Who Me Too'd this topic

cancel
Showing results for 
Search instead for 
Did you mean: 

Who Me Too'd this topic

How to "White List" False Positives Manually?

Part 1

McAfee VirusScan has a huge problem with "False Positives", if the computer contains a lot of executables that are compressed with exe-packers/crypters like UPX (http://upx.sourceforge.net/), KKrunchy (http://www.farbrausch.de/~fg/kkrunchy/), UPack or similar tools and  also with unpacker/decrypter tools/plug-ins (including DLLs) for the mentioned packers like PEiD and similar tools.

There is based on my personal observation almost a 1/10 chance that McAfee VirusScan will believe that it detected a Trojan from either the "Artemis!xxxx" or "Generic.dx" family when it encounters any files of that type.

It then moves the presumably infected file automatically into Quarantine, without the option for the user to prevent this from happening, even if the user (me) is absolutely certain, that the file in question is not infected by a virus, nor being Spyware, or even a PUP (potentially unwanted program). Some files that VirusScan detected were compiled by myself and are not just coming from a trusted source (I really trust myself, really).

The program/tool with the alleged infection stops working after that of course. I have to go to Restore\Files, check the file(s) in question and select "Restore". So far so good, but next time I come only near to the restored file or run a full scan of the system, the file is being flagged by VirusScan again as infected and moved to quarantine immediately. I have to turn off McAfee SystemGuard and AntiVirus protection entirely, then restore the NOT infected files from the Quarantine to be able to execute and run them. When I am done and turn McAfee back on I don't have to wait for long and the same files end up in the quarantine once more.

It never ever provides the option to "trust" any of those files or any other means (that I know of), which would prevent VirusScan to quarantine those not infected files again and again. I am sick and tried of manually restoring those files for the same reasons over and over again.

I even started to leave the McAfee SystemGuards protection OFF entirely, because of the hassles, which defeats the purpose of having the McAfee software in the first place and opens my system up for potential "REAL" threats.

Under Configure\Computer & Files\SystemGuards -> Advanced\Virus Protection\Trusted Lists\Drop-down "Trusted Programs" is no option to add any files manually. What also bugs me, is that I have a few entries in that trusted list, that must have been added to it in cases where something was not flagged as "Infected" and only as "PUP", where I must have selected "Trust". The problem with this list is that it does not show the files or other things (like registry entries) that I flagged as "trusted". It shows for the most part only the names of Trojans. (Exception here would be the entry "Kkrunchy Packed"). It seems that those McAfee settings mean that I trust any file that is infected by Trojans, Spyware, Adware "xyz" and not just that I am trusting a certain file on my hard disk, which has characteristics/finger print of a certain Trojan. It does not show anything else in the details for those entries so I have to believe that my assumptions are correct, but that is also not what I intended to happen. Only because I am trusting a file from a trusted source with a finger print of a known threat, I am not trusting any other file from any other source with such a finger print.

Summary

I would like to be able to make decisions about what is trusted and not being quarantined for a specific reason on an individual file basis, meaning that I want to be be able to tell VirusScan to let a specific file alone, if it finds a particular signature match of a specific trojan in a specific file at a specific location on my computer, but don't want to exclude the file from any other further scans (if the file suddenly matches the signature of another threat, it should alert me and ask me what to do, because even false positives could be infected by something real). I do not want to white list a threat itself across my entire system to open it up if the "real one" comes along my way one day.

How do I do that with McAfee SystemGuards and AntiVirus?

Any tips, suggestions and ideas that might help to solve my dilema are welcome and appreciated. Thanks.

Part 2

Somewhat Related Suggestions

1) Every time when I click on the link for the "Detection Name" of the threat in the Files Restore screen details, it takes me to http://home.mcafee.com/VirusInfo/ThreatSearch.aspxwith an "empty" search for '' performed instead of the name of the Trojan, Virus etc.

Furthermore, in most of those false positives cases do not exist any kind of useful information about the alleged threat in McAfee's database (if you search for it by yourself). Take for example "Generic.dx" http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=141693

The provided information do not help me to make an educated decision about, if the file could may be really be infected, even if it came from a trusted source or if it is just another false positive. It does not show anything that the alleged Trojan does to the system (creating/changing/deleting (system)files, registry modifications, system behavior if infected, purpose and features of the Trojan/Spyware/Virus (collects xyz, tries to do abc, wants to destroy, harvest information (theft) or take control over certain system function (to become a mindless bot in a hacker spam/DOS-attack bot-net etc.)

2) - Please allow to select and copy text from within the McAfee software, e.g. lists and detail windows. It is a pain in the neck to start doing your own personal research about what alleged threat McAfee found on my computer, if you cannot copy and paste vital information from McAfee to another application such as a web browser. Writing down/typing names like "Artemis!00600d7e2405" by hand into Google's search box is cumbersome and also prone to typos, because of the cryptic nature of most threat names.

Who Me Too'd this topic

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community