14 Replies Latest reply on Jan 15, 2010 2:50 AM by Cumbrowski

    How to "White List" False Positives Manually?

      Part 1

       

      McAfee VirusScan has a huge problem with "False Positives" if the computer contains a lot of executables that are compressed with exe-packers/crypters like UPX (http://upx.sourceforge.net/), KKrunchy (http://www.farbrausch.de/~fg/kkrunchy/), UPack or similar tools, and also with unpacker/decrypter tools/plug-ins (including DLLs) for the mentioned packers, like PEiD and similar tools.

       

      Based on my personal observation, there is almost a 1/10 chance that McAfee VirusScan will believe it has detected a Trojan from either the "Artemis!xxxx" or "Generic.dx" family when it encounters any file of that type.

       

      It then moves the presumably infected file automatically into Quarantine, without any option for the user to prevent this from happening, even if the user (me) is absolutely certain that the file in question is not infected by a virus, is not Spyware, and is not even a PUP (potentially unwanted program). Some files that VirusScan detected were compiled by myself and do not just come from a trusted source (I really trust myself, really).

       

      The program/tool with the alleged infection stops working after that, of course. I have to go to Restore\Files, check the file(s) in question and select "Restore". So far so good, but the next time I merely come near the restored file or run a full scan of the system, the file is flagged by VirusScan as infected again and moved to quarantine immediately. I have to turn off McAfee SystemGuard and AntiVirus protection entirely, then restore the NOT infected files from the Quarantine to be able to execute and run them. When I am done and turn McAfee back on, I don't have to wait long before the same files end up in the quarantine once more.

       

      It never provides the option to "trust" any of those files, or any other means (that I know of) which would prevent VirusScan from quarantining those uninfected files again and again. I am sick and tired of manually restoring those files for the same reasons over and over again.

      I even started to leave the McAfee SystemGuards protection OFF entirely, because of the hassles, which defeats the purpose of having the McAfee software in the first place and opens my system up for potential "REAL" threats.

       

      Under Configure\Computer & Files\SystemGuards -> Advanced\Virus Protection\Trusted Lists\Drop-down "Trusted Programs" there is no option to add any files manually. What also bugs me is that I have a few entries in that trusted list that must have been added in cases where something was not flagged as "Infected" but only as "PUP", where I must have selected "Trust". The problem with this list is that it does not show the files or other things (like registry entries) that I flagged as "trusted". It shows, for the most part, only the names of Trojans. (The exception here would be the entry "Kkrunchy Packed".) It seems that those McAfee settings mean that I trust any file that is infected by Trojans, Spyware or Adware "xyz", and not just that I am trusting a certain file on my hard disk which has the characteristics/fingerprint of a certain Trojan. It does not show anything else in the details for those entries, so I have to believe that my assumptions are correct, but that is also not what I intended to happen. Just because I trust a file from a trusted source with the fingerprint of a known threat does not mean I trust any other file from any other source with such a fingerprint.

       

      Summary

       

      I would like to be able to make decisions about what is trusted and not quarantined, for a specific reason, on an individual file basis. Meaning: I want to be able to tell VirusScan to leave a specific file alone if it finds a particular signature match of a specific trojan in that specific file at a specific location on my computer, but I don't want to exclude the file from any further scans (if the file suddenly matches the signature of another threat, it should alert me and ask me what to do, because even false positives could be infected by something real). I do not want to white list a threat itself across my entire system and open it up if the "real one" comes along my way one day.

       

      How do I do that with McAfee SystemGuards and AntiVirus?

       

      Any tips, suggestions and ideas that might help to solve my dilemma are welcome and appreciated. Thanks.

       

       

      Part 2

       

      Somewhat Related Suggestions

       

      1) Every time I click on the link for the "Detection Name" of the threat in the Files Restore screen details, it takes me to http://home.mcafee.com/VirusInfo/ThreatSearch.aspx with an "empty" search for '' performed instead of the name of the Trojan, Virus etc.

      Furthermore, in most of those false positive cases there is no useful information of any kind about the alleged threat in McAfee's database (if you search for it yourself). Take for example "Generic.dx": http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=141693

      The provided information does not help me make an educated decision about whether the file could really be infected, even if it came from a trusted source, or whether it is just another false positive. It does not show anything about what the alleged Trojan does to the system: creating/changing/deleting (system) files, registry modifications, system behavior if infected, purpose and features of the Trojan/Spyware/Virus (collects xyz, tries to do abc, wants to destroy, harvest information (theft) or take control over certain system functions (to become a mindless bot in a hacker spam/DOS-attack bot-net), etc.).

       

      2) Please allow selecting and copying text from within the McAfee software, e.g. lists and detail windows. It is a pain in the neck to start doing your own personal research about what alleged threat McAfee found on my computer if you cannot copy and paste vital information from McAfee to another application such as a web browser. Writing down/typing names like "Artemis!00600d7e2405" by hand into Google's search box is cumbersome and also prone to typos, because of the cryptic nature of most threat names.
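The trust policy asked for in the Summary of Part 1 (trust one file, at one path, for one detection name, and still get alerted if the file changes or a different signature matches it) can be stated precisely as a small decision routine. The following Python module is an added illustration of that policy; it is not McAfee code and VirusScan offers no such interface. The ScanHit record layout, the decision strings, the file paths and the sample bytes are all constructed for the example.

```python
"""Per-file, per-detection allowlist for antivirus false positives.

Added example modelling the trust policy requested in the thread.  Not
McAfee code; the scanner record layout (ScanHit), the decision strings,
the paths and the sample bytes below are all hypothetical/constructed.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanHit:
    """One detection as a hypothetical scanner might report it."""
    path: str        # where the file lives on this machine
    sha256: str      # hash of the file content at scan time
    detection: str   # scanner's detection name, e.g. "Generic.dx"


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _norm(path: str, detection: str):
    # Paths and detection names are compared case-insensitively.
    return path.lower(), detection.lower()


class Allowlist:
    """Trust is keyed on (path, content hash, detection name), never on the
    detection name alone, so the same signature on any other file still fires."""

    def __init__(self):
        self._entries = set()

    def trust(self, path: str, data: bytes, detection: str) -> None:
        """Record that this exact content at this path is a known false
        positive for this one detection name."""
        p, d = _norm(path, detection)
        self._entries.add((p, sha256_of(data), d))

    def decide(self, hit: ScanHit) -> str:
        """Map a detection to an action: 'suppress', an 'alert:*' that asks
        the user, or 'quarantine' (the scanner's default)."""
        p, d = _norm(hit.path, hit.detection)
        if (p, hit.sha256, d) in self._entries:
            return "suppress"               # the one known false positive
        same_path = [e for e in self._entries if e[0] == p]
        if any(e[1] == hit.sha256 for e in same_path):
            return "alert:new-detection"    # trusted bytes, different signature
        if same_path:
            return "alert:file-changed"     # trusted path, content no longer matches
        return "quarantine"                 # untrusted file: default action


def demo() -> dict:
    """Run the policy over constructed inputs and return the decisions."""
    packed = b"MZ constructed sample standing in for a packed exe"   # constructed
    other = b"MZ a different constructed program"                    # constructed
    al = Allowlist()
    al.trust(r"C:\tools\kkrunchy.exe", packed, "Generic.dx")
    h = sha256_of(packed)
    return {
        "same file, same name": al.decide(
            ScanHit(r"C:\tools\kkrunchy.exe", h, "generic.dx")),
        "same file, other name": al.decide(
            ScanHit(r"C:\tools\kkrunchy.exe", h, "Artemis!EXAMPLE")),  # placeholder name
        "file modified": al.decide(
            ScanHit(r"C:\tools\kkrunchy.exe", sha256_of(packed + b"!"), "Generic.dx")),
        "other file, same name": al.decide(
            ScanHit(r"C:\downloads\other.exe", sha256_of(other), "Generic.dx")),
    }


if __name__ == "__main__":
    for case, action in demo().items():
        print(f"{case:24} -> {action}")
```

The key design choice is that the allowlist entry carries the content hash: a trusted file that is later modified (which is exactly what a real infection of a formerly clean file would look like) no longer matches and is raised to the user rather than silently allowed, and a second file elsewhere that triggers the same "Generic.dx" name gets no benefit from the entry at all.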

        • 1. Re: How to "White List" False Positives Manually?

          Oh, I forgot to mention the McAfee product versions and the OS(s) that I am using.

           

          - McAfee SecurityCenter V9.15 Build 9.15.135 AffId 108
          - VirusScan V13.15 Build 13.15.102 AffId 108
          - Engine Version: 5301.4018
          - DAT Version: 5797.0000
          - Personal Firewall V10.15 Build 10.15.103 AffId 108

           

          I have a Win XP Pro SP3 32 Bit System and a Win Vista Ultimate SP1 64 Bit System.

          I have the same problems on both machines.

           

          Thanks.

          • 2. Re: How to "White List" False Positives Manually?
            Peter M

            Carsten,

             

            Excellent points and ones that we have been proposing for years, but obviously such "improvements" are low on the priority list.

             

            The best way to be effective in moulding how products are designed is to participate in McAfee's Beta programmes where one can file bug reports and feedback all the time on the proposed products.

             

            Of course one would need to have a spare system sitting around to test these on.  I wouldn't recommend doing it on your work machine or your main home machine.

             

            Whitelisting false positives can't be done within the interface itself. You would have to follow the procedures outlined here: http://community.mcafee.com/message/88173#88173

             

            The Beta programmes are outlined here: http://community.mcafee.com/message/64611#64611

            • 3. Re: How to "White List" False Positives Manually?

              Hi Peter,

               

              Thanks for your reply. Is there no way to flag "false positives" as such and prevent the software from making this false positive decision over and over again?

               

              I checked out the post that you referred to. I used Webimmune.net again (I already used them in the past for something else) to submit the stuff where I am darn certain that the software is wrong.

              I sent 3 files, the original "kkrunchy_023a.zip" archive as I downloaded it from the official Farbrausch.de web site (the guys who wrote the tool). You can download it here http://www.farbrausch.de/~fg/kkrunchy/

               

               

              Analysis ID: 5640215 https://www.webimmune.net/ViewAnalysis.asp?AnalysisID=5640215

              Name           Findings           Detection   Type    Extra
              kkrunchy.exe   current detection  generic.dx  Trojan  no

              current detection [ kkrunchy.exe ]

               

              The file received is infected and can be detected and removed with our current DAT files and engine. It is recommended that you update your DAT and engine files and scan your computer again.
              If you are not seeing this with the product you are using, please speak with technical support so that they can help you determine the cause of this discrepancy.

               

              Great... no, it's not. What now? Speak with a tech support guy? I currently have 64 files that get more or less moved in and out of quarantine. Even text files and plain source code of mine. Various tools, some DLLs and a bunch of personal stuff that is none of McAfee's business (for example the plain text documents and source code). I don't know, but I also have much better things to do than to discuss how good friends my friends are, to trust them, and how trustworthy trusted sources can or cannot be. And even if I am going to do that, how does McAfee solve the problem with the false positive (especially when it comes to files that are unique to my PC)?

               

               

              Another example... "Ghostwriter", a tool written by a friend of mine in Germany (it can be downloaded here: http://forum.deltaforceteam.de/forum/viewtopic.php?f=1&t=222)

               

               

              Analysis ID: 5640208 https://www.webimmune.net/ViewAnalysis.asp?AnalysisID=5640208
              Name     Findings             Detection      Type    Extra
              gw.exe   heuristic detection  new malware.n  Trojan  no

              heuristic detection [ gw.exe ]

               

              Well, the only solution for those seems to be:  "Scan for unknown Viruses" Disabled for real-time scanning and custom scans

               

              The third submission was a DLL plug-in for the exe-UNpacker PEiD (which can be downloaded here: http://www.peid.info/BobSoft/Plugins.html)

              VirusScan quarantined it because of an alleged infection with "Artemis!1C8C2A30DEFF0"

               


              Analysis ID: 5640213 https://www.webimmune.net/ViewAnalysis.asp?AnalysisID=5640213

               

              Name           Findings      Detection  Type  Extra
              imploder.dll   inconclusive                    no

              inconclusive [ imploder.dll ]

              Upon analysis the file submitted does not appear to contain one of the 200,000 known threats in the AutoImmune database. The file may contain a new threat, or no code capable of being infected. Your submission is being forwarded to an Avert Labs Researcher for further analysis. You will be contacted by AVERT through e-mail with the results of that analysis.


              Interesting... there it's inconclusive. Mmhh.

               

              Removing Security Center is not the solution. Having no Anti-Virus software might take care of my issues with the Anti-Virus software, but it creates other issues, which are the reason for getting the Anti-Virus software in the first place.

              I cannot believe that there is no other way. This kind of stuff makes me vulnerable to attacks. You cannot trust your anti-virus solution, you turn it off when you should not, and maybe you ignore a vital alert that is actually a real threat to your system.

               

              My problems might not be the problems of Joe Everybody, but they are certainly also not unique. Gosh, I am longing for the time when McAfee was just a "scan.exe", "clean.exe" and a DAT file, and even provided options for the user to do stuff themselves until the software was updated again (in this case the option to search for custom patterns that are unknown to the current version of the software, a godsend when a local dude's "programming experiment" was on the loose and spreading like a... yeah, virus, hehe, weeks before McAfee got to know about it. Well, pre-Internet times).

               

              Are there some "unofficial options" maybe? A registry setting or a value that can be added to a text or XML config file or something?

               

              • 4. Re: How to "White List" False Positives Manually?
                Peter M

                Cumbrowski wrote:

                 

                Hi Peter,

                 

                Thanks for your reply. Is there no way to flag "false positives" as such and prevent the software from making this false positive decision over and over again?

                 

                I checked out the post that you referred to. I used Webimmune.net again (I already used them in the past for something else) to submit the stuff where I am darn certain that the software is wrong.

                I sent 3 files, the original "kkrunchy_023a.zip" archive as I downloaded it from the official Farbrausch.de web site (the guys who wrote the tool). You can download it here http://www.farbrausch.de/~fg/kkrunchy/

                 

                 

                Analysis ID: 5640215 https://www.webimmune.net/ViewAnalysis.asp?AnalysisID=5640215

                Name           Findings           Detection   Type    Extra
                kkrunchy.exe   current detection  generic.dx  Trojan  no

                current detection [ kkrunchy.exe ]

                 

                The file received is infected and can be detected and removed with our current DAT files and engine. It is recommended that you update your DAT and engine files and scan your computer again.
                If you are not seeing this with the product you are using, please speak with technical support so that they can help you determine the cause of this discrepancy.

                 

                Great... no, it's not. What now? Speak with a tech support guy? I currently have 64 files that get more or less moved in and out of quarantine. Even text files and plain source code of mine. Various tools, some DLLs and a bunch of personal stuff that is none of McAfee's business (for example the plain text documents and source code). I don't know, but I also have much better things to do than to discuss how good friends my friends are, to trust them, and how trustworthy trusted sources can or cannot be. And even if I am going to do that, how does McAfee solve the problem with the false positive (especially when it comes to files that are unique to my PC)?

                 

                 

                Another example... "Ghostwriter", a tool written by a friend of mine in Germany (it can be downloaded here: http://forum.deltaforceteam.de/forum/viewtopic.php?f=1&t=222)

                 

                 

                Analysis ID: 5640208 https://www.webimmune.net/ViewAnalysis.asp?AnalysisID=5640208
                Name     Findings             Detection      Type    Extra
                gw.exe   heuristic detection  new malware.n  Trojan  no

                heuristic detection [ gw.exe ]

                 

                Well, the only solution for those seems to be:  "Scan for unknown Viruses" Disabled for real-time scanning and custom scans

                 

                The third submission was a DLL plug-in for the exe-UNpacker PEiD (which can be downloaded here: http://www.peid.info/BobSoft/Plugins.html)

                VirusScan quarantined it because of an alleged infection with "Artemis!1C8C2A30DEFF0"

                 


                Analysis ID: 5640213 https://www.webimmune.net/ViewAnalysis.asp?AnalysisID=5640213

                 

                Name           Findings      Detection  Type  Extra
                imploder.dll   inconclusive                    no

                inconclusive [ imploder.dll ]

                Upon analysis the file submitted does not appear to contain one of the 200,000 known threats in the AutoImmune database. The file may contain a new threat, or no code capable of being infected. Your submission is being forwarded to an Avert Labs Researcher for further analysis. You will be contacted by AVERT through e-mail with the results of that analysis.


                Interesting... there it's inconclusive. Mmhh.

                 

                Removing Security Center is not the solution. Having no Anti-Virus software might take care of my issues with the Anti-Virus software, but it creates other issues, which are the reason for getting the Anti-Virus software in the first place.

                I cannot believe that there is no other way. This kind of stuff makes me vulnerable to attacks. You cannot trust your anti-virus solution, you turn it off when you should not, and maybe you ignore a vital alert that is actually a real threat to your system.

                 

                My problems might not be the problems of Joe Everybody, but they are certainly also not unique. Gosh, I am longing for the time when McAfee was just a "scan.exe", "clean.exe" and a DAT file, and even provided options for the user to do stuff themselves until the software was updated again (in this case the option to search for custom patterns that are unknown to the current version of the software, a godsend when a local dude's "programming experiment" was on the loose and spreading like a... yeah, virus, hehe, weeks before McAfee got to know about it. Well, pre-Internet times).

                 

                Are there some "unofficial options" maybe? A registry setting or a value that can be added to a text or XML config file or something?

                 

                 

                By submitting files, and then, when they reply saying it's infected, replying that no, it's not, they will re-evaluate their findings. That's how you stop it. That's the only way. Trying to do registry edits or altering scripts will cause problems.

                • 5. Re: How to "White List" False Positives Manually?

                  While the present "Quarantine" procedure is, in some ways, an improvement over the "outright automatic deletion" of earlier VirusScan releases, the lack of choice of action by the user is more than a shortcoming.  The lack of end-user resultant action (aka "whitelisting") is a definite deficiency.  From the selection of an Anti-Virus or any other software product, through installation and implementation, the control of the user's ("customer's") PC(s) ultimately devolves to that user, and should never be usurped by the software product or the developers.

                   

                  It is regrettable that, even in the face of repeated occurrences and requests, the "whitelist" functionality remains absent.  This leads to a set of recourses that are not in the best interests of anyone.  The user (customer) may, as aforementioned, disable "System Guards" to prevent an undesired action.  The resultant effect opens the proverbial "barn door" to other infection(s).  While the user is encouraged to "submit" the questionable detection for review,  the detection items remain "quarantined" and the review process makes "watching paint dry" a short-term event.

                   

                  The user (customer) may run in a restricted or deficient configuration due to full or partial disablement of other products, or may simply uninstall the Anti-Virus/Security software product/suites.  While the user may (hopefully) install alternative products/suites, the resultant action(s) cannot be construed, in any way, to be in the greater interests to McAfee.

                   

                  I would welcome, no, strongly encourage, the implementation of more expansive user control of the detection and resultant actions of all the products under the aegis of the McAfee line.  As a start, a simple "operating mode" would offer automatic detection and quarantine (perhaps even as the "default"), while providing one or more modicums of user control akin to the options currently used for PUPs ("potentially unwanted products/programs").  This "whitelisting" functionality would greatly ameliorate the effects of "false positives" (the politically-correct term for an errant determination) on end users ("customers").  While implementing such, the option to have the user request automatic submission of the offending item with McAfee's determinations would enable a more rapid and productive feedback of detection information.

                   

                  I am reluctant to cite other products illustrative of this user ("customer") control and management of detections.  Unless one is living in a bubble, one has most likely installed and used the other products, particularly during the "anti-spyware" fashion era.  I personally experienced the "false detection" of a single module in another vendor's product (in fact, a known and reputable anti-spyware company), crippling the product for 47 days before the "DAT" update that finally removed the false detection.

                   

                  Perhaps the time is now for reconsideration of this capability in all the McAfee products.

                   

                  .... I must look for my tin-hat ....

                   

                  (Edits for grammar and punctuation)

                   

                  Message was edited by: SeanMc98 on 11/16/09 7:32 AM

                   

                  (Second edit for parentheses closure)

                   

                   

                  Message was edited by: SeanMc98 on 11/16/09 7:35 AM
                  • 6. Re: How to "White List" False Positives Manually?
                    Peter M

                    We've asked over and over again for this feature to be reintroduced (to be able to ignore files and/or folders and approve detections) & they say that they are considering our requests.   It used to be a feature of the home products a few years ago and still is in the Enterprise (Corporate) products.

                     

                    Your best way of getting your voice across is to beta test products and file lots of Bug Reports and Feature Requests. It's also a neat way of getting free protection if one doesn't mind the odd quirk and/or crash. Useful if you have a spare system, as in a multi-boot scenario such as on my machine, where I boot 2 Vista and 2 Windows 7 systems.

                     

                    See: http://community.mcafee.com/message/64611#64611

                    • 7. Re: How to "White List" False Positives Manually?

                      "reply saying no it's not"

                       

                      How do you do that? I did not see any option to do that, except for the message "please speak with technical support" without details on how to do that, but I am sure that this information is buried on the WebImmune website somewhere.

                      • 8. Re: How to "White List" False Positives Manually?

                        "We've asked over and over again for this feature to be reintroduced (to be able to ignore files and/or folders and approve detections) & they say that they are considering our requests.   It used to be a feature of the home products a few years ago and still is in the Enterprise (Corporate) products."

                         

                        The thing is that I need the software that is quarantined incorrectly by McAfee so I need to disable McAfee, and then restore the files from the Quarantine to be able to use them.

                        This has the effect that I keep McAfee more and more OFF instead of on, which defeats the purpose of having the software installed on the computer in the first place.

                         

                        So there are 3 options now. If you see any other options than those, please let me know.

                         

                        1) Switch the anti-virus software provider. Write off the investment in time and money into the current one and make another investment hoping for the best.

                         

                        2) Wait for McAfee to fix their software (It's not a feature, it's a fix of an essential option that should have been there and never been removed. I am still somewhat in a state of disbelief about your statement that they removed it. They removed the lights from your car, because they think that you won't want to drive your car at night.)

                         

                        3) Get a cracked version of the corporate product and run it on your home network, and if McAfee comes after you, point to your Home License and say "Sue Me" and let a judge decide. Then countersue them for neglecting their obligations to their customers (you and me), which forced you to take things into your own hands and take drastic steps that were unfortunately necessary to compensate for the failures of the service/software provider, which was still cheaper and less time consuming than switching the vendor entirely, though.

                         

                        Unbelievable!

                        • 9. Re: How to "White List" False Positives Manually?
                          Peter M

                          Until that option is introduced in the Consumer products, I have already given a link much earlier on to what to do.

                           

                          http://community.mcafee.com/message/88173#88173

                           

                          Regarding that remark, I was referring to the email submission described in that link... if their reply doesn't agree with you, you reply to that email disputing their findings.
