7 Replies Latest reply on Dec 16, 2009 6:40 AM by SamSwift

    Super QM!:::::False Positive xerces-c_2_7.dll in GSE 6.0.3

      I wonder about the lot of False Positives in the last few months.

      There are DLLs from Microsoft VS2003, Boundschecker, BeyondCompare 2.0, BullseyeCoverage,

      and now today xerces-c_2_7.dll (a DLL from Apache) in GSE 6.0.3.

      All these False Positives are in software packages from the top market leaders.

       

      The question is: What about the QM division of McAfee? Are they on vacation?

      or Christmas shopping?

       

      Waspy

        • 1. Re: Super QM!:::::False Positive xerces-c_2_7.dll in GSE 6.0.3

          Good afternoon

           

          I understand your frustration and would strongly urge you to report this:

           

           

           

          Message was edited by: Sjoerd Grimmelijkhuizen on 15/12/09 16:12:52 GMT

           

           

          on 15/12/09 16:22:27 GMT
          • 2. Re: Super QM!:::::False Positive xerces-c_2_7.dll in GSE 6.0.3
            SamSwift

            Just to clarify - KB66642 is not for false positive reporting - KB67411 is the one you need. I'd also recommend logging a case with support to have this escalated.

             

            Also - GSE 6.0.3 is end of life so requires upgrading please. We do not test any of our software/update files against EOL products.

             

            Kind regards,

             

            Sam

             

             

            Message was edited by: SamPrice on 12/15/09 11:38:50 AM CST
            • 3. Re: Super QM!:::::False Positive xerces-c_2_7.dll in GSE 6.0.3

              Hi

               

              With regard to the xerces-c_2_7.dll file, our Senior Virus Research Engineers have examined the file and suppressed the false.

               

              This detection has been corrected in the current DAT set.

               

              Solution -

               

              Please update your DAT files to correct detection of these files.

               

              If you utilize the McAfee VirusScan Online or VirusScan Retail products, and do not have the Dat File Version specified, please send an e-mail to extradat@avertlabs.com to request an extra.dat for your product. You must include the Analysis ID number found in the subject line of this message to receive the extra.dat file.

               

              Regards

              Neha

              • 4. Re: Super QM!:::::False Positive xerces-c_2_7.dll in GSE 6.0.3

                Hello Neha,

                 

                Sorry for my heavy hint yesterday.

                But I was really, really angry about the many false positives in the last month.

                xerces-c_2_7.dll is a very old DLL from the Apache Foundation and is used by many products (also the outdated GSE 6.0).

                I got about 13 false positive messages yesterday from different products...!

                 

                Thank you for pushing up the thread analysis,

                because so far (12/16/09 10:00am CET) I have received no reply to

                 

                 

                Analysis ID: 5687188

                Name              Findings             Detection       Type    Extra
                xerces-c_2_7.dll  detection escalated  generic!bg.gvr  Trojan  no


                Webimmune is the other nightmare....

                 

                 

                 

                 

                 

                best regards

                Waspy

                 

                 

                Message was edited by: Waspy on 12/16/09 4:37:02 AM CST
                • 5. Re: Super QM!:::::False Positive xerces-c_2_7.dll in GSE 6.0.3
                  SamSwift

                  Hi,

                   

                  The best way to submit potential falses is as follows:

                  If you believe a false detection or misclassification has occurred with a particular file, use the steps below to submit the sample in question to McAfee Labs for review. 

                  When analysis of the sample is complete, one of the following will occur:

                  • The sample is considered clean, detection is suppressed and will be updated in the earliest DAT release.
                  • The sample is misclassified, reclassification will occur and detection will be updated in the earliest DAT release.
                  • Analysis of the file determines that the sample is properly detected. The customer will be notified of the results.

                  False Positive Submission Procedure:

                  1. When submitting a sample, send it to the McAfee Labs Virus Research mailbox: virus_research@avertlabs.com
                  2. All false positive samples should have the word FALSE in the subject line. Example subject line:

                  FALSE: In-house file being detected by McAfee

                  3. Ensure that you include the On Access / On Demand Scan log files of the McAfee product along with the DAT and engine versions in use at the time. Also, include any other relevant information regarding why you believe the file has been incorrectly detected. This information will be helpful during our analysis of the sample. Example email message:

                  Hello,

                  Please review the attached file as we believe this is a false detection.

                  Product: VirusScan Enterprise 8.7
                  DAT version: 5427
                  Engine: 5300
                  Description of issue: This application has been developed as an in-house tool for cleaning our databases. Please see the attached OAS/ODS log file showing this detection by VirusScan.

                  Thanks,

                  NOTE: Failure to supply all of the information requested above may result in delays in the analysis process.

                   

                  Hope this helps!

                   

                  Sam

                  • 6. Resolved!

                    Thank you Sam for your clarification.

                    This means that for seven years I have used the wrong way to submit false positives.

                    And I thought Webimmune.net is always the best way....

                    We're all creatures of habit.

                    • 7. Re: Resolved!
                      SamSwift

                      No probs - happy to help!

                       

                      Sam