Latest reply: Mar 12, 2015 10:30 PM by Ex_Brit

    What To Do When McAfee Detects Legitimate Software As An Infection - How to Submit To McAfee Labs & Appeal

    Ex_Brit

      This only applies to the Windows-based software - there are no published procedures yet for Mac or for mobile applications, although it could be adapted for Mac, I believe.

       

      This outlines what to do when something is wrongly detected as being malware by your McAfee software.  This applies whether it is detected as regular malware or given the generic title 'Artemis' (given to "unknowns").

       

      Files can be quarantined as regular malware or, if they are currently unknown to the database, they will be labelled "Artemis", which I will deal with first.

       

      Artemis (or McAfee 'Global Threat Intelligence' technology) is the enhanced heuristic detection component of McAfee SecurityCenter's virus protection module.

       

      It works by adding an extra layer to the detection engine, but instead of just detecting something it actually "calls home" to the virus database to double-check before labelling something as a possible threat.

       

      If something is identified, maybe wrongly, as "Artemis", then send an email to virus_research@mcafee.com with the Artemis detection name and the words "False Artemis!++++++++++++" as the subject line (minus the "", ++++++++++++ is the 12-digit code given to it).  Also post in the Artemis forum with the Artemis number as the header and put an explanation in the body of the post.  That gives you a double chance at getting it dealt with quickly.

       

      However, if you still want to submit the file, the following is for Consumers only but could give Enterprise people pointers (sorry, not familiar with Enterprise).

       

      You should go to the Restore tab in Security Center and make sure that it is forwarded to the Threat Center (Avert Laboratories) as, if it is harmless, it will then be excluded from the database automatically.

      Lately this procedure is often blocked by ISPs because of the protocol the software utilizes, so do the following:

       

      To send it to the Threat Center outside of Security Center:

       

      First disable your virus protection:

       

      Double-click the taskbar icon to open SecurityCenter

       

      Click Virus and Spyware Protection

       

      Click Real Time Protection

       

      Click the Turn Off button and tell it for how long to stay that way.

       

      Then click Navigation (top right)

       

      Click Quarantined and Trusted Items (below) & restore the item.

       

      See: How to Submit a file to the Labs for analysis: http://www.mcafee.com/us/threat-center/resources/how-to-submit-sample.aspx

       

      If you are the owner of the software being detected see:  Detection Dispute Submission | McAfee Labs

       

      Email the file to virus_research@mcafee.com and make the header of the email start with the word FALSE - for example: FALSE: In-house file being detected by McAfee

       

      When submitting samples via E-mail all samples must be packaged in a .ZIP file.

      Additionally, any .ZIP file created must be password-protected (encrypted) using the password "infected" (minus the "") - using the basic or default zipping level - some compression software offers varying degrees.  Failure to follow these guidelines will cause your submission to be rejected.

      If you've done that properly an automated response should be received almost immediately, followed by a manual one, usually within 24 - 48 hours.

      If you don't receive anything it either means the file was submitted incorrectly or the response is sitting in your Junk or Spam mail folders.

       

      If they respond that it is an infection and you are sure it is not, reply to that email immediately (to virus_research@mcafee.com) and insert the word 'False' (minus the '') in front of the header, but keep the rest of the header intact.

       

      To be on the safe side, scan with an outside anti-malware agent such as Malwarebytes (Free) or SUPERAntiSpyware (Free). Let them clean everything they find.

       

      NOTE:  Due to the large volume of detections on a daily basis (150,000 or more) please allow 4-5 business days for the submission to be analyzed & processed.

      Also, there is a limit of 10Mb file size on submissions, so if your file is bigger, post in the Artemis or malware forums and provide a link to it, and a mod will forward the file's link to McAfee.

      If you do get a reply, post the analysis ID number in the thread.

       

      GetSusp

       

       

      Another way of submitting files is to use the new GetSusp tool's Upload tab.  The tool is downloadable here:  GetSusp and support for it is in that Group which is free to join.

      Don't forget to add your email address in Preferences to obtain a response. The file size limits are lower than email submission.

       


      Note:  The restore and trust feature used to be included in the home products and still is in the Enterprise/Business products - it has been reinstated in the 2011 consumer products (VirusScan 11 and up), in the scheduled and manual scan settings only but not in real-time scanning settings yet.


      Also submit the file to VirusTotal to see what other antivirus makers say about it:  VirusTotal - Free Online Virus, Malware and URL Scanner
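
The e-mail packaging rules above (a .ZIP encrypted with the password "infected", under the size limit), as an added Python example that is not part of the original post or any McAfee tool. The function names are hypothetical, "10Mb" is read as 10 MiB, and the traditional PKZIP cipher is an assumption, chosen because Python's own `zipfile` module can open it to verify the result.

```python
import os, struct, zlib

PASSWORD = b"infected"        # fixed password the page specifies
MAX_BYTES = 10 * 1024 * 1024  # assumption: the page's "10Mb" limit read as 10 MiB

def _crc(crc, byte):
    # One raw CRC-32 step (no pre/post inversion), as the PKZIP cipher needs.
    return zlib.crc32(bytes([byte]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

def _zipcrypto(data, password):
    # Traditional PKZIP stream cipher: three 32-bit keys seeded from the password.
    k = [0x12345678, 0x23456789, 0x34567890]
    def update(b):
        k[0] = _crc(k[0], b)
        k[1] = ((k[1] + (k[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _crc(k[2], k[1] >> 24)
    for b in password:
        update(b)
    out = bytearray()
    for p in data:
        t = k[2] | 2
        out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
        update(p)  # the key schedule advances on the plaintext byte
    return bytes(out)

def package_sample(name, data, limit=MAX_BYTES):
    """Return the bytes of a one-file ZIP encrypted with PASSWORD."""
    crc = zlib.crc32(data)
    deflater = zlib.compressobj(6, zlib.DEFLATED, -15)  # raw deflate, default level
    body = deflater.compress(data) + deflater.flush()
    header = os.urandom(11) + bytes([crc >> 24])        # 12-byte encryption header
    enc = _zipcrypto(header + body, PASSWORD)
    fname = name.encode("ascii")
    # Fields shared by both headers: version 20, flag bit 0 (encrypted),
    # method 8 (deflate), DOS time 0, DOS date 1980-01-01, CRC, sizes, name length.
    common = struct.pack("<HHHHHIIIHH", 20, 1, 8, 0, 0x21, crc,
                         len(enc), len(data), len(fname), 0)
    local = b"PK\x03\x04" + common + fname + enc
    central = (b"PK\x01\x02" + struct.pack("<H", 20) + common
               + struct.pack("<HHHII", 0, 0, 0, 0, 0) + fname)
    end = b"PK\x05\x06" + struct.pack("<HHHHIIH", 0, 0, 1, 1,
                                      len(central), len(local), 0)
    archive = local + central + end
    if len(archive) > limit:
        raise ValueError("over the e-mail size limit; post a link in the forum instead")
    return archive
```

Write the returned bytes to a file ending in .zip and attach that file. The password is public, so the encryption protects nothing; it only keeps mail gateways and scanners from stripping the sample in transit.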