0 Replies Latest reply: Aug 25, 2015 8:51 AM by Ex_Brit

    What To Do When McAfee Detects Legitimate Software As An Infection - How to Submit To McAfee Labs & Appeal


      This only applies to the Windows-based software - there are no published procedures yet for Mac or for mobile applications, although I believe it could be adapted for Mac.


      This outlines what to do when something is wrongly detected as being malware by your McAfee software.  This applies whether it is detected as regular malware or given the generic title 'Artemis' (given to "unknowns").

      Files can be quarantined as regular malware or if they are currently unknown to the database, they will be labelled "Artemis", which I will deal with first.

      Artemis (or McAfee 'Global Threat Intelligence' technology) is the enhanced heuristic detection component of McAfee SecurityCenter's virus protection module.

      It works by adding an extra layer to the detection engine, but instead of just detecting something it actually "calls home" to the virus database to double-check before labelling something as a possible threat.

      If something is identified, maybe wrongly, as "Artemis", then send an email to virus_research@mcafee.com with the Artemis detection name and the words "False Artemis!++++++++++++" as the subject line (minus the quotation marks; ++++++++++++ is the 12-digit code given to it).  Also post in the Artemis forum with the Artemis number as the header and put an explanation in the body of the post.  That gives you a double chance at getting it dealt with quickly.

      However, if you still want to submit the file, the following is for Consumers only but could give Enterprise people pointers (sorry, not familiar with Enterprise).

      You should go to the Restore tab in Security Center and make sure that it is forwarded to the Threat Center (Avert Laboratories) as, if it is harmless, it will then be excluded from the database automatically.

      Lately this procedure is often blocked by ISPs because of the protocol the software utilizes, so do the following:


      To send it to the Threat Center outside of Security Center:


      First disable your virus protection:

      Double-click the taskbar icon to open SecurityCenter

      Click Virus and Spyware Protection

      Click Real Time Protection

      Click the Turn Off button and tell it for how long to stay that way.

      Then click Navigation (top right)

      Click Quarantined and Trusted Items (below) & restore the item.

      See: How to Submit a file to the Labs for analysis: http://www.mcafee.com/us/threat-center/resources/how-to-submit-sample.aspx


      If you are the owner of the software being detected see:  Detection Dispute Submission | McAfee Labs


      Email the file to: virus_research@mcafee.com and make the header of the email start with the word FALSE - for example FALSE:  In-house file being detected by McAfee


      When submitting samples via E-mail all samples must be packaged in a .ZIP file.

      Additionally, any .ZIP file created must be password-protected (encrypted) using the password "infected" (minus the "") - using the basic or default zipping level - some compression software offers varying degrees.  Failure to follow these guidelines will cause your submission to be rejected or ignored.

      If you've done that properly an automated response should be received almost immediately, followed by a manual one, usually within 24 - 48 hours.

      If you don't receive anything it either means the file was submitted incorrectly or the response is sitting in your Junk or Spam mail folders.


      If they respond that it is an infection and you are sure it is not, reply to that email immediately (to virus_research@mcafee.com) and insert the word 'False' (minus the '') in front of the header, but keep the rest of the header intact.


      To be on the safe side scan with an outside anti-malware agent such as MalwareBytes (Free)  or SuperAntispyware (Free). Let them clean everything they find.


      NOTE:  Due to the large volume of detections on a daily basis (150,000 or more) please allow 4-5 business days for the submission to be analysed & processed.

      Also there is a limit of 10Mb file size on submissions, so if your file is bigger, post in the Artemis or malware forum and provide a link to it and a mod will forward the file's link to McAfee.


      If you do get a reply, post the analysis ID number in the thread.





      Another way of submitting files is to use the new GetSusp tool's Upload tab.  The tool is downloadable here:  GetSusp and support for it is in that Group which is free to join.

      Don't forget to add your email address in Preferences to obtain a response. The file size limits are lower than email submission.






      Note:  The Excluded Files feature has been reinstated in the consumer products, but, should that file be found in the database as possible malware, it will still end up being quarantined.

      Also submit the file to VirusTotal to see what other antivirus makers say about it:  VirusTotal - Free Online Virus, Malware and URL Scanner



      Message was edited by: ex_brit General details updated.
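
      The e-mail packaging rules in the post (a .ZIP encrypted with the password "infected" at default settings, the 10Mb limit, a subject starting with FALSE), as an added PowerShell example that is not part of the original post or any McAfee tooling. It assumes 7-Zip is installed at the path shown and applies the size limit to the archive that gets attached; the function and parameter names are hypothetical.

```powershell
# Added example: package a restored file for a false-positive submission by e-mail.
# Assumptions (not from the original post): 7-Zip lives at $SevenZip, and the
# function and parameter names are hypothetical.
function New-FalsePositiveSubmission {
    param(
        [Parameter(Mandatory)] [string] $SamplePath,
        [string] $Description = 'In-house file being detected by McAfee',
        [string] $SevenZip = 'C:\Program Files\7-Zip\7z.exe'
    )

    $limitBytes = 10MB   # e-mail submission size limit stated in the post
    $sample = Get-Item -LiteralPath $SamplePath -ErrorAction Stop
    if (-not (Test-Path -LiteralPath $SevenZip)) {
        throw "7-Zip not found at $SevenZip"
    }

    # Hash the file before packaging so the exact same file can be compared
    # against the VirusTotal result and referenced in the forum thread.
    $sha256 = (Get-FileHash -LiteralPath $sample.FullName -Algorithm SHA256).Hash

    $zipPath = Join-Path $sample.DirectoryName ($sample.BaseName + '_sample.zip')
    if (Test-Path -LiteralPath $zipPath) { Remove-Item -LiteralPath $zipPath }

    # -tzip      : plain .ZIP container, as the submission rules require
    # -pinfected : the password the post specifies
    # No compression or encryption-method switches are passed, so 7-Zip uses
    # its defaults, in line with the "basic or default" instruction.
    & $SevenZip a -tzip -pinfected $zipPath $sample.FullName | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "7-Zip failed with exit code $LASTEXITCODE" }

    $zip = Get-Item -LiteralPath $zipPath
    if ($zip.Length -gt $limitBytes) {
        Remove-Item -LiteralPath $zipPath
        throw "Archive is $($zip.Length) bytes, over the e-mail limit; post a link in the forum instead."
    }

    # Everything needed to compose the message by hand in a mail client.
    [pscustomobject]@{
        To      = 'virus_research@mcafee.com'
        Subject = "FALSE: $Description"
        Attach  = $zip.FullName
        SHA256  = $sha256
        Bytes   = $zip.Length
    }
}
```

      Run it against the restored file while real-time protection is still turned off, as in the steps above, then attach the resulting archive to a message with the returned subject line.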