8 Replies Latest reply on Feb 10, 2010 8:48 AM by pammirab

    VirusScan doesn't detect a malware that is in McAfee's database

      Hello!

       

      I came across a suspicious file on my computer and scanned it with McAfee VirusScan. The result was clean but it did not impress me, so I uploaded it to Virustotal. This was the result:

       

      McAfee           5884   2010.02.06   New Malware.d
      McAfee+Artemis   5884   2010.02.06   Artemis!0E449ECE5E20

       

      I use McAfee Total Protection and the very same DAT version. I also have the options "search for unknown viruses" and "connect to McAfee Online Threat Intelligence Web community (Artemis technology)" marked on (and I was connected to the Internet at the time). I repeated the scan a couple of times and got the same result. And this is not the first time.

      It may be due to the scan engine version I use (5301.4018) but I haven't found a newer version:

      http://www.mcafee.com/apps/downloads/security_updates/engines.asp?region=us&segment=enterprise

       

      Do any of you have ideas why this keeps happening? If so, please send an answer below.

       

      Thank you in advance!

       

      Discussion moved from VirusScan 14 - 2010 to Artemis Discussion for better attention - Moderator

       

       

      Message was edited by: Ex_Brit on 06/02/10 3:34:43 EST PM
        • 1. Re: VirusScan doesn't detect a malware that is in McAfee's database

          The new malware detection is a heuristic detection so that means we would need the sample to be submitted to us for further review.  Please send the sample to virus_research@avertlabs.com or else submit via the Webimmune (www.webimmune.net) portal.

           

          Once we receive your sample, we will be able to analyze it and provide a solution as needed.

          • 2. Re: VirusScan doesn't detect a malware that is in McAfee's database

            Thanks for the reply.

            Yes, I submitted it yesterday. The result was:

            Name             Findings            Detection       Type     Extra
            files_name.exe   variant detection   new malware-d   Trojan   no

            variant detection [ files_name.exe ]
            The file received may contain a potential virus or trojan threat identified heuristically. This potential threat was identified with our most powerful set of heuristic DAT drivers. Heuristic drivers can cause false-positive identifications, as such, this issue is being escalated to Avert Labs for a thorough review. You will be contacted through e-mail with the results of our analysis.


            So, WebImmune detected it, but VirusScan didn't. I've had this same sort of problem a couple of times before. I sent a suspicious file through WebImmune and got a reply via e-mail confirming that the file contained a new malware. Now, when the dat file I received via e-mail is out-of-date, VirusScan doesn't detect it anymore, though it is in Artemis database. Why is that?

            • 3. Re: VirusScan doesn't detect a malware that is in McAfee's database

              Hello,

               

              Thanks for submitting your suspicious file for analysis.

               

              When you submitted your sample, you should have received confirmation of your submission that included an assigned Analysis ID number identifying your escalation.  Please respond to this message with that Analysis ID number so that we may expedite this issue to our researchers as necessary.

               

              Regards,

               

              Patty Ammirabile
              McAfee Labs

              • 4. Re: VirusScan doesn't detect a malware that is in McAfee's database

                Okay,

                today, I received an email confirming that the file contained a new malware and VirusScan automatically removed the infection after installing the newest dat file.

                (The analysis ID for this file is: 5788387)

                 

                The problem is that I've discovered many infections of a certain malware that I have already once got rid of. Now I have the same infection. I've scanned my computer several times but without any success. I uploaded one of these files to Virustotal and here's the result:

                 

                McAfee           5886   2010.02.08   -
                McAfee+Artemis   5886   2010.02.08   Artemis!440BEA0DC500

                 

                So, I need to delete these files manually but the snag is that I don't know where all these files exist.

                The Issue Number for this detection is 5724445.

                 

                I currently use VirusScan engine version 5301.4018, is that the latest version?

                 

                %pepez

                • 5. Re: VirusScan doesn't detect a malware that is in McAfee's database

                  Hello Pepez,

                   

                  I replied to your mail, as this malware can be identified and removed with our current scanners (Engine 5.3.00 + the current DAT).

                   

                  Detection Name: Generic.dx!moc

                   

                  Thanks

                  • 6. Re: VirusScan doesn't detect a malware that is in McAfee's database

                    Thank you!

                    Now I've got rid of that infection with dat version 5886.

                     

                    Still, VirusScan won't detect "Artemis!CCFE6B8B3DB0 trojan !!!" and "Generic.TRA!440bea0dc500"

                    (analysis ID for Generic.TRA: 5724445)

                    I detected these infections by using Stinger and online scanner.

                     

                     

                    Message was edited by: pepez on 2/9/10 2:06:11 PM CST
                    • 7. Re: VirusScan doesn't detect a malware that is in McAfee's database

                      Hello Pepez,

                       

                      Thanks for the information.
                      I'll take a look at the Analysis ID 5724445 and will get back to you soon.

                       

                      Regards,

                       

                      Patty Ammirabile
                      McAfee Labs

                      • 8. Re: VirusScan doesn't detect a malware that is in McAfee's database

                        Hi Pepez,

                         

                        We analysed the file further and a detection for the file submitted as ID 5724445 has been added as BackDoor-ARY. A response has been sent to your email, as well as an Extra.dat file for extra detection, which will be included in a future DAT set.

                         

                        Best Regards,

                         

                        Patty Ammirabile
                        McAfee Labs