10 Replies Latest reply on Jun 18, 2011 5:02 AM by Peacekeeper

    Why so many Artemis False Positives?

      If I run "fakealertstinger" across a machine with Artemis set to "Very Sensitive", it detects a large number of false positives as Artemis detections, including core Microsoft files, parts of popular applications etc. It even detected McAfee's own 5300 Superdat as a threat (now resolved as discussed in the fake alert stinger thread).

       

      While this technology is very promising, I still can't see how Corporates can trust it for production use with the fear of false positives. Even when using Artemis in the core products (which is implemented differently and isn't as sensitive as the "fakealertstinger" implementation is), I still see false positives - especially when files are compressed in installers and the extensions changed as a result.

       

      Also I can't work out how Artemis detections can exist as detections in Artemis, but never get rolled up into the production dat files. Isn't the purpose of Artemis only to provide "gap" coverage until the next dat release, rather than have an Artemis detection stick around for months?

       

      Here's a list of the Artemis detections on one machine. It is extensive, and I've made comments in various places about the files themselves. So these are the types of False positives I'm talking about....

       

      a2uploader.exe    Found the Artemis!5A82D12A277A trojan !!!

       

      * Flashing software for mobile phones.

       

      Beyond Compare 3\BCShellEx.dll    Found the Artemis!4C3BFC83D6BA trojan !!!

       

      * Shell Extension for Beyond Compare 3.


      COMODO\COMODO Internet Security\cfplogvw.exe    Found the Artemis!D003C2476C18 trojan !!!
      COMODO\COMODO Internet Security\cfpupdat.exe    Found the Artemis!529BBCE8CC06 trojan !!!
      COMODO\COMODO Internet Security\crashrep.exe    Found the Artemis!94CDBDECA6C3 trojan !!!
      COMODO\COMODO Internet Security\scanners\mach32.dll    Found the Artemis!0B57D498D388 trojan !!!

       

      * Comodo Firewall application files.


      Dial\Uninstal.exe    Found the Artemis!A51925362BD4 trojan !!!

       

      * Uninstall program for an application called DTMF Dial


      frhed\uninstall.exe    Found the Artemis!98AA0352EAB8 trojan !!!

       

      * Uninstaller for a hex editor called FRHED.

       

      Malwarebytes' Anti-Malware\mbam.dll    Found the Artemis!87271E7CECE9 trojan !!!

       

      * Application file for Malwarebytes' anti-malware.


      Data1.cab\TX11_OBJ.DLL.32ADD05F_B364_4642_A2DA_A4C7E2CB37CA    Found the Artemis!CB3A130D2AEA trojan !!!

       

      * Installer file for commercial application.


      MyPhoneExplorer_Setup_1.6.7.exe    Found the Artemis!557B7643C467 trojan !!!
      MyPhoneExplorer_Setup_1.6.7.exe.part    Found the Artemis!557B7643C467 trojan !!!
      MyPhoneExplorer_Setup_1.7.2.exe    Found the Artemis!A483B99D1CAE trojan !!!
      MyPhoneExplorer_Setup_1.7.2\$SYSDIR\$PLUGINSDIR\FixPermissions.exe    Found the Artemis!BBFD77CCDD40 trojan !!!
      MyPhoneExplorer_Setup_1.7.3.exe    Found the Artemis!8A7568161B23 trojan !!!
      MyPhoneExplorer_Setup_1.7.3\$COMMONFILES\MyPhoneExplorer\$PLUGINSDIR\eBay_shortcuts_1025_EPE.exe\2.nsis    Found the Artemis!3897FA9C3CB7 trojan !!!
      MyPhoneExplorer_Setup_v1.7.4.exe\191.nsis\2.nsis    Found the Artemis!3897FA9C3CB7 trojan !!!
      MyPhoneExplorer_Setup_v1.7.4\$PLUGINSDIR\eBay_shortcuts_1025_EPE.exe\2.nsis    Found the Artemis!3897FA9C3CB7 trojan !!!

       

      * Application files for MyPhoneExplorer. eBay_shortcuts_1025_EPE.exe (Artemis!3897FA9C3CB7) shares similarities with Generic.dx!kus (already detected), so I presume this should also be detected as the same.
      * Fixpermissions probably shouldn't be detected.


      ndis.sys    Found the Artemis!1DF2F6476559 trojan !!!
      ntkrnlpa.exe    Found the Artemis!F8B0D1EDD4C6 trojan !!!
      ntoskrnl.exe    Found the Artemis!73D555659AD8 trojan !!!
      winload.exe    Found the Artemis!EE73B43FC89D trojan !!!
      memtest.exe    Found the Artemis!5E5F306E623B trojan !!!

       

      * Windows system files (located outside of the Windows/ Windows/System32 path).

       

      filterconfig1.dll    Found the Artemis!529FF115C402 trojan !!!
      OOo_3.2.0_Win32Intel_install_wJRE_en-US.exe\9.nsis\FILTERCONFIG1.DLL    Found the Artemis!F2655A7E65AB trojan !!!
      OOo_3.2.0_Win32Intel_install_wJRE_en-US.exe\9.nsis\PYEXPAT.PYD    Found the Artemis!F0B62D781C72 trojan !!!
      OOo_3.2.0_Win32Intel_install_wJRE_en-US.exe\9.nsis\SQLITE3.DLL    Found the Artemis!D6257B2C4F85 trojan !!!

       

      * Sun Open Office application files.


      pwsafe-3.14.exe    Found the Artemis!7DDFF4FCB1F9 trojan !!!

       

      * Installer for the Password Safe application.


      Regmon.exe\0003c628.EXE    Found the Artemis!7F10E5B49825 trojan !!!
      Regmon.exe\00043fa0.EXE    Found the Artemis!D912966F6FDA trojan !!!

       

      * SysInternals Registry Monitor.

       

      SelfTest\FM.exe    Found the Artemis!E4733DCF836C trojan !!!

       

      * Application file for Self Test Software.

       

      Skype\Plugin Manager\ezPMUtils.dll    Found the Artemis!6CD38AF95917 trojan !!!

       

      * Plugin installed with Skype by default.

       

      sp41862.exe    Found the Artemis!CF0A70A984C5 trojan !!!

       

      * HP Support Battery monitor installer.


      wireshark-win32-1.2.6.exe\188.nsis    Found the Artemis!7139034C80A2 trojan !!!
      wireshark-win32-1.2.6.exe\20.nsis    Found the Artemis!E19F03A5DB6D trojan !!!

       

      * Wireshark Installer files.
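The list above is raw scan output. As an added example (not code from the thread or from McAfee), here is a small Python script that parses lines in that format, groups hits by Artemis ID, and separates members unpacked from installers from files scanned directly on disk, which is the sorting a reviewer does before filing false-positive reports: one ID that fires on several paths is one fingerprint and needs one report, and a hit inside an installer is evaluated against the container, not the member path. The line layout (path, a run of spaces, then the verdict) and the set of container extensions are assumptions read off the list above; the sample lines are constructed copies of a few entries from it plus one deliberately malformed line.

```python
import os
import re
from collections import defaultdict

# Log line shape as seen in the thread's scan output (assumption: the
# path and the verdict are separated by a run of two or more spaces).
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s{2,}Found the (?P<name>Artemis!(?P<id>[0-9A-Fa-f]{12})) trojan !!!$"
)

# Container formats the scanner descends into; nested members show up as
# further path components after the container file (e.g. "foo.exe\2.nsis").
CONTAINER_EXTS = {".exe", ".cab", ".msi", ".zip", ".nsis"}

# Constructed sample: a handful of lines in the thread's format, plus one
# line that is not a detection at all.
SAMPLE_LINES = [
    r"a2uploader.exe    Found the Artemis!5A82D12A277A trojan !!!",
    r"MyPhoneExplorer_Setup_1.6.7.exe    Found the Artemis!557B7643C467 trojan !!!",
    r"MyPhoneExplorer_Setup_1.6.7.exe.part    Found the Artemis!557B7643C467 trojan !!!",
    r"MyPhoneExplorer_Setup_v1.7.4.exe\191.nsis\2.nsis    Found the Artemis!3897FA9C3CB7 trojan !!!",
    r"MyPhoneExplorer_Setup_v1.7.4\$PLUGINSDIR\eBay_shortcuts_1025_EPE.exe\2.nsis    Found the Artemis!3897FA9C3CB7 trojan !!!",
    r"wireshark-win32-1.2.6.exe\188.nsis    Found the Artemis!7139034C80A2 trojan !!!",
    r"ntoskrnl.exe    Found the Artemis!73D555659AD8 trojan !!!",
    "this line is not a detection and must be skipped",
]


def container_of(path):
    """Return the outermost container file a member was unpacked from, or None
    for a file that was scanned directly on disk."""
    parts = path.split("\\")
    for part in parts[:-1]:  # every component except the member itself
        if os.path.splitext(part)[1].lower() in CONTAINER_EXTS:
            return part
    return None


def parse_detections(lines):
    """Turn raw scan lines into records. Lines that do not match are dropped
    and counted, so a mangled log does not silently lose detections."""
    records, skipped = [], 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        path = m.group("path")
        records.append({
            "path": path,
            "name": m.group("name"),
            "detection_id": m.group("id").upper(),
            "container": container_of(path),
        })
    return records, skipped


def group_by_id(records):
    """Map each Artemis ID to every path it fired on. The same ID on several
    paths is the same fingerprint, so one FP report covers all of them."""
    groups = defaultdict(list)
    for r in records:
        groups[r["detection_id"]].append(r["path"])
    return dict(groups)


def triage_summary(lines):
    """Counts a reviewer wants before filing FP reports: distinct IDs, IDs
    that fired more than once, and hits that were installer members rather
    than files on disk."""
    records, skipped = parse_detections(lines)
    groups = group_by_id(records)
    return {
        "detections": len(records),
        "skipped_lines": skipped,
        "distinct_ids": len(groups),
        "repeated_ids": sorted(i for i, p in groups.items() if len(p) > 1),
        "archive_members": sum(1 for r in records if r["container"]),
    }


if __name__ == "__main__":
    for key, value in triage_summary(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

Run against the sample, the summary reports seven detections over five distinct IDs, two IDs that fired on more than one path, and three hits that were members inside an installer; feeding it a full scan log instead of the sample gives the same breakdown for a real machine.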

        • 1. Re: Why so many Artemis False Positives?

          Hi

           

          We request that you open an SR (Service Request); kindly contact our Technical Support team.

           

          Please use the following links to reach our technical support group for McAfee products.

           

          Corporate Customers:
          <https://support.mcafee.com>

           

          Single User/Retail Customers:
          <http://service.mcafee.com/default.aspx>

           

          The next step, if you are still having problems, is for you to send us a sample of the suspiciously behaving file in a password-protected ZIP file (password - infected).  You can find detailed instructions for how to do this at
          <http://vil.mcafeesecurity.com/vil/submit-sample.aspx>

           

          In order to get the fastest possible response, you may wish to submit virus-samples to <http://www.webimmune.net>. In most cases it can respond almost instantly with a solution.  This may also be the best option if you're having a problem with a gateway scanner stripping your file-sample.

           

          If you submit your file-sample by email, please be sure to include the description below of why you believe your computer has been infected with this virus. Include the version number of your AV Product (Engine/DAT numbers for McAfee Products) and results of the scan.

           

          Note -

           

          Due to the prevalence of network gateway AV products it is important that all submissions be zipped and the zip file password protected (password - infected). Some products will reject an email that contains a virus that is not sent in this way. In addition, often we receive a file that appears not to have been infected, to find later that the file was infected when it left the sender, and was cleaned somewhere along the line.

           

          Regards

          • 3. Re: Why so many Artemis False Positives?
            Attila Polinger

            Hi,

             

            I may be too simplistic, but I do not see these as a sign of malfunction, rather, a result of the combination of the very sensitive level of detection, and the common manoeuvres that a trojan and a valid executable both can execute.

            Trojans are not unlike legitimate drivers that use the same steps to install themselves, so on a very sensitive Artemis level these two will be caught for the same reasons.

             

            Did you try setting it on Medium level (to my knowledge this is the level McAfee recommends) and see how it performs for the same files?

             

            Attila

            • 4. Re: Why so many Artemis False Positives?

              apoling wrote:

              I may be too simplistic, but I do not see these as a sign of malfunction, rather, a result of the combination of the very sensitive level of detection, and the common manoeuvres that a trojan and a valid executable both can execute.

              Trojans are not unlike legitimate drivers that use the same steps to install themselves, so on a very sensitive Artemis level these two will be caught for the same reasons.

               

              While I agree that setting it to "Very High" and running a scan is probably akin to waving a red flag at a bull and not expecting it to come chasing me ... I still don't believe that legitimate files should be detected even at that high setting.

               

              McAfee has a huge resource of known good files that they should be utilising to prevent FP's. I just don't see them being applied to prevent Artemis FP's. And some of the detections are suss to say the least. Why on earth should McAfee detect their own installer files as a trojan?

               

              I will try again later and see what a Medium scan will FP on. But I still see this as no different to enabling "Heuristics" at the scanner level. It is McAfee's job to ensure that files are not falsely detected.

               

              Oh, and I am very disappointed with the response from AVERT (McAfee Labs) on my emails about False Positives. It seems they disappear into the trash can. Much worse response than my submissions, which normally get a response within two weeks.

              • 5. Re: Why so many Artemis False Positives?

                I totally agree with what Mal09 said.  The whole False Positive thing is getting out of hand.  A quick Google search shows just how big the problem is, and the problem today (4/21) just confirms it even more.

                 

                And, responses from AVERT promise a response, but seem to never arrive.

                 

                If a program is going to label a program as malicious, there should be an easy, fast way to correct any errors, especially if the labeling technology is so prone to them.

                 

                Things really need to change.

                • 6. Re: Why so many Artemis False Positives?
                  SamSwift

                  Artemis false positives are very quick and easy to turn around, and we don't necessarily need a sample to be able to do it either. 

                   

                  Which process are you following today to notify us of any false positives you are seeing?

                   

                  Sam

                  • 7. Re: Why so many Artemis False Positives?

                    SamPrice wrote:

                     

                    Artemis false positives are very quick and easy to turn around, and we don't necessarily need a sample to be able to do it either.


                     

                    Haven't submitted any FP reports for a little while, but have tried:

                     

                    Email with Artemis detection names and a description of the files.

                    As above, with samples of the files attached.

                     

                    I've learnt a lot about Artemis through my own testing, and know that McAfee don't have samples for all Artemis detections - some are heuristic based on packers etc. It is a shame that FP reports don't get followed through properly.

                     

                    Also, someone at AVERT/McAfee Labs needs to run an Artemis scan (at High Sensitivity), ignoring file extensions, against the entire dat test rig, and resolve any false positives. I see way too many FP's in commercial software - files which should be in the dat test rig.

                    • 8. Re: Why so many Artemis False Positives?

                      I recently joined, but this Artemis thing is really annoying. All of my friends tell me that McAfee is horrible being so sensitive. I'm starting to doubt my reliability on McAfee telling me which is safe or not. I don't even get to decide what gets to be deleted. In the "Help" section, I found absolutely nothing that can help me. There's only "Remove" and "Review" trusted items. How do I add things? :< I end up turning McAfee OFF.

                      • 9. Re: Why so many Artemis False Positives?

                        I agree @khitoe. I've lost three games: Music Catch; Atlantis Quest; and Turtle Odyssey (which I paid good money for) because they all supposedly had trojans. I even went after the game site and wanted my money back because my antivirus software detected a trojan soon after downloading it onto my new computer.

                         

                        I should NOT have to contact McAfee to ask them if they would please fix the problem, I should be able to fix it myself. And from what I've read on these boards, at one time I would have been able to.

                         

                        I've since turned McAfee OFF and am looking for better antivirus software. I'd be willing to bet McAfee is making their antivirus software more for corporate use (where you are less likely to see games and other software for personal computers) and less for individual use.
