1 2 Previous Next 17 Replies Latest reply on May 11, 2010 6:50 AM by SamSwift

    McAfee failed to detect .exe within ups.zip file

      About 10 days ago a user in our company received an email from help@ups.com with upsxxxxx.zip file that contained a .exe file. Since I was testing McAfee Total Protection for Endpoint I copied the zip file to the test laptop and scanned for threat using McAfee but it did not detected. I thought maybe the problem is with my DAT file. So, I went and updated the Master Repository with ePO and forced the changes to go to the test laptop. After the update I verified that the laptop has the same DAT as the ePO on the server, and when I scanned the upsxxxxx.zip file again McAfee did not detect anything. I continued to scan the upsxxxxx.zip for server days until today, when I scanned the upsxxxxx.zip McAfee came up with the alert.


      To be fair to McAfee our current protection program (Symantec Endpoint Protection) did not either detect the initial email that the user received….so both program failed. I am guessing that both companies did not have the right code to pick up trojan contained within the upsxxxxx.zip. Maybe our DAT was not up to date, but I doubt that since all clients on our computer perform daily updates.





        • 1. Re: McAfee failed to detect .exe within ups.zip file



          This is more of a thing for the McAfee Labs team than ePO as it's about detection.

          If you have the full name of the Trojan detected now you can look it up via the Threat Library link here:




          This would give you an idea of when McAfee first detected it and what requirements were necessary for detection and removal.

          Failing that you can also submit the sample file to McAfee through the 'submit a malware sample' link on the same web page.


          Hopefully the response from McAfee Labs should answer your questions.





          • 2. Re: McAfee failed to detect .exe within ups.zip file

            Don't forget to submit a sample to virustotal.com and on webimmune.net.


            If McAfee has an extra.dat for it, it will be available for download on webimmune.net after your sample's been scanned.



            • 3. Re: McAfee failed to detect .exe within ups.zip file



              There are literally thousand of new pieces of malware created every day so there will be times where something is so new it won't be included in the current dats. Our Artemis technology does close the detection gaps in many cases. Please submit a sample of the file to http://www.webimmune.net and let us know the analysis ID number you are sent.







              Message was edited by: Samantha Price on 3/11/10 8:40:35 AM CST
              • 4. Re: McAfee failed to detect .exe within ups.zip file

                Maybe i posted this under the wrong forum (administrator please move topic to correct forum if possible)...but I thought that system like McAfee suppose to protect from known threats and kind block future attacks based on detection algorithm...etc..  I was testing McAfee to see if we need to switch from Symantec, but now I am not sure if I should switch and go through all the troubles of switching and spending 10 to 20 grand.


                Here is the info about the threat found.



                Type Trojan
                SubType Generic
                Discovery Date 02/18/2010
                Minimum DAT 5896 (02/18/2010)
                Updated DAT 5911 (03/05/2010)
                Minimum Engine 5.2.00
                Description Added 02/18/2010
                Description Modified 02/18/2010 12:21 PM (PT)



                Message was edited by: John K on 3/11/10 8:47:21 AM CST
                • 5. Re: McAfee failed to detect .exe within ups.zip file



                  We can work out the cause if you submit the sample as Sam suggests.

                  When it comes to Malware detection the detail is everything


                  It'll help if you know which dat version was first to detect or which was the last not to detect. (same thing really)

                  I am assuming the AV-Engine version and product scanner settings are constant across this, as they would be a factor too.


                  Looks like this has been moved off to the right forum now.

                  handing it over to those who specialise in this field...





                  • 6. Re: McAfee failed to detect .exe within ups.zip file

                    Hi John,


                    We do of course detect all the threats we know about, and as I mentioned our Artemis technology does proactively protect our customers against many many new threats (we have around 20million signatures in the cloud). Additionally our heuristic capabilities within the DATs can identifiy and remove new threats. However, no AV vendor in the world is going to offer you 100% detection and cleaning given that the malware writers continually churn out new files and new techniques to try and stay under the radar. Gone are the days of just 'script kiddies' writing bad stuff just or the hell of it - the malware writers of today are in business to make money, and the type of threat that we are talking about is created purely to con customers out of their hard earmed money.


                    I am sure when you are considering AV vendors that the outcome of any decision you take will not be based on one file. However if you would like provide me with the MD5 of the file, or a sample ID I can investigate if Artemis had detection for it, should you be interested.





                    • 7. Re: McAfee failed to detect .exe within ups.zip file

                      What kind of data do you need from me? I am willing to provide as much data as possible to see if McAfee failed or if I failed in setting up McAfee.  I downloaded few weeks back McAfee Total Protection for Endpoint and installed on Win2003 server and released to one laptop so that I can test. Like I said before McAfee did not detect the threat until earlier this week on my laptop.


                      Please let me know what you need and where to locate the info just incase it is something I am not familiar with.


                      I registered with webimmune and waiting for confirmation email.






                      Message was edited by: John K on 3/11/10 9:40:21 AM CST



                      Message was edited by: John K on 3/11/10 9:54:58 AM CST
                      • 8. Re: McAfee failed to detect .exe within ups.zip file



                        Firstly have you still got a copy of the file? If so please send it over to us either via e-mail (virus_research@avertlabs.com) or through http://www.webimmune.net - either way please can you add the file to a password protected .zip with a password of 'infected' (without the quotes).





                        • 9. Re: McAfee failed to detect .exe within ups.zip file

                          I just emailed the zip file via email since I have not received my webimmune confirmation yet.

                          1 2 Previous Next