5 Replies Latest reply on Mar 26, 2010 10:58 AM by Mal09

    False detection, yet again!!!

      Hi,

      Earlier I started a thread about how the good old CCleaner was being flagged as a trojan by McAfee.

      Now it is the turn of the poor Winrar.exe to bear the brunt of an excited and aggressive McAfee.

      I have stated this in the past and I reiterate it again. I am a big fan of Artemis, but the false detections gotta stop getting more and more in number instead of being reduced with time. It is fine if the false alarm happens to be in one detection before the DATs come out. But please don't give me the same detection with a DAT which releases even 15 days later. I always assumed that there is a dedicated team to take into consideration what heuristic detections are taking place. Please don't expect the users to keep sending each and every sample after getting frustrated with McAfee's false detections.

      There must be a way out so that McAfee can decide for itself whether a particular setup file is legit or not!!!

      Sameer

        • 1. Re: False detection, yet again!!!

          Hi Sameer,

          Thank you for bringing this to our notice.

          I understand that this Artemis false detection has re-occurred. Sometimes, an update might upgrade a file to a new version in a way which adds to its suspicious behavior. Kindly send us the detection name (e.g. Artemis!abcdef123456) or the sample so that we can investigate exactly what caused this issue and have it resolved at the earliest.

          Thanks and Regards,

          Showvik

          • 2. Re: False detection, yet again!!!

            Which version of WinRar? I couldn't replicate the detection with the latest version.

            I am a big fan of Artemis, but the false detections gotta stop getting more and more in number instead of being reduced with time. It is fine if the false alarm happens to be in one detection before the DATs come out. But please don't give me the same detection with a DAT which releases even 15 days later.

            My views are similar. It's a great technology, but there are some issues with it and I don't really have high confidence in the technology. I believe that there are heuristic-type Artemis detections where McAfee Labs don't have the samples, which is one of the reasons these detections never make it into the DAT files and remain falsely detected.

            The other point I'll make is that the technology deciding that a file with the wrong extension needs an Artemis check can be seriously flawed, e.g. some web browsers download files with the incorrect extension and then rename them back to their correct extension, and installers often rename extensions as part of their compression/packaging scheme.
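To make the "wrong extension" cue concrete, here is an added illustration (not McAfee code, and not how Artemis actually decides anything) of the simplest possible extension-versus-content check: compare a file's name suffix with what its leading bytes say. The signature table, the list of transient download suffixes, and all sample headers are constructed assumptions for the example. It shows why a self-extracting installer such as wrar393.exe passes this check (its first bytes are a PE stub, so .exe is correct), while a browser's mid-download placeholder name or an installer payload renamed to .dat would trip it, which is exactly the kind of benign case Mal09 describes.

```python
import os
from typing import Optional

# Constructed signature table: leading bytes ("magic") -> the extension that content normally carries.
MAGIC = {
    b"MZ": "exe",                        # Windows PE executable (also self-extracting installers)
    b"Rar!\x1a\x07\x00": "rar",          # RAR archive, format 1.5 - 4.x
    b"Rar!\x1a\x07\x01\x00": "rar",      # RAR archive, format 5
    b"PK\x03\x04": "zip",                # ZIP (also used by many installer/package formats)
    b"%PDF": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
}

# Assumed set of suffixes browsers use for in-progress downloads; a mismatch here is expected.
TRANSIENT_EXTS = {"tmp", "part", "crdownload", "partial"}


def detect_type(header: bytes) -> Optional[str]:
    """Return the content type implied by the leading bytes, or None if unrecognised."""
    # Longest signature first, so a short signature never shadows a longer one sharing its prefix.
    for sig in sorted(MAGIC, key=len, reverse=True):
        if header.startswith(sig):
            return MAGIC[sig]
    return None


def classify(filename: str, header: bytes) -> str:
    """Compare the name's extension with what the bytes say.

    Returns one of:
      "ok"                 extension agrees with content
      "unknown"            content not in the signature table; nothing to compare
      "mismatch-transient" disagreement, but the suffix is a known download placeholder
      "mismatch"           disagreement worth a closer look (the kind of cue a heuristic keys on)
    """
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    actual = detect_type(header)
    if actual is None:
        return "unknown"
    if ext == actual:
        return "ok"
    return "mismatch-transient" if ext in TRANSIENT_EXTS else "mismatch"


def flagged(samples):
    """Names whose verdict is a hard mismatch, given (name, header) pairs."""
    return [name for name, header in samples if classify(name, header) == "mismatch"]


# Constructed sample headers (first bytes only); none of these is a real file.
SAMPLES = [
    ("wrar393.exe", b"MZ\x90\x00\x03\x00"),             # SFX installer: PE stub, so .exe is right
    ("archive.rar", b"Rar!\x1a\x07\x00\xcf\x90"),       # RAR4 archive named correctly
    ("download.crdownload", b"Rar!\x1a\x07\x01\x00"),  # browser placeholder name for a RAR5 file
    ("setup.dat", b"PK\x03\x04\x14\x00"),              # installer payload: a ZIP carrying .dat
    ("readme.txt", b"Just text, no signature"),        # nothing to compare against
]

if __name__ == "__main__":
    for name, header in SAMPLES:
        print(f"{name:22} {classify(name, header)}")
    print("flagged:", flagged(SAMPLES))
```

A mismatch is only a reason to look more closely, never evidence of malice on its own; that is the point of the thread. Treating the transient download suffixes separately is one cheap way to keep the browser-rename case from raising the same alarm as a deliberately disguised file.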

            • 3. Re: False detection, yet again!!!

              Mal09 wrote:

              Which version of WinRar? I couldn't replicate the detection with the latest version.

              And strangely enough I am now seeing this with the latest version (WinRar 3.9.3 installer).

              wrar393.exe\DEFAULT.SFX    Artemis!5A880D3217A0 (Trojan)

              • 4. Re: False detection, yet again!!!

                Dear customer,

                Thank you for your submission. However, I could not reproduce the issue with the latest Artemis setup. Could you please send us the sample for further research in a password-protected ZIP file (password: infected) in an email to virus_research@avertlabs.com

                Thanks and Regards,

                Jiju Kurian
                McAfee Labs

                • 5. Re: False detection, yet again!!!

                  jkurian wrote:

                  Thank you for your submission. However, I could not reproduce the issue with the latest Artemis setup.

                  It appears one of your McAfee Labs colleagues has already resolved the FP issue. Thanks for checking it out though.