I am not a product expert but I have moved your post to our VirusScan Enterprise area. Hopefully someone can help you soon.
I'm now having the same type of issue with another script (ironically this script is supposed to repair broken McAfee installs). Is there a way that we can at least "white list" this script via EPO or something?
Can you please upload your On-Access log file so I can see how exactly it was detected?
It should be there: C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection
I copied all the data from the time I started seeing this issue. I also changed the name of the domain and the username.
You will see several lines like "Script execution blocked username PrimalScript.exe Script executed by PrimalScript.exe New Script (Virus)". Those appeared when I would simply try to edit the script within PrimalScript. I am guessing that it has something to do with the way the software keeps track of the "undo" data. I also tried with UltraEdit and had the same results when saving the script.
At one point I stopped the McShield service, saved the script, started the McShield service, and then tried running the script, and it didn't like that either. :-)
I'm not the guy who manages McAfee for our company, but I work pretty closely with the guy who does. So if you have any suggestions for "white listing" this script, or tweaking policies, I can pass them on (or just point him to this thread).
I'm also open to other possible ways to uninstall and reinstall the McAfee agent. My biggest challenge is trying to make sure that the reinstall happens after the removal and reboot. If we can do the reinstall without needing to reboot, that would help me work around the "NewScript.ext" issue too.
I can see in your logs two types of detections.
1-) Detections made by the ScriptScan component, specific for scripts:
12/20/2010 2:21:44 PM Script execution blocked username PrimalScript.exe Script executed by PrimalScript.exe New Script (Virus)
12/21/2010 11:29:22 AM Script execution blocked username WScript.exe("C:\WINDOWS\System32\WScript.exe" "\\DOMAIN\eb\eco\mike\vb scripts\McAfeeRepair\McAfeeRepair.vbs" ) Script executed by WScript.exe New Script (Virus)
2-) Detections made by the normal On-Access scanner (the one that scans for malware in general):
12/20/2010 2:20:16 PM Deleted (Clean failed because the detection isn't cleanable) DOMAIN\username C:\Program Files\SAPIEN Technologies, Inc\PrimalScript 2009\PrimalScript.exe C:\Documents and Settings\username\My Local Data\Working\McAfeeRepair\McAfeeRepair.vbs New Script (Virus)
I would proceed as follows:
1-) I'd exclude this script temporarily. To exclude this script you can use the KBs below:
2-) Also you should exclude the file itself named McAfeeRepair.vbs from the OAS. Instructions can be found here:
After performing the procedures above you should no longer see detections when running this script.
Then I'd submit this script to McAfee Labs for analysis. You will have to zip the script with a password "infected" and then submit via email@example.com or via service portal (service portal would be better). After that, raise a call to tech support and let them know about your analysis ID (you will receive it after submitting your file to McAfee Labs). They will help you with the escalation procedure with McAfee Labs. After analyzing your script they might give you a negative extra.dat or a more detailed analysis about what's going on.
Hope this helps.
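Added example, not part of the original reply and not McAfee code: a small Python triage that separates the two detection types described above, using the three log lines quoted in the thread as constructed input. The field layout is an assumption inferred from those lines (the real log's delimiter is not shown in the thread), and the function and field names are hypothetical.

```python
import re

# Constructed input: the three log lines quoted in the reply above, with
# fields separated by single spaces as they appear in the thread.
SAMPLE_LOG = r'''12/20/2010 2:21:44 PM Script execution blocked username PrimalScript.exe Script executed by PrimalScript.exe New Script (Virus)
12/21/2010 11:29:22 AM Script execution blocked username WScript.exe("C:\WINDOWS\System32\WScript.exe" "\\DOMAIN\eb\eco\mike\vb scripts\McAfeeRepair\McAfeeRepair.vbs" ) Script executed by WScript.exe New Script (Virus)
12/20/2010 2:20:16 PM Deleted (Clean failed because the detection isn't cleanable) DOMAIN\username C:\Program Files\SAPIEN Technologies, Inc\PrimalScript 2009\PrimalScript.exe C:\Documents and Settings\username\My Local Data\Working\McAfeeRepair\McAfeeRepair.vbs New Script (Virus)
'''

TS = r"(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)"
# ScriptScan: "Script execution blocked <user> <host>[(<command line>)] ..."
SCRIPTSCAN = re.compile(
    TS + r" Script execution blocked (?P<user>\S+) (?P<host>\S+?\.exe)"
    r"(?:\((?P<cmd>.*)\))? Script executed by \S+ (?P<name>.+)$")
# On-Access: "<action> [(<reason>)] <user> <process path> <file path> <name>"
ON_ACCESS = re.compile(
    TS + r" (?P<action>\w+)(?: \((?P<reason>[^)]*)\))? (?P<user>\S+)"
    r" (?P<host>[A-Za-z]:\\.+?\.exe)"
    r" (?P<target>(?:[A-Za-z]:\\|\\\\).+?\.\w+) (?P<name>.+)$")


def classify(line):
    """Return a dict describing one detection line, or None if unrecognised."""
    m = SCRIPTSCAN.match(line)
    if m:
        # The script path, when logged, is the last quoted command-line argument.
        args = re.findall(r'"([^"]+)"', m.group("cmd") or "")
        return {"component": "ScriptScan", "host": m.group("host"),
                "target": args[-1] if len(args) > 1 else None,
                "name": m.group("name")}
    m = ON_ACCESS.match(line)
    if m:
        return {"component": "OnAccess", "action": m.group("action"),
                "host": m.group("host").rsplit("\\", 1)[-1],
                "target": m.group("target"), "name": m.group("name")}
    return None


def triage(log_text):
    """Classify every non-empty line; unrecognised lines are kept for review."""
    hits, unknown = [], []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        rec = classify(line)
        (hits if rec else unknown).append(rec or line)
    return hits, unknown


if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG)[0]:
        print(rec["component"], rec["host"], "->", rec["target"])
```

Grouping the output by component shows which of the two exclusions from the reply each detection falls under; lines that match neither pattern are returned separately rather than dropped.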
Thanks for taking a look at it for me Bruno.
I will give it a try.