7 Replies Latest reply on Dec 22, 2010 6:58 PM by bcaseiro

    New Script.ext?

    mkmcgui5

      I have a script that I have written to update Java each time a new update is available.  The script enumerates the HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall keys to find all installed versions of Java and then it removes the old versions before installing the new versions.

      As I save this script, the McAfee agent detects it as a New Script.ext threat and deletes my file.

      Is there anything that I can do to keep this from happening?

        • 1. Re: New Script.ext?

          I am not a product expert but I have moved your post to our VirusScan Enterprise area. Hopefully someone can help you soon.

          • 2. Re: New Script.ext?
            mkmcgui5

            I'm now having the same type of issue with another script (ironically this script is supposed to repair broken McAfee installs).  Is there a way that we can at least "white list" this script via EPO or something?

            • 3. Re: New Script.ext?

              Hello,

               

              Can you please upload your On-Access log file so I can see how exactly it was detected?

               

              It should be there: C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection

               

              Regards,
              Bruno

              • 4. Re: New Script.ext?
                mkmcgui5

                Hi Bruno,

                     I copied all the data from the time I started seeing this issue.  I also changed the name of the domain and the username.

                You will see several lines like "Script execution blocked  username PrimalScript.exe Script executed by PrimalScript.exe New Script (Virus)".  Those appeared when I would simply try to edit the script within PrimalScript.  I am guessing that it has something to do with the way the software keeps track of the "undo" data.  I also tried with UltraEdit and had the same results when saving the script.

                At one point I stopped the McShield service, saved the script, started the McShield service, and then tried running the script, and it didn't like that either.  :-)

                 

                I'm not the guy who manages McAfee for our company, but I work pretty closely with the guy who does.  So if you have any suggestions for "white listing" this script, or tweaking policies, I can pass them on (or just point him to this thread).

                I'm also open to other possible ways to uninstall and reinstall the McAfee agent.  My biggest challenge is trying to make sure that the reinstall happens after the removal and reboot.  If we can do the reinstall without needing to reboot, that would help me work around the "NewScript.ext" issue too.

                • 5. Re: New Script.ext?

                  Hello Mkmcgui5,

                   

                  I can see in your logs two types of detections.


                  1-) Detections made by the ScriptScan component, specific for scripts:

                  12/20/2010 2:21:44 PM Script execution blocked  username PrimalScript.exe Script executed by PrimalScript.exe New Script (Virus)

                   

                  12/21/2010 11:29:22 AM Script execution blocked  username WScript.exe("C:\WINDOWS\System32\WScript.exe" "\\DOMAIN\eb\eco\mike\vb scripts\McAfeeRepair\McAfeeRepair.vbs" ) Script executed by WScript.exe New Script (Virus)

                   

                  2-) Detections made by the normal On-Access scanner (the one that scans for malware in general):

                  12/20/2010 2:20:16 PM Deleted (Clean failed because the detection isn't cleanable)  DOMAIN\username C:\Program Files\SAPIEN Technologies, Inc\PrimalScript 2009\PrimalScript.exe C:\Documents and Settings\username\My Local Data\Working\McAfeeRepair\McAfeeRepair.vbs New Script (Virus)

                   

                  I would proceed as follows:

                  1-) I'd exclude this script temporarily. To exclude this script you can use the KBs below:

                  https://kc.mcafee.com/corporate/index?page=content&id=KB60263&actp=search&viewlocale=en_US&searchid=1293036269170

                  https://kc.mcafee.com/corporate/index?page=content&id=KB65382&actp=search&viewlocale=en_US&searchid=1293036269170

                   

                  2-) Also you should exclude the file itself named McAfeeRepair.vbs from the OAS. Instructions can be found here:

                  https://kc.mcafee.com/corporate/index?page=content&id=KB50998&actp=search&viewlocale=en_US&searchid=1293036953802

                   

                  After performing the procedures above you should no longer see detections when running this script.

                   

                  Then I'd submit this script to McAfee labs for analysis. You will have to zip the script with a password "infected" and then submit via virus_research@mcafeelabs.com or via service portal (service portal would be better). After that, raise a call to tech support and let them know about your analysis ID (you will receive it after submitting your file to McAfee Labs). They will help you with the escalation procedure with McAfee Labs. After analyzing your script they might give you a negative extra.dat or a more detailed analysis about what's going on.

                   

                  Hope this helps.


                  Regards,

                  Bruno
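
An added example, not part of the reply above and not McAfee tooling: a small Python triage of the log lines quoted in that reply, grouping each detection by the component that logged it and extracting the script path, so the two exclusions can be checked against what was actually detected. It assumes the line layout as it appears on this page and recognizes only the two action strings seen in this thread; `triage` and `script_names` are hypothetical helper names.

```python
import ntpath
import re
from collections import defaultdict

# The three log lines quoted in the reply above, as they appear on this page.
SAMPLE_LOG = r'''12/20/2010 2:21:44 PM Script execution blocked  username PrimalScript.exe Script executed by PrimalScript.exe New Script (Virus)
12/21/2010 11:29:22 AM Script execution blocked  username WScript.exe("C:\WINDOWS\System32\WScript.exe" "\\DOMAIN\eb\eco\mike\vb scripts\McAfeeRepair\McAfeeRepair.vbs" ) Script executed by WScript.exe New Script (Virus)
12/20/2010 2:20:16 PM Deleted (Clean failed because the detection isn't cleanable)  DOMAIN\username C:\Program Files\SAPIEN Technologies, Inc\PrimalScript 2009\PrimalScript.exe C:\Documents and Settings\username\My Local Data\Working\McAfeeRepair\McAfeeRepair.vbs New Script (Virus)
'''

LINE_RE = re.compile(r'(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+(.*)')
# A drive or UNC path ending in .vbs. The lookahead keeps the match from
# swallowing an earlier path (the editor's .exe) that precedes the script.
SCRIPT_RE = re.compile(r'((?:[A-Za-z]:\\|\\\\)(?:(?![A-Za-z]:\\)[^"])*?\.vbs)', re.I)

# Assumption: only the two action strings seen in this thread are recognized.
COMPONENTS = (("Script execution blocked", "ScriptScan"),
              ("Deleted", "On-Access scanner"))

def triage(log_text):
    """Group timestamped detections by the component that logged them."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a timestamped log entry
        when, rest = m.groups()
        component = next((name for prefix, name in COMPONENTS
                          if rest.startswith(prefix)), "other")
        script = SCRIPT_RE.search(rest)
        groups[component].append((when, script.group(1) if script else None))
    return dict(groups)

def script_names(groups):
    """Distinct script file names across all detections (Windows path rules)."""
    return {ntpath.basename(path)
            for entries in groups.values() for _, path in entries if path}

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for component, entries in result.items():
        print(component)
        for when, path in entries:
            print("  ", when, path or "(no script path logged)")
    print("file names to review for exclusion:", script_names(result))
```

On these lines the same script shows up under two different locations, a UNC share and a local working folder, which is worth knowing before choosing between a path-based and a name-based exclusion.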

                  • 6. Re: New Script.ext?
                    mkmcgui5

                    Thanks for taking a look at it for me Bruno.

                    I will give it a try.

                     

                    Thanks,

                    Mike

                    • 7. Re: New Script.ext?

                      You're welcome.