6 Replies Latest reply on Apr 21, 2010 10:56 PM by bbi

    No response after False Positive submission



      I recently submitted two samples -- 5949534 and 5957310 of in-house developed software which our customers are telling us are being flagged by Mcafee.  The only response I have received from Mcafee is that the results were "inconclusive" and that someone would look into it.


      What's worse, is that it seems that it the latest versions of some Mcafee products, there is no way to set exclusions -- and the files in question are simply deleted from their location on the user's system.  Many of our users are switching to other AV products which do not exhibit this behavior, but we would like it not to be an issue at all.


      As you can imagine, this is causing a lot of pain, for both ourselves and our users, and we really need to get you to correct this as soon as possible.


      Could someone please help find the status of these submissions?  And the best way to make sure this doesn't happen in the future?


      Thank you very much!

        • 1. Re: No response after False Positive submission



          How did you submit the files? Sending them to webimmune will never get you an answer on a false without a support escalation.


          Either submit them via the customer submission page in service portal, or call support to have them raise an escalation.


          Hope this helps!



          • 2. Re: No response after False Positive submission

            Thank you very much for the response.


            I e-mailed the files to virus_research@avertlabs.com.


            I have pasted part of the response below, which sure indicates that they will be contacting me, although no one ever has  I don't own any Macafee products -- I am simply trying to stop them from mis-labeling software as trojans when they are not.


            Thank you very much!


            McAfee Labs - Beaverton                                                                
            Current Scan Engine Version:5400.1158                                                  
            Current DAT Version:5957.0000                                                          
            Thank you for your submission.                                                         
            Analysis ID: 5957310                                        
               Upon analysis the file submitted does not appear to contain one of the 200,000 known   
            threats in the AutoImmune database. The file may contain a new threat, or no code      
            capable of being infected. Your submission is being forwarded to an McAfee Labs        
            Researcher for further analysis. You will be contacted by McAfee through e-mail with   
            the results of that analysis.                                                          
            • 3. Re: No response after False Positive submission

              Dude, Like Sam said, GO to Mcafee Service Portal and log a case!


              In my experience, AVERT will definitely not entertain your query as anybody could be a member of AVERT and submit any suspicious files. BUT AVERT are not obliged to reply to each and every person who submitted a query / sample. If you want your submission to be checked and monitored. Go to the Service Portal (only MCAFEE customers can log-in) and log a case then an engineer will contact you and ask him/her to follow-up the submission that you made. Dont forget to include the AVERT analysis ID.

              • 4. Re: No response after False Positive submission

                Thanks for the reply, but I am not a Mcafee customer.  I am just trying to get them to stop incorrectly flagging my files.


                And, out of curiosity, why would they state in their response that I will be contacted by Mcafee with the results of their analysis.


                The bottom line is that Mcafee is incorrectly labeling some of our software as malicious; they should have an easy way to correct / prevent this.


                The whole False Positive thing has really gotten out of hand.

                • 5. Re: No response after False Positive submission

                  Thanks for the reply, but I am not a Mcafee customer

                  - Now we know why they aren't contacting you for status updates. Even i an enterprise customer who supports 8000 nodes are having a hard time during escalation and "follow-ups" before when we're submitting suspicious sample files.Because having an undetected malware is as painful as your false positive issue.


                  I am just trying to get them to stop incorrectly flagging my files.

                  - Well, most of the people here are from Mcafee Technical Support. Perhaps one of them will be kind enough to follow-up your query.

                  Although i disagree with you when you said the latest versions has no settings for EXCLUSIONS..i highly doubt that...im not sure with the consumer products as i am an enterprise user. And the one we're using even the oldest versions has settings for EXCLUSIONS. Our homegrown apps are all indicated on the exclusions to prevent false positives.

                  • 6. Re: No response after False Positive submission

                    Thanks again for your reply.  I hope you are right in that someone from Technical Support will follow up with me.


                    And I think you are right about the latest consumer products being the ones with the inability to add exceptions.  I am hearing this from users, who are familiar with setting exceptions.  If this is true this should DEFINITELY be changed.


                    Maybe I'll post this in the home products section as well.


                    Thanks again!