6 Replies Latest reply on Aug 16, 2010 4:10 AM by Corne

    False positive on old Setup.exe files  DAT 6051-6057  W32/Autorun.worm.c

      McAfee VirusScan Enterprise 8.7.0i deleted a large number of setup.exe files on our server.


      Some of these files have been on our server for 10 years.

      They include old Oracle ODBC Drivers, and copies of recent IMF IFS install CD's.


      It appears to be a false positive that started with the dat 6051 version,

      and still exists with Today's 6057 version.


      McAfee thinks the .jpg and .chm files within the .exe's are W32/Autorun.worm.c .

      The common element seems to be that they were created with InstallShield.



      23/07/2010 7:27:04 AM  Engine version                          = 5400.1158
      23/07/2010 7:27:04 AM  AntiVirus   DAT version                 = 6051.0
      23/07/2010 7:27:04 AM  Number of detection signatures in EXTRA.DAT = None
      23/07/2010 7:27:04 AM  Names of detection signatures in EXTRA.DAT  = None


      23/07/2010 8:43:05 AM Deleted (Clean failed)  \IFS_Apr_2010\Setup.EXE\Setup.EXE\DOCUMENT.JPG    .EXE W32/Autorun.worm.c (Virus)


      23/07/2010 9:14:44 AM Deleted (Clean failed)  \ODBC250\WIN32\INSTALL\SETUP.EXE\DOCUMENT.CHM   .EXE W32/Autorun.worm.c (Virus)