8 Replies Latest reply on Sep 4, 2010 3:00 AM by alexei

    OCSlogon.exe - false positive after the last update

      Can you confirm that?

      I mean, can McAfee confirm that the latest update falsely recognizes the valid file OCSlogon.exe as a "generic downloader" trojan? It's a 3-year-old installation utility from "OCS Inventory" http://www.ocsinventory-ng.org/

        • 1. Re: OCSlogon.exe - false positive after the last update

          Please let us know the details of the file that you are trying to download from http://www.ocsinventory-ng.org/, and also the version details of the McAfee programs that you have installed on the computer.

          • 2. Re: OCSlogon.exe - false positive after the last update

            I am experiencing the same problem. My scanner .dat is from Aug 30th; the same problem happened with yesterday's .dat.

            To reproduce the problem, download version 1.02RC2 of the OCSNG windows client from sourceforge (OCSNG_WINDOWS_AGENT_1.02_RC2.zip / go to http://www.ocsinventory-ng.org/index.php?page=old-release and click on "OCS Inventory NG File releases") and scan the contents. This produces a trojan alarm for OcsLogon.exe contained in the .zip file.

             

            The version number of the executables inside the .zip is 4.0.4.8

             

            Please advise if this is a false alarm.

            • 3. Re: OCSlogon.exe - false positive after the last update

              I just downloaded the OCS exe file on my computer and everything seems to be fine, so please check the version details of your McAfee programs and, if they are not up to date, please check for updates and then check the status.

               


              • 4. Re: OCSlogon.exe - false positive after the last update

                Aldrin, you checked OCS.exe, though Kyle referred you to OCSlogon.exe from OCSNG_WINDOWS_AGENT_1.02_RC2.zip.

                You should download OCSNG_WINDOWS_AGENT_1.02_RC2.zip, not OCS.exe.


                 

                 

                Message was edited by: alexei on 9/1/10 1:08:53 AM CDT

                • 5. Re: OCSlogon.exe - false positive after the last update

                  Note that, as I already wrote in my previous message, the problem occurs with a certain version of the Windows client. Apparently, what you downloaded was the server!

                  Again, please check version 1.02RC2 of the windows client. Download OCSNG_WINDOWS_AGENT_1.02_RC2.zip and check the contents.

                  To be sure, here are some md5sums:

                   

                  4f62d6d11481cda2239d18d964b9aee9 *OCSNG_WINDOWS_AGENT_1.02_RC2.zip

                  c3efadb668a034658f90687e954794d3 *OcsLogon.exe
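
Added example (not part of the thread and not McAfee or OCS Inventory code): one way to confirm that a downloaded archive and the OcsLogon.exe inside it are the same bytes the poster hashed, before comparing scan results. Only the two MD5 values come from the post; the stand-in archive, its folder name and the function names are constructed for illustration.

```python
import hashlib
import io
import zipfile

POSTED_MD5 = {  # MD5 values quoted in post 5 of this thread
    "OCSNG_WINDOWS_AGENT_1.02_RC2.zip": "4f62d6d11481cda2239d18d964b9aee9",
    "OcsLogon.exe": "c3efadb668a034658f90687e954794d3",
}
CONSTRUCTED_MEMBER = b"MZ constructed stand-in, not the real OcsLogon.exe"

def md5_stream(fh, chunk=1 << 16):
    """Hash a binary file object in chunks so large files are not read whole."""
    digest = hashlib.md5()
    for block in iter(lambda: fh.read(chunk), b""):
        digest.update(block)
    return digest.hexdigest()

def compare_sample(fh, archive_name, expected):
    """Return {name: (md5 or None, matches)} for the archive and listed members."""
    # Members are matched by base name, ignoring case and folder, because the
    # thread spells the file both OCSlogon.exe and OcsLogon.exe.
    fh.seek(0)
    actual = md5_stream(fh)
    results = {archive_name: (actual, actual == expected.get(archive_name))}
    with zipfile.ZipFile(fh) as zf:
        members = {i.filename.rsplit("/", 1)[-1].lower(): i
                   for i in zf.infolist() if not i.is_dir()}
        for name, want in expected.items():
            if name == archive_name:
                continue
            info = members.get(name.lower())
            if info is None:
                results[name] = (None, False)  # listed file is not in the archive
                continue
            with zf.open(info) as member:
                actual = md5_stream(member)
            results[name] = (actual, actual == want)
    return results

def build_constructed_zip():
    """Constructed archive so the example runs offline; the folder name is made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("agent/OcsLogon.exe", CONSTRUCTED_MEMBER)
    return buf.getvalue()

if __name__ == "__main__":
    sample = io.BytesIO(build_constructed_zip())
    for name, (md5, ok) in compare_sample(sample, "OCSNG_WINDOWS_AGENT_1.02_RC2.zip", POSTED_MD5).items():
        print("OK      " if ok else "MISMATCH", md5, name)
```

Run against the constructed archive it reports a mismatch for both names; pass an open handle to the real download instead to check it against the posted values.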

                  • 6. Re: OCSlogon.exe - false positive after the last update

                    Oh ok, will check it out and let you know...

                    • 7. Re: OCSlogon.exe - false positive after the last update
                      Dinz

                      Hello there,

                       

                      When a file is scanned, VirusScan compares it to known threats. VirusScan also uses heuristic techniques to detect unusual behavior. When a file cannot be matched to a known threat, but exhibits unusual and possibly threatening behavior, VirusScan utilizes Artemis technology to evaluate the threat of the unknown file. If the file is deemed unsafe, VirusScan will quarantine the file to protect your computer.

                       

                      If you feel that VirusScan has incorrectly quarantined a file you know to be safe, you can recover that file using the steps below.


                      Email: All files submitted via email must be packaged in a .ZIP archive. The archive must be less than 3 megabytes in size and can contain no more than 30 files. Additionally, you must password-protect the archive with the password infected. Failure to follow these guidelines will cause your submission to be rejected.

                       

                      NOTE: If you are submitting a Spyware sample, the subject of the email must be MAS Content.

                      Email submissions should be sent to virus_research@avertlabs.com. If you submit a sample via email, include the additional information below to help speed the sample review process:

                       


                      > A list of all files contained in the sample submission, including a brief description of where or how the files were found.
                      > What symptoms cause you to suspect that your computer is infected.
                      > Whether any products detected a virus or spyware (version number, company, virus/spyware name given).
                      > Your McAfee Product information (Product, Engine and DAT versions).
                      > System details that may be relevant (Operating System, Service Packs).
                      > Your name, company name, phone number and email address if possible.

                       

                       

                      Regards,

                      Dinesh K

                      McAfee Online Community Moderator
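
Added example (not McAfee's tooling and not part of the post above): a pre-send check of a sample archive against the e-mail submission rules quoted in that post, namely a .ZIP under 3 megabytes, at most 30 files, and password protection. It assumes 1 megabyte means 2**20 bytes; the function names and the test archive are constructed.

```python
import io
import zipfile

MAX_BYTES = 3 * 1024 * 1024  # "less than 3 megabytes"; 1 MB = 2**20 bytes is assumed
MAX_FILES = 30               # "no more than 30 files"
ENCRYPTED = 0x1              # ZIP general-purpose flag bit 0: entry is encrypted

def check_submission(zip_bytes):
    """Return the list of rule violations for a sample archive; empty means it passes."""
    problems = []
    if len(zip_bytes) >= MAX_BYTES:
        problems.append(f"archive is {len(zip_bytes)} bytes, must be under {MAX_BYTES}")
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            files = [i for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        return problems + ["not a readable .ZIP archive"]
    if not files:
        problems.append("archive contains no files")
    if len(files) > MAX_FILES:
        problems.append(f"{len(files)} files, limit is {MAX_FILES}")
    # The flag only shows that a password was set; it cannot show which one.
    # Python's zipfile cannot write encrypted entries, so build the archive
    # with an archiver that can and use this function as a check before sending.
    clear = [i.filename for i in files if not i.flag_bits & ENCRYPTED]
    if clear:
        problems.append(f"{len(clear)} unencrypted entries, first: {clear[0]}")
    return problems

def constructed_zip(count):
    """Constructed, unencrypted test archive holding `count` one-byte files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in range(count):
            zf.writestr(f"sample_{n}.bin", b"x")
    return buf.getvalue()

if __name__ == "__main__":
    for problem in check_submission(constructed_zip(31)):
        print("REJECT:", problem)
```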

                      • 8. Re: OCSlogon.exe - false positive after the last update

                        "When a file is scanned, VirusScan compares it to known threats."

                        The problem is that after the update VirusScan stopped comparing correctly. As a result, an old healthy file began being recognized as a Trojan. That's a bug that is supposed to be fixed ASAP.

                         

                        "VirusScan also uses heuristic techniques to detect unusual behavior."

                        I don't think heuristics are involved here, but even if they are, it's only the new version that makes a mistake. The file was scanned many times and it was OK with McAfee for at least a year.