I like the new red colouring for "Suspected Dirty" files. Here's an example I saw today:
ASSUMED_DIRTY 9fc816ce4ddcd5edf5d71e3137894bfe C:\Documents and Settings\All Users\Application Data remove.exe AH 49,878 09/13/2010 11:52 03/30/2009 07:50 Process
And yes, it was a threat that was currently undetected by McAfee production dats (although an extra.dat was created in seconds after I submitted it ... presume it's already a known threat).
Glad you like it
The sample was detected in the beta dats at the time of submission.
Got this suspicious detection after running getsusp 184.108.40.206:
Status MD5 Location File Name Attribute Company Description Product Version File Version File Size Creation Date Modification Date Type Scan Error
UNKNOWN dc2a833082802b59500d4639ed7708f9 C:\Program Files (x86)\McAfee\Common Framework boost_thread-vc80-mt-1_32.dll A 65,536 10/15/2010 16:05 10/15/2010 16:05 Module
And this (unknown files):
UNKNOWN 09db1bbed520315e38c86c1eed7138e9 C:\Program Files\McAfee\Endpoint Encryption Agent MfeEpeCoreEncryptionPlugin.dll A McAfee Endpoint Encryption Core Encryption Plugin 1, 0, 2, 2 1, 0, 2, 2 1,916,928 08/19/2010 11:35 08/19/2010 11:35 Module
UNKNOWN 41936b8eae023d8dde73d22471e98f38 C:\Program Files\McAfee\Endpoint Encryption Agent MfeEpeEpoPlugin.dll A McAfee Endpoint Encryption ePO Plugin 1, 0, 2, 2 1, 0, 2, 2 2,334,720 08/19/2010 11:40 08/19/2010 11:40 Module
UNKNOWN 248320e7ea0bc21a5e98607a1213a8ea C:\Program Files\McAfee\Endpoint Encryption Agent MfeEpeHost.exe A McAfee Endpoint Encryption Agent Host Service 1, 0, 2, 2 1, 0, 2, 2 1,216,512 08/19/2010 11:33 08/19/2010 11:33 Process
UNKNOWN dddeccd0c694aa4bd12002c3cce0271a C:\Program Files\McAfee\Endpoint Encryption Agent MfeEpeHostInterface.dll A McAfee Endpoint Encryption Agent Host Interface 1, 0, 2, 2 1, 0, 2, 2 126,976 08/19/2010 11:31 08/19/2010 11:31 Module
UNKNOWN 1437823d660b557309b16465dc8ae17c C:\Program Files\McAfee\Endpoint Encryption Agent MfeEpeProductDetectionPlugin.dll A McAfee Endpoint Encryption Product Detection Plugin 1, 0, 2, 2 1, 0, 2, 2 1,814,528 08/19/2010 11:36 08/19/2010 11:36 Module
UNKNOWN f7e023ceb92bd1ce6e35195e15adee86 C:\Program Files\McAfee\Endpoint Encryption for PC v6 EpePcEncryptionProviderPlugin.dll A McAfee Endpoint Encryption Encryption Provider Plugin 6, 0, 2, 6 6, 0, 2, 6 2,494,464 10/04/2010 11:41 10/04/2010 11:41 Module
UNKNOWN 1454b596415db57aa92277c987c9997a C:\Program Files\McAfee\Endpoint Encryption for PC v6 EpePcMonitor.exe A McAfee Endpoint Encryption Encryption Monitor 6, 0, 2, 6 6, 0, 2, 6 200,704 10/04/2010 11:41 10/04/2010 11:41 Process
Doesn't McAfee know its own files?
Thanks for reporting. They've been validated and whitelisted.
I have also previously reported McAfee files being listed as unknown. Why does it take your customers reporting this to get them whitelisted? Doesn't McAfee proactively identify McAfee files? This I hope is a little embarrassing for McAfee so that McAfee gets its own house in order.
Could the following unknown files also be whitelisted?
Status MD5 Location File Name Attribute Company Description Product Version File Version File Size Creation Date Modification Date Type
UNKNOWN 9a4c4af833512f42a2011035afe9a09c C:\program files (x86)\filezilla ftp client filezilla.exe A FileZilla Project FileZilla FTP Client 3, 3, 4, 1 3, 3, 4, 1 7,588,864 08/16/2010 00:08 08/16/2010 00:08 Windows-Firewall
UNKNOWN 722f5357c7355535591d5604d1973fff C:\Program Files\McAfee\Endpoint Encryption Agent EpeTrayPlugin.dll A McAfee, Inc. McAfee Endpoint Encryption ePO Tray Plugin 1, 0, 2, 2 1, 0, 2, 2 1,220,608 08/19/2010 11:44 08/19/2010 11:44 Module
Sure. They've been validated and whitelisted.
On a related note, we are developing a tool christened GetClean which is an initiative to collect and upload clean files from software vendors and large customers for purposes of mass whitelisting.
Samples and their meta data currently unclassified in our database would be uploaded to McAfee using the GetClean tool that customers can deploy to submit information on their clean file repositories. Customers will have the option to submit only meta data or sample + meta data to McAfee Labs. After validation and scrutiny, McAfee’s SampleDB is then populated with meta data about these clean samples and the harvested intel can be shared across McAfee Labs tools and systems.
We'll be reaching out to regular users of GetSusp/Artemis initially to help improve our whitelisting. The benefits for customers to trial this are:
1. By whitelisting files in your environment, we prevent future Artemis or DAT false happening on COE images.
2. In the event of an infection - whenever the GetSusp tool is run, only foreign, malware or newly introduced files on machines will come up in their report and can be easily spotted.
3. While using GetSusp, noise/clean files from an infected machine won't get submitted to McAfee Labs.
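As an added illustration of the local-allowlist triage point 2 describes (this is not GetSusp's or GetClean's own code): parse a GetSusp report, drop rows whose MD5 is already in a known-good set, and surface the remaining ASSUMED_DIRTY/UNKNOWN rows. The tab-delimited export format, the `LOCAL_ALLOWLIST` contents and the `triage` helper are assumptions; the sample rows are re-typed from this thread.

```python
import csv
import io
from dataclasses import dataclass

# Column order as printed in the GetSusp report headers quoted in this thread.
COLUMNS = ["Status", "MD5", "Location", "File Name", "Attribute", "Company",
           "Description", "Product Version", "File Version", "File Size",
           "Creation Date", "Modification Date", "Type", "Scan Error"]

# Constructed sample report: rows from the thread re-typed as tab-separated
# text (the tab delimiter is an assumption about the export format).
SAMPLE_REPORT = "\t".join(COLUMNS) + "\n" + "\n".join([
    "ASSUMED_DIRTY\t9fc816ce4ddcd5edf5d71e3137894bfe\tC:\\Documents and Settings\\All Users\\Application Data"
    "\tremove.exe\tAH\t\t\t\t\t49,878\t09/13/2010 11:52\t03/30/2009 07:50\tProcess\t",
    "UNKNOWN\t248320e7ea0bc21a5e98607a1213a8ea\tC:\\Program Files\\McAfee\\Endpoint Encryption Agent"
    "\tMfeEpeHost.exe\tA\tMcAfee\tEndpoint Encryption Agent Host Service\t1, 0, 2, 2\t1, 0, 2, 2"
    "\t1,216,512\t08/19/2010 11:33\t08/19/2010 11:33\tProcess\t",
    "UNKNOWN\t9a4c4af833512f42a2011035afe9a09c\tC:\\program files (x86)\\filezilla ftp client"
    "\tfilezilla.exe\tA\tFileZilla Project\tFileZilla FTP Client\t3, 3, 4, 1\t3, 3, 4, 1"
    "\t7,588,864\t08/16/2010 00:08\t08/16/2010 00:08\tWindows-Firewall\t",
])

# Hypothetical local allowlist keyed by MD5, e.g. built from a known-good COE image.
LOCAL_ALLOWLIST = {"248320e7ea0bc21a5e98607a1213a8ea"}


@dataclass
class Finding:
    status: str
    md5: str
    path: str


def parse_report(text):
    """Read the tab-separated report into one dict per row, keyed by header."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def triage(text, allowlist):
    """Return rows still needing review: suspicious status and not locally allowlisted."""
    findings = []
    for row in parse_report(text):
        md5 = row["MD5"].lower()
        if md5 in allowlist:
            continue  # already validated in this environment, skip the noise
        if row["Status"] in ("ASSUMED_DIRTY", "UNKNOWN"):
            findings.append(Finding(row["Status"], md5, row["Location"] + "\\" + row["File Name"]))
    # Show ASSUMED_DIRTY before UNKNOWN so the analyst sees the riskiest rows first.
    findings.sort(key=lambda f: 0 if f.status == "ASSUMED_DIRTY" else 1)
    return findings
```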