2 Replies Latest reply on Feb 7, 2011 1:33 PM by pettel

    False positive: Artemis!A64384C593E7

      I wanted to upload my sample via your website (https://mysupport.mcafee.com/Eservice/Default.aspx),

      but I need a "Grant#" to register as a new user - so this is not possible!

       

      I then tried to email the sample to you. As McAfee suggested, I put the file into a password-protected

      zip archive (password: infected) and attached it to my email. But this also failed!!

       

      ######################################################################################

      Hi. This is the qmail-send program at mailout-de.gmx.net.
      I'm afraid I wasn't able to deliver your message to the following addresses.
      This is a permanent error; I've given up. Sorry it didn't work out.

       

      <virus_research@mcafee.com>:
      67.97.80.205_failed_after_I_sent_the_message./Remote_host_said:_550_Denied_by_policy./

       

      --- Below this line is a copy of the message.

       

      Return-Path: <######.#######@#####.##>

      ...

      ...

      ...

      ######################################################################################

       

      The message was probably too long (~18MB). But there is no hint about the maximum size of an email

      (http://www.mcafee.com/us/mcafee-labs/resources/how-to-submit-sample.aspx).

       

      So I wrote an email that contained a link to the file - and got exactly ZERO response.

       

      This is a link to the file, that triggers the false alarm.

       

      Please update your scan-engine and improve the support experience. It should be possible for

      software developers to do a web-upload.

       

      The "Artemis Technology" looks very odd to me. When I first uploaded the new version of our software

      that uses software protection to VirusTotal, there were only 2 scan-engines that produced false positives.

      But 1-2 days later, there were a lot more scan-engines with false positive alarms. Since the file was

      not linked anywhere on the web, it's obvious that VirusTotal sells the hashes of files that are detected by

      some virus scanners - probably by a faulty heuristic scan - to the vendors of other virus scanners.

      Then these vendors include the - probably faulty - hashes in their "virus" database.

       

      Since I want to spend my time improving our software and not dealing with AV-companies and

      malware-list-people, it would be helpful to be added to a whitelist. We use a Verisign class 3 certificate -

      so that should be pretty easy to do.

       

      regards

       

      pettel