9 Replies Latest reply on May 24, 2011 9:38 AM by Nitin Kumar

    Encrypted file vs. trojan

      I am trialling encryption software called Advanced Encryption Package Professional v. 5.51 ('AEPPRO') which creates self-extracting files. These files have a double extension which McAfee detects as a trojan, and McAfee then quarantines my files. I have tried McAfee support (five times) and sent the files to their labs for testing, which confirms that my files are trojans and... well, that's it; I don't seem to be able to tell anyone that it's not a trojan, it's a file that I created and want. Question: is it a trojan? I don't think so, as the software AEPPRO is widely available and I downloaded my trial from cnet.com. I have successfully created the encrypted file on a USB stick and transferred it to another computer, from which I have been able to open and unlock the file successfully, but that computer has other virus protection, not McAfee. Has anyone else used AEPPRO and successfully solved this issue? Because McAfee don't seem to be able to.

        • 1. Re: Encrypted file vs. trojan
          Peacekeeper

          Will point someone here as this is deeper than we go.

           

          Usually when they reply, you reply to that email adding "False detection" and the name of the detection.

          In the email body add: "Please review as I think this is a false detection."

           

          I have PM'd an engineer

           

          Message was edited by: Peacekeeper on 20/05/11 7:23:45 PM
          • 2. Re: Encrypted file vs. trojan
            Nitin Kumar

            Hi,

             

            Could you please post the sample ID here which you have submitted to McAfee.

             

            Regards,

            Nitin

            • 3. Re: Encrypted file vs. trojan

              McAfee Labs - Beaverton

              Current Scan Engine Version:5400.1158

              Current DAT Version:6350.0000

              Thank you for your submission.

               

              Analysis ID: 6635584

              Name | Findings | Detection | Type | Extra
              briony gadget helpline.pdf.exe | current detection | generic malware.ck | Trojan | no

               

              current detection [ briony gadget helpline.pdf.exe ]

              The file submitted is malware that can be detected with current DAT files. It is recommended that you update your DAT and engine files and scan your computer again.

               

               

              Regards,

               

               

               

              McAfee Labs

              • 4. Re: Encrypted file vs. trojan
                Hayton

                Malware writers use the double-extension trick to get users to click on a malicious download. If the hide-extensions flag is set - or if an initial exploit sets it - all the user sees is an innocent pdf or doc file. When the file is opened the executable runs and executes the malware. What your encryption software is producing bears all the hallmarks of malware, so if other vendors are giving the files the all-clear perhaps the McAfee testing needs to be tweaked to analyse the file contents more thoroughly.

                 

                As a test, I suggest you upload a couple of files to VirusTotal and see how many AV vendors flag them as suspect.
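An added example (my own code, not from this thread, McAfee or VirusTotal) of the defender-side check this post describes: flag file names whose real, last extension is executable while an earlier extension is a document or image type that the user would see with known extensions hidden. The extension lists and sample names are my own assumptions.

```python
import ntpath
from typing import Dict, List, Optional, Tuple

# Extensions Windows runs directly on double-click (assumed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".vbs", ".js", ".jse", ".wsf", ".hta", ".msi"}
# Extensions a user expects to be passive data (assumed list).
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
              ".txt", ".rtf", ".jpg", ".jpeg", ".png", ".gif", ".zip", ".mp3"}


def double_extension_finding(filename: str) -> Optional[str]:
    """Return a short finding if the name masquerades as a document, else None.

    Mirrors the trick described in the thread: the last extension decides how
    Windows opens the file, while an earlier one is what the user sees when
    'hide extensions for known file types' is on. Case-insensitive; accepts
    Windows or POSIX paths.
    """
    base = ntpath.basename(filename)
    parts = base.lower().split(".")
    if len(parts) < 3:                       # need at least name.decoy.exe
        return None
    real_ext = "." + parts[-1]
    if real_ext not in EXECUTABLE_EXTS:
        return None
    decoys = ["." + p for p in parts[1:-1] if "." + p in DECOY_EXTS]
    if not decoys:
        return None
    shown_as = base[: base.lower().rfind(real_ext)]   # name with real ext hidden
    return f"{base!r} runs as {real_ext} but displays as {shown_as!r}"


def scan_names(names: List[str]) -> Tuple[Dict[str, str], List[str]]:
    """Apply the check to a list of names; returns (flagged -> reason, clean)."""
    flagged: Dict[str, str] = {}
    for name in names:
        reason = double_extension_finding(name)
        if reason:
            flagged[name] = reason
    clean = [n for n in names if n not in flagged]
    return flagged, clean


if __name__ == "__main__":
    # Constructed sample names (no real files); the first mirrors the thread's case.
    sample = ["Briony Gadget Helpline.pdf.exe", "report.docx", "setup.exe",
              "photo.jpg.scr", "archive.tar.gz", "notes.txt.js"]
    flagged, clean = scan_names(sample)
    for why in flagged.values():
        print("SUSPECT:", why)
    print("clean:", clean)
```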

                • 5. Re: Encrypted file vs. trojan

                  0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.

                  File name: Briony Gadget Helpline.pdf.exe
                  Submission date: 2011-05-20 18:17:01 (UTC)
                  Result: 0/42 (0.0%)
                  VT Community: not reviewed, Safety score: -


                  Antivirus | Version | Last Update | Result
                  AhnLab-V3 | 2011.05.21.00 | 2011.05.20 | -
                  AntiVir | 7.11.8.85 | 2011.05.20 | -
                  Antiy-AVL | 2.0.3.7 | 2011.05.20 | -
                  Avast | 4.8.1351.0 | 2011.05.20 | -
                  Avast5 | 5.0.677.0 | 2011.05.20 | -
                  AVG | 10.0.0.1190 | 2011.05.20 | -
                  BitDefender | 7.2 | 2011.05.20 | -
                  CAT-QuickHeal | 11.00 | 2011.05.20 | -
                  ClamAV | 0.97.0.0 | 2011.05.20 | -
                  Commtouch | 5.3.2.6 | 2011.05.20 | -
                  Comodo | 8772 | 2011.05.20 | -
                  Emsisoft | 5.1.0.5 | 2011.05.20 | -
                  eSafe | 7.0.17.0 | 2011.05.19 | -
                  eTrust-Vet | 36.1.8338 | 2011.05.20 | -
                  F-Prot | 4.6.2.117 | 2011.05.20 | -
                  F-Secure | 9.0.16440.0 | 2011.05.20 | -
                  Fortinet | 4.2.257.0 | 2011.05.20 | -
                  GData | 22 | 2011.05.20 | -
                  Ikarus | T3.1.1.104.0 | 2011.05.20 | -
                  Jiangmin | 13.0.900 | 2011.05.20 | -
                  K7AntiVirus | 9.103.4693 | 2011.05.20 | -
                  Kaspersky | 9.0.0.837 | 2011.05.20 | -
                  McAfee | 5.400.0.1158 | 2011.05.20 | -
                  McAfee-GW-Edition | 2010.1D | 2011.05.20 | -
                  Microsoft | 1.6903 | 2011.05.20 | -
                  NOD32 | 6139 | 2011.05.20 | -
                  Norman | 6.07.07 | 2011.05.20 | -
                  nProtect | 2011-05-20.01 | 2011.05.20 | -
                  Panda | 10.0.3.5 | 2011.05.20 | -
                  PCTools | 7.0.3.5 | 2011.05.19 | -
                  Prevx | 3.0 | 2011.05.20 | -
                  Rising | 23.58.04.03 | 2011.05.20 | -
                  Sophos | 4.65.0 | 2011.05.20 | -
                  SUPERAntiSpyware | 4.40.0.1006 | 2011.05.20 | -
                  Symantec | 20111.1.0.186 | 2011.05.20 | -
                  TheHacker | 6.7.0.1.202 | 2011.05.20 | -
                  TrendMicro | 9.200.0.1012 | 2011.05.20 | -
                  TrendMicro-HouseCall | 9.200.0.1012 | 2011.05.20 | -
                  VBA32 | 3.12.16.0 | 2011.05.19 | -
                  VIPRE | 9337 | 2011.05.20 | -
                  ViRobot | 2011.5.20.4470 | 2011.05.20 | -
                  VirusBuster | 13.6.365.0 | 2011.05.20 | -
                  Additional information

                  MD5   : 36648a023061bbc026af78add696379d
                  SHA1  : a5fc24ad2106cd2a4e186fa8efe6e3d0cc38b703
                  SHA256: a2999da32ff2c5fb721c43f1aa102ba45c19596f7fb23866c2ee54e1856af46e

                  • 6. Re: Encrypted file vs. trojan
                    Peacekeeper

                    Maybe nownitin has fixed it; retry detection on your PC.

                    • 7. Re: Encrypted file vs. trojan


                      Mcafee does not detect the creation of the encrypted file.  It is the real-time scanning that quarantines my file when I try to attach it to an email.

                       

                      I must admit I don't know what the VirusTotal results (above) are telling me - there is no explanation nor summary.

                       

                      The end result is that Mcafee has again deleted my file. GRRRR.

                      • 8. Re: Encrypted file vs. trojan
                        Peacekeeper

                        Best to await nownitin's comment.

                         

                        The real-time scanner uses the same DATs, so I'm unsure why; will see what he says.

                        • 9. Re: Encrypted file vs. trojan
                          Nitin Kumar

                          Hi firbury,

                           

                          When real-time scanning happens, does it show the Artemis!0AAF63234E86 detection? If that is the case, the Artemis detection should be resolved in another 30-45 minutes.

                          Detection Generic Malware.ck is also fixed and should be in the real-time DATs in 2-3 days.

                          Since malware writers use the double-extension trick to get users to click on a malicious download, if you still want to use these files you can either change the file name to have one extension only or add a file-name-based exclusion in the product.

                           

                          Regards,

                          Nitin Kumar

                          McAfee SME