5 Replies Latest reply on Dec 8, 2011 4:12 PM by Regis

    Quest software - qwer.exe false positive Generic.dx!bbxl, noticed in dat 6550

    Regis

      Just a heads up - if you have Quest software in your shop (for SQL interaction),  I'm seeing false positive detections of Generic.dx!bbxl on qwer.exe, one of their remote execution plugins.

       

      I'll be able to pull samples and report them to avert tomorrow.

        • 1. Re: Quest software - qwer.exe false positive Generic.dx!bbxl, noticed in dat 6550

          Been noticing issues with 6550/6551 as well. 

           

          OPCTest.exe is detected as a false positive.  It looks like some RSLinx dll might be as well.

          • 2. Re: Quest software - qwer.exe false positive Generic.dx!bbxl, noticed in dat 6550

            JGS -

             

            I am seeing this issue also with OPCTest.exe, which is part of Rockwell Software RSLinx. McAfee detects OPCTest.exe as containing a trojan, and subsequently there is an error starting RSLinx and/or attempting to do a "Who" in RSLinx. This all just started yesterday (12/06/11) with an update to the McAfee AntiVirus Plus data file.

             

            Have you found a solution to this?   Our customers will not allow our notebooks onto the plant floor without working virus protection.

            • 3. Re: Quest software - qwer.exe false positive Generic.dx!bbxl, noticed in dat 6550

              I called in to McAfee support, and they recommended creating an exclusion of **\OPCTEST\** for On-Access.  I also received an extra.dat file which will suppress the OPCTest detection.  I can provide the file, but as usual it's better to get it directly from the trusted source.

               

              I can't confirm that this worked for me; right now we have On-Access disabled.  The tech I talked to said these instructions solved the issue for a couple of other call-ins, so they should work.

               

              Hope this helps,

               

              Message was edited by: jgs -Fixed my horrible grammar... on 07/12/11 3:04:36 CST PM
              • 4. Re: Quest software - qwer.exe false positive Generic.dx!bbxl, noticed in dat 6550

                JGS -

                 

                Thanks.   We ended up installing a different release of RSLinx (which contains a different OPCTest.exe file) and that is currently working for us.

                • 5. Re: Quest software - qwer.exe false positive Generic.dx!bbxl, noticed in dat 6550
                  Regis

                  I too engaged McAfee support, and it seems McAfee has followed 13 other vendors over the cliff on this one.

                   

                  Research's first response was "13 other vendors agree--we won't call it a false positive."  Which of course would be a reasonable response if they thought I were reporting this for my health and didn't know what I was talking about.     Correspondingly, support was obliged to encourage me to add it to on access scan exceptions (relatively easy and in fact we'd already done this) as well as the multiple places where I have various on demand scan tasks (which is where this new one bit us--okay, now I'm irritated).  It's irritating because the qwer.exe I'm seeing on a few systems here that are affected by this false positive was shipped with a 2005 release of Quest Central 5.0.1 and unchanged in several succeeding releases.   This software has been around for 6 years.  It's not malware.   And no, first assigned support tech, it's not okay to close this case with this information because you haven't solved my problem (okay now I'm angry).   *sigh*  

                   

                  Furthermore, the software is old enough that it's out of support with Quest, so even the vendor couldn't give me md5/sha1 sums on it, which left me to spin up a virgin VM and dig up install media to gather up the info, as the software vendor themselves calls it long out of support and couldn't help me with an md5sum. And no, gentle McAfee, we're not going to pay additional support to Quest to upgrade functional 6-year-old software with no public vulnerabilities just to work around your recently broken signature on Generic.dx!bbxl.

                   

                  And so, I've sent the original file to McAfee for an escalation back to research.  And they're working it back through the process.  And monitoring this thread, perhaps.

                   

                  Here are the checksums of the original Quest qwer.exe as installed by Quest Central 5.0.1  (and stayed the same apparently for several releases thereafter).

                   

                  $ sha1sum.exe *.exe

                  b83b2c29dcae40690994d1ee253ba2b4beb3939c *qwer.exe

                   

                  $ md5sum.exe *.exe

                  b0690f1904043af64f90f45e948d95d5 *qwer.exe