7 Replies Latest reply on Dec 18, 2011 10:46 PM by Hayton

    False Positive for Vagex.exe

      Dear McAfee,


      A few of our members using McAfee have reported our software (Vagex.exe) being detected as a virus.


      I had a look on Virustotal and it seems you are flagging our software as a "Generic.tfr!bb"

      http://www.virustotal.com/file-scan/report.html?id=20277a72937ce92abc69670b8948f f5eb9ae591254df5298c241e37f86326ea9-1324113059


      May I please request our software to be re-scanned?


      I have attached the software, or you can download directly from here:



      Also we have had reports that McAfee siteadvisor has put our website (vagex.com) in the red zone.


      Can you please look into why this is happening?


      Kind Regards,


      Vagex Admin


      Message was edited by: vagex on 12/17/11 3:27:08 AM CST
        • 1. Re: False Positive for Vagex.exe
          Peter M

          I moved this provisionally to Malware Discussions > Home User Assistance for better assistance although I'm not sure if it should be Corporate Assistance.  If it's home users that are having the problems then this is the right spot.


          False positives should be submitted to the labs for analysis, there is nothing we can do here.


          For home users instructions are here:  https://community.mcafee.com/thread/2016


          Corporate users should follow the same procedures except temporarily disabling antivirus is different and you would have to ask Support if there are problems with that.


          As far as your website http://vagex.com/ being marked red by SitAdvisor.  Please start a new thread just for that problem here:  https://community.mcafee.com/community/home/web_email/siteadvisor

          • 2. Re: False Positive for Vagex.exe



            Thanks for the fast reply.


            I have submitted a thread in the siteadvisor discussions and also sent the software to the virus research email address.


            They replied instantly with the following email:




            McAfee Labs - Beaverton                                                              
            Current Scan Engine Version:5400.1158                                                
            Current DAT Version:6563.0000                                                        
            Thank you for your submission.                                                       

            Analysis ID: 6827009

            File Name            Findings                       Detection                    Type         Extra
            --------------------|------------------------------|---------------------------- |------------|-----
            vagex.exe           |current detection             |generic.tfr!bb              |Trojan      |no 

            current detection [vagex.exe]                                                                          

               The file submitted is malware that can be detected with curred DAT files. It is      
            recommended that you update your DAT and engine files and scan your computer again.  





            So I replied back with the word 'False' in the subject.


            How long can I expect to receive a reply?


            Kind Regards,


            Vagex Admin

            • 3. Re: False Positive for Vagex.exe
              Peter M

              Right now they seem to be backlogged as I have a similar case almost a week old now.   I'm bringing up the subject of these delays on our weekly conference call with McAfee on Monday.

              • 4. Re: False Positive for Vagex.exe

                The VirusTotal report shows that nine other AV vendors detect this exe file as suspect : it's not just McAfee. If the program incorporates the bot code contributed by one of the Blackhat SEO crowd (see the SiteAdvisor thread) then it may indeed be ever so slightly suspect.  Blackhat SEO techniques do tend to err on the side of danger and excitement; if you have ever had dealings with these people before you will know what I mean. I would advise that you get hold of the code (if that is possible) and try to see what it is actually doing.

                • 5. Re: False Positive for Vagex.exe

                  Thank you very much Ex_Brit.


                  Dear Hayton,

                  Thank you for the response.

                  I'm not sure why there are so many AV vendors detecting the exe as suspect. There is no preconfigured bot code from any Blackhat website. It was coded from scratch.


                  I have also contacted other antivirus vendors about the false positives and they corrected it straight away.





                  Kind Regards,


                  Vagex Admin

                  • 6. Re: False Positive for Vagex.exe

                    It may be possible because they have developed such a source code that to eliminate any virus that have the same characteristics,but what happens here in the .exe code it detects as the same characteristics so this detects as virus.

                    • 7. Re: False Positive for Vagex.exe

                      I saw that BitDefender removed the false positive detection very promptly. McAfee may be slightly slower - unfortunately I can't give you a timeframe. There is (or was) a document explaining the whole process but all I got was a broken link when I tried to access it. I've asked to be notified of its current location, but for now all I got was the document summary (below).

                      SiteAdvisor and TrustedSource Site Rating dispute resolution process (TS100806)

                      Retesting downloads on a site takes up to five days after we ensure that McAfee can receive all downloads and can verify the status of the files with the McAfee Avert Labs Malware Research Team. If the dispute specifically concerns the actual detection status of a file, please submit the file to virus_research@avertlabs.com



                      Edit - The thread that Ex_Brit pointed you towards (https://community.mcafee.com/thread/2016) has some extra detail about submitting files to Avert Labs.


                      Message was edited by: Hayton on 19/12/11 04:46:23 GMT