7 Replies Latest reply on Mar 17, 2012 9:31 AM by penalvch

    False Positive Detection of PortableApps Version of LibreOffice 3.5.0?



      I'm interested to see if anyone else is experiencing false positive detection of Ransom-G.a while attempting to run the install of LibreOffice 3.5.0 Portable (LibreOfficePortable_3.5.0_MultilingualNormal.paf.exe) using McAfee VirusScan Enterprise v8.5.0.781 and Virus Definitions file v6624.0000.  The real time detection flags the extracted file filterconfiglo.dll as being infected with the Ransom-G.a trojan, and deletes it.  Worse, it also alters multiple registry settings and system configurations, though some of that might be due to the triggering of a rollback to default enterprise policies.


      From what I can determine, the following statements are a correct:

      1. This is indeed a false positive, supported by other anti-virus products showing the file as clean and feedback on the PortableApps support site.
      2. While incomplete and somewhat anecdotal, it appears that other, but not all, users of McAfee anti-virus products have also received this identification.


      With I don't know what the overall functionality this file provided, with this DLL deleted none of the LibreOffice components will launch and open.  Can anyone suggest what might trigger such a false positive and how to resolve this issue?  While the system claims that the signature files are up to date and I have tried to force the system to check for new updates (which the log file says succeeded), I am not certain this is true as the VirusScan Enterprise configuration appears to state that it communicates back to the ePO server every 6 hours and the last communication shows as occurring at 2/17/2012 14:47 (it is currently 02/19/2012 13:12).  Is this issue likely due to a bad virus signature and, if so, has anyone heard of an update being issued?  I have tried searching the McAfee site, but have found no recent mentions of either LibreOffice or Ransom-G.a.  If an update is issued, can that be updated directly from the McAfee site, as implied, or does it have to be downloaded from the ePO server within our Intranet?


      Any constructive feedback, information, or suggestions would be greatly appreciated.