4 Replies Latest reply on Aug 27, 2012 10:48 AM by eelsasser

    Does anyone actually put up with heuristic AV detections being enabled?

    Regis

Am I the only person getting buried in user issues caused by what appear to be false positives on AV heuristic detections?

The gem of this morning was the GoToMeeting client g2m_download.exe getting flagged: "MGW:Heuristic.BehavesLike.Win32.ModifiedUPX.F". Their test meeting is available at http://support.citrixonline.com/en_US/GoToMeeting/help_files/GTM140010?title=Test+Your+GoToMeeting+Connection and I encountered this upon downloading the client.

Another one that ambled by just this morning that looked harmless was http://support.dell.com/support/dpp/ajax/productsupport.aspx?c=us&l=en&s=dhs&cs=19&servicetag=&SystemID=studio1745&~lt=bodyonly as MGW:Heuristic.BehavesLike.JS.Suspicious.A.

Another I was seeing lots of was http://images.bbystatic.com/ and various favicon-[random].ico files there getting caught up as McAfeeGW:Heuristic.BehavesLike.Exploit.CodeExec.FFL, but I think they actually fixed that after I sent it to Avert.

Another I was dealing with was a false positive on skillport.com/[some path I can't disclose] detecting as MGW:Heuristic.BehavesLike.JS.Suspicious.A, but... it didn't seem to for the user's follow-on testing.

I see that heuristics can be disabled in 7.2.0.1 under Policy > settings > engines > anti-malware > gateway antimalware > advanced settings > uncheck "enable heuristic scanning", but is changing the classification threshold on mobile code behavior a better place to do it? I know the good soldier thing would be to send all of these lovingly to the Avert team for review, but they're 1 for 2 and it's not exactly quick turnaround...