9 Replies Latest reply on Feb 20, 2013 12:39 PM by christopherprice

    Potential False Positive / x86 Bug

      Hi, I have an installed APK that is being flagged as having trojan Android/GinMaster.c!n on an x86-based Android device running McAfee Mobile Security.

       

      When I copy the APK to an SD card and test on an ARM device, the trojan reports no virus detected. Of course, I did not install the APK on this device.

       

      I'm not aware of any place to upload an Android vector for McAfee to evaluate. Can someone please point me in the right direction to analyze if this file is infected, and how to possibly regress if this is a false positive or not. Thanks.

        • 1. Re: Potential False Positive / x86 Bug
          exbrit

          You'd have to submit it to the labs as a false positive. Maybe using a computer for that if there is no tab for that in the mobile product.

           

          See: https://community.mcafee.com/thread/2016

          • 2. Re: Potential False Positive / x86 Bug

            Wiped the device, reinstalled false positive, McAfee now declares virus free on the x86 device.

             

            I'm thinking McAfee is not yet tested/certified on x86 devices, as it crashes a lot. I downloaded it on my RAZR i (Intel Medfield phone by Motorola) from the Amazon Appstore.


            Perhaps McAfee may want to flag the app as incompatible for x86 on Amazon or add an install check on the APK until it is tested further for the architecture.

             

            Regardless, I'm off to go change all the passwords that I fed the device... can't be 100% sure it wasn't contaminated somehow with an unknown exploit. Sigh...

            • 3. Re: Potential False Positive / x86 Bug
              exbrit

              Not sure if they read this section so best to report this to Technical Support if you want to.  It's a free phone call or online chat and linked under Useful Links at the top of this page.

              • 4. Re: Potential False Positive / x86 Bug

                It's not free. It takes time (and effort) to do things in duplicate/triplicate. McAfee darn well better be reading their own forums.

                 

                Message was edited by: christopherprice on 2/20/13 8:44:37 AM CST
                • 5. Re: Potential False Positive / x86 Bug
                  exbrit

                  The forums are mainly peer-to-peer support. Rarely a technician or developer will look in, and for that we can only hope they do.

                   

                  What is this x86 device? x86 usually refers to a Windows installation.

                   

                  Message was edited by: Ex_Brit on 20/02/13 10:30:24 EST AM
                  • 6. Re: Potential False Positive / x86 Bug

                    I'll leave it at this: if your forum (like the Mobile Products forum) is only getting a few posts per week, it's a common industry practice to make sure it's read by someone on the team.

                     

                    Message was edited by: christopherprice on 2/20/13 9:14:36 AM CST
                    • 7. Re: Potential False Positive / x86 Bug
                      exbrit

                      It's not my forum as I'm only a volunteer here but I'll send an email to someone at McAfee to see if I can get a mobile person to look in.

                       

                      The time taken typing here could have been well spent with Support, but then that's just my thought on the matter.

                       

                      I can't promise anything but I'll try.

                      • 8. Re: Potential False Positive / x86 Bug
                        dougr_t3_support

                        Hello christopherprice,

                         

                        Thank you for posting your concerns about the validity of this file. Outside of our McAfee Labs team, we (Support) treat any detection as malware until given the all clear. I think the fact that there was a specific detection should be a red flag, and you have made a good decision to not take a chance installing it.

                         

                        I have emailed the team asking if you can use the standard process in the link above. One thing you might also try is submitting it to www.virustotal.com and replying back with the MD5 hash or test results URL. This will also show you if other AV companies are flagging the file.

                         

                        Regards,

                        • 9. Re: Potential False Positive / x86 Bug

                          Here's the hash: 07e76dce4cbbee20df20e94284c3f6bbf2c25ac10b4523b48d3c85da5041cfcb

                           

                          Part of the problem with Android malware is that an APK runs in an altered state on the device. But, my expectation is that it's a false positive since re-scanning the file after reinstalling McAfee reports no infection. This application was supplied by Google, so it is not likely it was infected.

                           

                          My main concern is that bugs in the scanning process on McAfee when on an x86 Android device might be triggering false positives, simply based on the number of force close errors I encountered when looking at the logs. If McAfee has been tested/approved for x86 devices, I'd be happy to regress further with McAfee; if not, I'd suggest simply flagging on Amazon/Google Play that the Android version of McAfee Mobile Security is not yet x86-compatible.
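
Added example (not part of the thread, and not McAfee or VirusTotal code): a Python sketch of the file checks the thread relies on, namely telling which digest a posted hex string is, hashing an APK for a submission, and confirming that two copies of an APK (such as the copies scanned on the two devices) hold identical contents. The sample APKs are constructed in memory and all function names are hypothetical.

```python
import hashlib
import io
import zipfile

# Hex-digest length -> algorithm, for the digests commonly quoted in AV reports.
DIGEST_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

def digest_kind(hex_string):
    """Return 'md5', 'sha1' or 'sha256' for a plain hex digest, else None."""
    s = hex_string.strip().lower()
    if not s or any(c not in "0123456789abcdef" for c in s):
        return None
    return DIGEST_BY_HEX_LEN.get(len(s))

def file_digests(fileobj, chunk=65536):
    """Stream a file once and return both digests a lab may ask for."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for block in iter(lambda: fileobj.read(chunk), b""):
        md5.update(block)
        sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}

def entry_digests(apk_bytes):
    """SHA-256 of every entry inside an APK (an APK is a ZIP archive)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        return {n: hashlib.sha256(apk.read(n)).hexdigest() for n in apk.namelist()}

def diff_apks(apk_a, apk_b):
    """Names of entries that are missing from one copy or differ in content."""
    a, b = entry_digests(apk_a), entry_digests(apk_b)
    return sorted(n for n in a.keys() | b.keys() if a.get(n) != b.get(n))

def make_sample_apk(dex_payload):
    """Constructed stand-in for an APK: a ZIP with a manifest and classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", b"<manifest/>")
        apk.writestr("classes.dex", dex_payload)
    return buf.getvalue()

if __name__ == "__main__":
    posted = "07e76dce4cbbee20df20e94284c3f6bbf2c25ac10b4523b48d3c85da5041cfcb"
    print("posted hash is:", digest_kind(posted))
    sd_copy = make_sample_apk(b"dex-bytes-v1")    # constructed sample
    installed = make_sample_apk(b"dex-bytes-v2")  # constructed, differs in dex
    print("submission digests:", file_digests(io.BytesIO(sd_copy)))
    print("entries that differ:", diff_apks(sd_copy, installed))
```

Comparing per-entry digests rather than whole-file digests shows which part of the package differs when two copies do not match.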