9 Replies Latest reply on Aug 29, 2013 2:09 PM by Jonesthemilk

    "Malware detected and not handled"

    dtsteinb

Does McAfee not handle malware?  I keep getting these emails and then have to run Malwarebytes to clean.  I shouldn't need 2 products.  Is there something I need to set up in ePO that I am missing in order for McAfee to clean these?

      Examples:

      Threat Names: RDN/Generic PWS.y!ua

      Detecting Product Names: VirusScan Enterprise

      Threat Names: ZeroAccess-FBI!A31AA84A91E0 Detecting Product Names: VirusScan Enterprise

      Threat Names: FakeRean-FAD!2361DCE87806 Detecting Product Names: VirusScan Enterprise

        • 1. Re: "Malware detected and not handled"
          Ranz HAT

Hi dtsteinb,

The ZeroAccess-FBI!A31AA84A91E0 threat comes under rootkit stealth trojans. I recommend removing the machine from the network, reimaging the machine and resetting the user's roaming profile/pwd.

McAfee has included this fix in the 7177 DAT.

          • 2. Re: "Malware detected and not handled"
            SergeM

Hi,

dtsteinb wrote:

> Does McAfee not handle malware?  I keep getting these emails and then have to run Malwarebytes to clean.  I shouldn't need 2 products.  Is there something I need to set up in ePO that I am missing in order for McAfee to clean these?


            Some malware just cannot be (easily or automatically) removed.

            We get a lot of these "Malware detected and not handled".  Quite often, it's simply because the malware was detected (and blocked) on a CD or DVD and no antivirus can delete or fix a CD...

            Then, there are the cases where the AV showed a warning to the user and the user clicked on "ignore" or just didn't click on "delete" or "repair"... so the AV and ePO are warning you (the ePO admin) that there was an issue.

As for solutions: we don't know how you've configured VSE (I suppose you use VSE as your antivirus), but you may want -- I know I wouldn't -- to configure VSE so it doesn't ask for permission before "fixing" an infection; then you'll probably see fewer of those "not handled".

But then, some infections cannot be fixed while the system is running...

Serge

            • 3. Re: "Malware detected and not handled"
              dtsteinb

SergeM,

Where is that option in VSE not to ask?  I am not changing it to that, but I do not see where that option is.

Thanks.

              • 4. Re: "Malware detected and not handled"
                dcobes

dtsteinb,

Just a word of caution... Malwarebytes is NOT a good method to remove remnants of malware. We've done extensive testing in our malware lab and found that standard viruses usually modify around 30-ish registry entries. When running Malwarebytes to "clean", Malwarebytes would only remove about 8 of those entries.  As mentioned by Ranz HAT, the best option is to remove from the network and reimage.

                • 5. Re: "Malware detected and not handled"
                  dtsteinb

Malwarebytes is the only thing that removes the problem.  Again, McAfee is not doing anything.  I have been using Malwarebytes for years with no issues.  I also use another program to fix the registry.  I would like to use just 1, but McAfee just keeps reporting the malware and can't do anything.

                  • 6. Re: "Malware detected and not handled"
                    Jonesthemilk

I am afraid I must agree with dcobes.

I have found MB to be a liability in the enterprise!

Whilst not being an expert with MB, I find that its lack of granularity does not help.

I have had instances where kosher applications have been trashed as a result of running it.

Usually down to heuristic scans.

While McAfee, with correctly configured exclusions via ePO policy, leaves them untouched.

                    • 7. Re: "Malware detected and not handled"
                      dtsteinb

As I have stated, I would prefer to use just 1 product, but McAfee does not seem to remove the malware.  It just reports "detected and not handled".  If I need to configure something in ePO, let me know.

Malwarebytes has been nothing but a life saver at this point for me.  I have used it at all my job locations and I never had an issue with applications crashing or anything else.   It removes the malware and the PC is back to normal.  It is just frustrating when I get a bunch of emails from ePO stating "Malware detected and not handled".

                      • 8. Re: "Malware detected and not handled"
                        dcobes

If you're going to use just one tool to "fix" malware, then it should only be wiping the drive and re-imaging (while not a tool, it's a 100% foolproof method). You are never going to find a single product that will find and remove every piece of malware. If you find a company that advertises that, they are lying. Malware changes too much and too often for any one technology to "fix" every piece of malware. Now, in your case, for the pieces being detected and not handled you'd have to do some detective work on the systems to determine why it wasn't removed. OR try and obtain a sample of the malware and submit it to McAfee Labs stating that McAfee is not able to remove it. They will usually turn around a new extra DAT within 24 hours - 5 business days, which will resolve the issue.

In addition to what Jonesthemilk was saying regarding Malwarebytes crashing applications... If you read every detection that Malwarebytes says it's removing, I can guarantee you will find at least one false positive that your customers' systems need. When I've run this before, Malwarebytes wanted to remove several registry settings we use for basic applications. Also, if you are using it in an enterprise environment, it goes against the EULA (not that they'd know, but just thought I'd put that out there).

Our environment also suffers from this issue and we grab samples of what we can to submit, but our go-to process is currently wipe & re-image. I'm developing a tool I'll later share in the tool exchange to perform log and sample extraction to automate the gathering of data for submissions to McAfee Labs.

I know it's not the answer you were probably hoping for, but know you aren't the only one suffering.

-d

                        • 9. Re: "Malware detected and not handled"
                          Jonesthemilk

I would say that at least VirusScan is detecting it and letting you know it cannot handle it. Not many others admit that. It is unlikely to be a zero-day infection and more than likely a heuristic detection, or actually located on an inaccessible drive as previously mentioned.

After such a notification, our process is to track down a sample and a) submit it to McAfee and b) VirusTotal.com, where 45+ different vendors' scan engines will also check it out. Finally, we trash the machine and re-build anyway, if the results indicate an infection.

                          HTH

                          Jtm
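The replies above describe a manual loop: read the "Malware detected and not handled" notification, work out which detection family it is, track down the sample, hash it, and submit it to McAfee Labs and VirusTotal (or just reimage when it is a rootkit such as ZeroAccess). The script below is an added example, not part of this thread and not McAfee's or ePO's own tooling. It parses the "Threat Names" / "Detecting Product Names" pairs exactly as quoted in the first post (constructed input, including the two layouts the e-mail used), attaches the recommended action from the thread, and builds a hash manifest for a sample. Two things are assumptions of the example, not facts from the page: that a `!` followed by 12 hex characters in a McAfee detection name is a fragment of the flagged file's MD5 (so you can confirm you found the right file before submitting), and the tiny `REIMAGE_FAMILIES` rule table, which is built only from the advice given in the replies.

```python
import hashlib
import json
import re
from collections import Counter

# Constructed input: the three pairs quoted in the first post, pasted as an
# ePO notification e-mail lays them out (one pair split over two lines, two
# pairs on a single line).
NOTIFICATIONS = """\
Threat Names: RDN/Generic PWS.y!ua

Detecting Product Names: VirusScan Enterprise

Threat Names: ZeroAccess-FBI!A31AA84A91E0 Detecting Product Names: VirusScan Enterprise

Threat Names: FakeRean-FAD!2361DCE87806 Detecting Product Names: VirusScan Enterprise
"""

# One regex handles both layouts: the threat name runs (non-greedily) up to the
# next "Detecting Product Names:" label, whatever whitespace separates them.
PAIR_RE = re.compile(
    r"Threat Names:\s*(?P<threat>.+?)\s*Detecting Product Names:\s*(?P<product>[^\n]+)",
    re.DOTALL,
)

# Assumption (not stated on the page): "!" + 12 hex chars is a fragment of the
# detected file's MD5; other suffixes such as "!ua" are variant letters.
MD5_FRAGMENT_RE = re.compile(r"^[0-9a-fA-F]{12}$")

# Constructed rule table from the thread's advice: families the replies call
# rootkits get isolate-and-reimage, everything else follows sample-and-submit.
REIMAGE_FAMILIES = {"ZeroAccess"}
ACTION_REIMAGE = "isolate from network, reimage, reset roaming profile and password"
ACTION_SUBMIT = "obtain sample, submit to vendor and VirusTotal, rebuild if confirmed"


def split_detection(threat):
    """Split 'Family-Variant!Suffix' into the name and an optional MD5 fragment."""
    name, _, suffix = threat.partition("!")
    fragment = suffix.lower() if MD5_FRAGMENT_RE.match(suffix) else None
    return name, fragment


def recommend(name):
    """Map a detection name to the handling recommended in the thread."""
    family = name.split("-")[0].split("/")[0]
    return ACTION_REIMAGE if family in REIMAGE_FAMILIES else ACTION_SUBMIT


def parse_notifications(text):
    """Turn pasted notification text into a list of triage records."""
    records = []
    for m in PAIR_RE.finditer(text):
        threat = m.group("threat").strip()
        name, fragment = split_detection(threat)
        records.append({
            "threat": threat,
            "family": name,
            "md5_fragment": fragment,
            "product": m.group("product").strip(),
            "action": recommend(name),
        })
    return records


def summarize(records):
    """Count 'not handled' events per detection name for the admin's report."""
    return Counter(r["family"] for r in records)


def md5_fragment_of(data):
    """First 12 hex characters of a sample's MD5 (the assumed naming scheme)."""
    return hashlib.md5(data).hexdigest()[:12]


def build_manifest(sample, threat):
    """Hashes and detection details to accompany a sample submission.

    fragment_matches_md5 says whether the file you tracked down is the one VSE
    actually flagged, so you do not submit the wrong file.
    """
    _, fragment = split_detection(threat)
    md5 = hashlib.md5(sample).hexdigest()
    return {
        "threat": threat,
        "size": len(sample),
        "md5": md5,
        "sha1": hashlib.sha1(sample).hexdigest(),
        "sha256": hashlib.sha256(sample).hexdigest(),
        "fragment_matches_md5": fragment is not None and md5.startswith(fragment),
    }


if __name__ == "__main__":
    recs = parse_notifications(NOTIFICATIONS)
    for r in recs:
        print(f"{r['threat']:<35} -> {r['action']}")
    print(dict(summarize(recs)))
    # Constructed placeholder bytes stand in for a quarantined sample.
    sample = b"constructed placeholder bytes, not a real sample"
    name = "Constructed-Test!" + md5_fragment_of(sample).upper()
    print(json.dumps(build_manifest(sample, name), indent=2))
```

Run it as-is to see the three quoted detections triaged; in practice you would paste the body of the ePO e-mail into `parse_notifications` and feed the quarantined file to `build_manifest`. A `fragment_matches_md5` of `False` for a hash-suffixed detection means the file you collected is not the one VSE flagged, which is worth knowing before the 24-hour-to-5-day wait on a submission starts.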