7 Replies Latest reply: Aug 22, 2014 11:41 AM by Hayton

    False Artemis!B3C9153F06E6

    Artemys


      The file in question is a popular third-party program for the eSports online game League of Legends which is located here:
      http://www.elophant.com/download/ElophantClient.zip

       

      I never had any issues with this until I installed it on my PC with McAfee, which automatically removes it as soon as I extract the Zip. I've been using it forever; even RiotGames, the company that owns League of Legends, has said it's a safe program to use in terms of maliciousness.

       

      I've already followed the instructions here: What To Do When McAfee Detects Legitimate Software As An Infection - How to Submit To McAfee Labs & Appeal and sent the e-mail to virus_research@mcafee.com

      It advised I also post here, which is why I did.



      (Edit  : Attached exe file removed after analysis; see below. Hayton.)

        • 1. Re: False Artemis!B3C9153F06E6
          catdaddy

          @  Artemys,

          What that meant was, after the appropriate amount of time, to post back the Analysis Id # if not resolved in a timely manner. Please refer to this thread, which similarly pertains to the subject:

           

          False Artemis!175F8585A987

           

          It also is not safe to publicly post files that could quite possibly be considered Suspicious/Unknown/or Malicious.

           

          Wishing you all the best,

          Regards,

          Catdaddy

          Volunteer Moderator 1

          • 2. Re: False Artemis!B3C9153F06E6
            Hayton

            Their website acknowledges that the download is going to be flagged as malicious by Google Chrome as well as by a number of anti-virus products. It says, "Ignore the warnings and go ahead and install the file".

             

            If you can't login with the Elophant Client open, BitDefender may be the cause.

            Either add an exception to "Active Virus Control" or disable it completely.

            Note: Other antivirus programs may also cause problems.

             

            What sort of product is this that it sets off warnings everywhere? And why do you think that it's safe? Just because the site says it is? I'd rather have it analysed for malicious content before it gets used.

             

            .... so I had it analysed and it turns out it uses DLL injection, which is a classic malware technique. That's why it keeps getting flagged. As to whether it really is malware, or suspicious : I went to the fount of all knowledge, that is to the LOL forums, to check what others had to say. A lot of people note that Elophant keeps getting flagged by AV software, but one or two of them actually explain why this happens.

             

            See the forum threads at

            is the elophant client a keylogger? : leagueoflegends

            http://forums.na.leagueoflegends.com/board/showthread.php?t=3337202

             

            You're going to have to explain this really clearly to the McAfee Labs people, because as far as they're concerned it's likely to be a legitimate detection.

             

            Oh, and I've removed the .exe file that you attached. Just in case, you understand.

            FYI : HERE are the current VirusTotal detections of that EXE file.

            • 3. Re: False Artemis!B3C9153F06E6
              Artemys

              That explains a lot, as on my laptop I had Norton. I noticed in that VirusTotal detection you posted that Symantec doesn't flag it but McAfee does.
              As for those threads, they explain what it does in a good in-depth way most people would understand. I can see why McAfee would think it's not a safe program.

              As for your questions "And why do you think that it's safe? Just because the site says it is": at a convention I asked one of the workers at RiotGames (Creators/Owners of the Game client that Elophant is used for) about this particular client and if it was safe to use. I was told while they don't endorse third party software, their engineers have looked at it and thus why they allow that site to remain up.

               

              Thanks a lot for that post though ^^

              • 4. Re: False Artemis!B3C9153F06E6
                catdaddy

                @ Artemys,

                With all due respect, you even stipulated that the engineers did not endorse (3rd Party) software. That speaks volumes in itself. Although (Norton) may have its own opinion, judging by the numerous other Anti-Virus engines, like McAfee, it is deemed as not safe.

                 

                Of course I am biased in regard to McAfee, for in comparison to other Security Solutions it has had my best interests at heart... Just saying...

                 

                                Regards,

                                 Catdaddy

                Volunteer Moderator 1

                • 5. Re: False Artemis!B3C9153F06E6
                  Artemys

                  Basically, they said they aren't responsible for whatever happens by using third party software (I'm aware of this, it's the same with any company), but that they've checked/analyzed the software in response to fan reaction and deemed it safe and that there's nothing it does that compromises our accounts. I've met some who even say they use this particular software or others like it (this isn't the only one). So yes, in that sense you're right, if McAfee deems it unsafe it has to act in its own interest/reputation. I can understand that.

                   

                  I completely agree McAfee > Norton ^^
                  My laptop came bundled with Norton for a year so I didn't get McAfee for it. I wish I had though, as I've had McAfee on my PC for years, and it's definitely better in my opinion. Just here I've hit a bump in the road. I still love McAfee ^^ and I appreciate everyone's replies.

                  • 6. Re: False Artemis!B3C9153F06E6
                    Peacekeeper

                    So did you get an analysis id number in a reply email that would have come immediately after you sent the submission? If not, retry the submission, ensuring the file is zipped and passworded with the password infected.

                    When you get the reply, reply back changing the subject to Possible false detection and the name of the detection. Say why you feel it should be passed, and therefore it is up to McAfee techs to assess the risks.

                    Post that analysis id number  here

                    If no answer in 4 days from the submission, post here and we will get a tech to look into it asap.

                    • 7. Re: False Artemis!B3C9153F06E6
                      Hayton

                      Artemys wrote:

                       

                      As for your questions "And why do you think that it's safe? Just because the site says it is"

                       

                      I was going all rhetorical. Shame there isn't one of those emoticon things that says "rhetorical flourish".