3 Replies Latest reply on Nov 20, 2014 10:47 AM by dshock

    Increased Heuristic False Positives MWG 7.5.0

    trevorw2000

      Hello,


      Since upgrading to McAfee Web Gateway 7.5.0 (running locally on a VM) I've seen the number of anti-malware false positives increase by almost 400%.  This includes common things such as display drivers from Intel.  The most common detection is for Heuristic.BehavesLike.Win32.Suspicious.H!70.  Running these links through VirusTotal.com never shows any detections.  The files (once they've been excluded from scanning and downloaded) are then scanned by McAfee VirusScan which doesn't trigger any detections.  For example:  https://www.virustotal.com/en/file/413b3e07b7b31d3a748e833a755ba15b9496d35ae5968 d46f25db204759e5c39/analysis/1414613660/

       

      I've noticed a few discussions about odd behavior of the anti-malware engine on the MWG recently and I'm wondering if there's a trend and this is something we should be aware of...and of course what the recommended remediation for the issue would be from McAfee's perspective.

       

      Anybody have any thoughts on this?  If you've found this discussion because you're having similar issues, please chime in as well. 

       

      Thanks,

       

      Trevor

        • 1. Re: Increased Heuristic False Positives MWG 7.5.0
          asabban

          Hi Trevor,

           

          some of the threads which are active right now are all about the same issue but it seems your case is a little different.

           

          It is possible that with 7.5.0 a newer version of the Antivirus/Antimalware engines was released and pushed to your MWG, which could explain why you see a different behaviour. While we could use this thread to collect the observations of other customers (e.g. did you notice a similar behavior?) I recommend to file a Service Request with Support and provide them with a handful of sample files and a feedback of your MWG installation. They will be able to replicate the issue and see if this is really a problem with the newer version or maybe independent. Also they are able to escalate the false detections if required.

           

          Note: Please exactly state that you saw increasing the number of false positives after the upgrade of MWG. If you simply state "false positives" you might be send to labs directly, which is not the group you need to talk to.

           

          For other customers could you please summarize how you detected the "400%" increase? Maybe by looking at some dashboard graphs (which ones exactly?)? This would make it easier for other people to quickly look onto their installation and see if they have a similar problem or not.

           

          Best,

          Andre

          • 2. Re: Increased Heuristic False Positives MWG 7.5.0
            trevorw2000

            Hello Andre,

             

            Thanks for the response.  For the other customers investigating a possible similar issue, I used a couple resources to get the "400%" increase statistic.  Turns out it's actually a much higher increase.  I based my statistic off the e-mail alerts I have being generated when Malware is reported.  I used to get 1-2 of these a day.  Immediately after upgrading to 7.5.0 I started getting 8-10+ alerts per day.

             

            The Web Gateway also has a built in dashboard that illustrates this perfectly.  Go to Dashboard -> Charts and Tables -> Executive Summary

             

            From there if you turn off all other indicators and just leave on the "Blocked by Anti-Malware" indicator they might see a large jump following the upgrade.  Here's what mine looks like after the upgrade I performed late evening on the 26th:

             

            malware-urls.PNG

             

            Notice the drastic increase...It never went above 25 in a day and after the upgrade it peaked over 175.  We have very little traffic over the weekend which explains the 2-day decline after the increase.

             

            These detections are all Heuristic detections, but no changes were made to the system aside from the upgrade itself.

             

            Thanks,

             

            Trevor

            • 3. Re: Increased Heuristic False Positives MWG 7.5.0

              Hi Trevor --

               

              Can you tell me what your Mobile Code Behavior threshold is set to? I've copied mine below for reference:

               

              mobilecode.png