You should get a tech pop in here soon; if not, ask and I will stir him up. Best to give it a couple of days before you ask.
Your original name was unsuitable; it was renamed to hkisit to avoid the censors.
You will need to log out and log in again.
OK, see, this is a corporate program detection; as you have SafeBoot installed, you will have Enterprise as well, I assume.
The file (calc.exe) can be a legitimate Windows file. However, it can also be disguised malware, depending on where you downloaded it from. See this site and the detections; scroll down to where the different anti-virus engines have detected it, including McAfee. calc.exe | ThreatExpert statistics
As with all malware/PUPs, they have different variants. I recommend running the latest McAfee Stinger/McAfee Rootkit Remover (read how to use), followed up by Malwarebytes (Free) for a second opinion.
To keep Malwarebytes (Free), DO NOT accept any free trial offers or activate the Pro version at any point during the download/installation process. The free version will suffice.
You can obtain these superb free tools here: Anti-Spyware/Malware & Hijacker Tools
You may find the following articles most informative, as to how this may have arrived on your system:
All the very best,
McAfee Volunteer Moderator
Just noticed that you are possibly running Enterprise software; if so, they have different methods compared to the consumer software to address these particular detections. The above recommendations are for the consumer McAfee applications.
Thanks for your reply.
Yes, I have been aware of the potential infected/disguised file issue.
The file checksum is the same as the file from sourceforge.net.
On the same date as the submission (5-Nov), I got a reply from "Virus_Research(at)avertlabs.com" that automated analysis was not able to determine it.
So I wait.
Still on the same date (5-Nov), I downloaded GetSusp. After the scan, a few files (including calc.exe) were submitted with WorkItemID: 1496085.
Three minutes later, I received an email with EXTRA.DAT attached saying "ID Number: 1496085 Identified: Generic.TRA", and only calc.exe is listed.
Does that mean the file calc.exe is confirmed malicious? Or do I need to wait?
Today (11-Nov) I just found that a manual Scan On Demand will detect it as an Artemis Trojan if I set Artemis sensitivity to "very high".
If the sensitivity is "high" or lower, no detection is found. (DAT version 7618.0000)
The detection ratio from virustotal.com is 2/53. The database update is dated 20141110 or 20141111.
McAfee and McAfee-GW-edition both state not detected.
- F-Prot : W32/AutoIt.BQ.gen!Eldorado
- Thehacker : Trojan/Dropper.gen
The file calc.exe was compiled by Microsoft AutoIt. The author has also included the source code on sourceforge.net (just around 10 lines of code).
I suspect that by default AutoIt may include some sensitive DLL not actually called in calc.exe, which may be considered "dangerous" by some engines?
I will try to compile it again myself and see if there is any unnecessary resource linkage I can eliminate, and whether this makes any difference.
Thanks for reading this long story!
Asked a tech to comment
Artemis means it's a behavioural detection, not a known/unknown condition. So, you need to submit it as a false positive if indeed the file has no malicious behaviour.
It's triggering on a number of detections which usually are only seen in malware (don't ask what, I am not going to tell) - this might just be bad luck, or it might be an indication that things are not what they seem.
As Safeboot suggested, I would resubmit just in case. I might add, I have contacted a McAfee Labs technician/engineer to take a look at your Work Item ID # after your submission through GetSusp, including your Analysis ID # as well.
All the best,
McAfee Volunteer Moderator
After a further web search, I found that AutoIt-compiled EXEs are quite well known for false positives by anti-virus.
In the AutoIt Wiki it reads "The most common cause is an AntiVirus engine has found a set of instructions in an AutoIt EXE and deemed it malicious, took the general signature of the file, and has now flagged all (or most) AutoIt EXE's."
The Labs seem to have no concern about false positives though...
Some other forum members mentioned that the anti-virus detection result could differ depending on the AutoIt compile options used. I decompiled the original calc.exe. The script has no obfuscation, and clearly it just does the simple task of passing an arithmetic expression for calculation and returning the result. I then compiled the exe with different options (compression level, pack/no pack with UPX, ...). Now I have a few candidates and pitifully wait to see who can "survive".
Scan on demand (Artemis sensitivity: Very high) reports an Artemis detection for one or two exes (I do not remember which; maybe those packed with UPX) and no detection for the others. Interestingly, they all report a higher detection ratio on virustotal.com than the original calc.exe (4/53 or 5/53 against 2/53).
One or two days later, they (including the original calc.exe) are quarantined by the background scan. A re-scan states they are all actually clean. I speculate Artemis detection does not care about definition file updates. What's the use of appealing a false positive indeed?
Now I have only one candidate (does it look "nice" enough?) that has not been detected by Artemis yet.
Still the same source script, but for this one I assigned an icon to it when compiling... Yes, this silly thing makes a difference!
I will wait for one week, and if this candidate is never quarantined, I will deem my problem solved.
The information above is written for reference for folk who run into similar trouble.
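The two checks the thread keeps coming back to, comparing a download's checksum with the one the project publishes (the sourceforge.net comparison above) and telling whether a build is UPX-packed (the variant that picked up extra heuristic detections), as an added Python example that is not from the thread, from McAfee or from AutoIt. The PE images are constructed inside the script so it runs offline, and `published_sha256` stands in for whatever checksum the project page lists.

```python
import hashlib
import struct

def sha256_hex(data: bytes) -> str:
    # SHA-256 of the file's bytes, lowercase hex
    return hashlib.sha256(data).hexdigest()

def checksum_matches(data: bytes, published: str) -> bool:
    # Compare a download against the checksum the project publishes
    return sha256_hex(data) == published.strip().lower()

def pe_section_names(data: bytes) -> list:
    # DOS header -> PE signature -> COFF header -> section table; each
    # section entry is 40 bytes and starts with its 8-byte name
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size
    names = []
    for i in range(num_sections):
        off = table + 40 * i
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names

def looks_upx_packed(section_names) -> bool:
    # Stock UPX names its sections UPX0/UPX1, so a packed build is easy to spot
    return any(n.startswith("UPX") for n in section_names)

def triage(data: bytes, published_sha256: str) -> dict:
    names = pe_section_names(data)
    return {"checksum_ok": checksum_matches(data, published_sha256),
            "sections": names, "upx_packed": looks_upx_packed(names)}

def _fake_pe(section_names) -> bytes:
    # Constructed, header-only PE image so the script runs offline
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0xE0, 0x102)
    table = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + b"\0" * 0xE0 + table

PACKED_SAMPLE = _fake_pe(["UPX0", "UPX1", ".rsrc"])   # constructed stand-in for a UPX build
PLAIN_SAMPLE = _fake_pe([".text", ".rdata", ".data", ".rsrc"])  # constructed unpacked build
```

A checksum mismatch means the file is not the one the author published and should be treated as unknown rather than appealed as a false positive; a packed build with a matching checksum is the case where rebuilding without UPX is worth trying before resubmitting.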