9 Replies Latest reply on Nov 27, 2014 10:30 PM by sheridan

    NSIS forum reply to Mcafee false positives

    heatheralexea123

      I have noticed that in several threads moderators were asking that NSIS itself should ask Mcafee to white list. However I have posted a thread on NSIS forum and the reply from their moderators is located here

       

      http://forums.winamp.com/showthread.php?p=3013548#post3013548

       

      Hopefully an action will be taken sooner rather than later 

        • 1. Re: NSIS forum reply to Mcafee false positives
          sheridan

          Hmm good and sending every installer is hopeless indeed.

          • 2. Re: NSIS forum reply to Mcafee false positives
            heatheralexea123

            It is surprising that there are 55 views and no body from Mcafee replies

            • 3. Re: NSIS forum reply to Mcafee false positives
              asabban

              Not really surprising: As I indicated in a different thread in regards to this topic this is a community of volunteers who try to share some knowledge apart from the default support utilities, such as the ticketing system and KB articles.

               

              Even the McAfee employees in this community are volunteers. In this specific space there are technical experts for the Web Gateway product but there is noone participating here who

               

              - can solve the false positive issues

              - can or will make any official statement in regards to this topic

               

              You need to go through the official channels in order to escalate the problem to a.) reach people who actually CAN do anything about this problem b.) raise awareness in higher management areas.

               

              As mentioned earlier this area is a place where volunteers (employees, customers, partners) are trying to provide help. There are items the people here cannot help with - that is when the official support channels are the best way to move forward.

               

              While I am sorry that progress in regards to this issue seems to be slow I am afraid there is nothing we can do for you here in the communities.

               

              Best,

              Andre

              • 4. Re: NSIS forum reply to Mcafee false positives
                sheridan

                We have been submitting to the official channels as mentioned in previous threads and still having no responses from a responsible staff. However if you can simply point this person is, or this department is where we should consult regarding this matter, we can simply try that because with Mcafee it is very complicated to address an issue and get it solved at the end of the day.

                 

                i do not want to brag anything but other communities and false positive labs respond within hours and get things fixed. Programs simply do not need to be white listed but everyone would appreciate, if Mcafee can send a reply saying this is the reason we cannot white list your program weather it is an empty installer or a massive program. It at is not an answer when you say and i quote "You need to go through the official channels in order to escalate the problem to a.) reach people who actually CAN do anything about this problem b.) raise awareness in higher management areas" because you should be able to notify the right place since this problem persists with not one user but many users apparently.

                 

                For me it is indeed surprising when comparing other AV communities to Mcafee when it comes to solving an issue.

                • 5. Re: NSIS forum reply to Mcafee false positives
                  alexhilda

                  What you are saying is true, in a similar thread I saw that one person said the he complained even over service portal where a service request was generated, there also he hasn't got a reply from Mcafee. It would be really good if there is a person who can redirect people's problems to right staff rather than providing various solutions that might lead nowhere. 

                  • 6. Re: NSIS forum reply to Mcafee false positives

                    Asking us to whitelist "NSIS" is impossible - There's already malware built using it, so looking at the NSIS "stub" and saying, "well, it must be ok then." - seriously?

                     

                    The very nature of anti-malware is a combination of signature and behavioural based detection. Generally for performance reasons most people use signature based with behavioural backup. It's this which is causing NSIS problems - unique, new NSIS programs are not known, so have no signature based "blessing", but exhibit behaviour similar to known malware. Thus, they are flagged.

                     

                    It's not EVERY NSIS installer which is getting flagged, it's ones with particular characteristics. I'm not going to tell you what those are as it would only help malware authors game the system, but tiny files with minimal content like the one people mentioned on this forum are of course a good example.

                     

                    There's lots of posts on how to submit programs to McAfee for evaluation/whitelisting - just create an account and follow the rules and your application will be evaluated.

                    • 7. Re: NSIS forum reply to Mcafee false positives
                      heatheralexea123

                      "I did not say that detecting a NSIS stub means it is harmless, I said that they need to focus on the data that is unique to each installer. Mcafee probably know how to unpack NSIS installers and should be able to look at the included files and possibly the NSIS scripting code.

                       

                      I call ******** on this behavior excuse, an executable that does no harm is clearly harmless and if their product believes otherwise then their detection system is buggy/broken by design.

                       

                      It is unlikely that we (NSIS developers) can make any changes that will make it seem less suspicious. NSIS installers are script based and at run-time it uses a small instruction decoder that reads and executes each instruction and it also contains code to decompress data to memory/disk. This is a common thing for installers to do..."


                      (NSIS Moderator)

                      • 8. Re: NSIS forum reply to Mcafee false positives
                        alexhilda

                        If you think NSIS is built upon malware then there are countless programs out there not getting detected by Mcafee whatsoever. Even Visual Studio should get flagged as a virus too. The surprising thing is only Mcafee detects most of the programs made with NSIS, no other AVs do so, even if they detect they have a very sophisticated white listing procedure where their labs respond accordingly and quickly. I have to say that there are people here on this community really frustrated because of this NSIS related issue. 

                        • 9. Re: NSIS forum reply to Mcafee false positives
                          sheridan

                          Not to mention that NSIS is an open source very comfortable tool for start up programmers, when Mcafee starts to put countless detection to almost every simple program that use NSIS, it really is frustrating.