4 Replies Latest reply on Jan 9, 2016 9:17 AM by giunghi

    Sumatra PDF reader detected as false positive

    giunghi

      At my office, all of a sudden McAfee freezes SumatraPDF.exe because "it tries to stop McAfee". The logs actually detect the installation files (sumatraPDF_install.exe) as the cause of this, which seems ridiculous. I am on Windows 7 Pro, McAfee Agent 4.8.0, McAfee VirusScan Agent 8.8.0

      Does anybody know what I can suggest to the IT security guys who don't want to add Sumatra to the white list?

      Thanks, Marco

      31/12/2015   11:40:05 AM   Blocked by Access Protection rule   S02003048-10615\tuser   C:\Users\v10615\Downloads\SumatraPDF-3.1.1-64-install (1).exe   C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe   Common Standard Protection:Prevent termination of McAfee processes   Action blocked : Terminate
      31/12/2015   11:40:05 AM   Blocked by Access Protection rule   S02003048-10615\tuser   C:\Users\v10615\Downloads\SumatraPDF-3.1.1-64-install (1).exe   C:\Program Files (x86)\McAfee\Common Framework\McTray.exe   Common Standard Protection:Prevent termination of McAfee processes   Action blocked : Terminate
        • 1. Re: Sumatra PDF reader detected as false positive
          Peacekeeper

          So this is enterprise. I will move it to VirusScan Enterprise; there you will get better assistance than in the consumer area. If you feel another area is better, please let me know.

          1 of 1 people found this helpful
          • 2. Re: Sumatra PDF reader detected as false positive
            giunghi

            Oh, hi. This sounds like a very good suggestion. Please go ahead.

            Thanks, Marco

            • 3. Re: Sumatra PDF reader detected as false positive
              tomz2

              Hi Marco,

              What you are seeing here is not that your app is being detected as a false positive, per se. The VSE component that is showing an issue with this EXE is Access Protection. Access Protection provides a set of pre-defined rules that can be used to prevent applications from taking actions that could destabilize a system through such actions as uninstalling AV, terminating certain Windows processes, etc.

              In this case, C:\Users\v10615\Downloads\SumatraPDF-3.1.1-64-install (1).exe is seen "attempting" to terminate two McAfee processes. This behavior is often a false positive due to an improper access mask. SCCM's agent is an example of this. The other end of the spectrum is that this particular installer is malicious and is actually trying to do damage and terminate AV. If there is concern, your IT security team should have access to ServicePortal and can submit the exe as a sample for analysis.

              The question that needs to be answered is - Is the installation / use of SumatraPDF prevented? In the log snippet you provided, it simply looks like the installer is potentially impacted. If the installer executes and the app then works correctly, no whitelisting should be needed. If the installer fails to launch or the app is impacted, then your IT security team may need to review policies and tune to allow the app to function while ensuring security.
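
Added example, not part of the thread and not McAfee tooling: a small triage script that groups Access Protection blocks by source process and rule, to check whether only the installer or also the installed application appears as the blocked source. The tab-separated layout, the field names, and `SumatraPDF.exe` as the installed binary name are assumptions; the sample is constructed from the two records in the first post.

```python
import ntpath  # Windows path handling that works on any OS
from collections import defaultdict

# Assumed layout: one tab-separated record per line, in this field order.
FIELDS = ("date", "time", "event", "user", "source", "target", "rule", "action")

# Constructed sample: the two records from the post, rebuilt in the assumed layout.
_INSTALLER = r"C:\Users\v10615\Downloads\SumatraPDF-3.1.1-64-install (1).exe"
_FRAMEWORK = r"C:\Program Files (x86)\McAfee\Common Framework"
_RULE = "Common Standard Protection:Prevent termination of McAfee processes"
_ROWS = [
    ("31/12/2015", "11:40:05 AM", "Blocked by Access Protection rule",
     r"S02003048-10615\tuser", _INSTALLER, _FRAMEWORK + "\\" + exe, _RULE,
     "Action blocked : Terminate")
    for exe in ("UdaterUI.exe", "McTray.exe")
]
# A trailing malformed line shows that non-records are skipped.
SAMPLE_LOG = "\n".join("\t".join(row) for row in _ROWS) + "\nnot a record\n"


def parse(text):
    """Return one dict per well-formed record; skip anything else."""
    entries = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("\t")]
        if len(parts) == len(FIELDS):
            entries.append(dict(zip(FIELDS, parts)))
    return entries


def summarize(entries):
    """Group blocks by (source process, rule) and collect targets and actions."""
    groups = defaultdict(lambda: {"count": 0, "targets": set(), "actions": set()})
    for e in entries:
        g = groups[(e["source"], e["rule"])]
        g["count"] += 1
        g["targets"].add(ntpath.basename(e["target"]))
        g["actions"].add(e["action"])
    return dict(groups)


def app_is_blocked(entries, app_exe):
    """True if the installed application itself (not its installer) is a source."""
    return any(ntpath.basename(e["source"]).lower() == app_exe.lower() for e in entries)


if __name__ == "__main__":
    found = parse(SAMPLE_LOG)
    for (source, rule), g in summarize(found).items():
        print(f"{g['count']}x {ntpath.basename(source)} -> {sorted(g['targets'])}")
    print("SumatraPDF.exe blocked:", app_is_blocked(found, "SumatraPDF.exe"))
```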

              • 4. Re: Sumatra PDF reader detected as false positive
                giunghi

                Hi tomz2,

                Thanks for the detailed answer. I will forward it to the IT security guys. Of course their first answer was "don't use the software!" :-(

                Your question is right on. I cannot understand what the install files have to do with the sumatra.exe file that is being blocked. I used Sumatra for ages without problems. Only recently I am having this problem. The files have been there for months, but McAfee still blocks Sumatra after I deleted them.

                Anyway, hopefully they'll send it over to the ServicePortal.

                Lots of thanks, Marco