22 Replies Latest reply on Apr 27, 2016 1:02 PM by catdaddy

    Whitelisting False Positive BehavesLike.Win32.FakeAlertSecurityTool.cc

    rokapublish

      Dear McAfee Team,

       

      I tried a few times to add our files to the whitelist.

      https://www.virustotal.com/en/file/ab1f0bcf437bafce8c627fc93813bfea61fc364a1209e74dc955d95077e8d95e/analysis/1460976958/

       

      It's whitelisted on the "McAfee" but not on "Gate Way". We have been trying for days to get the "Go".

      Could somebody help me with how we can do it easily?

        • 1. Re: Whitelisting False Positive
          Troja

          Hi rokapublish,

          Have you sent the file that GAM is blocking to the AVert Team? Whitelisting with GAM is different to the normal signature-based engine, because GAM does behavior-based detection.

          Finally, if your application has a similar behavior to a known threat the easiest way is to

          a) make a rule in MWG to whitelist the detection name with a given URL.

          b) open a ticket and upload the file to McAfee to whitelist.

           

          Hope this helps,

          Cheers

          • 2. Re: Whitelisting False Positive
            rokapublish

            Hi Troja,

             

            We got a "process sheet" on how we should submit it and use the GetSusp software.

            http://www.mcafee.com/us/downloads/free-tools/getsusp.aspx

            We submitted it and got a "we received the mail" but until now nothing.

            • 3. Re: Whitelisting False Positive BehavesLike.Win32.FakeAlertSecurityTool.cc
              Peter M

              I've added the detection name to your header in order to draw more attention to it and have moved this to Corporate User Assistance.

              The software developer has to submit the software using this form:  https://secure.mcafee.com/apps/mcafee-labs/dispute-form.aspx?region=us

              It takes quite a long time sometimes for software to be cleared.

              ---

              Peter

              Moderator

              • 4. Re: Whitelisting False Positive
                Troja

                Hmmm,

                I do not understand what you mean by "process sheet".

                GetSusp does not help if GAM blocks something. You need to upload the original file to McAfee Support by opening a Support ticket.

                Cheers

                • 5. Re: Whitelisting False Positive
                  Troja

                  Hi,

                  Is this a new form? I have not seen it before.

                  Cheers

                  • 6. Re: Whitelisting False Positive
                    rokapublish

                    Hi, I got the following instructions from McAfee Support. Btw: We don't use McAfee in-house.

                     

                    How to submit virus samples and false positives to McAfee Labs

                    Consumer KnowledgeBase ID:  TS102053
                    Last Modified:  10/27/2015

                     


                     

                    Environment

                    Summary

                    This article describes how to submit virus samples and false positives to McAfee Labs. There are two possible reasons you might need to submit a file. Use the appropriate Solution for your issue:

                    • Solution 1: You suspect you have malware but nothing was detected, or malware was detected but you were unable to clean it.
                    • Solution 2: You suspect a malware detection is a false positive.

                      Solution 1 

                    Possibly Infected File Submissions
                    You can submit samples to McAfee Labs if you have located a file:

                    • that you believe is infected but was not detected by your McAfee software
                    • that was detected, but was not cleaned

                     
                    There are two methods for submitting potentially infected files:
                     

                    • GetSusp: McAfee recommends that you use GetSusp as a first tool of choice to analyze a computer you suspect has malware.

                      To download GetSusp, go to http://www.mcafee.com/us/downloads/free-tools/getsusp.aspx.

                      IMPORTANT: The submitted file cannot be larger than 10 MB.
                    • Email: You can submit samples directly to McAfee Labs by emailing virus_research@avertlabs.com and attaching the file(s) for review.

                      When submitting samples via email, ensure your attachments are contained in password-protected .zip files with the password infected (all lowercase). If the automated system is unable to determine if there is a valid threat, your submission will be escalated for further analysis. For more information on creating a .zip file, see:

                     
                    Regular Technical Support cannot assist in malware removal. If you prefer support assistance, contact McAfee Virus Removal Services (http://home.mcafee.com/root/stdlandingpage.aspx?LPName=vrs_v2&affid=0&culture=en-us&mm_campaign=905652cc39caaa3e7b5e6e4837f0b0be&aco=0&cid=99724).
                     

                    Solution 2

                    False Positive Submissions
                    If you think that a file has been falsely detected or incorrectly classified, follow this process to submit the sample to McAfee Labs. 

                    Email submissions
                    To submit a sample via email, zip the file (using the procedure described in Solution 1) and send it to McAfee Labs Virus Research at:

                    virus_research@mcafee.com.


                    IMPORTANT:
                    Prefix the email subject line with the word FALSE. For example, "FALSE: file being detected by McAfee."

                    Include the Product and version, DAT version, Engine version, and a short description (including any other relevant information regarding why you think the file has been incorrectly detected). You can find all of the product information inside your McAfee Security suite by clicking About.

                    Sample email:

                    Please review the submitted file as we believe this is a false detection.
                    Product: McAfee Security Center 12.8
                    DAT version: 6587
                    Engine: 5600
                    Description of issue: This file has been detected as malware, but is part of my game.


                    After the sample has been analyzed, one of the following occurs:

                    • The sample is considered clean. Detection is suppressed, and will be updated in the next DAT release.
                    • The sample is incorrectly classified. It will be reclassified, and detection will be updated in the next DAT release.
                    • Analysis of the file determines that the sample is properly detected. You will be notified of the results.
                    • 7. Re: Whitelisting False Positive BehavesLike.Win32.FakeAlertSecurityTool.cc
                      Peter M

                      Troja wrote:

                       

                      Hi,

                      Is this a new form? I have not seen it before.

                      Cheers

                      I assume you are asking me? No, it's been around for a while. We were told that software developers should use that form.

                      If the OP isn't the software developer but only a user of it then the KB article you refer to would apply.

                      • 8. Re: Whitelisting False Positive
                        Troja

                        Hi rokapublish,

                        The GetSusp Tool is a tool that can be used on a Windows Endpoint. It inspects your system and is able to upload a suspicious file to McAfee.

                        This tool does not help when the GAM engine (this is another engine, completely different to the engine on the endpoint) detects a false positive.

                         

                        So, when following the instructions you posted, take the file, zip it with a password and send it to McAfee.

                        Cheers

                        • 9. Re: Whitelisting False Positive
                          rokapublish

                          Yes, I used both ways. But still no feedback. I'll submit it again and maybe the McAfee Team will whitelist it.
