
McAfee VirusScan and Safer Networking



OldRebel
2006-04-11, 18:24
I'm not sure if I should post this in this forum, but here goes: McAfee VirusScan detected RegAlyzer and FileAlyzer by Safer Networking as a PUP (potentially unwanted program) on April 10, 2006. Specifically it detected the file unins000.exe as belonging to SysProtect, a program sometimes associated with the Vundo trojan. I believe that this was a false positive and reported it to McAfee. I am concerned that if I tell McAfee to allow those files in RegAlyzer and FileAlyzer, it would not detect the real threat if the actual SysProtect program was somehow downloaded by a trojan. In McAfee's description of that PUP, one of the file names is the same as ones used by Safer Networking. Is having the same file name a danger, or should proper detection by McAfee be able to differentiate between the Safer Networking files and the SysProtect files? I believe that this is McAfee's problem, but could the renaming of these files by Safer Networking prevent confusion with that other program which is a potential malware? I don't quite understand how all this works, so any insights would be helpful. I intend to reinstall the Safer Networking programs as soon as McAfee corrects this detection. I find those 2 programs very helpful, especially RegAlyzer.

md usa spybot fan
2006-04-11, 19:03
OldRebel:

The file unins000.exe is common to many programs. The virus scan signature should not be looking just for a file name. It should also be looking for length, hash values, etc. so that it is detecting (whenever possible) just the offending file.


I believe that this was a false positive and reported it to McAFee.
Did you send the actual files to McAfee using these instructions?
http://vil.nai.com/vil/submit-sample.aspx
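The point above, that a signature should key on length and hash rather than file name alone, as an added Python example that is not part of this thread or of any McAfee product. The two samples, the signature and the exclusion list are constructed stand-ins, not real binaries or real DAT data; it shows why a name-only rule flags the legitimate uninstaller, and why an exclusion keyed on the legitimate file's hash still lets a same-named SysProtect file be flagged.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    label: str   # human-readable tag for the constructed sample
    name: str    # on-disk file name
    data: bytes  # file contents (constructed stand-ins, not real binaries)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed samples: the uninstaller shipped with FileAlyzer and a
# SysProtect PUP file that happens to carry the same file name.
LEGIT = Sample("FileAlyzer uninstaller", "unins000.exe", b"constructed: FileAlyzer unins000 bytes")
PUP = Sample("SysProtect installer", "unins000.exe", b"constructed: SysProtect unins000 bytes")
SAMPLES = [LEGIT, PUP]


# Signature keyed only on file name: matches both files, hence the false positive.
def name_only_rule(sample: Sample) -> bool:
    return sample.name.lower() == "unins000.exe"


# Signature keyed on size plus SHA-256 of the known-bad file: matches only the PUP.
PUP_SIGNATURE = {"size": len(PUP.data), "sha256": sha256(PUP.data)}


def hash_rule(sample: Sample) -> bool:
    return (len(sample.data) == PUP_SIGNATURE["size"]
            and sha256(sample.data) == PUP_SIGNATURE["sha256"])


# Exclusion keyed on the legitimate file's hash rather than its name, so a
# different file that reuses the name is still scanned and still flagged.
ALLOWED_HASHES = frozenset({sha256(LEGIT.data)})


def scan(samples, rule, allowed=frozenset()):
    """Return the labels of samples the rule flags, skipping allow-listed hashes."""
    return [s.label for s in samples
            if sha256(s.data) not in allowed and rule(s)]


if __name__ == "__main__":
    print("name only:      ", scan(SAMPLES, name_only_rule))
    print("hash + size:    ", scan(SAMPLES, hash_rule))
    print("name + allowlist", scan(SAMPLES, name_only_rule, ALLOWED_HASHES))
```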

OldRebel
2006-04-11, 19:12
No, I wish I had submitted them, but didn't think of it until after I uninstalled. I checked the McAfee forums and there were other reports of the same detection. I believe some of them have already submitted the files to Avert. BTW, after the uninstall, the McAfee on-access scanner also detected another file in my %temp% folder, but I forgot to make a note of its name. I had driven all day with only 2 1/2 hours sleep and was not up to par when dealing with this last night. I'll reinstall both programs in a few days and see what happens.

md usa spybot fan
2006-04-12, 00:30
OldRebel:

It looks like the problem with the McAfee detections of the following may be resolved:
FileAlyzer - unins000.exe
RegAlyzer - unins000.exe (which you did not indicate that you had a problem with)
RunAlyzer - unins000.exe
The following update does not seem to detect the problems with the above that were detected by DAT 4737 (04-10-2006):
Bld. 10.0.27 Eng. 4400 DAT 4738 (04-11-2006)
Let’s hope that they in their exuberance to fix a possible false positive did not eliminate a real detection that may come back to bite us.

OldRebel
2006-04-12, 00:40
Yes, apparently so. I just updated and found an extra DAT to address this detection in my Event Viewer log:

Event Type: Information
Event Source: McLogEvent
Event Category: None
Event ID: 5000
Date: 4/11/2006
Time: 4:55:24 PM
User: NT AUTHORITY\SYSTEM
Computer: XXXXXX
Description:
McAfee McShield service started - scanning for 186526 viruses.
Engine version : 4.4.00
.DAT version : 4738

EXTRA.DAT name : EXTRA.DAT
Number of virus signatures in EXTRA.DAT : 1
Names of viruses that EXTRA.DAT can detect : SysProtect

Now I need to reinstall my programs!