McAfee whitelist request


nrjank
Administrator
Can someone with a system currently not having VirusScan issues, and whose email won't block the attachment, follow the instructions below for sending the libsqlite3_0.dll from the currently uploaded Windows 5.2.0_1 installers to McAfee's automated white-list request system? I guess respond here before sending so they don't get a pile of emails.

Full instructions for the curious: https://kc.mcafee.com/corporate/index?page=content&id=KB85567

Email needs to have the subject below, starting with FALSE. The dll needs to be zipped (they say 7z is okay, but zip seems preferred for their automated system), password protected with "infected" (no quotes) as the password, no encryption, and attached to the email.

--------------------------
Subject:   FALSE: GNU Octave dll detected by McAfee

The attached zip contains a file in a recent build of GNU Octave v5.2.0_1 that is triggering what we believe to be false positives on systems using McAfee VirusScan products after a recent definition update.

Detecting Product Name: VirusScan Enterprise

Detecting Product Version: 8.8

DAT Version: 9536.0000

Engine Version: 6010.8670

Description of issue: A recent release of GNU Octave, downloadable from https://www.gnu.org/software/octave/download.html, has started triggering Trojan virus alerts in McAfee products. The log file indicates: libsqlite3-0.dll RDN/Generic.dx (Trojan) 699a782fc1bd6bf6450bb720ae5ed901 (MD5) Zipped file attached. 


--------------------
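
The packaging step from the first post, as an added example that is not part of the thread or of McAfee's instructions: it checks that the file matches the MD5 quoted from the scan log before zipping it with the stated password. It assumes `md5sum` and Info-ZIP `zip` are available; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check and packaging for a false-positive submission.
# EXPECTED_MD5 is the hash quoted from the scanner log in the post above.
EXPECTED_MD5="699a782fc1bd6bf6450bb720ae5ed901"
ZIP_PASSWORD="infected"

# file_md5 FILE -> prints the lowercase MD5 of FILE
file_md5() {
    md5sum "$1" | cut -d' ' -f1
}

# matches_logged_hash FILE HASH -> exit 0 only if FILE's MD5 equals HASH.
# The comparison is case-insensitive, since logs print hashes in either case.
matches_logged_hash() {
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$(file_md5 "$1")" = "$want" ]
}

# package_sample FILE OUT.zip -> refuses to package a file that is not the
# one the scanner flagged, then writes a password-protected zip.
package_sample() {
    if ! matches_logged_hash "$1" "$EXPECTED_MD5"; then
        echo "refusing: $1 does not match the MD5 from the scan log" >&2
        return 1
    fi
    command -v zip >/dev/null 2>&1 || { echo "zip not installed" >&2; return 2; }
    # -j stores the bare file name, -P sets the archive password
    zip -j -P "$ZIP_PASSWORD" "$2" "$1" >/dev/null
}

# Usage when run as a script: sh package_fp.sh libsqlite3-0.dll sample.zip
if [ "$#" -eq 2 ]; then
    package_sample "$1" "$2" && echo "wrote $2; send with subject starting FALSE:"
fi
```

Checking the hash first ensures the vendor analyses the same file the scanner flagged, not a rebuilt or already-cleaned copy.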

Re: McAfee whitelist request

Andreas Weber-6
On 21.02.20 at 16:56, Nicholas Jankowski wrote:
> the attached zip contains a file in a recent build of GNU Octave
> v5.2.0_1 that is triggering what we believe to be false positives on
> systems using McAfee Viruscan products after a recent definition update.

Sent to "[hidden email]" after making sure John's signature
matches for the archive.

I got an automated reply:
------------------------------------------------------------------
McAfee Labs - Beaverton

Current Scan Engine Version:6000.8403

Current DAT Version:9538.0000

Thank you for your submission.


Analysis ID: 10915218

File Name            Findings                       Detection                    Type         Extra
--------------------|------------------------------|----------------------------|------------|-----
libsqlite3-0.dll    |current detection             |rdn/generic.dx              |Trojan      |no

current detection [libsqlite3-0.dll]


The file submitted is malware that can be detected with current DAT files. It is recommended that you update your DAT and engine files and scan your computer again.

Note –

Due to the prevalence of network gateway AV products, it is important that all submissions be zipped and the zip file password-protected (password - infected). Some products will reject an email that contains a virus that is not sent in this way. In addition, often we receive a file that appears not to have been infected, to find later that the file was infected when it left the sender, and was cleaned somewhere along the line.


Regards,
------------------------------------------------------------------

What about the other false detections?
https://www.virustotal.com/gui/file/e1656cdb03908796a9c90eb7409ca44f8e859ab73f44a498cadc68c00a3b5ff8/details

-- Andy


Re: McAfee whitelist request

nrjank
Administrator
Thanks!
 
> current detection [libsqlite3-0.dll]
>
> The file submitted is malware that can be detected with current DAT files. It is recommended that you update your DAT and engine files and scan your computer again.

And of course the website says "if the submission response shows a detection and you believe the detection to still be invalid, contact Technical Support", and the only way to do that is through the Paid Registration only support portal...

> ------------------------------------------------------------------
>
> What about the other false detections?
> https://www.virustotal.com/gui/file/e1656cdb03908796a9c90eb7409ca44f8e859ab73f44a498cadc68c00a3b5ff8/details
>
> -- Andy

Hey, at least it's 10 not 11. Someone must have whitelisted it already! They of course have a paid account tool for submitting software for broad whitelisting.

Here's the list for all their tool companies:


Ones I found quickly:
Cyren - 

Trendmicro - similar upload through:  https://success.trendmicro.com/smb-new-request
Issue Type:  Threat Issue
Issue Category: File False Positive

Avast :

The other 7 my corporate firewall won't let me visit.  ¯\_(ツ)_/¯


Re: McAfee whitelist request

nrjank
Administrator
> Hey, at least it's 10 not 11. Someone must have whitelisted it already! They of course have a paid account tool for submitting software for broad whitelisting.


And this morning 17 scanners are flagging it.




Re: McAfee whitelist request

nrjank
Administrator
In reply to this post by nrjank

Just an FYI, I have done manual submissions to Avast, Symantec, TrendMicro, and Microsoft. Some are rather painful, others not so much. I haven't revisited McAfee, and I don't have access to a mode of email that will permit a dll or zipped attachment. No feedback on any yet, and the current status from VirusTotal is more or less the same. Seems some scanners time out, causing fluctuation in the totals.
 

Re: McAfee whitelist request

nrjank
Administrator
On Mon, Mar 2, 2020, 12:05 PM Nicholas Jankowski <[hidden email]> wrote:

> Just an FYI, I have done manual submissions to Avast, Symantec, TrendMicro, and Microsoft. Some are rather painful, others not so much. I haven't revisited McAfee, and I don't have access to a mode of email that will permit a dll or zipped attachment. No feedback on any yet, and the current status from VirusTotal is more or less the same. Seems some scanners time out, causing fluctuation in the totals.
 

Microsoft replied with an all clear notice

Submission details

libsqlite3-0.dll

Submission ID: 8f0fc783-54a7-441d-8f2f-0fbe5d0c88ce

Status: Completed

Submitted by: [hidden email]

Submitted: Mar 2, 2020 11:58:07 AM

User Opinion: Incorrect detection

Analyst comments:

We have removed the detection. Please follow the steps below to clear cached detection and obtain the latest malware definitions.


...

Showing 1 of 1 entries
Protection | Current detection | Definition version
libsqlite3-0.dll
Not malwareMalware  Cloud
Not malware  Client
Program:Win32/Uwasson.A!ml
No malware detected
Online
1.311.413.

Re: McAfee whitelist request

nrjank
Administrator
On Mon, Mar 2, 2020 at 1:45 PM Nicholas Jankowski <[hidden email]> wrote:
> On Mon, Mar 2, 2020, 12:05 PM Nicholas Jankowski <[hidden email]> wrote:
>
>> Just an FYI, I have done manual submissions to Avast, Symantec, TrendMicro, and Microsoft. Some are rather painful, others not so much. I haven't revisited McAfee, and I don't have access to a mode of email that will permit a dll or zipped attachment. No feedback on any yet, and the current status from VirusTotal is more or less the same. Seems some scanners time out, causing fluctuation in the totals.
>
> Microsoft replied with an all clear notice

And just got a reply back that McAfee is whitelisting it. Progress!

If anyone can navigate the Chinese websites for Qihoo-360 and Rising, that would be helpful. Almost all of the others have been requested.