Topic: False Positive on Software (Generic.Dx) by McAfee Today: McAfee Response and Fix (Read 74448 times)

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • Posts: 40,914
Today's update of McAfee virus definitions has suddenly started alerting people that there is the Generic.Dx trojan found, whereupon the program exe is automatically deleted.

There is absolutely no malware in any of our programs -- it's a false alarm by an over eager antivirus company, which has a history of doing this to software authors (see the funny articles in the linked thread).

We've gotten an official reply today confirming that it's a false alarm and there is no virus/trojan:

AVERT(tm) Labs, APAC
Thank you for submitting your suspicious file.
Synopsis -
Our Senior Virus Research Engineers have examined the file in question
and no virus was found.
Solution -
Attached is an extra.dat with correct detection.  This correction will
be included in the next DAT update.

Hopefully a new update will be pushed through to users very soon.



If you can't bear to wait I'm attaching the Extra.DAT update file I was sent, and instructions for installing it can be found here: http://vil.mcafeesec...lpdocs/extradat.aspx
« Last Edit: March 12, 2008, 04:09 PM by mouser »

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • Posts: 40,914
I can confirm that using the Extra.DAT file it seems to stop alerting on all of our programs, so at least their temporary fix works -- and hopefully their new definitions will go out with a fix for this right away.

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • Posts: 40,914
If you ever get a virus alert, you should know that it is very common to get false positives from over-aggressive antivirus tools which aren't very concerned about falsely identifying something as a virus.

I've complained a lot in the past about the failure of antivirus tools to usefully inform users when some new detection is more of a guess than a sure thing.  In cases where a brand new update detects something, it should be a no-brainer that the user should be told a little more about the possibility that it's a false alarm, and given more help and information for how to figure out if the threat is real.

If you get a virus alert one thing you can do is visit a few of the very cool free websites which will scan the file using a wide variety of different antivirus engines.  If your antivirus is the only one that detects something then chances are it's probably a false alarm.

Here are the reports for a file that McAfee started alarming on today:

From virustotal.com:
[attached screenshot: Screenshot - 3_11_2008 , 7_55_25 PM.png] (the annotation is mine)

And another from http://virusscan.jotti.org/:
[attached screenshot: Screenshot - 3_11_2008 , 8_07_23 PM.png]


iphigenie

  • Supporting Member
  • Joined in 2006
  • Posts: 1,170
maybe they are all wrong and mcafee is the lone ranger, and you are the most cunning virus writer ever, creating a whole persona over several years to fool the entire world into trusting your software  :eusa_naughty:

(couldn't resist)
« Last Edit: March 12, 2008, 05:47 AM by iphigenie »

xcopy

  • Charter Member
  • Joined in 2006
  • Posts: 78
Thanks for the quick cure, mouser. Running Launchbar Commander with the new Extra.dat works fine.  :Thmbsup:

app103

  • That scary taskbar girl
  • Global Moderator
  • Joined in 2006
  • Posts: 5,885
Sometimes I wonder about these daily updates issued by most antivirus vendors.

How possible is it that most antivirus vendors only issue protection from new threats once a week and spend the rest of the week issuing fixes for all the false positives from them?

The attitude of the antivirus vendors is that a false positive is better than a false negative, and to a certain degree I would have to agree with them on that, but when a certain particular antivirus has a track record of more false positives than just about any other and it's a big name that is trusted & used by so many, it creates a situation where users believe the alerts and it can ruin a coder's reputation in a single day, especially a young one that hasn't released much yet.

About 3 years ago, a kid from my chatroom that was just learning C created a really cool little utility and I released it on my group's site. There was nothing wrong with it...it was clean.

About a week later, people came flooding into the chatroom accusing my group of releasing malware, and this kid in particular. All of them had something in common...they were all McAfee users.

I sent a copy of the file to McAfee, along with the source, and never heard from them about it beyond an email confirming that I had sent them the file and that they would look into it.

This kid had no idea what in his code could have set off the false positive so he had no idea how to fix it. What ended up happening is another member of my group created their own version of the utility, an almost clone of the original, and we replaced the one on the site with that one. Sad, really, because to this day I feel the original is the better version. I wish I could have left the original on the site, but McAfee doesn't care about fixing their crap to protect the reputation of an unknown beginning coder.

Mouser, consider yourself lucky that they responded and issued any kind of fix at all. It means they think you are important enough to the world of software to do so. If you were a complete unknown and LBC was your first release, you'd be waiting a long long time.

kelibeck

  • Participant
  • Joined in 2006
  • Posts: 1
Thanks for the info but the link detailing how to install EXTRA.DLL only applies to the Enterprise edition of McAfee. I have the Home/Home Office edition, and after a lot of hassle managed to get the following advice from McAfee.

How to install an EXTRA.DAT
Summary: This document will explain how to apply an EXTRA.DAT file.


Affected Suites: Total Protection, Internet Security Suite, PC Protection Plus, VirusScan Plus
Affected Products: VirusScan
Affected Operating Systems: Windows 2000, Windows XP, Windows Vista

Description
EXTRA.DAT files contain information that is used by VirusScan to detect new viruses. When a major virus is discovered, and extra detection is required, an EXTRA.DAT file is made available until the normal VirusScan update is released.

EXTRA.DATs can be downloaded from the Newly Discovered Threats page, the Recently Updated Threats page, or the Removal Instructions section of the description for the major virus. When an EXTRA.DAT file is added to the VirusScan folder on your hard drive, it is used by the product, in addition to the normal DAT files, to detect the new virus. This enables VirusScan to protect your computer from the new virus until the official update is released that contains the virus detection/removal information. After the official update is released and installed, the EXTRA.DAT file is no longer necessary.

EXTRA.DAT files are good for 14 days, at which time they disable themselves. McAfee recommends you keep your VirusScan up to date by downloading and installing the official daily updates.

Solution
EXTRA.DAT instructions
EXTRA.DAT should be copied into the same directory where avvclean.dat, avvnames.dat, and avvscan.dat are.

For example:
C:\Program Files\McAfee\VirusScan\DAT\xxxx.x
(where xxxx.x is the DAT version number)

Note: For Windows Vista 64-bit computers, the directory is: C:\Program Files (x86)\McAfee\VirusScan\DAT\xxxx.x.


Restart your computer.
Additional information can be found at the McAfee Threat Center: http://vil.nai.com/v...lpdocs/extradat.aspx.



Last Modified: 12/05/07
Modified by: asj


Once installed, the EXTRA.DLL worked fine.
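The copy-and-restart procedure quoted above, as an added example that is not part of kelibeck's post or of McAfee's documentation: a small Python script (call it stage_extra_dat.py, a hypothetical name) that looks under the two Program Files roots named in the instructions for the version-numbered folder containing avvclean.dat, avvnames.dat and avvscan.dat, refuses to copy anywhere else, keeps a backup of any EXTRA.DAT already present, and copies the new file in. The root paths and the three sibling file names come from the quoted text; the backup file name, the sample tree builder and the DAT version numbers it uses are assumptions. Restarting the computer afterwards is still a manual step, as in the instructions.

```python
"""Stage a McAfee EXTRA.DAT next to avvclean.dat, avvnames.dat and avvscan.dat.

Added example, not McAfee's tool or code from this thread. The roots follow
the quoted instructions (32-bit and 64-bit Program Files layouts); everything
else (backup name, sample layout, version numbers) is an assumption.
Run with no arguments for a dry run against a constructed sample tree.
"""
import shutil
import sys
import tempfile
from pathlib import Path

# Files the instructions say must sit beside EXTRA.DAT.
SIBLING_DATS = ("avvclean.dat", "avvnames.dat", "avvscan.dat")

# Candidate roots from the quoted instructions; the version folder is below them.
DEFAULT_ROOTS = (
    r"C:\Program Files\McAfee\VirusScan\DAT",
    r"C:\Program Files (x86)\McAfee\VirusScan\DAT",
)


def _version_key(name):
    """Sort key for folder names such as '5271.0': numeric pieces compare as numbers."""
    return [(0, int(p)) if p.isdigit() else (1, p) for p in name.split(".")]


def _has_sibling_dats(folder):
    """True when all three sibling DAT files are present (case-insensitive)."""
    names = {p.name.lower() for p in folder.iterdir()}
    return all(s in names for s in SIBLING_DATS)


def find_dat_dir(roots=DEFAULT_ROOTS):
    """Return the newest version folder under any root that holds the sibling DATs."""
    found = []
    for root in map(Path, roots):
        if not root.is_dir():
            continue  # e.g. the (x86) root on a 32-bit install
        found.extend(d for d in root.iterdir() if d.is_dir() and _has_sibling_dats(d))
    return max(found, key=lambda d: _version_key(d.name)) if found else None


def install_extra_dat(extra_dat, dat_dir, dry_run=False):
    """Copy extra_dat to dat_dir/EXTRA.DAT, keeping a .bak of any previous one.

    Returns the destination path. Raises if the source is missing or dat_dir is
    not a DAT folder, so a typo cannot drop the file somewhere the scanner ignores.
    """
    src, dst_dir = Path(extra_dat), Path(dat_dir)
    if not src.is_file():
        raise FileNotFoundError(f"EXTRA.DAT not found: {src}")
    if not dst_dir.is_dir() or not _has_sibling_dats(dst_dir):
        raise ValueError(f"{dst_dir} does not look like a VirusScan DAT folder")
    dst = dst_dir / "EXTRA.DAT"
    if dry_run:
        return dst
    if dst.exists():
        shutil.copy2(dst, dst_dir / "EXTRA.DAT.bak")  # keep the previous EXTRA.DAT
    shutil.copy2(src, dst)
    return dst


def build_sample_layout():
    """Constructed sample tree (assumed version numbers) for offline demonstration.

    Returns (root, extra_dat): root holds two real version folders and one stray
    folder without the sibling DATs; extra_dat is a placeholder EXTRA.DAT file.
    """
    base = Path(tempfile.mkdtemp(prefix="mcafee-sample-"))
    root = base / "DAT"
    for ver in ("5270.0", "5271.0"):
        d = root / ver
        d.mkdir(parents=True)
        for name in SIBLING_DATS:
            (d / name).write_bytes(b"constructed placeholder " + name.encode())
    (root / "logs").mkdir()  # not a DAT folder; must be skipped
    extra = base / "EXTRA.DAT"
    extra.write_bytes(b"constructed placeholder EXTRA.DAT")
    return root, extra


if __name__ == "__main__":
    if len(sys.argv) > 1:  # real use: stage_extra_dat.py <path to EXTRA.DAT> [--dry-run]
        extra, dat_dir = sys.argv[1], find_dat_dir()
        dry_run = "--dry-run" in sys.argv[2:]
    else:  # demonstration against the constructed tree
        root, extra = build_sample_layout()
        dat_dir, dry_run = find_dat_dir([root]), True
    if dat_dir is None:
        sys.exit("no VirusScan DAT folder found under the known roots")
    print("DAT folder:", dat_dir)
    print("would copy to:" if dry_run else "copied to:",
          install_extra_dat(extra, dat_dir, dry_run=dry_run))
    print("Now restart the computer, as the instructions say.")
```

The folder check is the part worth keeping even if you copy by hand: an EXTRA.DAT dropped into the wrong directory is silently ignored, so verifying that the three sibling DAT files are present before copying tells you whether you have found the right place.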

cranioscopical

  • Friend of the Site
  • Supporting Member
  • Joined in 2006
  • Posts: 4,776
WOW!

Today, the Generic.dx Trojan that I run on my machine informed me that McAfee Virus Scan has screwed up again.

Thank goodness for Generic.dx.  Thanks to its timely warning I was able to deploy the MVS-removal tool in time to
prevent every executable on my machine from being moved into quarantine.

 :huh:

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • Posts: 40,914
To follow up, it looks like McAfee pushed out an update as promised that stops labeling the programs as having a generic.dx infection.

McAfee users can now reinstall the same programs, or even just restore them from quarantine area of McAfee control center (Restore->Files).

drpeterharris

  • Participant
  • Joined in 2008
  • Posts: 8
This has hit me big-time!

Last Wednesday,  while on holiday,  I started getting notifications that McAfee had been deleting my applications (3 of them) and I had very unhappy customers.   

OK - McAfee have released a new DAT file that has "fixed" the problem but not the damage that has been done.  I supply software to the rather sensitive healthcare industry and although I immediately released a statement explaining what had happened, I dread to think what this has done to my reputation (no smoke without fire etc).  This is compounded by the fact that we have just launched a marketing campaign aimed at a new group of potential customers.

On top of this is the support load of getting all our customers back up and running again.

The whole episode has made me absolutely livid and has spoilt what should have been a relaxing skiing holiday.

Has anyone ever succeeded in getting any form of legal compensation in these circumstances?  I am sure that the McAfee EULA is watertight in respect of their responsibility to their end users but the way this has affected me and the implication that my software is a Trojan seems much like defamation.

Any lawyers out there?

Peter
« Last Edit: March 17, 2008, 07:12 AM by drpeterharris »

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • Posts: 40,914
Hi Peter,

Welcome to the site, and welcome to the club of coders who are having their reputations damaged by this outrageous behavior.

This episode was particularly grievous because not only did it tell people that there was this virus but then automatically deleted files without warning or question.  Can you imagine if the program was actually performing some critical function? Not cool.

The only thing I know to do is try to get information out there to the users so that the blame and anger are properly focused on these antivirus companies and not us!

-mouser

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
Christ, antivirus apps deleting what they think are viruses? How lame is that... at least the default action should be "block access" or "quarantine", not frigging delete. Seems like the guys are smoking too many bad floppies, and spend too little time on creating signatures when they find a new piece of malware >_<
- carpe noctem

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • Posts: 40,914
well delete = quarantine.  it auto deletes the file but keeps a copy in its quarantine safe that you can restore (but only after the virus update declares it clean a few days after the original detection).

but the main thing that needs to change is:
1. the antivirus programs have to be honest about how confident the program is that it has found something dangerous
2. it has to give the user useful info and allow them to decide what to do.

drpeterharris

  • Participant
  • Joined in 2008
  • Posts: 8
The problem is that many of my customers have managed AV solutions and they have no options for restoring files or modifying the behaviour of the scanner themselves.

Peter

vlastimil

  • Honorary Member
  • Joined in 2006
  • Posts: 308
Sorry for the late post, I just got to this thread from the newsletter and it caught my eye, because I was having these problems too. Twice.

First, I was using a VB script in an .msi installer to customize folder icon - to set folder attributes to readonly, because only readonly folders display custom icon (ask microsoft why...). I received complaints from users that their AV said that it has detected a malicious script and whether they want to stop it. You can imagine how such a thing affects a first impression of an application. I think it is just outrageous. Not a "potentially malicious script" explaining the situation to the user, but a false and aggressive message. I can understand that when a script in a .doc file tries to access file system, it looks suspicious. But this was a .msi installer, it is supposed to access files. Is it really that hard to detect a valid use of a script, or are the Norton AV authors that lazy and their law department that good?

Second time, my cursor editor was affected. The animated cursor (.ani) files can contain several frames and if a frame is used multiple times it is not necessary to store it multiple times and instead a vector of frame indices can be used. Well, I took the time to auto-detect duplicate frames to have the smallest .ani files. Unfortunately, there was an exploitable bug in Windows involving the vector of frames. Norton AV just considered every .ani cursor with a custom frame vector a virus. A pissed off user gave me the lowest rating on download.com because of this false positive and this is just the tip of the iceberg.

So, I have serious issues with AVs, especially with Norton AV. If anyone starts any initiative to improve the situation and force them to be more responsible, I am in. Needless to say I tried to contact them with the first problem, but got no response at all.

Zoomie

  • Charter Member
  • Joined in 2006
  • Posts: 1
Uh-oh...I had what I thought was a false positive from Antivir when I downloaded the Screamer Radio Menu on my GF's computer over the weekend. I have forgotten exactly what it said now but I think it was Trojan/Spy.Agentxxxx.  Antivir had no explanation other than it may have been a trojan. I got it partially ignored by Antivir but Antivir just wouldn't give up. I thought perhaps a corrupted file and did it over again - same result so I had to delete it.  I downloaded the Menu on my pc this AM and my Antivir does not report anything.  Now I'm really confused. Anyone have any suggestions?

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • Posts: 40,914
keep in mind that the virus definitions get updated regularly after people complain about these things, so what is falsely detected one day may be fixed and not alarm the next day.

jinkerz7

  • Supporting Member
  • Joined in 2007
  • Posts: 7
After today's McAfee DAT file update (#5271), it reported that Screenshot Captor contained the MalWarrior trojan.  I'm hoping this is just another false-positive.  Has anyone else experienced this issue?

I would have taken a screenshot of the actual error, but it had already deleted Screenshot Captor!

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • Posts: 40,914
OK NOW I HAVE TO STRANGLE SOMEONE AT MCAFEE.

Thank you for the report, i will complain to mcafee.  again.  this is getting damned ridiculous.

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • Posts: 40,914
Here's the support email of the mcafee antivirus labs where they deal with false positive issues:

I encourage everyone to email them and let them know how unhappy they are with the sloppiness and irresponsibility of McAfee, with regard to these regular false positive things.

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • Posts: 40,914
One thing is clear.. McAfee is garbage.  I suggest people using it find a better antivirus.

These episodes have proven that McAfee:
1) Is sloppy and untrustworthy -- they clearly are not putting any care into adding antivirus signatures.
2) Has a horrible policy of deleting files that they have the slightest suspicion about.
3) Has no interest in treating users with the slightest intelligence (they don't tell you why they are doing what they are doing, nor give you any options, nor tell you the difference between a high and low confidence detection).

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • Posts: 40,914
Reply from McAfee:

  Thank you for your email. We are aware of this issue and it should be
resolved in tomorrow's DAT release. In the meantime I am escalating your
issue to our senior researchers. Please use the attached Extra.dat to
possibly negate any identification on your system. I tried downloading
the file for Screenshot Captor, but was unable to reproduce detection on
the file. If this extra.dat does not work, I request you to please
submit the file which is causing a mis-detection.

I've attached the latest extra.dat file.

* EXTRA.zip (0.26 kB - downloaded 1253 times.)

And instructions from kelibeck above:

How to install an EXTRA.DAT
Summary: This document will explain how to apply an EXTRA.DAT file.


Affected Suites: Total Protection, Internet Security Suite, PC Protection Plus, VirusScan Plus
Affected Products: VirusScan
Affected Operating Systems: Windows 2000, Windows XP, Windows Vista

Description
EXTRA.DAT files contain information that is used by VirusScan to detect new viruses. When a major virus is discovered, and extra detection is required, an EXTRA.DAT file is made available until the normal VirusScan update is released.

EXTRA.DATs can be downloaded from the Newly Discovered Threats page, the Recently Updated Threats page, or the Removal Instructions section of the description for the major virus. When an EXTRA.DAT file is added to the VirusScan folder on your hard drive, it is used by the product, in addition to the normal DAT files, to detect the new virus. This enables VirusScan to protect your computer from the new virus until the official update is released that contains the virus detection/removal information. After the official update is released and installed, the EXTRA.DAT file is no longer necessary.

EXTRA.DAT files are good for 14 days, at which time they disable themselves. McAfee recommends you keep your VirusScan up to date by downloading and installing the official daily updates.

Solution
EXTRA.DAT instructions
EXTRA.DAT should be copied into the same directory where avvclean.dat, avvnames.dat, and avvscan.dat are.

For example:
C:\Program Files\McAfee\VirusScan\DAT\xxxx.x
(where xxxx.x is the DAT version number)

Note: For Windows Vista 64-bit computers, the directory is: C:\Program Files (x86)\McAfee\VirusScan\DAT\xxxx.x.


Restart your computer.
Additional information can be found at the McAfee Threat Center: http://vil.nai.com/v...lpdocs/extradat.aspx.
« Last Edit: April 11, 2008, 01:40 PM by mouser »

bassclarinetl2

  • Supporting Member
  • Joined in 2006
  • Posts: 31
  • MIS -- Management on Steroids
McAfee isn't the only one, Kaspersky just flagged one of skrommel's utilities as having a backdoor. [attached screenshot: Screenshot - 4_10_2008 , 8_54_03 PM.png]

Well I downloaded v136 and Kaspersky seems to like it, so who knows what's up with that.
-No one instrument is more important than the other.  All are needed for the band to play.
« Last Edit: April 10, 2008, 11:06 PM by bassclarinetl2 »

xcopy

  • Charter Member
  • Joined in 2006
  • Posts: 78
Thanks a lot mouser for going through all the trouble for us.  :up:

I had that false positive today with Launchbar Commander.
But this is developing into a workflow: starting the PC, checking what McAfee killed today, visiting this forum, feeling with you, loading the extra.dat file, restarting the system, reinstalling the deleted program, feeling warm and cozy again and thinking of the good old days when I used F-Secure.  ;)