Author Topic: False Positive on Software (Generic.Dx) by McAfee Today: McAfee Response and Fix (Read 74499 times)

mouser · « **Reply #25 on:** April 11, 2008, 03:56 AM »

I encourage everyone to email McAfee and complain about these mistakes.

If you own a blog or participate in another forum, please spread the word about how McAfee is being irresponsible in their antivirus updates.

Something *has* to change in how they are updating their signatures or dealing with heuristic new detections.

Their email is: [email protected]>

Their are many ways they could address this problem:

Being more careful about the patterns they use in their signature
Being more honest when reporting a detection, and saying clearly that a brand new, possibly false-alarm incorrect detection has taken place. This seems down right obvious to me -- if you just update your signature database and suddenly thousands of people have a virus detection in a 6 month old program then there is a high likelyhood it's a false alarm.
Give people some choice about what to do when a virus is detected.

McAfee are doing harm to software authors with their sloppy irresponsible behavior -- please help spread the word so that they are forced to take some corrective action.

And by all means demonstrate your dis-sastisfaction by demanding a refund and boycotting their software until they address this.

mouser · « **Reply #26 on:** April 11, 2008, 03:58 AM »

I just had a thought.. should we actually try to organize a "official" boycott/protest against McAfee?
We've never done such a thing before -- I don't expect we would have much luck maybe we should try?

The goal would be to bring attention to this false alarm issue and insist that they come up with a more sensible way of dealing with it.

drpeterharris · « **Reply #27 on:** April 11, 2008, 04:35 AM »

My software has been hit again by this. 3 completely separate apps have been wiped from end-users PCs without a by-your-leave.

This happened a month ago and we were just recovering from the damage that had done. It has now happened again. McAfee just say "it will be fixed in the next DAT" but that quite frankly is not good enough

I write software for the healthcare industry and many end-users have managed AV solutions so they cannot add exclusions themselves.

This has done incalculable damage to my companies reputation (not to mention my blood pressure)

Peter

mouser · « **Reply #28 on:** April 11, 2008, 04:51 AM »

bassclarinet, it's yet another false alarm on all Autohotkey programs.. You can download the ahk source code for the tool and compile it yourself if you are concerned.

cranioscopical · « **Reply #29 on:** April 11, 2008, 01:59 PM »

The problem's wider than just McAfee's fun and games, though isn't it?

AVG Free is one of the scanners that I use.
It has happily scanned and passed executable files belonging to PECompact for ages.
Then, suddenly, the identical files all are suspect and quarantined. Next... oops they're OK again.

Annoying though this is, I suppose, from a user's point of view, I'd rather have it this way round
-- better safe than sorry -- than fall foul of something nasty.

OTOH, were a product of mine left with mud sticking to it due to some innuendo I'd be hopping mad.

mouser · « **Reply #30 on:** April 11, 2008, 02:12 PM »

No one expects 100% perfect detection.

What i do expect is:
1) a reasonable amount of care and intelligence when adding new signatures.
2) an appropriate message to the user, something like:
"A file on your computer which was previously reported as fine has matched a brand new untested pattern in our database. There is a reasonable chance that this is a false alarm on our part. If you are confident that the program is safe, press this button to keep using it. If you are unsure, press this button to quarantine the program and be informed in a few days when we determine for sure whether the program is dangerous or not. Click here to view detailed information about the pattern found."

drpeterharris · « **Reply #31 on:** April 11, 2008, 02:56 PM »

I agree. However I suspect that McAfee will say that what happens when a suspected virus is found is up to the user. There are usually options to be alerted/quarantine/delete permanently.

They will then hide behind the fact that what happens is the responsibility of the end user

No comfort to me though as the end users don't quite see it like that

Another interesting point is that the risk identified in my files by McAfee this time is "MalWarrior". However searching the risk database at McAfee doesnt find it and googling shows that MalWarrior is actually a rogue anti-spyware application. I cannot quite see how any of my applications can be confused with an antispyware application (rogue or otherwise)

Peter

Dormouse · « **Reply #32 on:** April 11, 2008, 03:21 PM »

I just had a thought.. should we actually try to organize a "official" boycott/protest against McAfee?
-mouser (April 11, 2008, 03:58 AM)

But doesn't anyone with any sense/knowledge avoid McAfee anyway?

drpeterharris · « **Reply #33 on:** April 11, 2008, 03:51 PM »

Sadly we are talking about the UK NHS IT project here. £14bn ($27bn) spent on the largest IT project in the world. It doesnt work properly and as you have so correctly observed it uses C**p software.

The project is so advanced that it doesnt work with IE7 and everyone has to use IE6 or it crashes.

So everyone has managed McAfee installed which then makes a dogs dinner of the job it's meant to do

Sigh . . .

Peter

cranioscopical · « **Reply #34 on:** April 11, 2008, 03:55 PM »

But doesn't anyone with any sense/knowledge avoid McAfee anyway?
-Dormouse (April 11, 2008, 03:21 PM)

Speaking as one who is ill equipped to enter a battle of wits, I must protest on behalf of myself and the rest of the WOODen tops.
We in the World Organization Of Dopes fail to see why people without sense and/or knowledge in this area should be penalized.

We're the very people most likely to be spooked into turning away in fear from perfectly respectable, legitimate, safe software.
More importantly, we are the most susceptible to inheriting items such as McAfee through slick marketing techniques.

It's also true that this kind of issue emanates from most, if not all, A-V vendors at some point.

Perhaps it's because I've seen a few issues lately, but I have a sense that the problem is increasing.
Maybe it's just that more and more insidious stuff is being released into the wild...?

Deozaan · « **Reply #35 on:** April 11, 2008, 05:28 PM »

But doesn't anyone with any sense/knowledge avoid McAfee anyway?
-Dormouse (April 11, 2008, 03:21 PM)

I'd say a big no on that. Everyone I know who buys a Dell has McAfee bundled on their system. They don't care because they need an anti-virus, and they got it "free" for a year.

In fact, just before I married my wife, she renewed her subscription to McAfee.

I've been trying to get her to let me format all that crap off her laptop and put some good applications on there, but thus far she's been resistant.

cranioscopical · « **Reply #36 on:** April 11, 2008, 05:44 PM »

just before I married my wife, she renewed her subscription to McAfee
-Deozaan (April 11, 2008, 05:28 PM)

What, and you went ahead with the wedding?

Deozaan · « **Reply #37 on:** April 11, 2008, 05:50 PM »

just before I married my wife, she renewed her subscription to McAfee
-Deozaan (April 11, 2008, 05:28 PM)

What, and you went ahead with the wedding?
-cranioscopical (April 11, 2008, 05:44 PM)

Yeah, another one of these was involved:

Curt · « **Reply #38 on:** April 12, 2008, 03:24 AM »

I felt strange when reading how people will install this dat fix instead of installing a trustworthy Antivirus...

-

Edited:
Oh, I didn't notice before posting that this thread has two pages..

But speaking of trustworthiness and some kind of campaign against McAfee, my feeling is that such demonstartion would have to come from users of the relevant programs, wouldn't it. Or do 'you' think we could all participate?

drpeterharris · « **Reply #39 on:** April 12, 2008, 05:38 AM »

I know that a number of my users have emailed McAfee already. I am following this up with a letter that I am currently writing

Doubt if it will do any good but it makes me feel better

Deozaan · « **Reply #40 on:** April 12, 2008, 02:58 PM »

But speaking of trustworthiness and some kind of campaign against McAfee, my feeling is that such demonstartion would have to come from users of the relevant programs, wouldn't it. Or do 'you' think we could all participate?
-Curt (April 12, 2008, 03:24 AM)

That's what I was thinking. We can't really boycott the product if we're not using it already. And it's not like you can just cancel your subscription half-way through and get your money back if you are using McAfee. It would require some major campaign that spans a couple of years before McAfee would noticed anything from people no longer subscribing. And I'm afraid that, as I said, McAfee being bundled with all Dell hardware I'm aware of, they wouldn't notice a thing anyway.

Curt · « **Reply #41 on:** April 12, 2008, 05:42 PM »

- so now we are going after Dell!!

Well, if I was president...

No, civilization, culture and industrialisation has only little to do with genuine progress!

Deozaan · « **Reply #42 on:** April 12, 2008, 08:10 PM »

- so now we are going after Dell!! Well, if I was president...
-Curt (April 12, 2008, 05:42 PM)

My point I'm trying to make is that I don't think a boycott would be a very effective way for us to communicate our distaste for McAfee's practices. We'll have to think of other means to get their attention.

app103 · « **Reply #43 on:** April 12, 2008, 08:25 PM »

It's not just Dell...McAfee has a partnership with AOL and some other ISP's to promote their stuff, and in some cases to give it away for free to all their customers.

vlastimil · « **Reply #44 on:** April 15, 2008, 05:25 AM »

If there is to be a boycott, I am 100% supporting it. (see my compaint on the previous page of this thread)

Emailing McAfee may not be enough, they'll just ignore it, we are not their customers anyway and I suppose it even may be their strategy to report the false positives on purpose to appear "useful" to the end user. The truth is, an antivirus is not a replacement for common sense and the virus threat is not that big if you are behind firewall and have OS properly updated.

I'll try to write a blog post about my experiences and give them some bad PR, but I am not sure how effective it would be. I anyone joins the effort it has much better chance to succeed.

drpeterharris · « **Reply #45 on:** April 22, 2008, 02:57 AM »

Thought you may be interested in this reply I just received from McAfee. It came as a result of a letter I wrote to the US, UK and European headquarters. It seems to have hit the right button:

First of all I wish to express my regret in the inconvenience you and your customers may have experienced with the reported incidents. I’ve contacted Mr. Mann, Sr. Manager Avert Labs and he suggests the following:

GP-IT can work with McAfee to get copies of their applications added to our False Testing Rigs, systems that contain known good files that we verify against on every dat release test. If this is something GP-IT is interested in, have them provide us with the contact phone number for someone within GP-IT for us to work with and Avert Labs will contact them to get this process started.

I’d appreciate if you could forward the name and contact details of your liaison with McAfee to me so that similar occurrences may be avoided in the future.

With kind regards

Ronald Rosbergen
Manager Customer Service EMEA
McAfee, Inc.

Peter

mouser · « **Reply #46 on:** April 22, 2008, 03:00 AM »

Go Peter!!

f0dder · « **Reply #47 on:** April 22, 2008, 05:27 AM »

...I wonder how much that's going to cost you?

vlastimil · « **Reply #48 on:** April 22, 2008, 05:58 AM »

"...expressed regret in the inconvenience" and allowed you to help them fix their problems...hmmm. $:-\$ That's the right business attitude.

Sorry for sounding so ironic. You have managed to do much more than many of us in similar position.

drpeterharris · « **Reply #49 on:** April 22, 2008, 06:28 AM »

I am trying hard not to be cynical and am prepared to give them the benefit of the doubt. I will keep you all posted.

Peter