FYI: McAfee AV Signature File Mistakes Legitimate Software for Trojan

[Jeffrey A. Setaro]

From SANS NewsBites:

--McAfee AV Signature File Mistakes Legitimate Software for Trojan
(7 September 2004)
A September 1st antivirus signature file update from McAfee
incorrectly identifies an Australian software developer's Internet
setup program wizard as a Trojan horse program. Because McAfee's
antivirus software automatically removes the program from machines it
scans, people have been unable to connect to their ISPs. McAfee has
not yet addressed the problem; it may be late this week before a new
signature file is released.

<http://www.theregister.co.uk/2004/09/07/mcafee_false_alarm/>

Cheers-

Jeff Setaro
jasetaro@SPAM_ME_NOT_mags.net
http://people.mags.net/jasetaro/
PGP Key IDs DH/DSS: 0x5D41429D RSA: 0x599D2A99 New RSA: 0xA19EBD34

 

[Ian Kenefick (Ireland)]

Hey,

Nobody is perfect

 

[Ian Kenefick (Ireland)]

From SANS NewsBites:

--McAfee AV Signature File Mistakes Legitimate Software for Trojan
(7 September 2004)
A September 1st antivirus signature file update from McAfee
incorrectly identifies an Australian software developer's Internet
setup program wizard as a Trojan horse program. Because McAfee's
antivirus software automatically removes the program from machines it
scans, people have been unable to connect to their ISPs. McAfee has
not yet addressed the problem; it may be late this week before a new
signature file is released.

Signature based scanning is an inexact science. Not as inexact as
Heuristics but still inexact. McAfee isn't alone though! It doesn't
happen a lot but McAfee has in the past had major DAT file cock-ups. See
Windows NT 4 and McAfee case.

Ian.

 

[Sanjaya]

From SANS NewsBites:

--McAfee AV Signature File Mistakes Legitimate Software for Trojan
(7 September 2004)
A September 1st antivirus signature file update from McAfee
incorrectly identifies an Australian software developer's Internet
setup program wizard as a Trojan horse program. Because McAfee's
antivirus software automatically removes the program from machines it
scans, people have been unable to connect to their ISPs. McAfee has
not yet addressed the problem; it may be late this week before a new
signature file is released.

<http://www.theregister.co.uk/2004/09/07/mcafee_false_alarm/>

Cheers-

Jeff Setaro
jasetaro@SPAM_ME_NOT_mags.net
http://people.mags.net/jasetaro/
PGP Key IDs DH/DSS: 0x5D41429D RSA: 0x599D2A99 New RSA: 0xA19EBD34

Not funny for those unable to connect, but isn't it ironic that the page you
refer to contains an ad bar on the right that has 5 links for McAfee antivirus stuff?

 

[David H. Lipman]

Too bad that the following is ONLY true "...antivirus software automatically removes the
program..." If the user chooses this option. The file could have just as easily have been
quarantined.

Dave




| From SANS NewsBites:
|
| --McAfee AV Signature File Mistakes Legitimate Software for Trojan
| (7 September 2004)
| A September 1st antivirus signature file update from McAfee
| incorrectly identifies an Australian software developer's Internet
| setup program wizard as a Trojan horse program. Because McAfee's
| antivirus software automatically removes the program from machines it
| scans, people have been unable to connect to their ISPs. McAfee has
| not yet addressed the problem; it may be late this week before a new
| signature file is released.
|
| <http://www.theregister.co.uk/2004/09/07/mcafee_false_alarm/>
|
| Cheers-
|
| Jeff Setaro
| jasetaro@SPAM_ME_NOT_mags.net
| http://people.mags.net/jasetaro/
| PGP Key IDs DH/DSS: 0x5D41429D RSA: 0x599D2A99 New RSA: 0xA19EBD34