McAfee is moving program's exe into Quarantine folder

its_faiz

Hi All,

We have a program developed in VB6 and installed on hundreds of users
scattered around the world. This program is automatically run by an NT
service once a day. It's been running fine for the last 4-5 years.

Please note that all the users have exactly the same operating
environment, i.e. McAfee virus scan 8.0, OS is Windows XP SP2 and MS
office 2003 SP1.

Now SOME of the users have experienced a problem. The McAfee Virus
scan is moving the program's exe into C:\Quarantine folder and
renaming it to *.vir

Can you please advise why this problem is caused?

Regards,

FK
 
Marcin Domaslawski

Hi,

McAfee detected malware code inside your file. The question is whether the
file is detected on every system or only on some.
First case is caused by a similar malware signature in McAfee's database -
you can contact McAfee and register a false positive.
2nd case: can be caused by incorrect operation of the antivirus, e.g. by a damaged
virus signature database. I met with that situation with Kaspersky AV. Try
re-downloading the whole database.

Marcin Domaslawski
 
David H. Lipman

From: <[email protected]>

| Hi All,

| We have a program developed in VB6 and installed on hundreds of users
| scattered around the world. This program is automatically run by an NT
| service once a day. It's been running fine for the last 4-5 years.

| Please note that all the users have exactly the same operating
| environment, i.e. McAfee virus scan 8.0, OS is Windows XP SP2 and MS
| office 2003 SP1.

| Now SOME of the users have experienced a problem. The McAfee Virus
| scan is moving the program's exe into C:\Quarantine folder and
| renaming it to *.vir

| Can you please advise why this problem is caused?

| Regards,

| FK



Assuming your author created a good program and not malware, submit the files being
falsely detected to McAfee via the email address (e-mail address removed) and in the
subject of the email use "False Positive on VB6 software" and in the body of the email
state your case why you believe the attached files are not malware.

Attach all the files deemed malware (and you haven't posted what they were declared as) in
a password-protected ZIP file with the password being: infected { password = infected }
 
its_faiz

Hi,

McAfee detected malware code inside your file. The question is whether the
file is detected on every system or only on some.
First case is caused by a similar malware signature in McAfee's database -
you can contact McAfee and register a false positive.
2nd case: can be caused by incorrect operation of the antivirus, e.g. by a damaged
virus signature database. I met with that situation with Kaspersky AV. Try
re-downloading the whole database.

Marcin Domaslawski

User <[email protected]> wrote in message








I have just come to know that the executable is being detected as
malware just because it is using "RegCreateKeyEx" API to add a value
under "RunOnce" registry key.

Can you please tell me a solution to this? I need to add an entry under the
"RunOnce" key.

Regards,

FK
 
Zephyr

Hello,

Assuming the program is not malware I would not attempt to make any changes
to it.

Instead, follow David's advice and contact McAfee. If the program is not
malware they should be willing to update their definitions so the program is
no longer being flagged as malware.
 
David H. Lipman

From: "Zephyr" <[email protected]>

| Hello,
|
| Assuming the program is not malware I would not attempt to make any changes
| to it.
|
| Instead, follow David's advice and contact McAfee. If the program is not
| malware they should be willing to update their definitions so the program is
| no longer being flagged as malware.
|

Correct. They can create a negative Extra DAT that will disable the false declaration, as
well as subsequently update the next DAT revision to correct the mistaken identification.
 
Segolene

I think Soooo
Zephyr said:
Hello,

Assuming the program is not malware I would not attempt to make any
changes to it.

Instead, follow David's advice and contact McAfee. If the program is not
malware they should be willing to update their definitions so the program is
no longer being flagged as malware.
 
