You are here

McAfee Total Protection 2010 persistently detects Artemis Trojan and quarantines Portable Office 3.2.english.paf.exe

15 posts / 0 new
Last post
nickel0
Offline
Last seen: 14 years 9 months ago
Joined: 2010-03-03 20:23
McAfee Total Protection 2010 persistently detects Artemis Trojan and quarantines Portable Office 3.2.english.paf.exe

when downloaded direct from Portable Apps.com or from CNet Downloads ( latter virus and malware checked ). When installed onto USB, McAfee quarantines gdiplus.dll in the APP/OPENOFFICE/PROGRAM/ folder as the offending executable. Notes: program installed from XP Intel dual core machine with latest MS & McAfee updates onto Kingston 4gb USB, detected using McAfee heurisitic analysis option. A squared free and Malwarebytes AntiMalware detected nothing even with heuristic option. Has any Portable Open Office 3.2 user / potential user had similar experience or can anyone explain this detection as false positive? Total Protection wont permit file upload to McAfee for checking - file size too large!!! Pardon

Tim Clark
Tim Clark's picture
Offline
Last seen: 13 years 8 months ago
Joined: 2006-06-18 13:55
First, try a scan with

First, try a scan with heuristics turn off.
Heuristics can be good at catching new viruses, but they are more prone to False Positives.
If the detection is still there with heuristics turned off it gets more complicated.

Upload the file to our 2 recommended test sites:
http://www.virustotal.com/en/indexx.html
and
http://virusscan.jotti.org/

and see what they report
I am surprised you are having trouble uploading, how big is the file ?

Tim

Things have got to get better, they can't get worse, or can they?

computerfreaker
computerfreaker's picture
Offline
Last seen: 13 years 3 months ago
Developer
Joined: 2009-08-11 11:24
Based on the original post's

Based on the original post's title (... detects and quarantines Portable Office 3.2.paf.exe), I think he tried uploading the entire PA installer - approximately 100 MB.

Try uploading just the "infected" DLL; that should go through, although I don't have McAfee to check.

"The question I would like to know, is the Ultimate Question of Life, the Universe and Everything. All we know about it is that the Answer is Forty-two, which is a little aggravating."

nickel0
Offline
Last seen: 14 years 9 months ago
Joined: 2010-03-03 20:23
McAfee TP10 & GDIPLUS.DLL

Thanks for suggestion Tim. McAfeeTP10 refuses to upload GDIPLUS.DLL (error on upload) so took your advice. Unfortunately virustotal.com gave it 4 bad hits/42 tests. Two - with McAfee, one - with Symantec and one with -PrevX. Data below. Can you confirm/refute my experience with copy of GDIPLUS.DLL from Portable Open Office3.2? Note: McAfee also identified wininst-9.0.exe in App\openoffice\Basis\program\python-core-2.6.1\lib\distutils\command as a trojan, scoring 2/42 on virustotal.com! Will scan with no heuristics next.

McAfee 5907 2010.03.01 Suspect-02!703E4DC1675A
McAfee+Artemis 5907 2010.03.01 Suspect-02!703E4DC1675A
McAfee-GW-Edition 6.8.5 2010.03.01 -
Microsoft 1.5502 2010.03.01 -
NOD32 4906 2010.03.01 -
Norman 6.04.08 2010.03.01 -
nProtect 2009.1.8.0 2010.03.01 -
Panda 10.0.2.2 2010.02.28 -
PCTools 7.0.3.5 2010.02.28 -
Prevx 3.0 2010.03.01 Medium Risk Malware
Rising 22.37.00.04 2010.03.01 -
Sophos 4.50.0 2010.03.01 -
Sunbelt 5716 2010.03.01 -
Symantec 20091.2.0.41 2010.03.01 Suspicious.Insight

http://virusscan.jotti.org/ gives clean bill of health to both files.
Overall indicates false +ve's. Yet to rule out presence of Artemis rootkit
- Ed Bott ZDNet http://blogs.zdnet.com/Bott/?p=1817&tag=nl.e539. NickelO

Noel_I

computerfreaker
computerfreaker's picture
Offline
Last seen: 13 years 3 months ago
Developer
Joined: 2009-08-11 11:24
False positives, you're OK

yep, those are false positives.
Notice that the McAfee detections are both "Suspicious" - heuristics are picking those up, and heuristics are frequently wrong.
I don't have any faith in Symantec's heuristics either - it seems to flag everything as "Suspicious.Insight".
Prevx also seems to be using heuristics; notice there's no specific threat name, just "Medium Risk Malware". That seems to happen mainly with files that have been UPX'd; Prevx flagged one of my own apps after I used UPX, but not before.

You might want to report those FP's to the appropriate AV companies.

"The question I would like to know, is the Ultimate Question of Life, the Universe and Everything. All we know about it is that the Answer is Forty-two, which is a little aggravating."

nickel0
Offline
Last seen: 14 years 9 months ago
Joined: 2010-03-03 20:23
about false positives from McAfee TP10

Thanks computerfreaker, confirmed my suspicions re McAfee's analysis. In order to upload GDIPLUS.EXE I had to nuke McAfee Real Time protection because it instantly re-quarantined the restored file! After uploading GDIPLUS.EXE & WININST.EXE to virustotal.com and virusscan.com sites resp., and reinstating Real Time via its 15min schedule, McAfee re-quarantined the same copies** of Portable Open Office 3.2 - but re-labelled them - as containing the Ransom-Ga trojan! This has to be a scare tactic or misbegotten analysis, as there was no change in the files apart from their quarantine status and no further info available from McAfee.com on either trojan incarnation of the same entity, yet McAfee changed its description?. McAfee even declared HouseCall's HTML report page to be an exploit. Panda & TrendMicro's HouseCall indepth online activeX scans, found no trojans present in those files or anywhere on my PC. Kaspersky's online scanner is offline for time being. Subsequent scanning without heuristics didn't alter outcome of the scan, because McAfee had diagnosed the files as containing a trojan, it just couldn't decide which!

**( copies downloaded from different sources to reduce chance of an infected server / hop corrupting the executables being downloaded ).

Noel_I

computerfreaker
computerfreaker's picture
Offline
Last seen: 13 years 3 months ago
Developer
Joined: 2009-08-11 11:24
Did you update McAfee at all

Did you update McAfee at all between the two detections? It's possible something in their heuristics changed, which could explain the different detections. If you didn't update McAfee, watch out. There's no logical reason for it to report two different viruses in the same file, which means the file was most likely not the same as the original - be very, very careful (a VirusTotal upload for the second copy of GDIPLUS.dll would probably be a good idea).

"The question I would like to know, is the Ultimate Question of Life, the Universe and Everything. All we know about it is that the Answer is Forty-two, which is a little aggravating."

Jackobli
Offline
Last seen: 14 years 9 months ago
Joined: 2010-03-05 06:48
There is definitively

There is definitively something wrong with McAfee.
I am getting Ransom-G.a Trojan warnings on installation of OO Portable 3.2.0 in german language for the wininst-9.0.exe of phyton-core-2.6.1\lib\distutils\command
I am on my managed office client and cannot catch the exes because McAfee On-access ist instantly removing the file.

computerfreaker
computerfreaker's picture
Offline
Last seen: 13 years 3 months ago
Developer
Joined: 2009-08-11 11:24
Try reporting the false

Try reporting the false positive to McAfee; you'll probably need to e-mail them if McAfee is deleting the files before you can access them.

"The question I would like to know, is the Ultimate Question of Life, the Universe and Everything. All we know about it is that the Answer is Forty-two, which is a little aggravating."

dxmca
Offline
Last seen: 14 years 9 months ago
Joined: 2010-03-18 18:02
McAfee Total Protection 2010

I have had the exact same problem. McAfee Total Protection detects 2 Open Office portable files as being infected with artemis, however scans by Malwarebytes Anti-Malware do not confirm this. I sent one file, a small .dll file, to McAfee but the other file, which is an executable, is too large. And no, I did not try to send the entire installer. The 2 files are OpenOfficePortable_3.2.0_English.PAF(2).Exe, and OpenOfficePortable\App\OpenOffice\Program\MSVCR80.dll. I installed the program from a CD which came with a recent issue of Maximum PC. I ran the scan because I have had considerable performance problems recently which roughly coincide with the installation of Portable Apps. Although these may be false positives my inclination is to ditch the program because, contrary to what some have suggested, I have found the McAfee AV to be generally reliable and I have not yet encountered any false positives with it.While I would like to use PortableApps, and while I think it is a great program, I think every user who encounters this problem must exercise their best judgment. The fact that this result is coming up consistently with different users is noteworthy, I think, and I think that Portable Apps is a product which should probably be avoided, or at least the OpenOffice component.

John T. Haller
John T. Haller's picture
Online
Last seen: 11 min 49 sec ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
McAfee Issue, Fixed

McAfee confirmed it themselves that they had an issue in their last antivirus definitions and corrected it within 48 hours. They've been having issue lately and their online false positive submission system (for publishers) has been down. If you encounter a false positive, it should be reported to both them and to us within the forums here.

OpenOffice.org Portable is packaged in conjunction with Sun's OpenOffice.org team and is the only portable OpenOffice.org package that is. It's as reliable as you can get. And, as always, the installer and launcher are digitally signed by Rare Ideas, LLC (the legal entity behind PortableApps.com) so you know the package you have is genuine.

Sometimes, the impossible can become possible, if you're awesome!

computerfreaker
computerfreaker's picture
Offline
Last seen: 13 years 3 months ago
Developer
Joined: 2009-08-11 11:24
"Best judgement", my toe

dxmcaI think every user who encounters this problem must exercise their best judgment.

dxmcaI think that Portable Apps is a product which should probably be avoided, or at least the OpenOffice component.

Says who?
The current estimate says that PortableApps has 3-5 million users, many of whom are doubtless McAfee customers. Nobody but you has expressed anything but frustration towards McAfee.
I don't really care how reliable you've found McAfee; I also found it reliable when I used it (I no longer do, since I got a new PC), but facts are facts and this is plain: McAfee is at fault. McAfee is actually at fault multiple times here:
* Their definitions database is broken
* Their online submission form is broken
* John had to wait on hold for four hours to get to talk to the correct person(s) to get these issues resolved

PortableApps.com has an incredibly high reputation, and with good reason. Please don't make wild FUD statements about it without absolute proof. One scanner, or even 4 of 41 scanners, is not positive proof by any stretch of the imagination, especially when you consider that antivirus vendors frequently share most, if not all, of their databases with each other.

I apologize if my post is offensive to you; I'm not trying to be a troll, but I must admit your statements made my blood boil, and I feel obliged to respond.

"The question I would like to know, is the Ultimate Question of Life, the Universe and Everything. All we know about it is that the Answer is Forty-two, which is a little aggravating."

dboki89
Offline
Last seen: 9 years 11 months ago
Joined: 2009-11-30 20:44
@dxmca: McAfee great? You must be joking

This post is totally directed at dxmca

Take a look at this news article before reading further!

http://www.theregister.co.uk/2009/07/03/mcafee_false_positive_glitch/ and
http://www.itpro.co.uk/612412/mcafee-mess-as-anti-virus-attacks-brings-d...

Now that you've seen that, I agree totally with all the posters who commented back to you (John, computerfreaker and Darkbee). I'm posting this as a little addition to what computerfreaker said.

If you think that McAfee is a good software solution, then simply Google for "mcafee issues false positives" or whatever similar. You'll find that McAfee has in past been responsible for ruining many Windows installations by detecting perfectly necessary and clean Windows components as "viruses" (those links above speak of it). Take a look at Wikipedia (http://en.wikipedia.org/wiki/McAfee_VirusScan#Criticism) to see that McAfee has way to many FPs (false positives), and is poor in catching real ones. I'll be good enough to quote them:

In tests by Virus Bulletin and other independent consumer organizations, McAfee virus scan has not fared well, frequently failing to detect some common viruses.[2]

A review of VirusScan 2006 by CNET criticized the product due to "pronounced performance hits in two of our three real-world performance tests"[3] and some users reviewing the same product reported encountering technical problems.[4]

Some older versions of the VirusScan engine use all available CPU cycles.[5]

Current McAfee virus scanning products do not handle false positives well, repeatedly removing or quarantining files which are known to be clean, even after the user restores them.[6]

Customer support for McAfee products is consistently described as lacking, with support staff slow to respond and unable to answer many questions.[7][8]

And, take a look at how McAfee compares to other AVs (it doesn't even come close) at AV-Comparatives (http://www.av-comparatives.org/)!
More accurately (http://www.av-comparatives.org/images/stories/test/summary/summary2009.pdf)!

If you want to see a list of what just one McAfee virus definition messed up before, go to http://vil.nai.com/images/CTX_file_list.pdf

- If you Google for what I said, you'll find that among all others, McAfee has detected "viruses" in:
Adobe (downloader and installer), Microsoft Office (mostly Excel, but others as well), Compaq/HP drivers, Mozilla Thunderbird, OpenOffice, ... and so many others that I just changed my mind about listing them... There's just way to many. If you want to see some list of McAfee's FPs, take a look at the PDF file I linked above.

To conclude, I completely agree with "I think every user who encounters this problem must exercise their best judgment.", but YOU don't seem to be using your best judgment about McAfee (note that I'm only judging you about your thought on McAfee, not in any sense am I trying to say that your habits or anything is bad; treating everything as it might be bad until proven otherwise is the best solution)! For anything you want to claim, you should search for references and cross-references to prove your statements. I know I try to do so, and obviously ottosykora is doing it since his posts are always very elaborate and correct. Also, you should have gotten more informed about the programs you're using, since many of those you are paying for have either just as good or even better free/open source alternatives. McAfee isn't the only AV program that sucks too much to be worth it even if it were free. But, I see you do have more common sense than most Windows users I know - you ARE using Malwarebytes! That is one of the good and free solutions, but should not be used alone! Take a look at this post (https://portableapps.com/node/22977#comment-144997) and it's comments to see some of the free AV alternatives.

I will repeat myself - treating everything that might be bad as it is bad until it's proven to be good is the best solution, and I'm only commenting on the use of McAfee and your remark of it as "generally reliable". It was good that you posted here about having a FP, but McAfee??? I mean...come on!.. I'll stop now, and I'm sorry if you find any part of this post as offensive, but "McAfee=good" was just asking for it...

My posts are old and likely no longer relevant.

John T. Haller
John T. Haller's picture
Online
Last seen: 11 min 49 sec ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
Civil

Come on guys, let's keep this civil. Remember, people get attached to antivirus products, especially if they have used it for a while. So, they are quick to blame a piece of software they've used less. It's human nature. Same reason when your call drops on a cell phone, you assume it was the person on the other end's fault, even though it was your carrier that had the issue.

I'm not going to take offense to his remarks. I just laid out the logical response of why it can be trusted over McAfee's broken set of definitions (which I believe have been fixed now).

Sometimes, the impossible can become possible, if you're awesome!

Darkbee
Darkbee's picture
Offline
Last seen: 4 years 7 months ago
Joined: 2008-04-14 09:41
Thanks for playing

I can't do it... I can't write a decent response. I'm just going to come off as sarcastic, arrogant and rude.

Sorry you have such a low opinion of PortableApps. Good luck with McAfee.

Log in or register to post comments