McAfee 4368 Virus Definitions detects Spywareblaster components as a virus

I just install the McAfee 4368 Definitions and they detect the following as a virus (and it deletes them):
sbautoupdate.exe
a0017034.exe

Running McAfee VirusScan 7.1 Enterprise with Engine version 4.3.20 and 4368 Virus Definitions.

http://bellsouthpwp.net/h/a/hammerta...areblaster.jpg

I got the same thing today, testing the new beta of McAfee's virus scanner engine. It also detected another exe as infected.

6/23/2004 12:49:21 PM Scan Started E0 Scan All Fixed Disks
6/23/2004 12:51:24 PM Deleted c:\New Text Document.html Exploit-Mailto(Trojan)
6/23/2004 12:56:41 PM Deleted c:\Program Files\Hotfix Manager\HotfixManager.exe W32/Gaobot.worm.gen.e(Virus)
6/23/2004 1:00:32 PM Deleted c:\Program Files\SpywareBlaster\sbautoupdate.exe W32/Gaobot.worm.gen.e(Virus)
6/23/2004 1:04:13 PM Deleted c:\System Volume Information\_restore{A7A45CDB-4543-49B1-A892-9DD5E72FCCE8}\RP327\A0028705.exe W32/Gaobot.worm.gen.e(Virus)
6/23/2004 1:04:13 PM Deleted c:\System Volume Information\_restore{A7A45CDB-4543-49B1-A892-9DD5E72FCCE8}\RP327\A0028708.exe W32/Gaobot.worm.gen.e(Virus)

I just talked with corporate support and they assured me that it is not a false alert. I would like to hear something official from the vendor.

It is a flase positive. My main problem is that is deleted these files without prompting me, even though it is set to first clean and then quarentine second.

[javacool]

Hi,

While I do not have a version of McAfee here to test this, it looks like a false positive. (If you reinstall SpywareBlaster again and it still detects this, it definitely is a false-positive detection.)

Could someone who has McAfee please report it to them so it can be fixed in the next virus database update?

Thanks,

-Javacool

[flyrfan111]

That's good old McCrappy for you!

Hello !


I just came out here to report on what evidently is this very same problem. Or at least I think it is.

I am on AOL and I have the AOL/McAfee virus scanner. It just did an update, and after I got off-line, I re-started my computer. As soon as it re-started and I had logged on, McAfee's "Virus Alert" window popped up in the lower right-hand corner and "alerted" me that a virus had been detected and deleted.

I am not sure if it is a false positive or a real problem. Heck, I'm not sure if it's McAfee's fault, or AOL's !

When I clicked on more info, here's what it showed me :

File: sbautoupdate.exe
Virus name: W32/Gaobot.worm.gen.e
File Path: C:\Program Files\Spyware Blaster
Status: deleted

That's all I have for now. Hope someone understands it.

Right now I'm going to see if there is a thread for AOL's Spyware Protection wiping out Spyware Blaster's and SpyBot's detection base. I'm just thankful that I clicked "block" instead of "delete", if you know what I mean...

Thanks Everybody !!!

Robin20152

[bigc73542]

Quote:

Originally Posted by flyrfan111

That's good old McCrappy for you!

Mcafee is a very good av and it is not the first av to give a false positive and it for sure won't be the last.

[flyrfan111]

Quote:

Originally Posted by bigc73542

Mcafee is a very good av and it is not the first av to give a false positive and it for sure won't be the last.

Yes from a pure detectoin view NAI/McAfee is one of the best programs out there, however from the viewpoint of stability of it's own software as well as compatibility with other software it is far from the top. Additionally, NAI is about be scarfed up by M$, in the same manner as RAV, possibly as soon as July 1st.

[bigc73542]

I used mcafee for many years with no problems on several os's. but I don't use it anymore. I still beleive it is one of the best but since I don't use it, Ms might as well have it. If it is for sale someone has to buy it. But since I took this thread a little off topic, I quit.

[drbillie]

McAfee virus scanner did an update, it re-started my computer. As soon as it re-started and I had logged on, McAfee's "Virus Alert" window popped up in the lower right-hand corner and "alerted" me that a virus had been detected and deleted.

When I clicked on more info, here's what it showed me :

File: sbautoupdate.exe
Virus name: W32/Gaobot.worm.gen.e
File Path: C:\Program Files\Spyware Blaster
Status: deleted

I checked autoupdater, and it had been deleted by McAfee, as had my registration. When I tried to manually update it said a file was corrupted and to download spyblaster again. I went to add/ remove program, removed spyblaster, restarted computer, downloaded spyblaster from maojor geeks. When I try to install now, it fails, move file fails, error code 5

Any ideas?? I scanned the download with McAfee first and it found no worm. How do I get spyblaster to load again.

Thanks jim

[LowWaterMark]

The McAfee detection is pretty obviously a false-positive from their new definitions, so it'll probably just keep deleting the file until they fix their detections.

Error code 5 usually is a 'file locked' error. If you've got the downloaded SB install kit handy on your system, then reboot and try installing before you do anything else. It should install without the error code 5, but, I suspect McAfee will just trigger again.

[drbillie]

I just restarted in safe mode, installed and then got deleted on restart by McAfee again just like before. I just emailed McAfee tech support to inform them of the problem. Must be bad dat 4368 file. Thanks jim

[LowWaterMark]

Thanks drbillie! McAfee needs customers to report this otherwise they'll never fix it. It'd be great if you can follow up with them and let us know what they say. Hopefully others will do this, also.

[drbillie]

I will. Just for kicks I tried safe mode again, and McAfee got it again. jim

[pants]

I have the same issue, FWIW:

; SlavaSoft Optimizing Checksum Utility - fsum 2.5 <www.slavasoft.com>
;
; Generated on 06/24/04 at 10:33:34
;
9a3452567c8ed145433cc288f1b38d30 *sbautoupdate.exe
9d9145ed4699bf2c2350269c6d440004 ?MD4*sbautoupdate.exe
1e6d51c2 ?CRC32*sbautoupdate.exe

I've submitted sbautoupdate.exe to McAfee and the auto reply from them said it was infected with w32/gaobot.worm.gen.e <shocking!>. Here is part of the reply:

> The file received may contain a potential virus or trojan threat. Due to
> the nature of this detection this issue is being escalated to AVERT for a
> thorough review.
> You will be contacted through e-mail with the results of our analysis.

I'll post the results of their reply once I hear back from them.

BTW, it seems it's the July 23 virus defs (4368) that detect this "virus" in the sbautoupdate.exe file. I've not seen a problem with earlier definitions.

[ricari]

I got the same thing after downloading Dat 4368.

I put a notice in McAfee forum for McAfee Virus Pro 7.03.

Waiting for an answer from McAfee.

[WorkForFood]

I also got the same message for the same virus on the same spyware update program. I also received a message that the same virus had infected bearshare.exe. After uninstalling Bearshare, spyware and turning off my recovery points and deleting everything under "System Volume Information", and rebooting. McAfee reported everything OK.

I then redownloaded Bearshare from the Bearshare website and during the installation McAfee message said a virus had been found in a temporary file and would be deleted. After the installation finished I checked the bearshare.exe file was missing from the installation directory.

This could be a false positive, and I know nothing about virus scanning, but isn't unusual to get false postiives from two different programs? I sent a message to the Bearshare folks to see what they have to say. I'll let you know what there response is, and I'll check back to see what others are saying.

I've tried sending messages to McAfee and it's a black hole. I think it is up to the vendors whose products who are affected to pound on McAfee to get this fixed, if it is indeed a false positive. In addition, if the vendors work with McAfee, then it is more likely that if it is not a false postiive that it will be corrected in a timely fashion.

[MikeBCda]

McAfee's gonna have to wake up and fix this issue in a hurry, or else they're dead commercially. They'll wind up with the same reputation as NAV, which is now in the situation of having warnings against using it spread far and wide because of how it interferes with -- or prevents -- the use of other legitimate security products.

[mastman]

Although VS has detected and deleted the file as described above, SpywareBlaster itself appears unaffected. It looks like only the autoupdate portion is the "problem" for VS. Sorry for those that have paid for the upgrade and this functionality, but the bottom line is that SB still works for me - just got new downloads (6/23 database version) with no difficulties. I do want to see McAfee fix this and have sent an email as well. - mm

[Xaq]

Hmm, I know McAfee has an anti-spyware program as well. Could I since some crafty tactics by McAfee against SWB??

[Peeved McAfee User]

I just sent the following to McAfee at 15:30 GMT on 24Jun2004:

Problem Description:

After updating to DAT 4.0.4368, I ran a virus scan and got:
C:\Program Files\SpywareBlaster\sbautoupdat.exe
The file was deleted to com…
Virus Name: W32/Gaobot.worm.gen.e

SpywareBlaster 3.1 is a product of Javacool Software.

This program has been on my system in it current form since 4/8/2004. Now with DAT 4.0.4368 you blow it away. Your virus Information on W32/Gaobot.worm.gen.e indicates that it added 4/15/2004 in DAT 4323. Why all of a sudden are you detecting the alleged problem now? Is it an error of some kind?

Specific Questions:
(1) Is this a false detection?
(2) If so how do I get the program back (see “Troubleshooting steps taken” – below)?
(3) Why aren’t I notified before programs are deleted?
(4) Why isn’t there a backup file or quarantine file that that holds that programs for restore or investigation purposes?
(5) How do I turn your virus detection off so that I can successfully complete item (1) in “Troubleshooting steps taken” below?

Troubleshooting steps taken:

(1) I attempted to restore the program to a back-up drive using Retrospect 6.0 to see the properties and possibly send you folks a copy. McAfee deletes the program before I can take a look at it.

(2) I attempted to reinstall SpywareBlaster and get:
C:\Program Files\SpywareBlaster\sbautoupdat.exe
An error occurred while trying to rename a file in the destination directory:
MoveFile failed; code 5.
Access is denied.

**************************************************
I am awaiting an intelligent reply (yea - I'm sure that will happen - but I'm not holding my breath).

I will post it if I get a reply.

Peeved McAfee User

[dread]

Xaq thats a joke. I am on the mcafee forums to. From one of the post which several has been posted including me, a admin says the avert research team is looking into and are asking for samples to be submitted.