McAfee 4368 Virus Definitions detects Spywareblaster components as a virus

Discussion in 'SpywareBlaster & Other Forum' started by Hammertail, Jun 23, 2004.

Thread Status:
Not open for further replies.
  1. Hammertail

    Hammertail Guest

    I just installed the McAfee 4368 Definitions and they detect the following as a virus (and it deletes them):
    sbautoupdate.exe
    a0017034.exe

    Running McAfee VirusScan 7.1 Enterprise with Engine version 4.3.20 and 4368 Virus Definitions.
     
  2. Hammertail

    Hammertail Guest

  3. Billy Bob

    Billy Bob Guest

    I got the same thing today, testing the new beta of McAfee's virus scanner engine. It also detected another exe as infected.

    6/23/2004 12:49:21 PM Scan Started E0 Scan All Fixed Disks
    6/23/2004 12:51:24 PM Deleted c:\New Text Document.html Exploit-Mailto(Trojan)
    6/23/2004 12:56:41 PM Deleted c:\Program Files\Hotfix Manager\HotfixManager.exe W32/Gaobot.worm.gen.e(Virus)
    6/23/2004 1:00:32 PM Deleted c:\Program Files\SpywareBlaster\sbautoupdate.exe W32/Gaobot.worm.gen.e(Virus)
    6/23/2004 1:04:13 PM Deleted c:\System Volume Information\_restore{A7A45CDB-4543-49B1-A892-9DD5E72FCCE8}\RP327\A0028705.exe W32/Gaobot.worm.gen.e(Virus)
    6/23/2004 1:04:13 PM Deleted c:\System Volume Information\_restore{A7A45CDB-4543-49B1-A892-9DD5E72FCCE8}\RP327\A0028708.exe W32/Gaobot.worm.gen.e(Virus)
     
  4. Oak

    Oak Guest

    I just talked with corporate support and they assured me that it is not a false alert. I would like to hear something official from the vendor.
     
  5. Billy Bob

    Billy Bob Guest

    It is a false positive. My main problem is that it deleted these files without prompting me, even though it is set to first clean and then quarantine second.
     
  6. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,997
    Hi,

    While I do not have a version of McAfee here to test this, it looks like a false positive. (If you reinstall SpywareBlaster again and it still detects this, it definitely is a false-positive detection.)

    Could someone who has McAfee please report it to them so it can be fixed in the next virus database update? :)

    Thanks,

    -Javacool
     
  7. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    That's good old McCrappy for you!
     
  8. Robin20152

    Robin20152 Guest

    Hello !


    I just came out here to report on what evidently is this very same problem. Or at least I think it is.

    I am on AOL and I have the AOL/McAfee virus scanner. It just did an update, and after I got off-line, I re-started my computer. As soon as it re-started and I had logged on, McAfee's "Virus Alert" window popped up in the lower right-hand corner and "alerted" me that a virus had been detected and deleted.

    I am not sure if it is a false positive or a real problem. Heck, I'm not sure if it's McAfee's fault, or AOL's !

    When I clicked on more info, here's what it showed me :

    File: sbautoupdate.exe
    Virus name: W32/Gaobot.worm.gen.e
    File Path: C:\Program Files\Spyware Blaster
    Status: deleted

    That's all I have for now. Hope someone understands it.

    Right now I'm going to see if there is a thread for AOL's Spyware Protection wiping out Spyware Blaster's and SpyBot's detection base. I'm just thankful that I clicked "block" instead of "delete", if you know what I mean...

    Thanks Everybody !!!

    Robin20152
     
  9. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    McAfee is a very good AV and it is not the first AV to give a false positive and it for sure won't be the last.
     
  10. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    Yes, from a pure detection view NAI/McAfee is one of the best programs out there; however, from the viewpoint of stability of its own software as well as compatibility with other software it is far from the top. Additionally, NAI is about to be scarfed up by M$, in the same manner as RAV, possibly as soon as July 1st.
     
  11. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    I used McAfee for many years with no problems on several OS's, but I don't use it anymore. I still believe it is one of the best but since I don't use it, MS might as well have it. If it is for sale someone has to buy it. ;) But since I took this thread a little off topic, I quit. :D ;)
     
  12. drbillie

    drbillie Registered Member

    Joined:
    Jun 23, 2004
    Posts:
    5
    McAfee virus scanner did an update, it re-started my computer. As soon as it re-started and I had logged on, McAfee's "Virus Alert" window popped up in the lower right-hand corner and "alerted" me that a virus had been detected and deleted.

    When I clicked on more info, here's what it showed me :

    File: sbautoupdate.exe
    Virus name: W32/Gaobot.worm.gen.e
    File Path: C:\Program Files\Spyware Blaster
    Status: deleted

    I checked autoupdater, and it had been deleted by McAfee, as had my registration. When I tried to manually update it said a file was corrupted and to download spyblaster again. I went to add/remove programs, removed spyblaster, restarted computer, downloaded spyblaster from Major Geeks. When I try to install now, it fails, move file fails, error code 5 o_O

    Any ideas?? I scanned the download with McAfee first and it found no worm. How do I get spyblaster to load again.

    Thanks jim
     
  13. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,877
    Location:
    New England
    The McAfee detection is pretty obviously a false-positive from their new definitions, so it'll probably just keep deleting the file until they fix their detections.

    Error code 5 usually is a 'file locked' error. If you've got the downloaded SB install kit handy on your system, then reboot and try installing before you do anything else. It should install without the error code 5, but, I suspect McAfee will just trigger again.
     
  14. drbillie

    drbillie Registered Member

    Joined:
    Jun 23, 2004
    Posts:
    5
    I just restarted in safe mode, installed and then got deleted on restart by McAfee again just like before. I just emailed McAfee tech support to inform them of the problem. Must be bad dat 4368 file. Thanks jim
     
  15. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,877
    Location:
    New England
    Thanks drbillie! McAfee needs customers to report this otherwise they'll never fix it. It'd be great if you can follow up with them and let us know what they say. Hopefully others will do this, also.
     
  16. drbillie

    drbillie Registered Member

    Joined:
    Jun 23, 2004
    Posts:
    5
    I will. Just for kicks I tried safe mode again, and McAfee got it again. jim
     
  17. pants

    pants Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    1
    Location:
    UK
    I have the same issue, FWIW:

    ; SlavaSoft Optimizing Checksum Utility - fsum 2.5 <www.slavasoft.com>
    ;
    ; Generated on 06/24/04 at 10:33:34
    ;
    9a3452567c8ed145433cc288f1b38d30 *sbautoupdate.exe
    9d9145ed4699bf2c2350269c6d440004 ?MD4*sbautoupdate.exe
    1e6d51c2 ?CRC32*sbautoupdate.exe
     
  18. Doh!

    Doh! Guest

    I've submitted sbautoupdate.exe to McAfee and the auto reply from them said it was infected with w32/gaobot.worm.gen.e <shocking!>. Here is part of the reply:

    > The file received may contain a potential virus or trojan threat. Due to
    > the nature of this detection this issue is being escalated to AVERT for a
    > thorough review.
    > You will be contacted through e-mail with the results of our analysis.

    I'll post the results of their reply once I hear back from them.

    BTW, it seems it's the July 23 virus defs (4368) that detect this "virus" in the sbautoupdate.exe file. I've not seen a problem with earlier definitions.
     
  19. ricari

    ricari Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    14
    Location:
    Farnham, Quebec
    I got the same thing after downloading Dat 4368.

    I put a notice in McAfee forum for McAfee Virus Pro 7.03.

    Waiting for an answer from McAfee.
     
  20. WorkForFood

    WorkForFood Registered Member

    Joined:
    Apr 19, 2004
    Posts:
    15
    I also got the same message for the same virus on the same spyware update program. I also received a message that the same virus had infected bearshare.exe. After uninstalling Bearshare, spyware and turning off my recovery points and deleting everything under "System Volume Information", and rebooting, McAfee reported everything OK.

    I then redownloaded Bearshare from the Bearshare website and during the installation McAfee message said a virus had been found in a temporary file and would be deleted. After the installation finished I checked the bearshare.exe file was missing from the installation directory.

    This could be a false positive, and I know nothing about virus scanning, but isn't it unusual to get false positives from two different programs? I sent a message to the Bearshare folks to see what they have to say. I'll let you know what their response is, and I'll check back to see what others are saying.

    I've tried sending messages to McAfee and it's a black hole. I think it is up to the vendors whose products are affected to pound on McAfee to get this fixed, if it is indeed a false positive. In addition, if the vendors work with McAfee, then it is more likely that if it is not a false positive that it will be corrected in a timely fashion.
     
  21. MikeBCda

    MikeBCda Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    1,627
    Location:
    southern Ont. Canada
    McAfee's gonna have to wake up and fix this issue in a hurry, or else they're dead commercially. They'll wind up with the same reputation as NAV, which is now in the situation of having warnings against using it spread far and wide because of how it interferes with -- or prevents -- the use of other legitimate security products.
     
  22. mastman

    mastman Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    1
    Although VS has detected and deleted the file as described above, SpywareBlaster itself appears unaffected. It looks like only the autoupdate portion is the "problem" for VS. Sorry for those that have paid for the upgrade and this functionality, but the bottom line is that SB still works for me - just got new downloads (6/23 database version) with no difficulties. I do want to see McAfee fix this and have sent an email as well. - mm
     
  23. Xaq

    Xaq Registered Member

    Joined:
    Mar 5, 2004
    Posts:
    33
    Location:
    My House, it's on that street with the thing
    Hmm, I know McAfee has an anti-spyware program as well. Could I sense some crafty tactics by McAfee against SWB??
     
  24. Peeved McAfee User

    Peeved McAfee User Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    76
    I just sent the following to McAfee at 15:30 GMT on 24Jun2004:

    Problem Description:

    After updating to DAT 4.0.4368, I ran a virus scan and got:
    C:\Program Files\SpywareBlaster\sbautoupdat.exe
    The file was deleted to com…
    Virus Name: W32/Gaobot.worm.gen.e

    SpywareBlaster 3.1 is a product of Javacool Software.

    This program has been on my system in its current form since 4/8/2004. Now with DAT 4.0.4368 you blow it away. Your virus information on W32/Gaobot.worm.gen.e indicates that it was added 4/15/2004 in DAT 4323. Why all of a sudden are you detecting the alleged problem now? Is it an error of some kind?

    Specific Questions:
    (1) Is this a false detection?
    (2) If so how do I get the program back (see “Troubleshooting steps taken” – below)?
    (3) Why aren’t I notified before programs are deleted?
    (4) Why isn’t there a backup file or quarantine file that holds that program for restore or investigation purposes?
    (5) How do I turn your virus detection off so that I can successfully complete item (1) in “Troubleshooting steps taken” below?

    Troubleshooting steps taken:

    (1) I attempted to restore the program to a back-up drive using Retrospect 6.0 to see the properties and possibly send you folks a copy. McAfee deletes the program before I can take a look at it.

    (2) I attempted to reinstall SpywareBlaster and get:
    C:\Program Files\SpywareBlaster\sbautoupdat.exe
    An error occurred while trying to rename a file in the destination directory:
    MoveFile failed; code 5.
    Access is denied.

    **************************************************
    I am awaiting an intelligent reply (yea - I'm sure that will happen - but I'm not holding my breath).

    I will post it if I get a reply.

    Peeved McAfee User
     
  25. dread

    dread Registered Member

    Joined:
    May 18, 2004
    Posts:
    195
    Xaq, that's a joke. I am on the McAfee forums too. From one of the posts, of which several have been posted including by me, an admin says the AVERT research team is looking into it and is asking for samples to be submitted.
     