McAfee is moving program's exe into Quarantine folder

On Apr 13, 1:12 pm, "Marcin Domaslawski" wrote:
> Hi,
>
> McAfeedetected an malware code inside your file. Question is if on every
> system file is detected or only on some.
> First case is caused by similiar malware signature inMcAfee'sdatabase -
> you can contact withMcAfeeand register a false positive
> 2nd case: can be caused by incorrect work of antivirus e.g. by damaged virus
> signatures database. I met with that situation with Kaspersky AV. Try
> re-download all database.
>
> Marcin Domaslawski
>
> Uzytkownik napisal w wiadomoscinews:1176448629.245440.276850@e65g2000hsc.googlegroups.com...
>
>
>
> > Hi All,
>
> > We have aprogramdeveloped in VB6 and installed on hundreds of users
> > scattered around the world. Thisprogramis automatically run by an NT
> > service once a day. It's been running fine for the last 4-5 years.
>
> > Please note that all the users have exactly the same operating
> > environment, i.e.McAfeevirus scan 8.0, OS is Windows XP SP2 and MS
> > office 2003 SP1.
>
> > Now SOME of the users have experienced a problem. TheMcAfeeVirus
> > scan ismovingtheprogram'sexeintoC:\Quarantinefolderand
> > renaming it to *.vir
>
> > Can you please advise why this problem is caused?
>
> > Regards,
>
> > FK- Hide quoted text -
>
> - Show quoted text -

I have just come to know that the executable is being detected as
malware just because it is using "RegCreateKeyEx" API to add a value
under "RunOnce" registry key.

Can you please tell a solution to this? I need to enter an entry under
"RunOnce" key.

Regards,

FK

From:

| Hi All,

| We have a program developed in VB6 and installed on hundreds of users
| scattered around the world. This program is automatically run by an NT
| service once a day. It's been running fine for the last 4-5 years.

| Please note that all the users have exactly the same operating
| environment, i.e. McAfee virus scan 8.0, OS is Windows XP SP2 and MS
| office 2003 SP1.

| Now SOME of the users have experienced a problem. The McAfee Virus
| scan is moving the program's exe into C:\Quarantine folder and
| renaming it to *.vir

| Can you please advise why this problem is caused?

| Regards,

| FK



Assuming your author created a good ptrogram and not malware, submit the files being
falsely detected to McAfee via the email addtress virus_research.TakeThisOut@avertlabs.com and in the
subject of the email use "False Positive on VB6 software" and in the body of the email
state your case why you believe the attached files are not malware.

Attach all the files deemed malware (and you haven't posted what they were declared as) in
password protected ZIP file with the password being; infected { password = infected }



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Hello,

Assuming the program is not malware I would not attempt to make any changes
to it.

Instead, follow David's advice and contact McAfee. If the program is not
malware they should be willing to update their definitions so the program is
no longer being flagged as malware.

--
Zephyr


wrote in message

> On Apr 13, 1:12 pm, "Marcin Domaslawski" wrote:
>> Hi,
>>
>> McAfeedetected an malware code inside your file. Question is if on every
>> system file is detected or only on some.
>> First case is caused by similiar malware signature inMcAfee'sdatabase -
>> you can contact withMcAfeeand register a false positive
>> 2nd case: can be caused by incorrect work of antivirus e.g. by damaged
>> virus
>> signatures database. I met with that situation with Kaspersky AV. Try
>> re-download all database.
>>
>> Marcin Domaslawski
>>
>> Uzytkownik napisal w
>> wiadomoscinews:1176448629.245440.276850@e65g2000hsc.googlegroups.com...
>>
>>
>>
>> > Hi All,
>>
>> > We have aprogramdeveloped in VB6 and installed on hundreds of users
>> > scattered around the world. Thisprogramis automatically run by an NT
>> > service once a day. It's been running fine for the last 4-5 years.
>>
>> > Please note that all the users have exactly the same operating
>> > environment, i.e.McAfeevirus scan 8.0, OS is Windows XP SP2 and MS
>> > office 2003 SP1.
>>
>> > Now SOME of the users have experienced a problem. TheMcAfeeVirus
>> > scan ismovingtheprogram'sexeintoC:\Quarantinefolderand
>> > renaming it to *.vir
>>
>> > Can you please advise why this problem is caused?
>>
>> > Regards,
>>
>> > FK- Hide quoted text -
>>
>> - Show quoted text -
>
> I have just come to know that the executable is being detected as
> malware just because it is using "RegCreateKeyEx" API to add a value
> under "RunOnce" registry key.
>
> Can you please tell a solution to this? I need to enter an entry under
> "RunOnce" key.
>
> Regards,
>
> FK
>

From: "Zephyr"

| Hello,
|
| Assuming the program is not malware I would not attempt to make any changes
| to it.
|
| Instead, follow David's advice and contact McAfee. If the program is not
| malware they should be willing to update their definitions so the program is
| no longer being flagged as malware.
|

Correct. They can create a negative Extra DAT that will disable the false declaration as
well subsequently update the next DAT revision to correct the mistaken identification.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

It is my best shot.
inf0.TakeThisOut@sofutoinc.com

wrote in message

> Hi All,
>
> We have a program developed in VB6 and installed on hundreds of users
> scattered around the world. This program is automatically run by an NT
> service once a day. It's been running fine for the last 4-5 years.
>
> Please note that all the users have exactly the same operating
> environment, i.e. McAfee virus scan 8.0, OS is Windows XP SP2 and MS
> office 2003 SP1.
>
> Now SOME of the users have experienced a problem. The McAfee Virus
> scan is moving the program's exe into C:\Quarantine folder and
> renaming it to *.vir
>
> Can you please advise why this problem is caused?
>
> Regards,
>
> FK
>

I think Soooo
"Zephyr" wrote in message

> Hello,
>
> Assuming the program is not malware I would not attempt to make any
> changes to it.
>
> Instead, follow David's advice and contact McAfee. If the program is not
> malware they should be willing to update their definitions so the program
> is
> no longer being flagged as malware.
>
> --
> Zephyr
>
>
> wrote in message
>
>> On Apr 13, 1:12 pm, "Marcin Domaslawski" wrote:
>>> Hi,
>>>
>>> McAfeedetected an malware code inside your file. Question is if on every
>>> system file is detected or only on some.
>>> First case is caused by similiar malware signature inMcAfee'sdatabase -
>>> you can contact withMcAfeeand register a false positive
>>> 2nd case: can be caused by incorrect work of antivirus e.g. by damaged
>>> virus
>>> signatures database. I met with that situation with Kaspersky AV. Try
>>> re-download all database.
>>>
>>> Marcin Domaslawski
>>>
>>> Uzytkownik napisal w
>>> wiadomoscinews:1176448629.245440.276850@e65g2000hsc.googlegroups.com...
>>>
>>>
>>>
>>> > Hi All,
>>>
>>> > We have aprogramdeveloped in VB6 and installed on hundreds of users
>>> > scattered around the world. Thisprogramis automatically run by an NT
>>> > service once a day. It's been running fine for the last 4-5 years.
>>>
>>> > Please note that all the users have exactly the same operating
>>> > environment, i.e.McAfeevirus scan 8.0, OS is Windows XP SP2 and MS
>>> > office 2003 SP1.
>>>
>>> > Now SOME of the users have experienced a problem. TheMcAfeeVirus
>>> > scan ismovingtheprogram'sexeintoC:\Quarantinefolderand
>>> > renaming it to *.vir
>>>
>>> > Can you please advise why this problem is caused?
>>>
>>> > Regards,
>>>
>>> > FK- Hide quoted text -
>>>
>>> - Show quoted text -
>>
>> I have just come to know that the executable is being detected as
>> malware just because it is using "RegCreateKeyEx" API to add a value
>> under "RunOnce" registry key.
>>
>> Can you please tell a solution to this? I need to enter an entry under
>> "RunOnce" key.
>>
>> Regards,
>>
>> FK
>>
>
>
>