×
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Hayton
Reliable Contributor
Reliable Contributor
Message 11 of 27

Re: mfewfpk.sys issue

Not so fast. I checked this and there does seem to be a problem with that URL. I'm running some more checks but it's Saturday night, I've got things to do. I'll report back later.

exbrit
MVP
MVP
Message 12 of 27

Re: mfewfpk.sys issue

Well it worked for me and downloaded the wfc tool that Jayadeep mentions.,   I have no idea whta that tool does mind you.  He can explain.

Capture.JPG

Here it is zip format if you'd prefer:

Message was edited by: Ex_Brit on 17/05/14 2:29:39 EDT PM
cad_techniche
Contributor
Message 13 of 27

Re: mfewfpk.sys issue

My browser is not redirecting me anywhere because I simply won't entertain attempting to access any site ending in .ee WHICH IS the country code for Estonia; of this I am not mistaken.

If this is genuinely a legitimate McAfee website, then I seriously recommend that they change the URL to something other than ending with the .ee country code.

exbrit
MVP
MVP
Message 14 of 27

Re: mfewfpk.sys issue

It's a shortened URL - it's in the USA and is the McAfee Short URL service.  If you don't believe me Google McAfee Short URL.  There is no country code attached to it at all because it's abbreviated on purpose.  I agree they perhaps could have put the '.' in another spot, such as mc.afee or similar.   That would be a good suggestion for a product change here:  https://community.mcafee.com/community/home/ideas

Anyway my previous post has the wfc tool attached as a zip and believe me I have run it and it's harmless.

Hayton
Reliable Contributor
Reliable Contributor
Message 15 of 27

Re: mfewfpk.sys issue

Hold off please on the .ee stuff, I'll give you both the analysis later. I'm not missing a Raymond Chandler for this.

exbrit
MVP
MVP
Message 16 of 27

Re: mfewfpk.sys issue

Shortened URL's do not have domains by design....that's how they work & why they are called that.   McAfee simply chose to put a . where they did to differentiate between the name of that service and the regular website.

SafeBoot
MVP
MVP
Message 17 of 27

Re: mfewfpk.sys issue

It's a genuine McAfee service - it's been around for years. You don't have to trust it, like you don't have to trust any domain, but seeing as we deliver 300,000 clicks a day through it, I can assure you it's safe. We also deploy our mobile products through it - tens of thousands of users a day.

As to calling it mc.afee - there is no .afee TLD.

Bit.ly is a Lybian domain - do you object to that?

Oh, and the user info for the site is actually here on community - https://community.mcafee.com/groups/mcafee-public-beta  and the root servers for the .ee domain are managed by IANA.org.

Just because a site has a particular TLD does not mean its geographically, or even logically based or controlled by that TLD/Country - that's a massive oversimplification of how the Internet works.

Message was edited by: SafeBoot on 5/17/14 9:41:42 PM EDT
Hayton
Reliable Contributor
Reliable Contributor
Message 18 of 27

Re: mfewfpk.sys issue

@everyone posting in this thread,

Again, please hold off. The thread originator (cad_techniche) has inadvertently noted something which I am still investigating. I have reason to believe that the short URL provided by Jayadeep may not be safe, but why that should be so is proving difficult to unravel. I will post what I have found; SafeBoot may then need to make some enquiries. I haven't got a case to make just yet.

Hayton
Reliable Contributor
Reliable Contributor
Message 19 of 27

Re: mfewfpk.sys issue

All right, here we go. I haven't necessarily finished with this, but here are some findings.

1.  Let's start with the short URL question first. These were introduced so that site links could display on small screens with limited space. McAfee has its own short url service, which is "mcaf.ee" and which has nothing at all to do with Estonia. Those short URLs are mapped to full-length URLs of the kind we're more used to. Using a short URL has the unfortunate side-effect that you can't see which website the URL is pointing to : it's just a meaningless code. That is why I don't like them, don't use them myself, and am very wary about clicking on one when I see it.

There are add-ons and extensions available for some browsers which will expand a short URL into its fully-qualified domain name. I've found two for Chrome, and there are others for Firefox. They're worth installing if you don't trust short URLs.

Everything depends on the mapping of the short URL to the full URL, so the domain name servers doing the mapping must be trusted. McAfee's short URL service ought to be among the most trustworthy. So if there's a problem with a short URL then it should be investigated to find the reason for the problem.

2. Jayadeep provided a link to an executable available from a site with a mcaf.ee short URL : http://mcaf.ee/pi9vd

This link opens the following page -

Short URL expanded to full site.PNG

I downloaded the file - passed as okay by Chrome - and scanned it with McAfee and Malwarebytes. Neither found a problem. But then, by mistake, I double-clicked the downloaded file, and got this warning -

Jayadeep

A file from an unknown publisher, without a valid digital certificate? Experience has taught me to pay attention to little details like that. So I uploaded the file to VirusTotal : their report is HERE. To summarise : that file was detected as malicious by 13 out of 52 anti-malware programs including Trend Micro and Symantec. Microsoft and McAfee passed it as okay. The file may be packed, which increases the suspicion level. It may still be safe, but the report notes

The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.

Maybe that is perfectly legitimate, but it's worth noting. Next I checked for anything reported for that filename (wfc.exe). According to systemexplorer.net wfc.exe is Windows Firewall Control from BiniSoft.org and is rated safe.

So far so good. Then I looked again at the page that displayed when the short-URL link was clicked, and saw the "original URL" was http://mfevr.com, which is rated Green by SiteAdvisor and TrustedSource. I went to the site, and found this :

mfevr site under construction.PNG

"Site under construction" but downloading an executable? I decided to investigate further.

DomainTools shows that the site was registered by McAfee Support in Chennai last August.

From the IP address (192.184.83.206) it's easy to discover (here) that it resides on a RamNode server in Georgia (that's Georgia USA, not Georgia in the Caucasus).

The site is not listed in hphosts.

Previously this site provided a download of an executable, "perses.exe", which was flagged as malicious according to VirusTotal reports HERE and HERE.

A few more checks on this site produced the following negative results :

- urlvoid shows the site blacklisted by Dr Web and one other

- VirusTotal confirms the Dr Web blacklisting

- the site is flagged by Google Safe Browsing

Part of this site was listed for suspicious activity 2 time(s) over the past 90 days


the last time suspicious content was found on this site was on 2014-04-10

Has this site hosted malware?

Yes, this site has hosted malicious software over the past 90 days. It infected 1 domain(s), including mcaf.ee/.

Google Safe Browsing's report for mcaf.ee also flags mfevr.com :

The last time Google visited this site was on 2014-05-17, and the last time suspicious content was found on this site was on 2014-03-02.

Malicious software includes 3 exploit(s), 1 trojan(s).

Malicious software is hosted on 1 domain(s), including mfevr.com/.

There are other checks I could carry out but it seems clear that the site looks decidely fishy yet is a legitimate vehicle for McAfee Support to host downloads from time to time. What gives cause for concern is that these downloads are being detected as malicious by other anti-virus companies' products, leading to the site itself being suspect. One question is, where do these downloads come from, and why do they not have a valid digital certificate to identify the software publisher?

If I have any further thoughts on this, or any more relevant material, I'll have to edit this post tomorrow to include it.

Message was edited by: Hayton - clarifying Georgia - on 18/05/14 08:13:20 IST
exbrit
MVP
MVP
Message 20 of 27

Re: mfewfpk.sys issue

Maybe support are using that site ro store tools and maybe they should try another method?   A discussion on our conference call may be in order on that score.

Anway did you actually try running the WFC tool?   It merely checks security status as far as I could see.   Runs a Command Prompt window for a few seconds that's all.

How Many Badges Can You Collect?
Ready for a little competition? Members like you are earning badges and unlocking perks for their helpful answers. Are you? Click here to find out.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community