I am trialling encryption software called Advanced Encryption Package Professional v. 5.51 ('AEPPRO') which creates self-extracting files. These files have a double extension which McAfee detects as a trojan, and McAfee then quarantines my files. I have tried McAfee support (five times) and sent the files to their labs for testing, which confirms that my files are trojans and... well, that's it, I don't seem to be able to tell anyone that it's not a trojan, it's a file that I created and want. Question: is it a trojan? I don't think so, as the software AEPPRO is widely available and I downloaded my trial from cnet.com. I have successfully created the encrypted file on a USB stick and transferred it to another computer, from which I have been able to open and unlock the file successfully, but that computer has other virus protection, not McAfee. Has anyone else used AEPPRO and successfully solved this issue, because McAfee doesn't seem to be able to?
Will point someone here as this is deeper than we go.
Usually when they reply, you reply to that email adding "False detection" and the name of the detection.
In the email body add "Please review as I think this is a false detection."
I have PM'd an engineer.
McAfee Labs - Beaverton
Current Scan Engine Version: 5400.1158
Current DAT Version: 6350.0000
Thank you for your submission.
Analysis ID: 6635584
| briony gadget helpline.pdf.exe | current detection | generic malware.ck | Trojan | no |
current detection [ briony gadget helpline.pdf.exe ]
The file submitted is malware that can be detected with current DAT files. It is recommended that you update your DAT and engine files and scan your computer again.
Malware writers use the double-extension trick to get users to click on a malicious download. If the hide-extensions flag is set - or if an initial exploit sets it - all the user sees is an innocent pdf or doc file. When the file is opened the executable runs and executes the malware. What your encryption software is producing bears all the hallmarks of malware, so if other vendors are giving the files the all-clear perhaps the McAfee testing needs to be tweaked to analyse the file contents more thoroughly.
As a test, I suggest you upload a couple of files to VirusTotal and see how many AV vendors flag them as suspect.
File name: Briony Gadget Helpline.pdf.exe
Submission date: 2011-05-20 18:17:01 (UTC)
Current status: finished
Result: 0/42 (0.0%)
MD5: 36648a023061bbc026af78add696379d
SHA1: a5fc24ad2106cd2a4e186fa8efe6e3d0cc38b703
File size: 204003 bytes
First seen: 2011-05-20 18:17:01
Last seen: 2011-05-20 18:17:01
TrID file type identification:
UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda's Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)
sigcheck:
publisher....: InterCrypto Ltd
copyright....: Copyright (C) 2010
product......: Self-Extracting (Encrypted) Module built by AEP PRO www.aeppro.com
original name: Self-Extracting (Encrypted) Module built by AEP PRO www.aeppro.com
internal name: Self-Extracting (Encrypted) Module built by AEP PRO www.aeppro.com
file version.: 5, 50, 13901, 6563
signing date.: -
packers (F-Prot): UPX
PEInfo: PE structure information
[[ basic data ]]
timedatestamp....: 0x4DBD6AE3 (Sun May 01 14:14:59 2011)
machinetype......: 0x14c (I386)
[[ 3 section(s) ]]
name, virtual address, virtual size, raw size, entropy, md5
UPX0, 0x1000, 0x3B000, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e
UPX1, 0x3C000, 0x20000, 0x1FE00, 7.93, 4a419889b9e6b117a1d673959a7f49b6
.rsrc, 0x5C000, 0x1000, 0xE00, 4.42, c0df1881ac084ab5150391e3f08fd0bf
[[ 10 import(s) ]]
KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ExifTool:
CompanyName: InterCrypto Ltd
FileSize: 199 kB
FileType: Win32 EXE
FileVersion: 5, 50, 13901, 6563
InternalName: Self-Extracting (Encrypted) Module built by AEP PRO www.aeppro.com
LegalCopyright: Copyright (C) 2010
MachineType: Intel 386 or later, and compatibles
OriginalFilename: Self-Extracting (Encrypted) Module built by AEP PRO www.aeppro.com
ProductName: Self-Extracting (Encrypted) Module built by AEP PRO www.aeppro.com
ProductVersion: 1, 0, 0, 1
Subsystem: Windows GUI
TimeStamp: 2011:05:01 16:14:59+02:00
McAfee does not detect the creation of the encrypted file. It is the real-time scanning that quarantines my file when I try to attach it to an email.
I must admit I don't know what the VirusTotal results (above) are telling me - there is no explanation nor summary.
The end result is that McAfee has again deleted my file. GRRRR.
When real-time scanning happens, does it show the Artemis!0AAF63234E86 detection? If that is the case, the Artemis detection should be resolved in another 30-45 minutes.
The Generic Malware.ck detection is also fixed and should be in the real-time DATs in 2-3 days.
Since malware writers use the double-extension trick to get users to click on a malicious download, if you still want to use these files you can either change the file name to a single extension only or add a file-name-based exclusion in the product.
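For readers who, like the original poster, cannot tell what the VirusTotal output above means: the section table and import list are the parts that matter. Below is an added example, written for this thread and not McAfee's, VirusTotal's or InterCrypto's own code, that feeds the section table and imports copied from the VirusTotal PEInfo output into a few generic "looks packed" heuristics of the kind a generic trojan signature weighs, and checks a file name for the double-extension pattern the engineer describes. The thresholds, rule names, the document/executable extension lists and the rename scheme in `single_extension_name` are this example's own assumptions.

```python
import math
from collections import Counter

# Section table (name, virtual size, raw size, entropy) and import list copied
# from the VirusTotal PEInfo output pasted in the thread for the AEP PRO
# self-extractor. Thresholds and rule names below are this example's choices.
SECTIONS = [
    ("UPX0", 0x3B000, 0x0, 0.00),
    ("UPX1", 0x20000, 0x1FE00, 7.93),
    (".rsrc", 0x1000, 0xE00, 4.42),
]
IMPORTS = {
    "KERNEL32.DLL": ["LoadLibraryA", "GetProcAddress", "VirtualProtect",
                     "VirtualAlloc", "VirtualFree", "ExitProcess"],
}

# Assumed lists: "document-looking" extensions and Windows executable extensions.
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0.0..8.0. Plain code or text sits around 4-6;
    compressed or encrypted data approaches 8, which is what 7.93 on UPX1 means."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def packer_indicators(sections, imports, entropy_threshold=7.5):
    """Return a list of (rule, detail) hits for generic packed-binary traits."""
    hits = []
    for name, vsize, rsize, entropy in sections:
        if name.upper().startswith("UPX"):
            hits.append(("packer-section-name", name))
        # No bytes on disk but a large in-memory size: the area the unpacking
        # stub writes decompressed code into at run time.
        if rsize == 0 and vsize >= 0x10000:
            hits.append(("empty-on-disk-large-in-memory", name))
        if entropy >= entropy_threshold:
            hits.append(("high-entropy-section", f"{name}={entropy:.2f}"))
    funcs = {f for fs in imports.values() for f in fs}
    # A tiny import table that still has LoadLibraryA/GetProcAddress means the
    # real imports are resolved only after the payload is unpacked.
    if len(funcs) <= 8 and {"LoadLibraryA", "GetProcAddress"} <= funcs:
        hits.append(("runtime-import-resolution", ",".join(sorted(funcs))))
    if "VirtualProtect" in funcs or "VirtualAlloc" in funcs:
        hits.append(("self-modifying-memory-apis", "VirtualProtect/VirtualAlloc"))
    return hits


def double_extension(filename):
    """If filename is <name>.<doc ext>.<exe ext>, return (what Explorer shows
    with 'hide extensions for known file types' on, the real extension)."""
    lower = filename.lower()
    for ext in EXEC_EXTS:
        if lower.endswith(ext):
            shown = filename[: -len(ext)]
            dot = shown.rfind(".")
            if dot != -1 and shown[dot:].lower() in DOC_EXTS:
                return shown, ext
            return None
    return None


def single_extension_name(filename):
    """Rename along the lines the engineer suggests: keep only the final
    extension and turn inner dots into underscores (assumed scheme)."""
    dot = filename.rfind(".")
    if dot == -1:
        return filename
    return filename[:dot].replace(".", "_") + filename[dot:]


if __name__ == "__main__":
    for rule, detail in packer_indicators(SECTIONS, IMPORTS):
        print(f"{rule:32s} {detail}")
    name = "Briony Gadget Helpline.pdf.exe"
    print(double_extension(name))
    print(single_extension_name(name))
```

Run as-is, it lists the five traits that make this self-extractor indistinguishable, on structure alone, from a UPX-packed dropper: UPX section names, an empty UPX0 with a large virtual size, a near-8.0 entropy UPX1, a six-function import table built around LoadLibraryA/GetProcAddress, and VirtualProtect/VirtualAlloc. None of that proves malice (it is exactly what a legitimate packed self-extractor looks like too), which is why the 0/42 VirusTotal score and the vendor's generic signature can disagree; the name check and rename show the workaround from the engineer's last post.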