McAfee is moving program's exe into Quarantine folder

its_faiz · External Since: Apr 13, 2007 Posts: 2

Hi All,

We have a program developed in VB6 and installed on hundreds of users
scattered around the world. This program is automatically run by an NT
service once a day. It's been running fine for the last 4-5 years.

Please note that all the users have exactly the same operating
environment, i.e. McAfee virus scan 8.0, OS is Windows XP SP2 and MS
office 2003 SP1.

Now SOME of the users have experienced a problem. The McAfee Virus
scan is moving the program's exe into C:\Quarantine folder and
renaming it to *.vir

Can you please advise why this problem is caused?

Regards,

FK

its_faiz · External Since: Apr 13, 2007 Posts: 2

On Apr 13, 1:12 pm, "Marcin Domaslawski" <mila....TakeThisOut@wp.pl> wrote:
> Hi,
>
> McAfeedetected an malware code inside your file. Question is if on every
> system file is detected or only on some.
> First case is caused by similiar malware signature inMcAfee'sdatabase -
> you can contact withMcAfeeand register a false positive
> 2nd case: can be caused by incorrect work of antivirus e.g. by damaged virus
> signatures database. I met with that situation with Kaspersky AV. Try
> re-download all database.
>
> Marcin Domaslawski
>
> Uzytkownik <its_f....TakeThisOut@hotmail.com> napisal w wiadomoscinews:1176448629.245440.276850@e65g2000hsc.googlegroups.com...
>
>
>
> > Hi All,
>
> > We have aprogramdeveloped in VB6 and installed on hundreds of users
> > scattered around the world. Thisprogramis automatically run by an NT
> > service once a day. It's been running fine for the last 4-5 years.
>
> > Please note that all the users have exactly the same operating
> > environment, i.e.McAfeevirus scan 8.0, OS is Windows XP SP2 and MS
> > office 2003 SP1.
>
> > Now SOME of the users have experienced a problem. TheMcAfeeVirus
> > scan ismovingtheprogram'sexeintoC:\Quarantinefolderand
> > renaming it to *.vir
>
> > Can you please advise why this problem is caused?
>
> > Regards,
>
> > FK- Hide quoted text -
>
> - Show quoted text -

I have just come to know that the executable is being detected as
malware just because it is using "RegCreateKeyEx" API to add a value
under "RunOnce" registry key.

Can you please tell a solution to this? I need to enter an entry under
"RunOnce" key.

Regards,

FK

Marcin Domaslawski · External Since: Apr 13, 2007 Posts: 1

Hi,

McAfee detected an malware code inside your file. Question is if on every
system file is detected or only on some.
First case is caused by similiar malware signature in McAfee's database -
you can contact with McAfee and register a false positive
2nd case: can be caused by incorrect work of antivirus e.g. by damaged virus
signatures database. I met with that situation with Kaspersky AV. Try
re-download all database.

Marcin Domaslawski

Uzytkownik <its_faiz.DeleteThis@hotmail.com> napisal w wiadomosci
news:1176448629.245440.276850@e65g2000hsc.googlegroups.com...
> Hi All,
>
> We have a program developed in VB6 and installed on hundreds of users
> scattered around the world. This program is automatically run by an NT
> service once a day. It's been running fine for the last 4-5 years.
>
> Please note that all the users have exactly the same operating
> environment, i.e. McAfee virus scan 8.0, OS is Windows XP SP2 and MS
> office 2003 SP1.
>
> Now SOME of the users have experienced a problem. The McAfee Virus
> scan is moving the program's exe into C:\Quarantine folder and
> renaming it to *.vir
>
> Can you please advise why this problem is caused?
>
> Regards,
>
> FK
>

David H. Lipman · External Since: Jul 04, 2003 Posts: 2116

From: <its_faiz RemoveThis @hotmail.com>

| Hi All,

| We have a program developed in VB6 and installed on hundreds of users
| scattered around the world. This program is automatically run by an NT
| service once a day. It's been running fine for the last 4-5 years.

| Please note that all the users have exactly the same operating
| environment, i.e. McAfee virus scan 8.0, OS is Windows XP SP2 and MS
| office 2003 SP1.

| Now SOME of the users have experienced a problem. The McAfee Virus
| scan is moving the program's exe into C:\Quarantine folder and
| renaming it to *.vir

| Can you please advise why this problem is caused?

| Regards,

| FK

Assuming your author created a good ptrogram and not malware, submit the files being
falsely detected to McAfee via the email addtress virus_research RemoveThis @avertlabs.com and in the
subject of the email use "False Positive on VB6 software" and in the body of the email
state your case why you believe the attached files are not malware.

Attach all the files deemed malware (and you haven't posted what they were declared as) in
password protected ZIP file with the password being; infected { password = infected }

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Zephyr · External Since: Apr 13, 2007 Posts: 1

Hello,

Assuming the program is not malware I would not attempt to make any changes
to it.

Instead, follow David's advice and contact McAfee. If the program is not
malware they should be willing to update their definitions so the program is
no longer being flagged as malware.

--
Zephyr

<its_faiz RemoveThis @hotmail.com> wrote in message
news:1176467034.276901.42840@n59g2000hsh.googlegroups.com...
> On Apr 13, 1:12 pm, "Marcin Domaslawski" <mila... RemoveThis @wp.pl> wrote:
>> Hi,
>>
>> McAfeedetected an malware code inside your file. Question is if on every
>> system file is detected or only on some.
>> First case is caused by similiar malware signature inMcAfee'sdatabase -
>> you can contact withMcAfeeand register a false positive
>> 2nd case: can be caused by incorrect work of antivirus e.g. by damaged
>> virus
>> signatures database. I met with that situation with Kaspersky AV. Try
>> re-download all database.
>>
>> Marcin Domaslawski
>>
>> Uzytkownik <its_f... RemoveThis @hotmail.com> napisal w
>> wiadomoscinews:1176448629.245440.276850@e65g2000hsc.googlegroups.com...
>>
>>
>>
>> > Hi All,
>>
>> > We have aprogramdeveloped in VB6 and installed on hundreds of users
>> > scattered around the world. Thisprogramis automatically run by an NT
>> > service once a day. It's been running fine for the last 4-5 years.
>>
>> > Please note that all the users have exactly the same operating
>> > environment, i.e.McAfeevirus scan 8.0, OS is Windows XP SP2 and MS
>> > office 2003 SP1.
>>
>> > Now SOME of the users have experienced a problem. TheMcAfeeVirus
>> > scan ismovingtheprogram'sexeintoC:\Quarantinefolderand
>> > renaming it to *.vir
>>
>> > Can you please advise why this problem is caused?
>>
>> > Regards,
>>
>> > FK- Hide quoted text -
>>
>> - Show quoted text -
>
> I have just come to know that the executable is being detected as
> malware just because it is using "RegCreateKeyEx" API to add a value
> under "RunOnce" registry key.
>
> Can you please tell a solution to this? I need to enter an entry under
> "RunOnce" key.
>
> Regards,
>
> FK
>

David H. Lipman · External Since: Jul 04, 2003 Posts: 2116

From: "Zephyr" <usenet.DeleteThis@zeppyster.com>

| Hello,
|
| Assuming the program is not malware I would not attempt to make any changes
| to it.
|
| Instead, follow David's advice and contact McAfee. If the program is not
| malware they should be willing to update their definitions so the program is
| no longer being flagged as malware.
|

Correct. They can create a negative Extra DAT that will disable the false declaration as
well subsequently update the next DAT revision to correct the mistaken identification.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

mybest · External Since: Apr 14, 2007 Posts: 1

It is my best shot.
inf0 RemoveThis @sofutoinc.com

<its_faiz RemoveThis @hotmail.com> wrote in message
news:1176448629.245440.276850@e65g2000hsc.googlegroups.com...
> Hi All,
>
> We have a program developed in VB6 and installed on hundreds of users
> scattered around the world. This program is automatically run by an NT
> service once a day. It's been running fine for the last 4-5 years.
>
> Please note that all the users have exactly the same operating
> environment, i.e. McAfee virus scan 8.0, OS is Windows XP SP2 and MS
> office 2003 SP1.
>
> Now SOME of the users have experienced a problem. The McAfee Virus
> scan is moving the program's exe into C:\Quarantine folder and
> renaming it to *.vir
>
> Can you please advise why this problem is caused?
>
> Regards,
>
> FK
>

Segolene · External Since: Apr 25, 2007 Posts: 1

I think Soooo
"Zephyr" <usenet.RemoveThis@zeppyster.com> wrote in message
news:gaednaueqNzvLYLbRVnyugA@giganews.com...
> Hello,
>
> Assuming the program is not malware I would not attempt to make any
> changes to it.
>
> Instead, follow David's advice and contact McAfee. If the program is not
> malware they should be willing to update their definitions so the program
> is
> no longer being flagged as malware.
>
> --
> Zephyr
>
>
> <its_faiz.RemoveThis@hotmail.com> wrote in message
> news:1176467034.276901.42840@n59g2000hsh.googlegroups.com...
>> On Apr 13, 1:12 pm, "Marcin Domaslawski" <mila....RemoveThis@wp.pl> wrote:
>>> Hi,
>>>
>>> McAfeedetected an malware code inside your file. Question is if on every
>>> system file is detected or only on some.
>>> First case is caused by similiar malware signature inMcAfee'sdatabase -
>>> you can contact withMcAfeeand register a false positive
>>> 2nd case: can be caused by incorrect work of antivirus e.g. by damaged
>>> virus
>>> signatures database. I met with that situation with Kaspersky AV. Try
>>> re-download all database.
>>>
>>> Marcin Domaslawski
>>>
>>> Uzytkownik <its_f....RemoveThis@hotmail.com> napisal w
>>> wiadomoscinews:1176448629.245440.276850@e65g2000hsc.googlegroups.com...
>>>
>>>
>>>
>>> > Hi All,
>>>
>>> > We have aprogramdeveloped in VB6 and installed on hundreds of users
>>> > scattered around the world. Thisprogramis automatically run by an NT
>>> > service once a day. It's been running fine for the last 4-5 years.
>>>
>>> > Please note that all the users have exactly the same operating
>>> > environment, i.e.McAfeevirus scan 8.0, OS is Windows XP SP2 and MS
>>> > office 2003 SP1.
>>>
>>> > Now SOME of the users have experienced a problem. TheMcAfeeVirus
>>> > scan ismovingtheprogram'sexeintoC:\Quarantinefolderand
>>> > renaming it to *.vir
>>>
>>> > Can you please advise why this problem is caused?
>>>
>>> > Regards,
>>>
>>> > FK- Hide quoted text -
>>>
>>> - Show quoted text -
>>
>> I have just come to know that the executable is being detected as
>> malware just because it is using "RegCreateKeyEx" API to add a value
>> under "RunOnce" registry key.
>>
>> Can you please tell a solution to this? I need to enter an entry under
>> "RunOnce" key.
>>
>> Regards,
>>
>> FK
>>
>
>
>