View Full Version : McAfee uses F-Secure technology?
NewsArchive
09-14-2010, 01:27 AM
It seems to me, McAfee makes use of some F-Secure "patent pending high-tech
malware detection technologies" now <g>.
Idiots are taking over...
If you are using McAfee, fire some emails to the guys. They detect your SB7
applications as malware now.
Friedrich
NewsArchive
09-14-2010, 01:28 AM
No, McAfee is even smarter than the F-Secure guys. They detect both SB6
*and* SB7 applications as malware now.
Friedrich
NewsArchive
09-14-2010, 01:28 AM
Friedrich,
> No, McAfee is even smarter than the F-Secure guys. They detect both SB6
> *and* SB7 applications as malware now.
I think "idiots" is too nice.
If AVG begins to act like this I'll have to retire!<g>
--
Lee White
RPM Report Viewer.: http://www.cwaddons.com/products/rpm/
RPM Review........: http://www.clarionmag.com/cmag/v11/v11n06rpm.html
Report Faxing.....: http://www.cwaddons.com/products/afe/
---Enroll Today---: http://CWaddons.com
Enhanced Reporting: http://www.cpcs-inc.com
NewsArchive
09-14-2010, 01:28 AM
Lee,
>> No, McAfee is even smarter than the F-Secure guys. They detect both SB6
>> *and* SB7 applications as malware now.
>
> I think "idiots" is too nice.
>
> If AVG begins to act like this I'll have to retire!<g>
<BG>
And I think that when we are all retired or dead, F-Secure will still flag
SB7 apps <g>
Friedrich
NewsArchive
09-14-2010, 01:29 AM
There's no way they can look at content, is there?
I just did a test SB7 installer containing only notepad.exe.
McAfee didn't fuss.
jf
NewsArchive
09-14-2010, 01:30 AM
Recompiled the same project with no code-signing on the installer.
Now, McAfee DOES flag it.
F-secure had said something about white-listing my certificate. That
doesn't seem to be the case with the f-secure version that virustotal is
running. Wonder whether they share their white-lists with McAffee?
jf
NewsArchive
09-14-2010, 01:30 AM
Hi Jane,
> Recompiled the same project with no code-signing on the installer.
>
> Now, McAfee DOES flag it.
>
> F-secure had said something about white-listing my certificate. That
> doesn't seem to be the case with the f-secure version that virustotal is
> running. Wonder whether they share their white-lists with McAffee?
I think what they do is they share their talented developers <g>
As far as I see, all code-signed SB7 apps are NOT flagged by McAfee. That
is good news -- but it also means that a code-signing certificate becomes
more and more vital in business.
Friedrich
NewsArchive
09-14-2010, 01:31 AM
Wonder if their shared developer newsgroup forum reads like our chat? <vbg>
--
Russell B. Eggen
www.radfusion.com
Clarion developers: www.radfusion.com/devs.htm
NewsArchive
09-14-2010, 01:32 AM
Friedrich
>I think what they do is they share their talented developers <g>
Perhaps these talented developers?
http://www.offshore-software.ru/Customers/CustomersList/tabid/137/Default.aspx
see the top logo/story and another about 9 down starting with "SoftVel******
So perhaps the delays in fixing f-Secure are related to delays with CW7 / .NET
John
NewsArchive
09-14-2010, 01:33 AM
> Recompiled the same project with no code-signing on the installer.
>
> Now, McAfee DOES flag it.
>
> F-secure had said something about white-listing my certificate. That
> doesn't seem to be the case with the f-secure version that virustotal is
> running. Wonder whether they share their white-lists with McAffee?
Jane and Friedrich,
OK, installed Trial Version - McAfee Home Office Total Protection in a
Clean Install VM - then installed Product Scope 7.9
No malware detections on Product Scope 7.9 - however, it is white-listed at
F-Secure (if they share lists) -
Also, F-Secure definitely didn't white-list my company certificate - only
SB install programs that I uploaded.
Also, ran McAfee custom scan including Program Files area -
only 1 file was flagged/deleted - something they call a Cookie-2o7
(potentially unwanted program detection) - out of 41 tracking cookies -
they deleted 1 (no specific details on that file).
Interesting news item on McAfee Home Page - Intel buyout agreement.
David
--
From David Troxell - Encourager Software
Microsoft Forums NNTP Bridge - Instructions to use
http://profileexchanges.com/blog/?p=397
NewsArchive
09-14-2010, 01:35 AM
Hi Jane,
> There's no way they can look at content, is there?
>
> I just did a test SB7 installer containing only notepad.exe.
>
> McAfee didn't fuss.
I am uploading the very same "helloworld.exe" (not code signed!!!) for more
than two weeks now <g>. It was fine until today.
See (zipped) helloworld.exe.
http://www.lindersoft.com/projects/helloworld.zip
BTW, I just noticed that McAfee does not detect the code-signed SB7
wupdate.exe and other signed SB7 apps as malware. So the code-signature
seems to make a BIG, BIG difference.
Of course, good old F-Secure still flags *ALL* SB7 apps as malware.
Unbelievable!
Friedrich
NewsArchive
09-14-2010, 01:36 AM
suggest involving them in a lawsuit, that might prick some ears up.:-)
Richard Rose
NewsArchive
09-14-2010, 01:36 AM
Hubboy! :(
--
Russell B. Eggen
www.radfusion.com
Clarion developers: www.radfusion.com/devs.htm
NewsArchive
09-14-2010, 01:37 AM
Scrapped McAfee a few months ago. Destroyed two of our machines - had to
reinstall XP and W7. They seem to be going south.
J André Labuschagné
NewsArchive
09-14-2010, 04:43 AM
>
> Wonder if their shared developer newsgroup forum reads like our chat?
> <vbg>
>
<G>
BTW, I just noticed that the F-Secure thread is already very popular. More
than 5,000 hits in 19 days -- what a bad marketing concept. I am sure that
F-Secure is a good protection product. But this delay in fixing things is
NOT acceptable.
http://www.lindersoft.com/forums/showthread.php?t=27387
Friedrich
NewsArchive
09-14-2010, 05:22 AM
Hi John,
Interesting link. And I had no idea that F-Secure and Arcadia Software
Consulting "cooperate" in software development and maintenance projects.
As I understand it, Arcadia has some 160 employees in St. Petersburg,
Russia. And they stated that "over 97% of our software developers hold a
university degree at the master's level, 10% of them hold a PhD level degree
in high sciences, such as mathematics, physics, and engineering."
So hope is not lost and I am positive that they'll fix the "false-positive"
in F-Secure soon <g>.
Friedrich
NewsArchive
09-15-2010, 12:44 AM
BS? MS? PhD?
Bull S***, More S***, Piled High and Deep.
<vbg>
--
Russell B. Eggen
www.radfusion.com
Clarion developers: www.radfusion.com/devs.htm
NewsArchive
09-15-2010, 12:44 AM
> BS? MS? PhD?
>
> Bull S***, More S***, Piled High and Deep.
>
> <vbg>
<ROFL> :)
Friedrich
NewsArchive
09-15-2010, 12:45 AM
ROFLMAO! On the button mate.
J André Labuschagné
NewsArchive
09-15-2010, 12:46 AM
Hi Friedrich
I looked there to see if perhaps McAfee was also one of their "cooperative" customers.
I don't know the parent company of McAfee (if any) but there may be a link thru one of
those other partners.
Fingers crossed that F-Sec and McA sort things out soon.
John
NewsArchive
09-15-2010, 12:47 AM
Degrees, schmegrees.
Friedrich, F-Secure are Finns!
They and their Russian counterparts are too busy chasing herring to work on
software :-(
jf
NewsArchive
09-15-2010, 12:48 AM
Why do you hate herring?????<g>
Jeff Slarve
NewsArchive
09-15-2010, 12:48 AM
Silly man!
I just hate Finns and Russians <g>
Jane Fleming
NewsArchive
09-15-2010, 12:49 AM
Well, I'm only half Russian. I hope that doesn't count<g>
Jeff Slarve
NewsArchive
09-15-2010, 12:49 AM
OK.
We're Finnished...
Jane Fleming
NewsArchive
09-15-2010, 12:50 AM
You are Russing it.
--
Russell B. Eggen
www.radfusion.com
Clarion developers: www.radfusion.com/devs.htm
NewsArchive
09-15-2010, 12:50 AM
Jane,
> I just hate Finns and Russians <g>
Russ has kids?!
--
Lee White
RPM Report Viewer.: http://www.cwaddons.com/products/rpm/
RPM Review........: http://www.clarionmag.com/cmag/v11/v11n06rpm.html
Report Faxing.....: http://www.cwaddons.com/products/afe/
---Enroll Today---: http://CWaddons.com
Enhanced Reporting: http://www.cpcs-inc.com
NewsArchive
09-15-2010, 12:50 AM
Yes.
Finns wearing Depends.
Jane Fleming
NewsArchive
09-15-2010, 12:51 AM
Jane,
> Finns wearing Depends.
TMI..... WAY TMI!<g>
--
Lee White
RPM Report Viewer.: http://www.cwaddons.com/products/rpm/
RPM Review........: http://www.clarionmag.com/cmag/v11/v11n06rpm.html
Report Faxing.....: http://www.cwaddons.com/products/afe/
---Enroll Today---: http://CWaddons.com
Enhanced Reporting: http://www.cpcs-inc.com
NewsArchive
09-15-2010, 12:51 AM
How can I prove this with my install? I don't want McAffee on my computer...
always thought it was a virus. I did try the virustotal web site and my
install came back clean. Should I worry about this.. . could lose a lot of
money if my potential customers download and their anti-virus thinks our
software is a problem... although I haven't had a customer say anything
yet... but the ones that don't say anything are the ones that I just lost as
a customer.. catch 22.
Thanks... .please keep us informed on this issue. Trying to figure if I need
to add some sort of disclaimer to my download page or email.
Ray Rippey
VMT Software
NewsArchive
09-15-2010, 12:52 AM
> How can I prove this with my install? I don't want McAffee on my computer...
> always thought it was a virus.
Ray,
Friedrich makes this statement later in the thread...
> BTW, I just noticed that McAfee does not detect the code-signed SB7
> wupdate.exe and other signed SB7 apps as malware. So the code-signature
> seems to make a BIG, BIG difference.
So, if your SB7 installs are code signed - McAfee does not declare them as
malware.
I can understand your reluctance to install even a trial version of McAfee
to do direct tests - I DID install a McAfee trial verison recently in a
Clean Install Virtual Machine - and using a SB7 install - Product Scope 7.9
install program - had no problems with McAfee challenging the install.
So, for now, generally speaking code signed SB7 installs seem to be fine
with McAfee.
David
--
From David Troxell - Encourager Software
Microsoft Forums NNTP Bridge - Instructions to use
http://profileexchanges.com/blog/?p=397
NewsArchive
09-15-2010, 01:14 AM
Ray,
> How can I prove this with my install? I don't want McAffee on my
> computer... always thought it was a virus. I did try the virustotal web
> site and my install came back clean. Should I worry about this.. . could
> lose a lot of money if my potential customers download and their
> anti-virus thinks our software is a problem... although I haven't had a
> customer say anything yet... but the ones that don't say anything are the
> ones that I just lost as a customer.. catch 22.
>
> Thanks... .please keep us informed on this issue. Trying to figure if I
> need to add some sort of disclaimer to my download page or email.
What Dave said. If your SB7 installs are code signed (don't forget to use
the timestamp option!), you are already in a very good position. Quite a
few virus scanners verify digital signatures and ignore files (or treat them
differently) that are properly signed.
In this specific case, if your SB7 install is code signed, McAfee does not
declare them as malware. But if the file is not code signed or the
signature "expired" (because the timestamp option was not used), McAfee
flags the file. It's possible that this will change again today, tomorrow,
next week, etc. and they "white-list" unsigned SB7 applications -- but it's
also possible that it's a permanent change in the McAfee heuristic scanners.
A false positive is essentially a defect (bug) in the software protection
system. False positives are a well known problem with anti-virus scanners
that affect all vendors from time to time. In April 2010, McAfee broke a
lot of its customers' computers because a virus definition update caused a
false positive identification of a virus within a key Windows file. In
February 2010 Kaspersky Lab falsely flogged Google AdWords as malign.
Anti-virus companies who do not put enough emphasis on false positive
mitigation are more likely to push out an update for new malware which false
positives.
15 years ago the anti-virus vendors were detecting just a few virus a day
and still had false positives. Nowadays, they are detecting more than
50,000 new malware samples a day and there are less false positives in
proportion. However, at the end the total number of false positives is much
higher than in the good old days. The increase in malicious code volumes
means that anti-virus labs have to improve existing automatic processing of
malware samples and add "aggressive generic detections" for malware.
We are in contact with most anti-virus vendors (QA Engineering Departments)
to make sure that we are part of the internal quality assurance processes
and to reduce the possibility of false positive detections. This is a very
time consuming task for us -- but even this cannot guarantee that false
positives will not occur!
Most "real" virus-infected and spyware products are distributed through
freeware installers and as a result, quite a few products powered by
freeware setups are getting nailed with false positives on a consistent
basis and their customers (or, even worse, potential customers) are
routinely being inconvenienced, if not downright scared off.
False-positives on SetupBuilder apps (installations, web updates, tools) are
very, very rare.
Please note that it's NOT enough to let www.VirusTotal.com only check your
installers because false-positives are not a "setup-only" problem per-se!
You should also check your own application files from time to time to make
sure they are not flagged by the generic detection mechanisms. Imagine the
situation where the setup installed your application without any problem but
the virus-scanner gives a false-positive warning on one of your own apps.
Friedrich
--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910
SetupBuilder is Windows 7 installation -- "point. click. ship"
-- Official Comodo Code Signing and SSL Certificate Partner
NewsArchive
09-16-2010, 12:30 AM
Thanks for the info. I went to the McAffee site and there was some great
reading material on the history of anti-virus software.. a great read.
http://www.mcafee.com/us/research/mcafee_security_journal/index.html
Ray
VMT
NewsArchive
09-16-2010, 12:31 AM
I just had my sb7 setup scanned....it is code signed.
F-Secure 9.0.15370.0 2010.09.15 Suspicious:W32/Malware!Gemini
one hit.
Skip
NewsArchive
09-16-2010, 12:31 AM
It's a new feature, since it's the Gemini variant, you get two installs for the
price of one. Can't beat that with a stick! <g>
--
Russell B. Eggen
www.radfusion.com
Clarion developers: www.radfusion.com/devs.htm
NewsArchive
09-16-2010, 12:32 AM
Skip,
> I just had my sb7 setup scanned....it is code signed.
>
> F-Secure 9.0.15370.0 2010.09.15 Suspicious:W32/Malware!Gemini
>
> one hit.
F-Secure does NOT care whether it's code signed or not, so the signature
does not make any difference. See a few threads down:
http://www.lindersoft.com/forums/showthread.php?t=27387
So in fact, McAfee is smarter in this case.
The F-Secure virus scan does not flag the SB7 app. But they still have a
bug in their "DeepGuard" technology. Old pre-SB7 apps are not flagged, but
all SB7 applications are flagged as 'suspicious' (W32/Malware!Gemini).
"The detection of Suspicious:W32/Malware!Gemini by Virustotal's scan is
equivalent to an automatic block by DeepGuard"
Charles managed to push this issue and F-Secure plans to release a DeepGuard
fix next week.
Friedrich
NewsArchive
09-16-2010, 12:33 AM
Friedrich,
Many thanks to you and Charles for the promised F-Secure DeepGuard fix next
week. Many developers complained, sent samples, etc - but due to your
diligence, and whatever mode of "push" Charles used :-D! - light at the end
of the tunnel!
David
--
From David Troxell - Encourager Software
Microsoft Forums NNTP Bridge - Instructions to use
http://profileexchanges.com/blog/?p=397
NewsArchive
09-16-2010, 12:33 AM
I agree! Thanks to both.
I just sent my sb7 install to them as well.
Skip
NewsArchive
09-16-2010, 12:34 AM
> I just had my sb7 setup scanned....it is code signed.
>
> F-Secure 9.0.15370.0 2010.09.15 Suspicious:W32/Malware!Gemini
Skip,
Yes, unfortunately - this is what a lot of us are still seeing - F-Secure
hasn't fixed their False positives for SB7 - code signed installs.
Many of us have uploaded our code signed SB7 installs to:
F-Secure Sample Analysis System, MFG - F-Secure
Internet Link - https://analysis.f-secure.com/portal/login.html
So they have plenty of samples to analyze -
so far, F-Secure has whitelisted uploaded installs - but have still not
fixed the main SB7 installs - false postive problem.
David
--
From David Troxell - Encourager Software
Microsoft Forums NNTP Bridge - Instructions to use
http://profileexchanges.com/blog/?p=397
Powered by vBulletin® Version 4.2.5 Copyright © 2024 vBulletin Solutions Inc. All rights reserved.