  #1  
Old 01-16-2022, 08:28 PM
NuJudge NuJudge is offline
 
Join Date: Nov 2009
Location: SE Michigan
Posts: 94
Default I had trouble on a HP with McAfee & your software

I had to get McAfee to exclude your software from their program's authority on my new HP Laptop. McAfee asked me to submit your software for their study, and sent me an eMail, which I don't understand. I forwarded the eMail to your eMail address.
  #2  
Old 01-16-2022, 09:23 PM
nmCollector nmCollector is offline
 
Join Date: Dec 2009
Location: Albuquerque, New Mexico
Posts: 414
Lightbulb Thank you! Finally I have some direction to hopefully resolve this issue with McAfee!

Quote:
Originally Posted by NuJudge
I had to get McAfee to exclude your software from their program's authority on my new HP Laptop. McAfee asked me to submit your software for their study, and sent me an eMail, which I don't understand. I forwarded the eMail to your eMail address.
Thank you for the email. I only skimmed it and see how it can be confusing. However, I will study it in more detail tomorrow. Some Artificial Intelligence (AI) heuristics think NM Collector CP is dangerous. This is most likely due to the fact that the executable is a wrapper for the underlying Java program. This looks like suspicious behavior to some virus and malware detectors. This was confirmed by MalwareBytes who did correct the problem on their end. Please see https://forums.malwarebytes.com/topi...nganomalous96/ for more information.

Another customer reported the same issue with McAfee and requested help from them to resolve it. I guess McAfee made it too hard for my customer to work with them so he chose to dump McAfee and use a different anti-virus software instead.

Hopefully, with your help, I can provide McAfee with the information they need to correct the issue on their end. In case the analysis has to be run on your computer, since you have McAfee installed and I don't, we may have to have you run whatever steps they are asking for on your computer. In that case, hopefully, I can help clarify their instructions for you.

Once again, thank you so much for following up with them!

__________________
Clay Pryor
nmCollector.net LLC
  #3  
Old 01-17-2022, 10:00 AM
nmCollector nmCollector is offline
 
Join Date: Dec 2009
Location: Albuquerque, New Mexico
Posts: 414
Post Steps to report false positive to McAfee

Since others may have experienced the same issue with McAfee, I will post an explanation of what they want us to do here. Unfortunately, after going through the email they sent you in detail, this is something you will need to follow through with for me.

I would love to be able to replicate the issue on my computer but I do not want to purchase their product. I have installed an evaluation version of McAfee before to see if I can replicate the issue but it seems the evaluation version they provide does not include the machine learning capability that you are running into because it did not detect issues on my computer. They have been unwilling to work with me. They say the issue has to be reported by one of their customers ... but I do not want to give up. Can you tell me exactly what version you purchased so I can see if I can get an evaluation version of it to match?

Anyway, back to the email they sent to you. They want you to send their analysis of the program to virus_research@avertlabs.com using their tools on your computer ... see further down for their process. But first, they want you to do the following which, again, is something you will need to do on your computer since you have McAfee installed:

1. Make sure that your McAfee software, your McAfee subscription information, and Windows are all up to date. For more information, see:

2. Check to see if the suspicious file has already been quarantined: TS100843 - How to delete or restore quarantined files or programs

3. Check to see if the suspicious file contains a known threat, using VirusTotal. VirusTotal scans files with over 70 different virus scanners all at once, which increases the likelihood of an infection being identified. Click to learn more about VirusTotal.

Note, I have several blog entries on VirusTotal. This is the latest. You can follow the links in that blog to see the results. These results seem to change with every new release. Currently there is one issue detected by SentinelOne and the issue appears to be related to a Machine Learning (ML) algorithm: (Static ML) Static AI - Suspicious PE. Back to the issue at hand.

After completing all of the above, they want you to run their tool on your machine with the software following these instructions.

How to send sample files to McAfee

If you've followed the steps above and still think that you might have infected files, send one or more samples to McAfee. Use one of the options shown below.

We review and classify the samples appropriately, and get back to you with the results.

Option 1: Use the GetSusp tool:

The GetSusp tool analyzes the computer that you think contains malware and tries to identify suspicious files. Click download GetSusp or go to https://www.mcafee.com/enterprise/en...s/getsusp.html.
NOTES:
  • GetSusp is a Windows-only tool.
  • Make sure that the option Submit results to McAfee is checked under Preferences. GetSusp then automatically sends any suspect files to McAfee.
  • Remember to add your email address so that we can send a confirmation of your sample submissions, then click OK.
  • Preferences screen where you enter your email address so that you receive a confirmation on submitted samples.
  • Click Scan Now to run a scan. Any suspicious or infected files are submitted to McAfee Labs.
  • The file being sent to us must not be larger than 10 MB.

When we receive the results, you're sent an automated confirmation email that contains a Work-item ID.

After the sample has been analyzed and found to be legitimate, it's whitelisted. If you haven't heard from us for more than 5 business days, contact Customer Service with the Work-item ID that you had received earlier.

Option 2: Email the sample to us:
  • If the sample file is smaller than 50 MB, you can submit samples to us by emailing virus_research@avertlabs.com, and attaching the file to your email. When you submit a sample via email, ensure that your attachment is contained in a password-protected ZIP file, with the password: infected (all lowercase).
  • If the sample file is larger than 50 MB, contact Customer Service with the relevant screenshot and the sample submission ID.

NOTE: If the ZIP file is smaller than 50 MB, it must not contain more than 30 files.

For more information about creating a ZIP file, see the Related Information section of this article. Click the I think I have a false positive link below to see an example email template.

NOTE: The sample email can be found here: https://service.mcafee.com/?articleI...l=article-view
__________________
Clay Pryor
nmCollector.net LLC
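The limits quoted in Option 2 above (password-protected ZIP, smaller than 50 MB, no more than 30 files) can be checked before the e-mail is sent. The following is an added example, not part of the original post and not McAfee's or nmCollector's code; the function name `check_submission` is hypothetical, and reading "50 MB" as 50 * 1024 * 1024 bytes applied to the ZIP attachment is an assumption.

```python
import sys
import zipfile
from pathlib import Path

# Limits quoted in the McAfee instructions above. Treating "MB" as
# 1024 * 1024 bytes is an assumption; the page does not define it.
MAX_BYTES = 50 * 1024 * 1024
MAX_FILES = 30
ENCRYPTED_FLAG = 0x1  # bit 0 of the ZIP general-purpose flags


def check_submission(zip_path, max_bytes=MAX_BYTES):
    """Return a list of problems; an empty list means the ZIP passes."""
    path = Path(zip_path)
    problems = []
    if not zipfile.is_zipfile(path):
        return [f"{path.name}: not a ZIP archive"]
    size = path.stat().st_size
    if size >= max_bytes:
        problems.append(f"archive is {size} bytes; e-mail route needs < {max_bytes}")
    # The central directory is readable without the password.
    with zipfile.ZipFile(path) as zf:
        files = [i for i in zf.infolist() if not i.is_dir()]
    if not files:
        problems.append("archive contains no files")
    if len(files) > MAX_FILES:
        problems.append(f"{len(files)} files; limit is {MAX_FILES}")
    # Password protection is recorded per entry, so every file must carry it.
    plain = [i.filename for i in files if not i.flag_bits & ENCRYPTED_FLAG]
    if plain:
        problems.append(f"{len(plain)} unencrypted entries, e.g. {plain[0]}")
    return problems


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_submission.py SAMPLE.zip")
    found = check_submission(sys.argv[1])
    for p in found:
        print("FAIL:", p)
    print("OK to attach" if not found else "fix the above before sending")
    sys.exit(1 if found else 0)
```

The check confirms only that each entry is flagged as encrypted; it does not verify that the password is the one the instructions ask for.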
  #4  
Old 01-17-2022, 11:22 AM
nmCollector nmCollector is offline
 
Join Date: Dec 2009
Location: Albuquerque, New Mexico
Posts: 414
Thumbs up Machine Learning (ML) Artificial Intelligence (AI) Threat Detection

As documented in my blog entries on the subject, linked to above, I should add that this ML and AI threat detection is very susceptible to false positives. In the case of NM Collector CP the issue seems to be with the method of deployment to Windows. This is the best explanation I have found:

Quote:
This has come up before. The packaged exe works by creating a new process (ie starting Java). This is seen as a possible threat by "AI" based antivirus/antimalware software. I had this problem with Malwarebytes. I reported this as a false positive and don't have the issue anymore.
However, not all virus software companies are so easy to work with. I have had difficulty working with McAfee since I am not a customer so I cannot provide the specific information they want from their tools. I could not duplicate the issue with the evaluation copy of McAfee that I tried and I refuse to pay them for a product I do not want.

As a result, I am dependent on one or more users of McAfee who are experiencing this problem to get McAfee to look at it. So far nobody (that I know of) has been willing to go through the hoops McAfee throws at them to get the software evaluated.

Thanks,
__________________
Clay Pryor
nmCollector.net LLC