Please be aware that since last Sunday (Feb 5 2017) compiled kix scripts are seen as malware by McAfee/Intel security. We experienced some issues due to this and contacted our consultancy company to assist and contact McAfee/Intel security to get this fixed. Samples have been sent and are being analyzed by the techs at the moment. They expect to release an ExtraDAT or (depending on the time) incorporate the fix directly in the regular DAT releases.

It is a generic detection without any specific malware associated with it, but the defense mechanisms are triggered and the file is blocked or removed depending on your settings. Below is the detection we had. The part after the exclamation mark will be different depending on the application that is blocked/deleted.

Quote:
....
List of Detected Threats: GenericR-JFN!1A28C854203E
....

System details: Win7 SP1, Kix 4.67, editor and compiled in ASE.
Tokenized scripts?
Not sure. I did not test with tokenized scripts. In ASE you can compile it to an exe. The combination of the script and kix32.exe or wkix32.exe triggers AV software with the current DAT from McAfee/Intel security. The script or wkix32 or kix32 do not trigger it but the combination does.
I don't have any customers that use McAfee. I use Kix2exe (which is probably similar to the ASE) quite a bit. Curious if they are treating K2E the same way?
I have seen false negatives with kix2exe packaged scripts. I don't remember for sure if it was McAfee, but more than likely. Something about an exe launching another exe tends to seem suspicious.
This issue seems to be fixed with DAT 8432.0000 (Feb 7 2017). I'll double check with the techs at McAfee to be sure.
Sorry but this is not fixed in DAT 8432.0000. McAfee/Intel techs are still investigating this.
Interesting, can you test by putting wkix32.exe and the script together in a self-extracting and executing 7-zip file? (That's pretty much how most packagers do it anyway.)
It took some time to get it done but the detections below have been marked as safe and will be ignored by McAfee/Intel. These were the detections we had.

GenericR-JFN!1A28C854203E
GenericR-JFN!77E0941BC5BB
GenericR-JFN!AA6A86D675DE