#212268 - 2017-02-07 11:33 AM Compiled scripts detected as malware by McAfee/Intel security
Mart Moderator Offline
KiX Supporter
*****

Registered: 2002-03-27
Posts: 4672
Loc: The Netherlands
Please be aware that since last Sunday (Feb 5 2017) compiled kix scripts are seen as malware by McAfee/Intel security. We experienced some issues due to this and contacted our consultancy company to assist and contact McAfee/Intel security to get this fixed. Samples have been sent and are being analyzed by the techs at the moment. They expect to release an ExtraDAT or (depending on the time) incorporate the fix directly in the regular DAT releases.

It is a generic detection without any specific malware associated to it but the defense mechanisms are triggered and the file is blocked or removed depending on your settings.

Below is the detection we had. The part after the exclamation mark will be different depending on the application that is blocked/deleted.
 Quote:

....
List of Detected Threats: GenericR-JFN!1A28C854203E
....


System details: Win7 SP1, Kix 4.67, editor and compiled in ASE.
_________________________
Mart

- Chuck Norris once sold ebay to ebay on ebay.

#212269 - 2017-02-07 02:56 PM Re: Compiled scripts detected as malware by McAfee/Intel security [Re: Mart]
Allen Administrator Online   shocked
KiX Supporter
*****

Registered: 2003-04-19
Posts: 4545
Loc: USA
Tokenized scripts?
#212270 - 2017-02-07 05:14 PM Re: Compiled scripts detected as malware by McAfee/Intel security [Re: Allen]
Mart Moderator Offline
KiX Supporter
*****

Registered: 2002-03-27
Posts: 4672
Loc: The Netherlands
Not sure. I did not test with tokenized scripts. In ASE you can compile it to an exe. The combination of the script and kix32.exe or wkix32.exe triggers AV software with the current DAT from McAfee/Intel security. The script or wkix32 or kix32 do not trigger it but the combination does.
_________________________
Mart

- Chuck Norris once sold ebay to ebay on ebay.

#212271 - 2017-02-07 05:18 PM Re: Compiled scripts detected as malware by McAfee/Intel security [Re: Mart]
Allen Administrator Online   shocked
KiX Supporter
*****

Registered: 2003-04-19
Posts: 4545
Loc: USA
I don't have any customers that use McAfee. I use Kix2exe (which is probably similar to the ASE) quite a bit. Curious if they are treating K2E the same way?
#212272 - 2017-02-07 09:20 PM Re: Compiled scripts detected as malware by McAfee/Intel security [Re: Allen]
ShaneEP Moderator Offline
MM club member
*****

Registered: 2002-11-29
Posts: 2125
Loc: Tulsa, OK
I have seen false negatives with kix2exe packaged scripts. I don't remember for sure if it was McAfee, but more than likely. Something about an exe, launching another exe, tends to seem suspicious.
#212275 - 2017-02-08 04:37 PM Re: Compiled scripts detected as malware by McAfee/Intel security [Re: ShaneEP]
Mart Moderator Offline
KiX Supporter
*****

Registered: 2002-03-27
Posts: 4672
Loc: The Netherlands
This issue seems to be fixed with DAT 8432.0000 (Feb 7 2017). I'll double check with the techs at McAfee to be sure.
_________________________
Mart

- Chuck Norris once sold ebay to ebay on ebay.

#212277 - 2017-02-09 10:11 AM Re: Compiled scripts detected as malware by McAfee/Intel security [Re: Mart]
Mart Moderator Offline
KiX Supporter
*****

Registered: 2002-03-27
Posts: 4672
Loc: The Netherlands
Sorry but this is not fixed in DAT 8432.0000. McAfee/Intel techs are still investigating this.

Edited by Mart (2017-02-09 10:12 AM)
_________________________
Mart

- Chuck Norris once sold ebay to ebay on ebay.

#212278 - 2017-02-09 11:33 AM Re: Compiled scripts detected as malware by McAfee/Intel security [Re: Mart]
Arend_ Moderator Offline
MM club member
*****

Registered: 2005-01-17
Posts: 1894
Loc: Hilversum, The Netherlands
Interesting, can you test by putting wkix32.exe and the script together in a self-extracting and executing 7-zip file? (that's pretty much how most packagers do it anyway).
#212341 - 2017-03-15 01:15 PM Re: Compiled scripts detected as malware by McAfee/Intel security [Re: Arend_]
Mart Moderator Offline
KiX Supporter
*****

Registered: 2002-03-27
Posts: 4672
Loc: The Netherlands
It took some time to get it done but the detections below have been marked as safe and will be ignored by McAfee/Intel. These were the detections we had.

GenericR-JFN!1A28C854203E
GenericR-JFN!77E0941BC5BB
GenericR-JFN!AA6A86D675DE
_________________________
Mart

- Chuck Norris once sold ebay to ebay on ebay.
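
An added example, not part of the thread or of any poster's tooling: a triage helper that maps detection names like the ones quoted above back to the compiled executables they refer to, so the right samples can be sent to the vendor. It assumes the part after the exclamation mark is the first 12 hex digits of the flagged file's MD5, which the thread does not state; the function names and the `*.exe` search pattern are hypothetical.

```python
import hashlib
import re
from pathlib import Path

# Detection names quoted in the thread.
DETECTIONS = [
    "GenericR-JFN!1A28C854203E",
    "GenericR-JFN!77E0941BC5BB",
    "GenericR-JFN!AA6A86D675DE",
]

# <family>!<12 hex digits>; the meaning of the suffix is an assumption (MD5 prefix).
NAME_RE = re.compile(r"^(?P<family>[^!\s]+)!(?P<suffix>[0-9A-Fa-f]{12})$")


def parse_detection(name):
    """Split a detection name into (family, SUFFIX), or return None if malformed."""
    m = NAME_RE.match(name.strip())
    if not m:
        return None
    return m.group("family"), m.group("suffix").upper()


def md5_prefix(path, length=12):
    """First `length` hex digits of the file's MD5, read in chunks."""
    h = hashlib.md5(usedforsecurity=False)  # identification only, not integrity
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()[:length].upper()


def match_detections(names, root, pattern="*.exe"):
    """Return ({detection name: [matching paths]}, [names with no file found])."""
    wanted = {}
    for n in names:
        parsed = parse_detection(n)
        if parsed:
            wanted.setdefault(parsed[1], []).append(n)
    hits = {}
    for path in sorted(Path(root).rglob(pattern)):
        for n in wanted.get(md5_prefix(path), []):
            hits.setdefault(n, []).append(str(path))
    unmatched = [n for n in names if n not in hits]
    return hits, unmatched
```

Names left in the second return value had no matching file under `root`; that usually means the file was already removed by the scanner and has to be restored from quarantine or rebuilt before it can be submitted.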
