
False virus alerts from McAfee VirusScan when indexing files

Posted: Wed Mar 25, 2009 4:20 am
by lveale
Hi there

Just this morning, during my scheduled file index with X1 Professional Client 6.2.1 (build 3618), I suddenly started getting virus alerts from McAfee VirusScan Enterprise about a trojan virus called Ransom-F. Every alert identifies an infected file in C:\documents and settings\MyName\local settings\temp\X1Server\, so I guess X1 is taking a local copy of files on the network, in order to index them?

When I go directly to the supposedly infected file on the network and scan it, it is free from viruses - so I can only conclude that X1 is making the files appear infected (or even, is infecting the files!? Seems unlikely....).

If it helps, the VirusScan engine version is 5300.2777 and the DAT version is 5563.0000 dated 24th March 2009.

Has anyone else experienced this?

Posted: Wed Mar 25, 2009 4:34 am
by gemdelft
Same problem here. Since today it triggers Ransom-F virus alerts.
We got VirusScan 8.0i patch 15, engine 5300, definitions 5563, EPO agent 3.5.5.

Posted: Wed Mar 25, 2009 5:00 am
by esbachb
Same thing here, users all across the network are being hit by this.
In our case, all users report that the virus is constantly throwing up for every attachment, both on index and on access (i.e., not just once but multiple times per document).
We know the documents are clean in this case as well.

I'd really appreciate an official response to this one so that users can be informed.

Posted: Wed Mar 25, 2009 5:27 am
by tjh
Surely if it's just happening today, it's a McAfee problem?

I understand that a direct scan of the file doesn't show up, but it must be something McAfee has done if it's only just started happening to all McAfee users today?

Tim

Posted: Wed Mar 25, 2009 6:14 am
by lveale
If you care to post some suggestions as to how we can decide whether McAfee or X1 are to blame, then I'll happily try them. It just seems odd to me that the file itself is uninfected, but having "been through" X1 indexing, it then "appears" infected.

Thanks!

Posted: Wed Mar 25, 2009 7:52 am
by lveale
I have just updated to the latest version (6.2.3 - 3631ao), and I still have the problem.

Posted: Wed Mar 25, 2009 9:11 am
by Kenward
McAfee, famously crap at such things, has almost certainly sent out a signature update that erroneously identifies a virus in X1.

The fact that no other virus detector reveals the same issue says a lot.

You should report this to McAfee. They are the people who caused the grief.

Unfortunately, McAfee is a consumer product which means that it is almost certainly less responsive than software used in a commercial environment. So you may have a hard time trying to get a response.

Posted: Wed Mar 25, 2009 12:45 pm
by Greg Dawes
X1 is in contact with McAfee to get them to update their virus definitions. In the meantime, a knowledge base article has been posted on our support site.

Go here: http://www.x1.com/support/kb.html

And search for "McAfee". If you want more background on X1 and anti-virus programs, try searching for "virus".

Posted: Thu Mar 26, 2009 5:45 am
by lveale
Great! Thanks Greg! Much appreciated.
Lewis

Posted: Thu Mar 26, 2009 9:48 am
by Greg Dawes
We've updated our X1 Knowledge Base article with respect to the Ransom-F Trojan alert from McAfee:

- http://tinyurl.com/cvts7b