McAfee detected BigFix as a virus

(imported topic written by basketman2391)

Here is a log file entry from McAfee:

22/04/2008 15:10:34 Not scanned (scan timed out) NT AUTHORITY\SYSTEM BESClient.exe C:\Program Files\BigFix Enterprise\BES Client__BESData\Enterprise Security\1Superseded.fxf\000004ae.EML (Virus)
Does anybody know about this issue?

Does it require sending an email, and for what?

(imported comment written by BenKus)

Hi Basketman,

It looks like your McAfee is having some issues. The first indication of the problem is that the path provided can’t possibly be a file… Specifically:

“C:\Program Files\BigFix Enterprise\BES Client__BESData\Enterprise Security\1Superseded.fxf” is a file

“C:\Program Files\BigFix Enterprise\BES Client__BESData\Enterprise Security\1Superseded.fxf\000004ae.EML” is an invalid path.

Additionally, we don’t use any files with the extension .EML. I believe that extension is used for your email browser.

So you should talk with McAfee to try to understand what might cause this type of AV error. I think I remember at least one customer reporting something very similar, but it was a long time ago and we never heard about the issue again after they talked to McAfee so I am guessing that they fixed it somehow.

Ben
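A triage check built on the observation above, added here as an example and not code from the thread or from BigFix: it parses a McAfee line of the shape quoted (field layout is assumed) and reports when an ancestor of the flagged path is a regular file rather than a directory, which means the scanner is reporting content it unpacked itself, not a file that exists on disk. The client directory tree is constructed under a temporary directory so the check runs offline.

```python
import re
import tempfile
from pathlib import Path, PureWindowsPath

# Constructed sample line, in the same shape as the McAfee entry quoted above.
SAMPLE_LINE = (
    "22/04/2008 15:10:34 Not scanned (scan timed out) NT AUTHORITY\\SYSTEM BESClient.exe "
    "C:\\Program Files\\BigFix Enterprise\\BES Client__BESData\\Enterprise Security"
    "\\1Superseded.fxf\\000004ae.EML (Virus)"
)

# Assumed field layout: date, time, action, user, process, path, (category).
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>.+?) (?P<user>[A-Za-z ]+?\\\S+) "
    r"(?P<process>\S+) (?P<path>[A-Za-z]:\\.+?) \((?P<category>[^()]+)\)$"
)

def parse_line(line):
    """Split one McAfee log line into its fields; None if the layout does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def file_ancestor(win_path, root):
    """Map a Windows path onto a local tree under `root` and return the name of the
    first ancestor that exists as a regular file. None means every ancestor that
    exists is a directory, so the path could genuinely exist."""
    parts = PureWindowsPath(win_path).parts[1:]   # drop the drive letter
    current = Path(root)
    for part in parts[:-1]:                        # ancestors only, not the leaf
        current = current / part
        if current.is_file():
            return part
        if not current.exists():
            return None                            # nothing more can be concluded
    return None

def triage(line, root):
    """'unparsed', 'invalid-path' (a parent component is a file, so the reported
    path cannot exist on disk) or 'plausible'."""
    fields = parse_line(line)
    if fields is None:
        return "unparsed"
    return "invalid-path" if file_ancestor(fields["path"], root) else "plausible"

def build_demo_tree():
    """Constructed stand-in for the client tree: 1Superseded.fxf is a regular file."""
    root = tempfile.mkdtemp()
    fxf = Path(root, "Program Files", "BigFix Enterprise", "BES Client__BESData",
               "Enterprise Security", "1Superseded.fxf")
    fxf.parent.mkdir(parents=True)
    fxf.write_bytes(b"constructed placeholder content")
    return root

if __name__ == "__main__":
    print(triage(SAMPLE_LINE, build_demo_tree()))   # invalid-path
```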

(imported comment written by Security_admin)

We have received the same alert from the McAfee scanner for virus detection on an EML file. This file is located under the TEM client: “C:\Program Files\BigFix Enterprise\BES Client__BESData\BigFix Labs__Local\Get\Content.fxf\0000992b.EML”

These alerts are spreading rapidly across the organization, and we have already checked with McAfee; as per them, this is a false positive alert. However, we want to know what these .EML files are used for and whether we have an update/hotfix from IBM for this issue.

We are suspecting it to be vulnerable to the Heartbleed bug, as these files are detected as the “Exploit-SSL” virus.

I would request IBM support to have this checked at the earliest and update the forum.

(imported comment written by MichaelBell)

BigFix Labs now includes a scanner for CVE-2014-0160 (Heartbleed) and although the scanner itself is NOT distributed via the site, it is referenced in the fixlets as well as general commentary about it. We believe McAfee is producing these .EML files themselves and is picking up on the content (now in a .EML) and incorrectly flagging them most likely based upon the commentary in the description, not any real threat. There is NO malware being propagated via the site content.

To confirm, the scanner binary is found at
http://support.bigfix.com/labs/downloads/CVE-2014-0160.bfz
and McAfee’s own scanner shows this file to be free from malware as seen here:
http://www.siteadvisor.com/sites/http%3A//support.bigfix.com/labs/downloads/CVE-2014-0160.bfz

Unfortunately, there is nothing we can do about the false positive other than assure you that we have tested our content. Please contact your McAfee representative and request assistance in having the false positive corrected in your environment.