ATP100 - false/positive McAfee/Trellix amupdate.exe

e_mano_e
edited October 2022 in Security
Hi,

today a customer sent me about 500 emails generated from the ATP100 CDR feature stating that malware was detected.

It showed in the logs that the amupdate.exe was detected as malware.
amupdate.exe belongs to McAfee/Trellix Endpoint Security Software.

Here is the Hash of the detection: 7C32EC1E282EFF6530D0DE979687537E

This was an issue some weeks (or months) ago.
Please update the Anti-Malware signatures to not detect this as malware.

Thanks.

All Replies

  • Zyxel_James
    Zyxel_James Posts: 606  Zyxel Employee
    Hello @e_mano_e,
    Thanks for your feedback.
    Since I cannot reproduce this problem, could you provide the information below?

    1. The complete message of the log
    2. A screenshot of Anti-Malware Statistics (Monitor > Security Statistics > Anti-Malware).
    3. Anti-Malware signature
    4. amupdate.exe download link. (I downloaded amupdate.exe from https://www.pconlife.com/viewfileinfo/amupdate-exe/, but Anti-Malware didn't detect anything.)

    Thanks,
    James

  • Hello, I've got the same problem on 2 different customers with Flex 200. Each Trellix client that makes an update is blocked by Zywall: CDR malware detected

  • Zyxel_James
    Zyxel_James Posts: 606  Zyxel Employee
    Thanks for your feedback.
    Could you provide more information as I mentioned previously?

    James
  • The same hash as "@e_mano_e":
    Malicious Virus (detected by Anti-Malware Cache)
    7C32EC1E282EFF6530D0DE979687537E
    Signatures are updated.

    thanks for help
  • e_mano_e
    e_mano_e Posts: 82  Ally Member
    @Zyxel_James

    1. The complete message of the log
    Sorry. The log is already cleared. It seems that the ATP100 log space is a bit small.

    2. A screenshot of Anti-Malware Statistics (Monitor > Security Statistics > Anti-Malware).

    It would also be helpful if this screen would show a) the virus name and b) which file the virus and hash belongs to. Currently I only see a Hash value but without the logs I do not know which malicious file it belongs to.

    3. Anti-Malware signature


    4. amupdate.exe download link. (I downloaded amupdate.exe from https://www.pconlife.com/viewfileinfo/amupdate-exe/, but Anti-Malware didn't detect anything.)
    I do not know the download link. The Endpoint Security Autoupdater does this in the background.

  • Zyxel_James
    Zyxel_James Posts: 606  Zyxel Employee
    We're checking; I will get back to you when there is any progress or if we need anything. Please wait patiently, thank you.

    However, I cannot reproduce this false positive: I downloaded amupdate.exe and didn't detect anything. Could you provide reproduction steps? Are you blocked during an update or download? Thank you.

    James
  • e_mano_e
    e_mano_e Posts: 82  Ally Member
    <<Are you blocked during an update or download?>>
    Normal update that Trellix does periodically in the background.
