One man's false positive is another man's proactive protection. Looking at the driver, "Exploit-CVE2007-3845" is a bit too specific a name for such a heuristic detection. But I'm not overly concerned about it catching other exploit code.
OK, the context may not be exactly right in this specific GroupShield example, but I'm not one to sacrifice genericity and performance for the sake of allowing security researchers to swap exploit code.

Craig Schmugar
Threat Researcher
McAfee Avert Labs

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, October 09, 2007 12:03 PM
To: [email protected]
Subject: Re: [funsec] The false positive in McAfee GroupShield

This warning is kind of funny. I wonder what triggered the false positive in my original message.

Richard

> McAfee GroupShield™ Alert
>
> McAfee GroupShield discovered a problem with this email. If you do not
> know the sender, it is probably a virus. If you do know the sender but
> were not expecting an attachment from them or the subject or message
> text "doesn't sound like something they would say," it is probably a
> virus. Simply delete this message if you believe this message contains a
> virus. Do not be alarmed that you got a virus-laden message--some people
> are getting a dozen per day. Welcome to the club :-) Call the help desk
> at x5ITC if you need further information.
>
> Date/Time sent: 09 Oct 2007 14:48:21
> Subject line: Re: [funsec] Adobe confirms critical vulnerability after a
> remarkable delay
> From: [EMAIL PROTECTED]
> To: Juha-Matti Laurio
> Action taken: Replaced
> Reason: Anti-Virus
> Rule Group:
> Virus (if found): Exploit-CVE2007-3845
> Quarantined file:
> Filename:
> Ticket: 10ac-470b-ccf5-0001
>
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
