I got a report today that my software (the installation wizard) is virus
infected according to McAfee's latest definitions.
More particularly an older version of my software wrapped with an older
version of Inno Setup (don't ask me what version, I don't know anymore).
The file in question that is labeled as infected can still be downloaded
here for instance:
It doesn't seem to happen with the consumer version but appears to happen
with the enterprise version of McAfee.
I'm putting this to the group because more installation exes were found as
infected on this user's system ... POSSIBLY all done with Inno, I don't know.
I'm curious to find out if more of you are affected by this serious problem
that could undermine our product and company name?
The full story here (email conversation), if you're interested in this
possible issue, it's worth reading this to understand the issue better:
Thanks for your response. Based on your checking, I'm inclined to
believe that the virus definition we received yesterday has a flaw.
McAfee does that regularly.
BTW, I hate McAfee, but it's the anti-virus tool mandated by my
employer, an agency of the federal government. More on that below.
>> This morning my McAfee VirusScan 8.0 -- engine 4400, with the new
>> virus definitions received yesterday, 4511 -- declared the file had a
>> trojan horse, specifically "Generic BackDoor.dr(Trojan)," and deleted
>> the file.
> Huh ???
> Unless the exe got infected on your system this is really
I don't think it got infected on my system for a couple reasons. I first
learned of the McAfee action because I got an alert from work saying the
copy of the PCWorld IsoBuster 1.7 had been identified as a trojan and
deleted by the nightly McAfee scan there. (I had copied the image of the
WinXP SP2 CD and the tools I used to make it, including IsoBuster, to a
server at work.) I then checked my McAfee log on my home machine and
found it had done the same. So two separate machines reacted the same
way and the only thing they have in common is this version of McAfee and
these virus definitions.
The other thing that makes me think we're looking at a false positive
here is that McAfee does the same thing when I download a fresh copy of
1.7 from PCWorld. I just did the same thing on an unrelated machine at
work and got the same result. (These repeated alerts will freak out the
other people who get the virus notices at work, but I was going to tell
them what was going on anyway.)
> It's the first I hear of this but then if you say this
> is only with the latest virus definitions ...
When I looked up the generic class of alleged trojan that McAfee claimed
it found, Generic BackDoor.dr, I note that allegedly McAfee has been
able to detect this since 6/25/2003, but that the detection was
"updated" on 6/10/2005. It looks as if the update broke something.
Here's their info:
> I hope it's a fluke because otherwise this is going to be a support
> nightmare, and a blow for the product and company name.
> Obviously 1.7 is not (nor contains) a virus or trojan.
Perhaps there's some means by which you can contact McAfee about this
> Were there other files flagged by McAfee as well?
None, but that doesn't undermine my theory.
Actually, now that I think about it, I got several virus reports this
morning, but I focused on the one that was a file I put on a server and
also had on my home PC.
I just looked up the details on the other reports and McAfee found the
same "trojan" in two files each on two different PCs at work:
GMT4.0setup.exe - Generic BackDoor.dr(Trojan)
MIRONE06setup.exe - Generic BackDoor.dr(Trojan)
cclog.exe - Generic BackDoor.dr(Trojan)
MMTTY165B.zip - Generic BackDoor.dr(Trojan)
I dare say the users are unlikely to miss these files, but it does lend
support to the theory that the McAfee virus definition for this "trojan"
> I run Kaspersky as protection against virii
> I have the very latest definitions loaded and did a deliberate scan of all
> versions just now.
> No complaints, all is clean.
This again suggests that the latest virus definition is the problem.
> PCWorld seems to be hosting the file themselves, instead of linking to the
> IsoBuster download sites.
I wrote them with the same query.
> I downloaded the file there, checked it with Kaspersky and the file was OK
> as well.
> So at least to Kaspersky nothing is wrong with v1.7, which can be
> downloaded from the PCWorld website.
> What I can't see is if they mirror the file on more than one server and so
> one of them may still be infected but on the other hand it would surprise
> me greatly if PCWorld would host infected files.
I've downloaded it three times (the original time, and today once at
home and once at work) and got the same result. So I think they're
serving up the same file each time and the problem is the latest McAfee
virus definition is falsely identifying a threat in that file.
> I downloaded the latest version of McAfee (15 day trial) and tried it
I tried to do this to see if I would get a different result, but the
McAfee site wouldn't let me get the stupid trial version. Outside of
forcing me to use Internet Explorer, which I dislike, and turning off
all its security and cookie controls, it said I was ineligible because I
needed a subscription. I thought I had enrolled but it apparently wants
something else. As I can't figure out what that is, I gave up. Did I
mention I hate McAfee?
> McAfee did not complain at all, not on the files on our system(s), not
> on the file downloaded from PCWorld.
The reason I wanted to try the trial version is I suspect it's the
consumer version of the product. I think the enterprise version that we
use and the virus definitions we get are substantively different from
the consumer version. So they could have broken my virus definition file
yesterday without breaking the one you tried.
> PS. besides with Kaspersky, also double checked with Norton (latest
> definitions), and no problems detected.
Well, the bottom line is I am relieved. Again, thanks for putting in so
much work to check this out.
I will write PCWorld to tell them what you found. As I don't have a
straightforward means to contact McAfee, you might want to try. Often
McAfee seems to find these problems within a couple days itself and
fixes it in a subsequent update. As they issue updates daily, this may
be fixed later today.
With luck no other McAfee users will actually report this problem to
you. Unless they are using the enterprise version, have automatic
periodic scanning turned on, and have an alert mechanism in place (the
automatic scans in McAfee 8 don't normally notify the user of any virus
removals), they're unlikely to get a report such as I did. And in a day
or so the problem will probably be fixed.