McAfee Access Protection Errors

[ghost]

With McAfee VirusScan Enterprise 8.8.0.1247, I'm getting several entries for each of the following errors in my Access Protection Log when running ZBS:

Blocked by Access Protection rule   [my domain user]    [ZBS install directory]\ZeroBraneStudio\zbstudio.exe    C:\Program Files (x86)\McAfee\Common Framework\McTray.exe   Common Standard Protection:Prevent termination of McAfee processes  Action blocked : Terminate
Blocked by Access Protection rule   [my domain user]    [ZBS install directory]\ZeroBraneStudio\zbstudio.exe    C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe Common Standard Protection:Prevent termination of McAfee processes  Action blocked : Terminate

Please see this post by a McAfee SME: https://community.mcafee.com/message/250101#250101

[pkulchenko]

I'm not sure what to do about it. What version of ZBS are you running? When exactly do you get this message? When you start debugging? Stop debugging? Run a script from the IDE? Stop the script? Start ZBS?

ZBS may use TERMINATE_PROCESS call, but only to terminate the scripts or applications started from it. For example, when you use "Stop Debugging", ZBS will attempt to stop the process that is being debugged (with the ID of the process reported in the Output window). I can't think of a situation when it would try to terminate anything else other than the process it itself started.

Their description says "try to interact with one of our protected processes, and explicitly seeks the access mask called TERMINATE_PROCESS" and the only situation that may qualify as "interact" is when ZBS is checking if the application it launched has any windows that need to be shown or hidden. This process iterates over all windows currently present, but any action is limited to the windows with the same process IDs as the one started from the IDE.

Do you see similar reports for other applications? It does seem like a false positive and I haven't seen other reports with this issue. I'll see if I can submit ZBS to McAfee's whitelist.

[ghost]

I downloaded the latest version this morning (0.50 Windows exe installer).

Those were the only errors in log (repeated many times).

I only used ZBS to launch the demos that came with it. Some of the demos I ran while others I debugged, so I'll need to test that tomorrow (it was on my work PC).

There was no notifications or warnings from McAfee when it happened and all the demos ran perfectly, so I wasn't even aware there was a problem until I accidentally stumbled on those errors when troubleshooting something else unrelated.

Tomorrow I'll clear the log then watch it as I start and stop Run, Run from Scratchpad, and Debug for all the demos.

[pkulchenko]

@lualuau, sounds good. Please check if you see those messages after one of these events: (1) starting ZBS, (2) starting debugging, (3) stopping debugging (using "Stop Debugging"), (4) finishing debugging "naturally", (5) running the application (without debugging), and (6) stopping the application (using "Stop Process"). You can skip Run as Scratchpad as it's not too different from debugging (in terms of launching processes from ZBS). Thank you!

[ghost]

1) Launching ZBS doesn't cause any Access Protection log entries. 2-4) Starting debugging will cause entries to be generated indefinitely while debugging (aprox. 30 per second on my machine) until stepping over all the lines until the end of the script, stopping the debugging, or if I set a Breakpoint and Continue it will stop generating entries (after clicking Continue) even if I Step Over/In/Out of the breakpoint and all the remaining lines. 5-6) Running (F6) the application will cause several (25-85) entries to be generated when started, but not while running or when stopping.

I tested with most of the scripts in "spirograph-samples" and "turtle-samples".

Run as Scratchpad behaved the same as Debugging, like you said, but not with all scripts, e.g., "graph.lua" in the "livecoding-samples" directory would only generate a fixed number of entries like when Running the application. Debugging those apps would cause the continuous log entries same as all the others.

I'm running Win7 Pro SP1 x64.

Let me know if there's anything else I can do to help.

[pkulchenko]

Very interesting; this does sound like it's reported only because the IDE enumerates the windows. It stops when you "run" the application as the window is found it acted upon.

To confirm this, can you add the following line to ZBS config: unhidewindow = nil. This should disable any activation logic and as such may eliminate the log entries reported. Thank you.

[ghost]

I entered that line into the system preferences then restarted ZBS. The Graphics Window was no longer created and no Access Protection log entries were created either (when Running or Debugging).

[pkulchenko]

The Graphics Window was no longer created and no Access Protection log entries were created either (when Running or Debugging).

Yes, this indicates that McAfee VirusScan doesn't like the process enumerating windows, which is quite innocent behavior. I think it's an overreaction on the VirusScan part, so I'll be closing this ticket, but I'm also going to check on two options: (1) getting the list of windows for a process (don't see a way in the current winapi API, and (2) whitelisting ZBS with McAfee (can be time consuming and probably won't help with already deployed installations).

[pkulchenko]

I'm using this ticket to track virus total reports for ZBS packages: win32.exe, win32.zip, lua5.1.dll, winapi.dll, and zbstudio.exe. Some of these files report 1-2 threats (mostly various forms of Trojan malware), but they seem to be false positives as they get reported on files like a proxy dll (lua5.1.dll) and not reported on other dlls or executable files, like zbstudio.exe.

From VirusTotal FAQ:

A given antivirus in VirusTotal detects a file and its equivalent commercial version does not VirusTotal antivirus solutions sometimes are not exactly the same as the public commercial versions. Very often, antivirus companies parametrize their engines specifically for VirusTotal (stronger heuristics, cloud interaction, inclusion of beta signatures, etc.). Therefore, sometimes the antivirus solution in VirusTotal will not behave exactly the same as the equivalent public commercial version of the given product.

VirusTotal is detecting a legitimate software I have developed, please remove the detections VirusTotal acts simply as an information aggregator, presenting antivirus results, file characterization tool outputs, URL scanning engine results, etc. VirusTotal is not responsible for false positives generated by any of the resources it uses, false positive issues should be addressed directly with the company or individual behind the product under consideration.

Also from VirusTotal About page:

Very often antivirus solutions and URL scanners will produce false positives, i.e. detect as malicious innocuous files and URLs. These erroneous detections may severely hinder the business activity/popularity of third party products (e.g. refrain access to a given site, disuade users from downloading and installing a given application, etc.).

[pkulchenko]

Results for v1.10: zip file and exe file.