Afraid it's happened again: McAfee condemned MadCHook...

c++ / delphi package - dll injection and api hooking
hmemcpy
Posts: 12
Joined: Tue Apr 20, 2004 11:47 pm

Post by hmemcpy »

Hello madshi and fellow developers...

First it was an anti-virus system I myself use: Kaspersky. It identified an older version of MadCodeHookLib as viral. It was resolved, and everyone was happy...

I have just been informed that the latest McAfee update identifies the latest MadCHook.dll as the AFXrootkit.dll.gen virus.

Madshi, please take it under consideration.

Thanks.
nildo
Posts: 249
Joined: Mon Mar 22, 2004 11:32 am

Post by nildo »

What does Aphex's code have to do with MadCodeHook? AFXrootkit.dll is not a virus. See for yourself at http://www.iamaphex.net/. Someone needs to send an e-mail to McAfee telling them this.
madshi
Site Admin
Posts: 10749
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

:cry:

It seems that every big AV company at least once in their lifetime condemns madCodeHook. I'll write to McAfee. Thanks for letting me know...
hmemcpy
Posts: 12
Joined: Tue Apr 20, 2004 11:47 pm

It's a shame

Post by hmemcpy »

that some people use this amazing product to make viral/harmful tools with it... It just hurts.

I've just looked at the link posted to AFX. One of their programs is a code hook library. Makes me wonder... has any disassembled madchook.dll code been stolen and put into AFX? I mean, how else would you explain the AV trigger?
hmemcpy
Posts: 12
Joined: Tue Apr 20, 2004 11:47 pm

Post by hmemcpy »

Has the issue been resolved? I don't have any way to test McAfee myself...
nildo
Posts: 249
Joined: Mon Mar 22, 2004 11:32 am

Post by nildo »

Here McAfee did not detect MadCodeHook as a virus... Version of McAfee: 4.5.1 with the last update.
hmemcpy
Posts: 12
Joined: Tue Apr 20, 2004 11:47 pm

Post by hmemcpy »

Is that the latest madCodeHook?

I don't know whether, if I try to install McAfee right now, it won't go haywire with my other antivirus, which I don't want to uninstall...

Thanks anyway... Maybe they've read madshi's letter :)
madshi
Site Admin
Posts: 10749
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

I've checked the situation. McAfee seemingly detects *all* madCHook.dll versions... :( I've mailed them and hopefully they'll remove the detection as soon as possible. Sorry for the inconvenience. I really don't understand why McAfee detects madCHook.dll instead of AfxRootKit.exe...
madshi
Site Admin
Posts: 10749
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Someone just mailed this to me:

http://vil.nai.com/vil/content/v_127138.htm
The AFXrootkit trojan uses a third party library to achieve its stealthing. The 4382 DATs incorrectly identify a legitimate DLL (madCHook.dll 108,544 bytes) as trojan or variant AFXrootkit.dll.gen. This will be suppressed in the 4383 DAT release.
madshi
Site Admin
Posts: 10749
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Reply from McAfee:
My apologies for this reoccurring.

Our Beta Dats contain corrected detection and our next scheduled
full-release dats will also contain corrected detection.

Additionally we are taking steps to help ensure that this problem does not
reoccur.