JOEL IVEY · Dec 6, 2022

Community Edition of Iris identified as malicious by McAfee and Malwarebytes

Yesterday I downloaded and attempted to install the newest version of the Community Edition of IRIS but not the preview, and attempted to update an older version, but each time I tried to install it, I would get an error, and then an antivirus program would indicate that it had identified and blocked a threat (McAfee identified it as GenericRXAA-FA!EAEEF9B8457F with a location of C:\Users\jivey\AppData\Local\Temp\pbt3FDD840C\IRIS_x64.msi).  I tried the installation again this morning and this time a threat was identified by Malwarebytes as Malware.AI.4072586503 and McAfee identified it as it did yesterday.  I was trying to upgrade my system for Open Source development, but now have removed the previous IRIS installation and don't have IRIS on my development system.

I have no idea what is going on with this installation, I have never had a problem before, and in the Product Version that I could select from while entering this message 2022.2 doesn't exist.

Product version: IRIS 2022.1
$ZV: IRIS 2022.1

This is probably a question to raise in the WRC.

What's the MD5 hash of your InterSystems IRIS Community 2022.2.0.368.0 installation file (original exe, not the unpacked msi)?

The MD5 of IRIS_Community-2022.2.0.368.0-win_x64.exe that I obtained was  fec44f570d1b64d8cd6ae15d41c5d602.  I did not find a value to compare this against.

This is likely a false positive. Each Antivirus company comes up with their own algorithm to determine if an application may be malicious. These factors include the number of times they have seen the file, how it is installed, and if the file is digitally signed with an EV certificate.

This means that new releases are more likely to be flagged by AV vendors as malicious as they build up a positive reputation score.

InterSystems digitally signs our installer exe, but does not currently sign the unpacked msi. You can verify the validity of the exe by examining the properties of the file. If that file is signed by InterSystems, you can safely assume that McAfee is flagging this as a false positive. We are changing our release pipeline and are examining the benefits of signing the internal msi.

We have reached out to McAfee to try to notify them of false positives, and they have asked that their customers directly contact them via a support case; they do not work with vendors such as InterSystems.

In summary, if the original exe is signed, you can safely assume it is a false positive and create an exception with McAfee using the hash of the file.
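The check described in the reply above, scripted as an added example (not code from InterSystems or from this thread): it verifies the Authenticode signature on the downloaded exe, confirms the signer name, and records the hashes you would quote in an AV exception. The installer path and the expected signer string are assumptions; adjust them to your download.

```powershell
# Added example, not part of the original thread.
# Assumption: the exe is in the Downloads folder under the file name the
# original poster quoted; change $installer if yours differs.
$installer = Join-Path $env:USERPROFILE 'Downloads\IRIS_Community-2022.2.0.368.0-win_x64.exe'

function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Expected signer; 'InterSystems' is the vendor named in the reply above (assumed match string).
        [string]$ExpectedSigner = 'InterSystems'
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }
    # Only the outer exe is signed; the msi unpacked into %TEMP% is not,
    # so run this against the exe you downloaded, not the Temp copy the AV named.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # 'Valid' means the signature verifies and chains to a trusted root.
    # 'NotSigned', 'HashMismatch' or 'UnknownError' mean unsigned, altered,
    # or untrusted, and the file should not be whitelisted.
    $signed   = $sig.Status -eq 'Valid'
    $signerOk = $signed -and ($sig.SignerCertificate.Subject -like "*$ExpectedSigner*")

    [pscustomobject]@{
        Path     = $Path
        Status   = $sig.Status
        Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        NotAfter = if ($sig.SignerCertificate) { $sig.SignerCertificate.NotAfter } else { $null }
        Trusted  = $signerOk
        # MD5 is what the thread compares; SHA256 is what most AV exception
        # dialogs ask for, so record both.
        MD5      = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash.ToLower()
        SHA256   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    }
}

$result = Test-InstallerSignature -Path $installer
$result | Format-List

if (-not $result.Trusted) {
    Write-Warning "Signature check failed ($($result.Status)); do not create an AV exception for this file."
}
```

Only when Trusted is True does it make sense to add an exception keyed on the printed hash; a valid signature from an unexpected signer is still a failure.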

Well, I kept indicating to my copy of McAfee that the application they were halting should be ignored, but that certainly didn't stop the problem.  I tried to contact McAfee and indicate to them that there was a false positive for the files, and had little to no success.  I could find no way to contact them about the issue by email.  I then did call their TechMaster Support number, which ended up being totally laughable.  I finally decided to uninstall McAfee from my system and after that I was able to complete the installation.  So the idea that customers will be able to directly contact them via a support case doesn't seem very possible.