Unsolved
This post is more than 5 years old
19 Posts
0
14234
URGENT! McAfee claiming Alienware file Oscust.exe is a trojan
New Alienware laptop, McAfee (installed on system by manufacturer) has no way to leave this file alone, it just keeps quarantining it. I've uploaded it at virustotal, 16/40 flag this file as a trojan, but I found a post from an Alienware software developer who says this file is legit and that some antivirus software may flag it as malware. At the moment, we're likely going to have to uninstall McAfee. We're kind of concerned that the laptop won't run properly without this file.
Anyone else having this problem tonight? I can no longer view the properties of the original file because every time I restore it, McAfee changes the date stamp in the properties, so I am unable to see any of its properties to verify its legitimacy. The file is 75264 bytes in size, MD5 1d71f24bcb47d8e63d647b412afd0beb. Super quick response would be appreciated.
Countryhm
19 Posts
0
November 6th, 2009 20:00
Thank you. No kidding, I have spent this entire evening trying to get more information about this, including trying to get onto the Alienware site for support. There doesn't seem to be any way to do that. I mean, I certainly don't have a customer number that they'll accept as valid, nor do I see where to find one. I've just got the numbers Dell provided, which Alienware doesn't accept--the customer number and the service tag number. I've been on hold on the phone with Alienware as well, finally hung up. I'll try again, though. They should be told if a whole bunch of antivirus programs are tagging one of their files as a trojan. I submitted the file to Avert after an online chat with a McAfee tech. (I would advise my son to toss McAfee when the trial is up, since I see there is no mechanism for McAfee to be told to ignore a file, and what if it gets aggressive with a false positive on something the computer really needs? I'm thinking the new Windows Security Essentials is starting to look good. Too bad, though, I thought McAfee would be a good product for my son and I liked the firewall.)
So you're not having a problem, then, with ostcust.exe being stuck in quarantine for the past month then? I think right now it is not in quarantine and my son is a bit worried. What if it IS actually infected, he says. Well, I told him that as it stands now, if it actually tries to DO anything, McAfee will grab it up right away and quarantine it and it can't do anything from there. In fact, if I so much as try to view the file's properties, that file will be gone into quarantine. McAfee might even grab it if I navigate to the folder it's in. (Honestly, I've never heard of an antivirus software that behaves like this--that won't let you ignore a file!)
TrelawneyHope
29 Posts
0
November 6th, 2009 20:00
Quick answer - leaving McAfee Quarantine OSTCUST.EXE has had no side effects after 1 month for me. :emotion-15:
I tried the same as you by restoring each time, and eye rolling after it kept doing this - but I can report that after letting it do this, there were no side effects.
I wouldn't delete the file but if you're worried, copy it to a CD just in case with a copy of the path in case this ever happens and you need to restore. I treat this as a False Positive, and although I have repeatedly submitted the file, it is always picked up as you have found...
Cheers
Trelawney
TrelawneyHope
29 Posts
0
November 7th, 2009 04:00
No worries Countryhm - seriously not worth expending any energy on so am enjoying my laptop with the latest games instead. "Don't sweat the petty stuff, and don't pet the sweaty stuff!" :emotion-15:
Generally speaking I think Dell/AW need to inform McAfee if this a a true false-positive, otherwise it is likely to remain so. I don't know if someone can mark a (suspected) Trojan as safe (even if false positive), hence that may be why you can't do anything about it.
My advice - Let McAfee Quarantine it and just keep a DVD backup (save the path as a text file so you know where it comes from) in the unlikely event it is needed in future. I think it's just a redundant file from the build & test process.
Then enjoy! :emotion-1:
Cheers
Trelawney
Countryhm
19 Posts
0
November 7th, 2009 13:00
I was on hold with Alienware (for an hour) and was writing a post, and then an agent finally answered. So I deleted the post and I am starting again. The Alienware tech I spoke to said that the folks at Alienware are aware of the situation with this file. They will be releasing a new version of it and it will be available as an update from Dell in the future. He said that the file is for the onscreen display and it is not a trojan, but they know about various antivirus companies claiming that it is.
Apparently this has been an issue for quite some time. I came across this:
http://virscan.org/report/39e10d4972b08ca2af4dbd897aa80a37.html
Notice that scan was done in 2008. The MD5 and SHA1 numbers on the above page are identical to those of the file on my son's laptop.
My son says if we ignore this, how would we know then if the file were to actually become infected in the future. Well, I guess those numbers would be altered and we would see different numbers on a virustotal.com scan, so I'll keep the printout from today.
The tech I spoke to said there would be no harm in keeping the file in quarantine, but it is clean. I guess if you notice anything 'off' in your onscreen display, you can restore it.
Not fond of the McAfee feature that doesn't allow a user to ignore a file that the user knows is a false positive. Any AV scanner can get it wrong, and if it gets it wrong on a critical file, that can really mess up your system. I used to use ZoneAlarm Internet Security Suite, and from time to time it used to pick on ATI (video graphics) software as being infected, but it was always a false positive. If I hadn't been able to tell ZASS to ignore it until the false positive was corrected, my computer may have ended up with a black screen and therefore nonfunctional, and that's bad. McAfee has lost themselves a customer, I think.
Thanks for your response Trelawney. We'll get that file copied over onto a CD, and my son can relax and enjoy his laptop.
Countryhm
19 Posts
0
November 8th, 2009 22:00
Update:
We have a mystery here. Came home late tonight, son had a big download going and was asleep, so I thought I would take a peak at McAfee and see if it had left that file alone or if it had been quarantined it again. The file is completely gone off the computer. McAfee has no record of having taken any action on it either, not since Nov 6th. There is nothing recorded re that file in McAfee's settings after the last time I restored it. Unfortunately, we had not had a chance to get it copied to CD either. My son went away for the day and said he would do it when he got home from his outing. So the file is gone permanently and I have no idea why or how. Also, oddly enough, McAfee was turned off and my son said he didn't do that.
I think he should run another full scan in the morning. And hopefully he truly doesn't need that file for anything.
Countryhm
19 Posts
0
November 8th, 2009 23:00
OK, another update to this. I just got off the phone with tech support (I reached Alienware support via the Dell tech support telephone #), and now this latest person I spoke to said this oscust.exe is NOT an alienware file. So I honestly don't know what to think--one person said it IS an alienware file and it's not an infected item, the next person says it's not. Rather frustrating, rather baffling. (Who does a person believe when two individual techs give you the exact opposite information?)
This tech did say the onscreen display controls the touch keys, the use of the FN keys. I checked that by trying the screen brightness, and that worked.
(BTW, my son is 16 and this is his first computer, which is why I am as involved with this as I am. :emotion-1: Otherwise, I would like to leave as much to him as possible so he can learn, but security affects all the systems in this household.)
Anyway, the item is gone and I guess it will remain that way. (Now I am going to check McAfee and see which programs are accessing the 'net...:emotion-5:)