McAfee identifies QtCore.pyd as virus and deleting
-
Hi all,
McAfee identifies a needed file "QtCore.pyd" as a virus ti!064F3AE101FC and isolated the file. So, ModuleNotFoundError: No module named 'PySide6.QtCore' occurs, e.g. in my software "WingetUI".
We also uploaded the file to VirusTotal: https://www.virustotal.com/gui/file/064f3ae101fc1d3cf709ac28edcdedeb7414e5f9a2e438031e5301b8d6338c3f/detection
Looking at the results (2 flags out of 70) it is clear that it is a false positive. In McAfee we will mark it as a false positive and white-list it. But from Qt perspective it is unclear and not solved.
Because I think WingetUI is not the only affected software, I would like to discuss the finding with QtCore.pyd with you and ask whether I should create a bug report in Qt Jira.
Regards,
Markus
-
@DrMaFu said in McAfee identifies QtCore.pyd as virus and deleting:
whether I should create a bug report in Qt Jira?
Why? You should rather file a bug report at McAfee.
-
Well, good point ....
I thought it is sensible and necessary that Qt should know the problem because I think - as I wrote - WingetUI is not the only affected software. My assumption was that a stakeholder from Qt has more power moving something forward at McAfee than an unknown single user.
But OK, in the meantime I created a bug report at McAfee and submitted both relevant files QtCore.pyd and QtGui.pyd (both files leading to false positive). Now waiting for feedback.
-
@DrMaFu Thx. I think creating a bug report in Qt first would have taken much more time until it arrives at McAfee. 🙂
-
Hi @Christian-Ehrlicher ,
Happy New Year!
I got the following feedback from McAfee
Dear Sir/Madam,
Thank you for contacting us.
We have reviewed your submission for whitelisting of your software and the submitted file named ['QtCore and QtGui.zip'] have been Whitelisted.
Regards,
McAfee Data Submission Team
So, well done :-)
-
@DrMaFu
And does this apply forever against the file names (surely not, else the virus detector would be worthless?!) or only against the current binary content of the files you supplied, which will be out-of-date in a few weeks and (may well) revert to being "blacklisted"...?
-
@JonB It probably only applies to the file with the specific name and matching cryptographic checksum. I do hope they whitelisted the pyd files (presumably) inside the zip file and not the zip file itself (as their email says).
Hopefully they will also identify what triggered the false positive and adapt their heuristics.
-
@ChrisW67 said in McAfee identifies QtCore.pyd as virus and deleting:
and matching cryptographic checksum
Which as I said will change for a different version and likely be back where they were.
Hopefully they will also identify what triggered the false positive and adapt their heuristics.
Um.