Nmap Development mailing list archives
Re: McAfee & nmap
From: engage <engage () n0sq us>
Date: Mon, 29 Aug 2005 18:38:49 -0600
On Monday 29 August 2005 03:08 am, you wrote:
On Sun, Aug 28, 2005 at 09:44:02PM -0600, engage wrote:I am running McAfee AV 10.0.25 on XP Pro SP2. McAfee keeps displaying a message everytime I try to run nmap. The box is calling it a "potentially unwanted program". Apparently, McAfee defines this as spyware or adware or malware. Did I download a hacked version of nmap or is this just another effort to kill the use of nmap?Yes, that is highly annoying. I notified McAfee last year that Nmap has never contained any spyware or advertising, nor any other code acting against the user's interests. It is not bundled with anything else, and doesn't even offer an executable installer. So it is hard to imagine someone installing it by accident. I asked why they would possibly flag Nmap in their virus scanner. McAfee responded that they never called it a virus/trojan/adware/spyware/etc. Instead, they describe it using the weasel-words "potentially unwanted application". That is easy for them to justify, since any application can be "potentially unwanted". To their credit, they did add a description noting that Nmap "is not a virus or trojan" and even that "Nmap is a very efficient tool ... used by security experts to enhance their network security" (http://vil.mcafeesecurity.com/vil/content/v_100955.htm). McAfee claims that this detection is disabled by default. Is it possible that you changed the configuration to detect "potentially unwanted programs"? Or maybe you are using a corporate AV system that is already configured that way? I regularly get complains/queries because of this bogus listing. Most are polite from people concerned that their Nmap download might be infected with some virus because McAfee flagged it. Other people send angry letters accusing me of distributing spyware, screwing up their PC, etc. These mails always seem to be from McAfee users -- the other virus checkers seem to know better than to flag Nmap. Or maybe they just describe the "issue" better so that fewer users are disturbed. McAfee claim that they flag Nmap because it "can also be used with malicious intent by hackers to target attacks on remote systems." Another free Windowws tool which can be used for this is McAfee's own FoundStone SuperScan. Yet that doesn't seem to be detected -- they apparently don't consider Superscan to be potentially unwanted like Nmap is. Nor do they flag ISS Scanner, Symantec NetRecon, or many of the other commercial scanners. They don't even flag Nessus (not that they should!) McAfee is clearly discriminating against Nmap by flagging it while ignoring so many other scanners (including their own). While I think McAfee should remove the listing, I haven't yet been able to convince them of that. But they might listen if they hear it from enough customers. If you have been annoyed by McAfee flagging Nmap, consider sending a polite email to Joe Telafici ( Joe_Telafici at avertlabs dot com) as well as virus_research () nai com. Also, if you are purchasing virus scanners for yourself or your organization, consider buying from a vendor other than McAfee until they stop flagging clean open source software such as Nmap (and wget). I'll let you know if/when they remove the bogus listing. Cheers, Fyodor
Thanks for the reply. I'll be sure to make McAfee aware of my disappointment concerning this issue. Since this was preloaded onto my new Dell Inspiron 600m laptop, I'll be sure to provide feedback to Dell also. Normally, I use Symantec so I will remove McAfee and install Symantec or AVG. I would also like to point out that the licensing agreement for McAfee requires that I agree to automatic renewals and that my credit card will be automatically billed when the renewal comes up. That'll be interesting to find out if Dell shared my credit card account number with McAfee. Anyway, I've been using nmap with Mandrake Linux and rarely on the Windows platform for many years and find it useful. To the nmap developers: keep up the good work! _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev
Current thread:
- McAfee & nmap engage (Aug 28)
- Re: McAfee & nmap David Warde-Farley (Aug 28)
- Re: McAfee & nmap Fyodor (Aug 29)
- Re: McAfee & nmap engage (Aug 29)