Re: McAfee & nmap
From: Fyodor <fyodor () insecure org>
Date: Mon, 29 Aug 2005 02:08:30 -0700

On Sun, Aug 28, 2005 at 09:44:02PM -0600, engage wrote:
> I am running McAfee AV 10.0.25 on XP Pro SP2. McAfee keeps
> displaying a message every time I try to run nmap. The box is calling
> it a "potentially unwanted program". Apparently, McAfee defines
> this as spyware or adware or malware. Did I download a hacked
> version of nmap or is this just another effort to kill the use of

Yes, that is highly annoying. I notified McAfee last year that Nmap
has never contained any spyware or advertising, nor any other code
acting against the user's interests. It is not bundled with anything
else, and doesn't even offer an executable installer. So it is hard
to imagine someone installing it by accident. I asked why they would
possibly flag Nmap in their virus scanner.

McAfee responded that they never called it a
virus/trojan/adware/spyware/etc. Instead, they describe it using the
weasel-words "potentially unwanted application". That is easy for
them to justify, since any application can be "potentially unwanted".
To their credit, they did add a description noting that Nmap "is not a
virus or trojan" and even that "Nmap is a very efficient tool ... used
by security experts to enhance their network security"
claims that this detection is disabled by default. Is it possible
that you changed the configuration to detect "potentially unwanted
programs"? Or maybe you are using a corporate AV system that is
already configured that way?

I regularly get complaints/queries because of this bogus listing. Most
are polite from people concerned that their Nmap download might be
infected with some virus because McAfee flagged it. Other people send
angry letters accusing me of distributing spyware, screwing up their
PC, etc. These mails always seem to be from McAfee users -- the other
virus checkers seem to know better than to flag Nmap. Or maybe they
just describe the "issue" better so that fewer users are disturbed.

McAfee claim that they flag Nmap because it "can also be used with
malicious intent by hackers to target attacks on remote systems."
Another free Windows tool which can be used for this is McAfee's own
FoundStone SuperScan. Yet that doesn't seem to be detected -- they
apparently don't consider Superscan to be potentially unwanted like
Nmap is. Nor do they flag ISS Scanner, Symantec NetRecon, or many of
the other commercial scanners. They don't even flag Nessus (not that
they should!) McAfee is clearly discriminating against Nmap by
flagging it while ignoring so many other scanners (including their

While I think McAfee should remove the listing, I haven't yet been
able to convince them of that. But they might listen if they hear it
from enough customers. If you have been annoyed by McAfee flagging
Nmap, consider sending a polite email to Joe Telafici ( Joe_Telafici
at avertlabs dot com) as well as virus_research () nai com

Also, if you are purchasing virus scanners for yourself or your
organization, consider buying from a vendor other than McAfee until
they stop flagging clean open source software such as Nmap (and wget).

I'll let you know if/when they remove the bogus listing.

Sent through the nmap-dev mailing list