False Positive Detection Generic.dx!yxk in DAT 6329

McAfee Labs has received multiple reports of a false positive detection in SAP software. This is impacting SAP telephone connectivity functionality.

Detection name(s) causing the false positive:

File Name(s):
Spsgui.exe – This file is typically found only on workstations that have the SAP client installed. This file is loaded by the SAP client when it starts up and is used to send and receive faxes inside the SAP application.

Date of First Occurrence: April 28, 2011

DAT Version:

DAT Version Containing the Fix:
6330 – This DAT has now been posted and replication is occurring.

What are the affected products?

  • VirusScan Enterprise

NOTE: This issue can affect all McAfee anti-virus products utilizing this DAT; however, it will manifest itself only on endpoints such as VirusScan.

This KnowledgeBase article will be updated when additional information is made available.

Solution 1

McAfee has posted the 6330 DAT files, and recommends applying these DATs as soon as possible.

Solution 2

The following remediation tools are available:

  • EXTRA.DAT is attached to this KnowledgeBase article in the Extra.zip file. This negative extra DAT is used to suppress detection.
  • SDAT_EM.exe is attached to this KnowledgeBase article in the SDAT_EM.zip file. This SuperDAT can be deployed directly through McAfee ePolicy Orchestrator (ePO).
  • sdatInstaller.msi is attached to this KnowledgeBase article in sdatInstaller.zip. This can be deployed via a Group Policy if you have Active Directory as described below.

Create the Group Policy Object in the Active Directory Users and Computers application:

Before you begin to create the Group Policy Object:

  • Create a share on a server and allow Domain Computers at least READ access to the share.
  • Copy the MSI installation file to the share.

Follow these steps to create the Group Policy Object in the Active Directory Users and Computers application:

  1. Right-click on the Organizational Unit that you wish to use to define the new GPO and select Properties.
  2. Click the Group Policy tab, then click New.
  3. Enter a name for this new GPO.
  4. Click Properties.
    1. Select the Security tab.
    2. Add the Domain Computers group (or edit the existing Authenticated Users group) and assign the READ and APPLY GROUP POLICY rights.
  5. Click Edit to edit this new Group Policy.
    1. Expand the Computer Configuration\Software Settings tree on the left side of the screen.
    2. Right-click the Software Installation tree option and select the menu item New, Package.
  6. An Open File dialog box should appear.
    1. Type in the UNC path to the server share where the MSI installer file is located.
    2. Select the appropriate MSI installer file and click Open.
  7. Select the Assign radio button and click OK. You have now created and assigned the Package Object.
  8. Right-click on the Package Object and select Properties.
  9. Click the Security tab and add Domain Computers to the security permissions. Ensure Domain Computers has the READ rights.
  10. Click the Advanced tab, select Domain Computers, and click Edit. Select the List Contents, Read All Properties, and Read Permissions checkboxes.
  11. Close the Group Policy window.
  12. Close the GPO window. The MSI package has now been defined and is now ready for deployment.
  13. Force replication to all other Domain Controllers. Reboot a machine contained within the Organizational Unit for which you originally defined the GPO.


A negative extra.dat to suppress the detection is attached to this KnowledgeBase article. McAfee recommends that affected customers apply the negative extra.dat and utilize the quarantine restore function to retrieve the incorrectly removed file.

Related Information

Additional details on the SAP file in question are listed below:

File Publisher: SAP AG
Copyright: (C) 1999 – 2002
Product: SAPPhone Server GUI
Description: XP Compatible Version
File Name: SPSGUI.exe
Internal Name: SPSGUI
File version: 2.05.0009
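
Before restoring a quarantined file or applying the negative extra.dat, the file can be compared against the details listed above. The following PowerShell is an added example, not code from McAfee or SAP; the function name `Test-AdvisoryFileMatch` is hypothetical, the mapping of the article's labels to Windows version-resource fields is an assumption, and the file path must be supplied by the operator because the article does not give one.

```powershell
# Added example: compare a file's version resource with the values listed in this article.
# Assumption: the article's labels map to the standard version-resource fields named below.
$Expected = [ordered]@{
    CompanyName     = 'SAP AG'                 # "File Publisher"
    ProductName     = 'SAPPhone Server GUI'    # "Product"
    FileDescription = 'XP Compatible Version'  # "Description"
    InternalName    = 'SPSGUI'                 # "Internal Name"
    FileVersion     = '2.05.0009'              # "File version"
}

function Test-AdvisoryFileMatch {
    [CmdletBinding()]
    param(
        # Supplied by the operator; the article gives no install path.
        [Parameter(Mandatory)][string]$Path
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }
    $item = Get-Item -LiteralPath $Path
    $vi   = $item.VersionInfo

    # One result row per field so a mismatch can be reviewed by hand.
    $fields = foreach ($name in $Expected.Keys) {
        $actual = ([string]$vi.$name).Trim()
        [pscustomobject]@{
            Field    = $name
            Expected = $Expected[$name]
            Actual   = $actual
            Match    = ($actual -eq $Expected[$name])
        }
    }

    # Version-resource fields are set by whoever built the file, so a full match
    # means "fits the article's description", not "authentic". The SHA-256 is
    # recorded so the same file can be compared across affected workstations.
    [pscustomobject]@{
        Path      = $item.FullName
        NameMatch = ($item.Name -ieq 'SPSGUI.exe')
        Sha256    = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
        AllMatch  = (@($fields | Where-Object { -not $_.Match }).Count -eq 0)
        Fields    = $fields
    }
}

# Usage (placeholder path): Test-AdvisoryFileMatch -Path 'C:\path\to\SPSGUI.exe' | Format-List
```

A file that reports `AllMatch = False` does not fit the description in this article and should not be treated as covered by the false positive.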
