Request / Clarification of Detection of Various Malware

I have been asked to confirm that McAfee is able to detect the following Malware / Viruses that have recently been used to effect infections and ransomware in Higher Education establishments in the UK. These include:

  • Bloodhound
  • MimiKatz
  • .pysa
  • DoppelPaymer
  • REvil

Can someone confirm if these recent versions have been detected, and the current DAT versions they have been detected by?

Thanks
Steve
2 Replies
McAfee Employee
Message 2 of 3

Re: Request / Clarification of Detection of Various Malware

Hi Steve

Thanks for reaching out to Community.

You might need to provide us with samples by following the KB below.

https://kc.mcafee.com/corporate/index?page=content&id=KB68030

Or you can share the Advisory with us so that we can check for coverage.


Reliable Contributor
Message 3 of 3

Re: Request / Clarification of Detection of Various Malware

TLDR: My thoughts on detecting malware samples.

There are various types of detection, and what is detected depends on numerous factors. McAfee might be able to say that they detect all known samples of a malware family, and this could be done by hash. Or maybe they have a generic signature, and it covers the families. Or perhaps ATP gets it by machine learning. However, this only tells you about what is known, not unknown. Even machine learning requires the known elements of the unknown, though the better you get at it the more unknown you will pick up, but then you can't speak to any one particular sample unless you analyze it or run the engine against it. Ultimately, my point is that the attacker can easily modify files and/or pack them to further avoid detection. None of this is to say AV detection isn't important. It definitely is, but there is a lot to consider.

As an example, I was looking at a CobaltStrike beacon sample today out of VirusTotal used by REvil. When first uploaded yesterday it only had a small number of detections, even though CobaltStrike is very common. Over the next 24 hours the number of detections more than doubled, but as of 5 hours ago, less than half the AV engines are detecting it (McAfee does). But I say this because it is very difficult to say that any AV engine definitely detects a particular family fully, only that one can detect a particular sample and maybe those known to be related.

If you know the threats that concern you, I would look at how those threats get into the environment and try to stop the attack vector. If you have a sandbox like ATD you can also add rules beyond what McAfee provides (so 2 of our internal rules fired on that CobaltStrike sample), and similarly, within ENS in Access Protection and Expert Rules you may block the attack behaviorally, so you are not dependent upon detecting just the file. Obviously, here again, you have to go by the known vectors, but there are fewer of those (though still many) than there are ways to modify files for detection avoidance.

Just some thoughts.

Dave
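As an added illustration of the distinction Dave draws above (this is example code written for this page, not code from the thread, from McAfee, or from any McAfee product), the following Python simulation compares three coverage layers against one constructed "family" sample and two trivial derivatives of it: an exact-hash match, a generic family byte signature, and a scan of the bytes as they look after the sample unpacks itself, which stands in for what a sandbox or in-memory scanner sees. The family marker string, the sample bytes, and the XOR "packing" key are all made-up placeholders; no real malware bytes or hashes are involved.

```python
import hashlib

# Constructed, inert stand-in for a malware family sample: a fake header, padding,
# a marker string shared by the (imaginary) family, and a body. Made-up bytes only.
FAMILY_MARKER = b"FAKE-FAMILY-CONFIG-v1"
KNOWN_SAMPLE = b"MZ\x90\x00" + b"\x00" * 16 + FAMILY_MARKER + b"\x00" * 16 + b"body-bytes"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Layer 1: hash-based detection, i.e. a set of exact hashes of previously seen samples.
KNOWN_HASHES = {sha256(KNOWN_SAMPLE)}


def detect_by_hash(data: bytes) -> bool:
    return sha256(data) in KNOWN_HASHES


# Layer 2: generic family signature, a byte pattern expected in every variant of the family.
def detect_by_signature(data: bytes, patterns=(FAMILY_MARKER,)) -> bool:
    return any(p in data for p in patterns)


# A single-byte XOR stands in for a real packer: the on-disk bytes differ from the bytes
# the program uses at runtime. XOR is its own inverse, so the same call also unpacks.
def xor_transform(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


PACK_KEY = 0x5A  # placeholder key for the simulated packer


# Layer 3: scan of the runtime view. A sandbox or memory scanner sees both the bytes on
# disk and the bytes after self-unpacking (simulated here by applying the known key).
def detect_after_unpack(data: bytes, key: int) -> bool:
    return detect_by_signature(data) or detect_by_signature(xor_transform(data, key))


def variants() -> dict:
    """The known sample plus two trivial derivatives that change its bytes on disk."""
    modified = bytearray(KNOWN_SAMPLE)
    modified[-1] ^= 0x01  # flip one bit in the body; the family marker is untouched
    return {
        "known": KNOWN_SAMPLE,
        "modified": bytes(modified),
        "packed": xor_transform(KNOWN_SAMPLE, PACK_KEY),
    }


def coverage() -> dict:
    """Report which detection layer fires on each variant."""
    return {
        name: {
            "hash": detect_by_hash(data),
            "signature": detect_by_signature(data),
            "unpacked": detect_after_unpack(data, PACK_KEY),
        }
        for name, data in variants().items()
    }


if __name__ == "__main__":
    for name, result in coverage().items():
        print(f"{name:9s} {result}")
```

Running it shows the hash layer firing only on the byte-identical known sample, the generic signature surviving the one-bit change but not the packed copy, and only the post-unpacking scan covering all three. That is the practical reading of "we detect this family": a hash list answers the question for samples already seen, a generic signature for variants that keep the marker, and only behavioural or sandbox visibility for repacked copies, which is why Dave points to vector blocking and ENS Expert Rules rather than relying on the file scan alone.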
