Request / Clarification of Detection of Various Malware
I have been asked to confirm that McAfee is able to detect the following malware / viruses that have recently been used to effect infections and ransomware in Higher Education establishments in the UK.
Can someone confirm whether these recent versions have been detected, and the current DAT versions they have been detected by?
Re: Request / Clarification of Detection of Various Malware
TLDR: My thoughts on detecting malware samples.
There are various types of detection, and what is detected depends on numerous factors. McAfee might be able to say that they detect all known samples of a malware family, and this could be done by hash. Or maybe they have a generic signature, and it covers the families. Or perhaps ATP gets it by machine learning. However, this only tells you about what is known, not unknown. Even machine learning requires the known elements of the unknown, though the better you get at it the more unknown you will pick up; but then you can't speak to any one particular sample unless you analyze it or run the engine against it. Ultimately, my point is that the attacker can easily modify files and/or pack them to further avoid detection. None of this is to say AV detection isn't important. It definitely is, but there is a lot to consider.
As an example, I was looking at a CobaltStrike beacon sample today out of VirusTotal used by REvil. When first uploaded yesterday it only had a small number of detections, even though CobaltStrike is very common. Over the next 24 hours the number of detections more than doubled, but as of 5 hours ago, less than half the AV engines are detecting it (McAfee does). But I say this because it is very difficult to say that any AV engine definitely detects a particular family fully, only that one can detect a particular sample and maybe those known to be related.
If you know the threats that concern you, I would look at how those threats get into the environment and try to stop the attack vector. If you have a sandbox like ATD you can also add rules beyond what McAfee provides (so 2 of our internal rules fired on that CobaltStrike sample) and similarly, within ENS in Access Protection and Expert Rules you may block the attack behaviorally, so you are not dependent upon detecting just the file. Obviously, here again, you have to go by the known vectors, but there are fewer of those (though still many) than there are ways to modify files for detection avoidance.
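As an added illustration of the point made in the reply above (this is example code written for this page, not McAfee's engine, a real DAT, or anything posted by the thread participants), the following script contrasts hash-based detection with a generic byte-pattern signature against three versions of a constructed toy "sample": the original, a copy with one byte appended, and a copy run through a trivial XOR "packer". The sample bytes, the pattern and the packer are all invented for the demonstration; real packers and real signatures are more involved, but the outcome is the same: the hash breaks on any change, the generic signature survives a small edit but not packing, and the packed file is only recognizable once it unpacks in memory, which is where behavioral rules come in.

```python
import hashlib
import re

# Constructed toy "sample" standing in for a malicious binary. These bytes are
# invented for this example; they are not a real malware signature or indicator.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"cmd.exe /c vssadmin delete shadows /all /quiet"
    + b"\x00" * 8 + b"beacon"
)


def sha256(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


# Hash-based detection: a blocklist of hashes of samples already seen.
# Only the exact bytes that were submitted are ever matched.
KNOWN_HASHES = {sha256(SAMPLE)}


def detect_by_hash(data: bytes) -> bool:
    return sha256(data) in KNOWN_HASHES


# Generic signature: a byte pattern shared across a family rather than one
# file. The pattern here (assumed for the example) is the shadow-copy deletion
# command with flexible whitespace, so trivial edits elsewhere do not break it.
GENERIC_SIG = re.compile(rb"vssadmin\s+delete\s+shadows")


def detect_by_signature(data: bytes) -> bool:
    return GENERIC_SIG.search(data) is not None


def xor_pack(data: bytes, key: int) -> bytes:
    """Trivial 'packer' stand-in: XOR every byte with a one-byte key.
    Applying it twice with the same key restores the original, which is what
    a real packer's stub does in memory at run time."""
    return bytes(b ^ key for b in data)


def classify(data: bytes) -> dict:
    """Run both static detections over a byte string."""
    return {"hash": detect_by_hash(data), "signature": detect_by_signature(data)}


def patched_variant() -> bytes:
    """Same sample with a single null byte appended: hash changes, content intact."""
    return SAMPLE + b"\x00"


def packed_variant(key: int = 0x5A) -> bytes:
    """Same sample XOR-'packed': neither the hash nor the pattern is present on disk."""
    return xor_pack(SAMPLE, key)


if __name__ == "__main__":
    for name, blob in (("original", SAMPLE),
                       ("patched", patched_variant()),
                       ("packed", packed_variant())):
        print(f"{name:9s} sha256={sha256(blob)[:16]}... {classify(blob)}")
    # Unpacking (what the stub would do at run time) makes the signature fire again.
    print("unpacked ", classify(xor_pack(packed_variant(), 0x5A)))
```

The run prints hash and signature hits for the original, a signature-only hit for the patched copy, and no hits for the packed copy until it is unpacked. That is the gap the reply describes: you can say an engine detects a given sample, and with a generic signature the samples related to it, but not that it detects every future file an attacker derives from it.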