CAREFUL! THE ATTACHED FILE CONTAINES A LIVE VIRUS!!!!
I have been using McAfee anti-virus for as long as I can remember. I believe it's what we used back in the DOS days. I have been a staunch advocate of the product (AVD/VSE) for my legal community clients and am responsible for the purchasing decisions for some 250 desktops in the San Francisco Bay Area. I have gotten several clients to dump Symantec in favor of McAfee, which I always found to be faster and more stable than Symantec products.
But I am now at the brink of being completely fed up with the product and am seriously considering moving my entire client base over to Kaspersky. In fact, I have already purchased a 10 user pack for one client and we'll be putting that on high-risk and/or notebook computers.
Why am I upset with McAfee? I have no fewer than 8 documented cases of rootkit infections that flew in under the McAfee radar. I have a good 50 cases of additional malware infections that also evaded detection, and some of these were affected under "locked down" conditions (Access protection turned with the thumbsrews on). Some of these things are very very very hard to remove.
I acknowledge that in many cases my clients were not following protocol, including: using administrator level accounts, clicking on "fake alert" notifications and thus unwittingly manually infecting their machines, using questionable browsing behavior such as looking for free music and/or video content. But others have followed reasonable levels of protocol and were dupped by sophisticated social networking traps.
It's a new world out there and I acknowledge that things need to be locked down (at the expense of end-user productivity and cost of their becoming irritable over additonal required training and clicks to get work done) and one cannot rely solely on antivirus software to resolve issues. HOWEVER, I have some MAJOR problems with McAfee.
Here is the root of my deep concern:
1) Kaspersky can identify and remove threats that McAfee (and tons of other products) cannot, on a REGULAR BASIS.
2) McAfee heuristics seem basically useless. I have never seen heuristics work (yes, it's enabled).
3) I have sent newly captured threats (I have *some* highly educated and intelligent users) to McAfee and it take 5 days to two weeks for the threats to be added to your DAT file updates!!!!!!!!!!!!!!!!!!!!!!!!!!!! WHAT???? That's reeeeaaaaly bad. Please put more guys on the job at Avert Labs!!!!!!!!
4) Rootkit detection is lame.
5) Why can't you make an engine that watches for modification of system boot objects and warns the user???? It's not rocket science!
6) Why don't you have an option to protect SYSTEM RESTORE POINT directories???? Not rocket science!
7) Why don't you have your own system restore point features?
😎 Why don't you separate out your Access Protection features? It's massively time consuming to turn individual things on and off and I never want to turn everything off because then I'm more or less wide open (with no protection against stopping McAfee services).
9) Kaspersky can give the user temporary access to system folders and other protected areas of the operating system during program updates. Thus the user cannot subsequently forget to turn on "Access Protection." This is a HUGE issue - I often find infections where Access Protection has been turned off, presumably because the user wanted to update Flash or Java or Adobe Air or ActiveX or Acrobat, or iTunes or Quicktime or Google Earth or Google Toolbar or... you get the picture. There are too many updates required these days to make it inconvenient for the end user to run them when running out the door to lunch, and it's too much to ask they remember to turn Access Protection back on when they come back from lunch.
I have only just begun evaluating Kaspersky, but so far it seems FAR AND AWAY A MUCH MUCH MUCH MUCH better product! It has a nice balance betwen user-friendly interface but you can click deeper to get the information you want if you're highly proficient. It watches for activities that are suspicious and let's the end user make a decision as to whether to permit it, unlike McAfee, which gives you the choice of having it locked down or not. McAfee should be looking for suspicious TCP/IP port usage, performing deep packet inspections, watching system files, watching for code execution, looking for Java scripts being executed from third party IP addresses, etc....
Kaspersky has a patented code tracing capability that can deconstruct running code traced from suspicious activities. Wow. What innovation does MacAfee have? Heuristics is OLD. Still relying on known code and pushing out DATs to recognize it is not cutting the cake any more.
Then there's the atrocious McAfee gaff of inadvertently identifying a windows system file as a threat and thus my client's machines won't boot and I have to run around town with a bootable thumb drive and replacement file. How could this have happened? Don't you do testing? This is like Microsoft's bad batches back in the bad old NT days!
It seems like bean counters who want to maximize shareholder profits are in charge of how things operate. Well, let me at 'em! Tell them to go count beans and get out of management!
I have been bounced around telephone extensions in the Philippines and/or been on hold for over 35 minutes now and still I can't seem to get anyone on the phone who can tell me the following:
Why should I stick with McAfee????
I attach the latest threat, identified by Kaspersky (and ONLY Kaspersky). This is a Dell driver file that was modified by some threat while McAfee was asleep at the wheel. Let's see how soon McAfee can get this put into their DAT files! Ha!
I submitted this same file to Avert Labs via WebImmune yesterday at this time and still no identification or Extra.dat.
I challenge McAfee, in front of the community, to meet this threat in a timely manner. It's already at least a week old. Has nobody else submitted this thing????? Why do I seem to be finding so many "new" threats? Prove me wrong, McAfee!
CAREFUL! THE ATTACHED FILE CONTAINES A LIVE VIRUS!!!!
Your story is no different than mine and many others in this forum. McAfee support is lame. This is the best place for support. You can be happy about one thing; you only bought antivirus.
The problem with big old companies is that they think they are the only vendors in the market. so you mentioning Kaspersky or NOD32 is not going to change their mind. Second, they believe they are already doing us a favor and we don't deserve as much.
McAfee's avert labs is 'the best' in the market. The problem is not with the labs. the problem is with the scan engine that's 5 years old (I'm not talking about builds) in terms of functionality. As you mentioned, the engine is not suitable for online web scan or rootkit scan. I'm not sure if they will develop on Access Protection as they have SolidCore products for that purpose. The only product from McAfee that I'm impressed with is ePO. It's a beautiful peice of software on many fronts whether architecture, design, functionality or interface.
McAfee has to realize that every individual and every compnay is connected to internet 24/7. I wish they read their own documentation at least once which goes "Security is only good as the update". If they keep the attitude that "we are not going to change our products unless Wallmart or DoD request such features" is giving other startups enough time to develop a sophisticated security eco-system of their own. in this century where the companies are looking for 'solutions' rather than 'products', this attitude is not going to help.
Still waiting for Windows 7/Windows 2008 R2 (x64) support.......... I mean where the product actually functions in these platforms.
Best of Luck to the current FkAfee customers
from this post here: http://community.mcafee.com/message/134228#134228
the best way to submit a sample for corporate customers is via the portal:
Further to this I'd like to clarify the best way for corporate
customers to submit samples to us.
Portal is the preferred method.
If it's not available then email is the next
best option. Webimmune is the least preferred method as it is publically
available to anyone regardless of whether or not they are a customer.
The queue for webimmune responses can often be much longer than portal
for any of these types of submissions if you wish to get your samples
escalated quicker please contact technical support by telephone, as this
way you are covered by the SLAs that support provide. Support can also
give further advice about what you can do whilst awaiting a response
from McAfee Labs.
How to submit samples to McAfee Labs through the McAfee ServicePortal or Platinum Portal
Corporate KnowledgeBase ID: KB68030
Last Modified: March 19, 2010
You can submit file samples to McAfee Labs through the McAfee ServicePortal or Platinum Portal.
Possible reasons for submitting samples:
* Suspected malware detection failure (virus not found)
* Clean failure for detected malware
* Suspected false positive detection
* Suspected false positive detections from Artemis
* Request for a Threat Library entry to be created for detected malware
For information about possible infected files, see: KB53094 - Troubleshooting procedure for finding possible infected files (issue: when virus not detected)
After you have collected your samples, you must archive them in a password protected .zip file and set the password to infected (all lower case). For instructions on how to create a .zip file and password protect it, see the following:
To submit your samples to McAfee Labs
1. Log in to the McAfee ServicePortal at: https://mysupport.mcafee.com, or the Platinum Portal at: https://platinum.mcafee.com.
2. Under Interactive Support, click Submit a Sample.
3. In the General Information section, add the following information:
* Customer Region (required)
* Grant Number(required)
* McAfee Labs Previous Service Request (if you have already created a case for this issue)
* Partner (if you receive service via a McAfee partner)
4. In the Submission Details section, add the information below:
* Scan Engine
* DAT Version
NOTE: To determine the current Scan Engine and DAT Version, refer to your product documentation.
* Issue Type (required)
o Artemis False
o Clean Failure
o Detection Failure
o Suspected False
o VIL Request with Sample
* Brief Description (100 characters maximum)
* Description (full description of the issue, no size restriction)
5. In the Samples section, click Browse and navigate to the .zip file that contains your collected samples.
IMPORTANT: The .zip file must be not be larger than 3 MB and the password must be set to 'infected'.
6. Click Upload.
7. Click Submit Sample.
After the sample is successfully uploaded, you see a confirmation message and your new Service Request (SR) reference number. This SR number is listed under your open SRs in the Interactive Support section of the ServicePortal or Platinum Portal.
If your sample was not successfully uploaded, an SR will still be created, but you must email the sample to firstname.lastname@example.org. Remember to quote the SR reference number in your email.
Firstly thank you for the feedback. There are some good product functionality ideas there that I will forward over to our Product Management team.
There are some points you are making that I am not clear on, and I hope you will be happy to clarify for me please?
1) Are you using file/macro heuristics or have you also enabled Artemis? If you have VSE 8.5i then enabling Artemis requires a special superdat to be be run on each machine, if you have 8.7i then there is a drop down box in the GUI called 'heuristic network check for suspicious files' - I'd recommend starting with it set to 'low' in the first instance.
2) How are you trying to contact Support? We don't have a corporate support desk in the Philippines as far as I know - it's consumer support instead - if you have VirusScan Enterprise then you should be talking to corporate support. All fo the numbers are listed in the back of the Gold Support Handbook.
3) Have you seen the best practice guide for Access Protection? It concerns me that your users have control over their VSE settings so if we can help you address this it would be good.
4) What security awareness training/education have your users been given? It sounds like they also have admin rights to their machines. Some of the documents in our Best Practices section might be helpful.
Three further points I would like to make:
1) jmcleish's post is correct - please can you follow this process and provide me with the SR number so I can escalate this for you.
2) Please do not ever attach live malware to a public forum. It puts other users/networks at risk (and could potentially be illegal, depending on the cyber laws in your country, as you are distributing a virus.)
3) No AV vendor in the world will protect you 100% of the time. What's very important, regardless of your eventual choice of vendor, is that you know how best to contact the vendor if you do have an issue, that you're getting the most out of your investment - which both McAfee and our Customer Community can help you with, and that you do all possible to educate and protect your users.
I hope this helps and I look forward to your response,.
I just read this topic and would like to make a point here. We have done an inhouse product analysis just recently and we covered some 10+ products including Kaspersky, Trend Sophos etc.
The functionality scope of these products were to us almost identical (not counting support and efficiency, coding, etc.) but it is interesting that some products incorporated a HIPS like feature in the AV package. I think this is the key point here. I consider the Access Protection very much like a very, very basic HIPS (I'm sorry for being not strictly technical and hope you get the point nevertheless), and some competing product also had "HIPS" (not the authentic one), which I see as a more advanced Access Protection.
While the original McAfee AP is dependant upon your decisions and common sense, the other advanced AP offers a scoring system where admins can more liberally use AP features because it is not a feature trigger that will block a code but a sum score of all the enabled feature triggers.
I would like to know if McAfee have considered redesigning this "old-style" Access Protection into an advanced one, possibly allowing score based and non-score based halves (or even more) to function. I wonder if you have any insider info on this..