Former Member
Message 1 of 26

McAfee Threat Detection and Remediation Process?

Just throwing out a general question here regarding how the McAfee Threat Detection process is supposed to work - from a threat appearing out there on the web through to getting protection against it via a new DAT signature (for example) for McAfee AV.

Anyone know what the general process is, as I can't seem to find it documented anywhere?

Looking to see if anyone knows the formal process but also how members think it should work.

I'm thinking about it from a couple of aspects - looking to understand the "theory", which for me is along the lines of the process by which McAfee learns of new malware, analyzes the emerging threat, develops DATs etc., but also how that works in practice.

So for example, if someone out there develops a new piece of malware or a variant of an existing known malware (is the process any different in this case?) and a non-McAfee customer (for example) is attacked by it and discovers the cause to be an infected file that hasn't been picked up by their protection and then notifies their AV supplier - meanwhile the new threat gets detected in the wild and gets named "ScrewyerSystems2014" and is detected by someone - what happens from then on regarding McAfee customers getting protected, and their ability to tell if they are protected against "ScrewyerSystems2014" because they've just read an online article on a security forum about the detection of this new threat and how serious it could be?

Hoping for further discussion about certain aspects of the process as feedback comes in.

Jim

25 Replies
catdaddy
Reliable Contributor
Message 2 of 26

Re: McAfee Threat Detection and Remediation Process ?

Being a McAfee consumer myself, should I experience such, I simply run the latest "Getsusp Tool", which can be found in the (2nd) link below my signature. This is one method of sending "Suspicious Files" to McAfee Labs.

In addition, please make certain you select "Preferences" and fill in your email address before running the scan. You should then receive a notification from McAfee that said detections, if any, are being analyzed. Furthermore, after giving McAfee Labs the appropriate amount of time to process it, record the (Work Item #) and post back the (Work Item id-#), and generally someone will do their best to further assist you.

Just My personal Thoughts...

All the very best,

Cliff
McAfee Volunteer
Former Member
Message 3 of 26

Re: McAfee Threat Detection and Remediation Process ?

Thanks Cliff - I appreciate that should I actually encounter a suspicious or infected file I can submit it to McAfee for analysis, but I'm interested in the larger process, as I don't want to wait to experience a problem before I get protection, or even to wait until some other unfortunate McAfee customer hits an infected file before the process kicks off.

Jim

catdaddy
Reliable Contributor
Message 4 of 26

Re: McAfee Threat Detection and Remediation Process ?

Thanks Jim - I can certainly understand your thoughts. I guess I failed to mention that, in addition to my (weekly) scheduled scan, I generally run the Getsusp Tool as well, just in case my RTS for some reason missed it.

Should it be the case that McAfee detected it as "Artemis!", then there is no need to send it via "Getsusp".

For then I would use the other method of submittal, in regards to informing McAfee of such, if I feel that it was safe. Having said all this... I am in full agreement with your statements.

All the very best,

Cliff
McAfee Volunteer

Re: McAfee Threat Detection and Remediation Process ?

To answer your original question.

The way McAfee Labs gather their knowledge and build their database is a trade secret I'm afraid, so you won't find that sort of information anywhere. They don't even tell us how they do things.

They also have methods for manual submission of suspicious files and for appealing incorrect diagnoses as do all major A/V software makers.

Sorry but that's about it!!

Former Member
Message 6 of 26

Re: McAfee Threat Detection and Remediation Process ?

I sincerely hope that you are wrong Peter - by which I mean I'm (obviously?) not looking for "Trade Secrets" but an indication of the processes in place that are used to monitor emerging threats and respond to them appropriately.

Surely that's not too much to ask of your AV vendor - "how do you protect me from emerging threats, and how can I easily tell if I'm protected against a threat I've seen mentioned?"

Jim

Re: McAfee Threat Detection and Remediation Process ?

You can ask as you have done, and hope one of their staff answers here, but it's rare as these forums are mainly peer-to-peer support and I still think that discussion of their information gathering processes would not be fruitful.

Former Member
Message 8 of 26

Re: McAfee Threat Detection and Remediation Process ?

Still interested in what others think the process involves or even how they think it should work.

Obviously a response from McAfee would possibly be more accurate and informative, so no harm in asking.

And at the end of the day it's nothing that a McAfee salesman shouldn't expect to be asked by a prospective customer, I suppose.

Jim

Re: McAfee Threat Detection and Remediation Process ?

Well, these forums are really for discussion of McAfee products and problems people have with them, and we are here to steer people in the best direction to obtain help with said products. Esoteric discussions about what may or may not go on behind corporate doors are really just speculation and belong perhaps in an independent forum, not one owned by Intel/McAfee.

You won't be successful in eliciting any information on how McAfee works anywhere here. In this insecure world where everyone is trying to cut each others' corporate throats, I doubt they would give anyone a 'guided tour' of what goes on behind the scenes.

What is already published on the Labs main page and associated links is all the information they are likely to give: http://www.mcafee.com/us/mcafee-labs.aspx

Sorry to be the voice of doom, but you know as much as I do about the subject, believe me.

SafeBoot
Reliable Contributor
Message 10 of 26

Re: McAfee Threat Detection and Remediation Process ?

As Peter says, we don't share our inner workings (no vendor does), as that would only help hackers "game" the system. What I can tell you though, which is sometimes missed, is that pretty much EVERY McAfee product acts like a sensor for our global threat intelligence. Every spam message, every URL with detected malware, every enterprise and consumer firewall, everything feeds back information to us, which our systems use to make better decisions re the unknowns.

And things don't have to be known bad for us to convict them - we have hardware which does static analysis, devices which "detonate" unknown files to see what they do, etc.

The malware detections you get may have originated at a corporate firewall across the globe due to someone clicking a link in a spammy email, etc.

Add some thousands of researchers to the mix of our entire install base, and all the honeypots and sharing agreements with other vendors and you get pretty good coverage.

But - you've got to enable GTI - not doing so puts you really behind in terms of detection rates.
