Just throwing out a general question here regarding how the McAfee Threat Detection process is supposed to work - from a threat appearing out there on the web through to getting protection against it via a new DAT signature (for example) for McAfee AV.
Anyone know what the general process is, as I can't seem to find it documented anywhere?
Looking to see if anyone knows the formal process but also how members think it should work.
I'm thinking about it from a couple of aspects - looking to understand the "theory" which for me is along the lines of the process by which McAfee learns of new malware, analyzes the emerging threat, develops DATs etc. but also how that works in practice.
So, for example, if someone out there develops a new piece of malware or a variant of an existing known malware (is the process any different in this case?) and a non-McAfee customer (for example) is attacked by it, discovers the cause to be an infected file that hasn't been picked up by their protection and then notifies their AV supplier - meanwhile the new threat gets detected in the wild, gets named "ScrewyerSystems2014" and is detected by someone - what happens from then on regarding McAfee customers getting protected, and their ability to tell if they are protected against "ScrewyerSystems2014" because they've just read an online article on a security forum about the detection of this new threat and how serious it could be?
Hoping for further discussion about certain aspects of the process as feedback comes in.
Being a McAfee consumer myself, should I experience such, I simply run the latest "Getsusp Tool", which can be found in the (2nd) link below my signature. This is one method of sending "Suspicious Files" to McAfee Labs.
In addition, please make certain you select "Preferences" and fill in your email address before running the scan. You should then receive a notification from McAfee that said detections, if any, are being analyzed. Furthermore, given the appropriate amount of time for McAfee Labs to process, record the (Work Item #) and post back the (Work Item id-#), and generally someone will do their best to further assist you.
Just My personal Thoughts...
All the very best,
Thanks Cliff - I appreciate that should I actually encounter a suspicious or infected file I can submit it to McAfee for analysis, but I'm interested in the larger process, as I don't want to wait to experience a problem before I get protection, or even to wait until some other unfortunate McAfee customer hits an infected file before the process kicks off.
Thanks Jim - I can certainly understand your thoughts. I guess I failed to mention that, in addition to my (weekly) scheduled scan, I generally run the Getsusp Tool as well, just in case my RTS for some reason missed it.
Should it be the case that McAfee detected such as "Artemis!", then there is no need to send it via "Getsusp".
Then I would use the other method of submittal to inform McAfee of such, if I feel that it was safe. Having said all this... I am in full agreement with your statements.
All the very best,
To answer your original question.
The way McAfee Labs gather their knowledge and build their database is a trade secret, I'm afraid, so you won't find that sort of information anywhere. They don't even tell us how they do things.
They also have methods for manual submission of suspicious files and for appealing incorrect diagnoses as do all major A/V software makers.
Sorry, but that's about it!
I sincerely hope that you are wrong Peter - by which I mean I'm (obviously?) not looking for "Trade Secrets" but an indication of the processes in place that are used to monitor emerging threats and respond to them appropriately.
Surely that's not too much to ask of your AV vendor - "how do you protect me from emerging threats, and how can I easily tell if I'm protected against a threat I've seen mentioned?"
You can ask as you have done, and hope one of their staff answers here, but it's rare as these forums are mainly peer-to-peer support and I still think that discussion of their information gathering processes would not be fruitful.
Still interested in what others think the process involves or even how they think it should work.
Obviously a response from McAfee would possibly be more accurate and informative, so no harm in asking.
And at the end of the day it's nothing that a McAfee Salesman shouldn't expect to be asked I suppose by a prospective customer.
Well, these forums are really for discussion of McAfee products and the problems people have with them, and we are here to steer people in the best direction to obtain help with said products. Esoteric discussions about what may or may not go on behind corporate doors are really just speculation and belong perhaps in an independent forum, not one owned by Intel/McAfee.
You won't be successful in eliciting any information on how McAfee works anywhere here. In this insecure world where everyone is trying to cut each other's corporate throats, I doubt they would give anyone a 'guided tour' of what goes on behind the scenes.
What is already published on the labs main page and associated links is all the information they are likely to give. http://www.mcafee.com/us/mcafee-labs.aspx
Sorry to be the voice of doom, but you know as much as I do about the subject, believe me.
As Peter says, we don't share our inner workings (no vendor does), as that would only help hackers "game" the system. What I can tell you, though, which is sometimes missed, is that pretty much EVERY McAfee product acts like a sensor for our global threat intelligence. Every spam message, every URL with detected malware, every enterprise and consumer firewall, everything feeds back information to us, which our systems use to make better decisions regarding the unknowns.
And things don't have to be known bad for us to convict them - we have hardware which does static analysis, devices which "detonate" unknown files to see what they do etc.
The malware detections you get may have originated at a corporate firewall across the globe due to someone clicking a link in a spammy email, etc.
Add some thousands of researchers to the mix of our entire install base, plus all the honeypots and sharing agreements with other vendors, and you get pretty good coverage.
But - you've got to enable GTI - not doing so puts you really behind in terms of detection rates.