About 10 days ago a user in our company received an email from email@example.com with a upsxxxxx.zip file that contained a .exe file. Since I was testing McAfee Total Protection for Endpoint, I copied the zip file to the test laptop and scanned it for threats using McAfee, but it did not detect anything. I thought maybe the problem was with my DAT file. So I went and updated the Master Repository with ePO and forced the changes to go to the test laptop. After the update I verified that the laptop had the same DAT as the ePO on the server, and when I scanned the upsxxxxx.zip file again McAfee still did not detect anything. I continued to scan the upsxxxxx.zip for several days until today, when I scanned the upsxxxxx.zip and McAfee came up with the alert.
To be fair to McAfee, our current protection program (Symantec Endpoint Protection) did not detect the initial email that the user received either... so both programs failed. I am guessing that both companies did not have the right code to pick up the trojan contained within the upsxxxxx.zip. Maybe our DAT was not up to date, but I doubt that since all clients on our computer perform daily updates.
This is more of a thing for the McAfee Labs team than ePO, as it's about detection.
If you have the full name of the Trojan detected now, you can look it up via the Threat Library link here:
This would give you an idea of when McAfee first detected it and what requirements were necessary for detection and removal.
Failing that, you can also submit the sample file to McAfee through the 'submit a malware sample' link on the same web page.
Hopefully the response from McAfee Labs should answer your questions.
Don't forget to submit a sample to virustotal.com and on webimmune.net.
If McAfee has an extra.dat for it, it will be available for download on webimmune.net after your sample's been scanned.
There are literally thousands of new pieces of malware created every day, so there will be times where something is so new it won't be included in the current DATs. Our Artemis technology does close the detection gaps in many cases. Please submit a sample of the file to http://www.webimmune.net and let us know the analysis ID number you are sent.
Sam
Message was edited by: Samantha Price on 3/11/10 8:40:35 AM CST
Maybe I posted this under the wrong forum (administrator, please move the topic to the correct forum if possible)... but I thought that a system like McAfee is supposed to protect from known threats and kind of block future attacks based on detection algorithms, etc. I was testing McAfee to see if we need to switch from Symantec, but now I am not sure if I should switch and go through all the trouble of switching and spending 10 to 20 grand.
Here is the info about the threat found.
We can work out the cause if you submit the sample as Sam suggests.
When it comes to malware detection, the detail is everything.
It'll help if you know which DAT version was first to detect, or which was the last not to detect (same thing really).
I am assuming the AV-Engine version and product scanner settings are constant across this, as they would be a factor too.
Looks like this has been moved off to the right forum now.
Handing it over to those who specialise in this field...
We do of course detect all the threats we know about, and as I mentioned our Artemis technology does proactively protect our customers against many, many new threats (we have around 20 million signatures in the cloud). Additionally, our heuristic capabilities within the DATs can identify and remove new threats. However, no AV vendor in the world is going to offer you 100% detection and cleaning given that the malware writers continually churn out new files and new techniques to try and stay under the radar. Gone are the days of just 'script kiddies' writing bad stuff just for the hell of it - the malware writers of today are in business to make money, and the type of threat that we are talking about is created purely to con customers out of their hard-earned money.
I am sure when you are considering AV vendors that the outcome of any decision you take will not be based on one file. However, if you would like to provide me with the MD5 of the file, or a sample ID, I can investigate if Artemis had detection for it, should you be interested.
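Several replies above ask the poster for the MD5 of the file or a sample ID. The script below is an added example (not code from this thread or from McAfee) of how a defender can produce those hashes for a suspicious archive like the upsxxxxx.zip described here, without extracting it to disk or running anything: it hashes the archive and each member with MD5 and SHA-256, and flags members that carry an executable extension or start with the `MZ` header of a Windows executable. It uses only the Python 3 standard library; the sample zip and its file names are constructed inside the script and contain no real malware.

```python
"""Hash a suspicious zip and its members for malware-sample lookup or submission.

Added example for this thread, not McAfee code. The archive built in
build_sample_zip() is a constructed stand-in for the upsxxxxx.zip mentioned
above; the member names and contents are invented.
"""
import hashlib
import io
import posixpath
import zipfile

# Extensions Windows will run directly from a double-click (common lure payloads).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def hash_bytes(data: bytes) -> dict:
    """Return MD5 and SHA-256 hex digests for a byte string (MD5 for vendor lookups)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def inspect_zip(zip_bytes: bytes) -> dict:
    """Hash the archive and every member; flag members that look executable.

    Members are read into memory only; nothing is written to disk or executed.
    """
    report = {"archive": hash_bytes(zip_bytes), "members": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            ext = posixpath.splitext(info.filename)[1].lower()
            entry = {
                "name": info.filename,
                "size": len(data),
                "executable_ext": ext in EXECUTABLE_EXTENSIONS,
                "mz_header": data[:2] == b"MZ",  # DOS/PE executable magic bytes
            }
            entry.update(hash_bytes(data))
            report["members"].append(entry)
    return report


def build_sample_zip() -> bytes:
    """Construct a harmless stand-in for the suspicious zip (not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # A fake PE: only the MZ magic plus filler, not a runnable program.
        zf.writestr("UPS_invoice_12345.exe", b"MZ" + b"\x00" * 62 + b"not a real program")
        zf.writestr("readme.txt", b"Your parcel could not be delivered.")
    return buf.getvalue()


def summarize(report: dict) -> list:
    """Format one line per member, suitable for pasting into a vendor ticket."""
    a = report["archive"]
    lines = [f"archive    md5={a['md5']} sha256={a['sha256']}"]
    for m in report["members"]:
        flag = "EXECUTABLE" if (m["executable_ext"] or m["mz_header"]) else "data"
        lines.append(
            f"{flag:10} {m['name']} size={m['size']} md5={m['md5']} sha256={m['sha256']}"
        )
    return lines


if __name__ == "__main__":
    for line in summarize(inspect_zip(build_sample_zip())):
        print(line)
```

To use it on a real sample, pass the bytes of the quarantined archive to `inspect_zip` instead of `build_sample_zip()`; the inner executable's hashes are the ones a vendor will want, since the zip's own hash changes with every re-packing of the same payload.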
What kind of data do you need from me? I am willing to provide as much data as possible to see if McAfee failed or if I failed in setting up McAfee. A few weeks back I downloaded McAfee Total Protection for Endpoint, installed it on a Win2003 server and released it to one laptop so that I could test. Like I said before, McAfee did not detect the threat until earlier this week on my laptop.
Please let me know what you need and where to locate the info, just in case it is something I am not familiar with.
I registered with webimmune and am waiting for the confirmation email.
Message was edited by: John K on 3/11/10 9:40:21 AM CST
Message was edited by: John K on 3/11/10 9:54:58 AM CST