I just wanted to state we will NOT be turning GTI back on any time soon. I find the "It no longer is necessary to disable Artemis/GTI FileReputation" response from the SNS to be hard to swallow as well.
Exactly what happened?
How did it happen?
How has it been fixed?
Most importantly, what is being done to prevent this from happening again?
Until all of those items are answered I don't feel we can trust the McAfee GTI system anymore. If all it takes is 1 simple Artemis mistake to bring all of our systems to their knees, there need to be much better checks and validations to prevent this from happening again.
Well said. Confidence in this file reputation system (which granted, is in theory a useful thing no doubt) will be shaken until we get appropriate disclosure of what went on here, what architectural lessons have been learned, and what's been done to fix it.
That it's not a DAT issue is irrelevant -- something else in the chain led to a death by security controls.
I trust that McAfee knows that they owe their customers a rather complete description of what happened and what steps they're taking to ensure it won't happen again.
I fully agree with everything being said above. I personally am hesitant to turn GTI back on until we get the full details about what happened exactly from McAfee. What I don't understand is if there was a server outage, why wouldn't this system fail open so that nothing being sent in is deleted, rather than legitimate files being deleted. We saw HIPS DLL files being deleted in our environment. To me, that's ridiculous that McAfee doesn't seem to have the hashes of their own products on some kind of white list.
Was this some kind of attack on the GTI databases? Imagine the kind of havoc some injection of hashes could cause.
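The post above asks why a reputation lookup did not fail open during a backend outage and why a vendor's own binaries were not on an allowlist. The following is an added example, not code from this thread or from McAfee, that models those two safeguards in a toy reputation client: the allowlist is consulted before any remote lookup, an unreachable backend yields an "unknown" verdict rather than a destructive one, and a malicious verdict leads to reversible quarantine rather than deletion. A fail-closed variant is included for contrast. All hashes, file contents and the simulated backend are constructed for the illustration.

```python
"""Added example: a toy file-reputation client with fail-open and allowlist safeguards.
Everything here (file bytes, hashes, the backend dict) is constructed; nothing is
taken from a real product or a real reputation service."""
import hashlib
from enum import Enum


class Verdict(Enum):
    CLEAN = "clean"
    MALICIOUS = "malicious"
    UNKNOWN = "unknown"  # no data, or the backend could not be reached


class BackendUnavailable(Exception):
    """Raised when the simulated cloud reputation service cannot be reached."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample files standing in for a vendor's own shipped component,
# an ordinary third-party program, and a known-bad sample.
VENDOR_DLL = b"constructed bytes of a vendor hips component"
THIRD_PARTY_APP = b"constructed bytes of a line-of-business application"
KNOWN_BAD = b"constructed bytes of a known malicious sample"

# Local allowlist of the vendor's own binaries, checked before any remote lookup.
VENDOR_ALLOWLIST = {sha256_hex(VENDOR_DLL)}

# Simulated backend database: hash -> verdict. Anything absent is UNKNOWN.
BACKEND_DB = {sha256_hex(KNOWN_BAD): Verdict.MALICIOUS}


def lookup_reputation(file_hash: str, backend: dict, available: bool) -> Verdict:
    """Query the simulated reputation service; raise if it is down."""
    if not available:
        raise BackendUnavailable("reputation service unreachable")
    return backend.get(file_hash, Verdict.UNKNOWN)


def decide_fail_open(data: bytes, backend: dict, available: bool) -> str:
    """Return 'allow' or 'quarantine'. Outages and unknowns never remove files."""
    file_hash = sha256_hex(data)
    # 1. The local allowlist wins before any network call or destructive step.
    if file_hash in VENDOR_ALLOWLIST:
        return "allow"
    # 2. Fail open: an outage degrades to UNKNOWN instead of a verdict.
    try:
        verdict = lookup_reputation(file_hash, backend, available)
    except BackendUnavailable:
        verdict = Verdict.UNKNOWN
    # 3. Only a positive MALICIOUS verdict acts, and the action is reversible.
    if verdict is Verdict.MALICIOUS:
        return "quarantine"
    return "allow"


def decide_fail_closed(data: bytes, backend: dict, available: bool) -> str:
    """Contrast case: treats any outage or unknown as hostile and deletes.
    This is the behaviour the thread is complaining about, shown for comparison."""
    file_hash = sha256_hex(data)
    try:
        verdict = lookup_reputation(file_hash, backend, available)
    except BackendUnavailable:
        verdict = Verdict.UNKNOWN
    if verdict is Verdict.CLEAN:
        return "allow"
    return "delete"  # UNKNOWN collapses into the destructive branch


if __name__ == "__main__":
    for label, blob in (("vendor dll", VENDOR_DLL), ("app", THIRD_PARTY_APP), ("bad", KNOWN_BAD)):
        print(label, "backend down:", decide_fail_open(blob, BACKEND_DB, False),
              "| fail-closed:", decide_fail_closed(blob, BACKEND_DB, False))
```

The contrast makes the failure mode concrete: with the backend down, the fail-closed policy deletes the vendor's own component and the line-of-business application alike, while the fail-open policy touches nothing and still quarantines the known-bad sample once the backend is reachable again. In a real product the allowlist would be backed by code-signing checks rather than a bare hash set; that is an assumption of this toy, not a claim about any vendor's implementation.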
To add to that I find it extremely troubling that the burden was put on the customer to disable things in their environment, and that it wasn't until later that they finally pulled the plug at their end. I want an explanation as to why the customer was left to deal with it. Similar to last summer's McAfee screw-up related to Certificates we again get a tool for use that leaves no results in ePO itself that can be checked for efficacy. If I have to verify things client side, then it rather defeats the point of a console to begin with.
For us this was the final straw; we've informed McAfee they will not be renewed, enough is enough. I've been to the San Jose headquarters and heard promises from a number of key people in the organization. I don't put much stock in anything they say, their track record simply doesn't back it up.
I think the bigger question to ask is "Why should I trust McAfee?", for me it's a very simple answer "I cannot." Message was edited by: gtjayg on 8/1/13 1:02:32 PM CDT
Hard to believe this: the medicine was worse than the illness, or put another way: the antivirus was worse than the virus itself.
Security vendors need a reminder from time to time of the A being one third of the CIA triad.
This is a colossal pooch screw no doubt, and I have confidence McAfee is clueful enough to make some changes in how GTI servers fail "safe." And for all the awfulness, their response has been pretty decent. But man, what a mess indeed. As I've seen someone say "death by security controls!"
Made an account here to bump this. I want a full explanation as well. Lost production software on one machine, and another 2 programs were deleted from 2 other users' computers. Luckily most people in our company had gone home for the day and it was isolated to the people staying late in the office.
It's fun telling them the anti-virus software that is supposed to be protecting them actually deleted the programs and I have no idea why /sarcasmoff.