Former Member
Message 1 of 4

NSP Virus Coverage

I think NSP is not intended for virus detection, but in my field experience with version 5.1 I saw virus detection events many times in the Threat Analyzer. Now, with the integration of Artemis, it is supposed to detect malware over HTTP traffic.

The question is: what is the virus/malware library that NSP can detect with, with and without Artemis?

3 Replies
hschupp (McAfee Employee)
Message 2 of 4

Re: NSP Virus Coverage

Good day -

The Network Security Platform still does not act like, nor detect virus activity like, an AV product does.

What the sensor will detect are activities (use of certain or combined exploit attempts, scans, communications, etc.) that are indicative of malicious activity. There are some very well-known and/or unique combinations that have been 'labelled' as a particular type of virus in the names of the alerts, but even these are simply saying that "this activity seen is highly indicative of Code Red", or "Nimda", etc. While there are some that can be strictly tied to a particular virus, worm, or trojan... primarily the Sensor is detecting the ACTIVITY of those rather than the malicious executable itself.

This is valuable and USABLE information in stopping the initial infection and in halting the spread of the virus, since we stop its activities on the network. But in most cases we are detecting and stopping the activity rather than the infection itself.

As for Malware (Artemis)... it works by comparing attachments in the traffic: whenever it sees a file being downloaded it takes a hash of the file and compares it to a library of previously known/suspect malicious files that have been recorded into the Artemis cloud. If the file matches a hash for another file in the Artemis cloud it will simply drop the attachment. Artemis is large and has so many feeds that once a file anywhere has been identified as malicious and has been added to the Artemis "DB", it will then respond with that information to any other client sending that hash. This is a constantly live update and there is no "list" - it would consist of millions of hashes if there were.

If you wish to find a list of the signatures that deal with Virus, Trojan, BOT, Exploit, and Backdoor activity, then open up the All-Inclusive with Audit policy and go to advanced search. Search for those exact terms and you will find a little over 300 related signatures.

Henry "Hank" Schupp
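The hash-match step described in the reply above, as an added illustration that is not part of the original post or of the NSP/Artemis product: a downloaded file is hashed and the digest is looked up in a reputation set. The reputation set, the HTTP responses and the "known bad" bytes are all constructed for the example; the second sample shows the inherent limit of exact hash matching, since a file that differs by a single byte gets a different digest and is allowed until its own hash has been recorded.

```python
import hashlib

# Constructed stand-in for the cloud reputation lookup: a set of SHA-256
# digests of files already recorded as malicious. A real deployment queries a
# live service; these digests are made up for the example.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"MZ...constructed-bad-sample-1").hexdigest(),
    hashlib.sha256(b"MZ...constructed-bad-sample-2").hexdigest(),
}


def extract_body(http_response: bytes) -> bytes:
    """Return the body of a raw HTTP/1.1 response (headers end at the first blank line)."""
    _head, sep, body = http_response.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("malformed response: no header/body separator")
    return body


def classify_download(http_response: bytes, reputation=KNOWN_BAD_SHA256) -> dict:
    """Hash the downloaded file and look the digest up in the reputation set.

    Returns the digest and a verdict: "drop" when the digest is known bad,
    otherwise "allow". Only an exact match is caught, which is the point the
    second sample below demonstrates.
    """
    body = extract_body(http_response)
    digest = hashlib.sha256(body).hexdigest()
    verdict = "drop" if digest in reputation else "allow"
    return {"sha256": digest, "verdict": verdict}


# Constructed sample traffic: a download of a known-bad file, and the same
# download with the last byte of the file changed.
BAD_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"\r\n"
    b"MZ...constructed-bad-sample-1"
)
MODIFIED_RESPONSE = BAD_RESPONSE[:-1] + b"X"

if __name__ == "__main__":
    for label, resp in (("known bad", BAD_RESPONSE), ("one byte changed", MODIFIED_RESPONSE)):
        result = classify_download(resp)
        print(f"{label}: sha256={result['sha256'][:16]}... verdict={result['verdict']}")
```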
Former Member
Message 3 of 4

Re: NSP Virus Coverage

I think the most related are the signatures starting with WORM:

The others are signatures to detect network payload vulnerabilities that can potentially be caused by a virus, worm, etc.

hschupp (McAfee Employee)
Message 4 of 4

Re: NSP Virus Coverage

I agree with that. I left out the search term "Worm", which is what takes the count to a bit over 300.

Henry "Hank" Schupp