Is it just me or is the anti-spyware component sorely lacking?

I am constantly asked by our desktop team why McAfee isn't picking up malware that other third-party tools pick up successfully and remove. I don't have an answer for them. I was told that Artemis would help with detection rates, which it did for us. Unfortunately, they were always false positives and caused more alarm than it was worth.

So my question is, am I doing something wrong, or is the anti-spyware component to VSE (in my case it's 8.7) just a total piece of garbage? I'm a pretty huge McAfee fanboi, but this product seems to be pretty lackluster.

31 Replies

runcmd

Re: Is it just me or is the anti-spyware component sorely lacking?

Interesting... Our sales rep has been trying to sell us on the anti-spyware component. With "legitimate" spyware, are the problems you are having lack of detection, lack of cleanup, or both?

Re: Is it just me or is the anti-spyware component sorely lacking?

Generally both. I'm not saying that it never detects anything, but we often get machines that stop behaving normally only to find that they got crudded up with malware. You would expect the on-access scanning to protect against that, but many times it doesn't. Then if you run a scan, you have the expectation that everything is good, right? Well it's generally not. If you install a third party program like Super Anti-Spyware or Malwarebytes, you'll find all kinds of things that McAfee did not. It's incredibly frustrating, and a bit embarrassing as the admin of all of these products.

Artemis was supposed to alleviate much of this, but all I've seen from Artemis is a wagon full of false positives.

secured2k

Re: Is it just me or is the anti-spyware component sorely lacking?

The AntiSpyware detections are built into the normal antivirus DATs. The add-in module is mostly for added reporting and ePO configuration features.

Since McAfee is a widely known and used antivirus engine, malware authors modify their code in ways specifically designed not to be detected. Once McAfee gets a sample, they can add it to their database (DATs) but a lot of malware gets missed due to a format/wipe of the computer or some third party tool is used to delete the samples without it ever getting to McAfee AVERT.

Artemis is a method to help speed up the generic detections as if a sample in a honey pot or submission from another user is flagged as suspicious, all users with Artemis enabled can be proactively protected before the DAT update happens.

In VirusScan Enterprise, you have the option of setting additional rules that block key areas of the registry, files, or network connections. If these options are enabled properly, they can prevent most serious types of malware (rootkit/stealth) from ever working. Correct policies are the way to go to drastically reduce the chance of infection and outbreak. For example, limited user accounts, blocking (unsigned) drivers and driver installations, and restricting access to key registry areas like winlogon, appinit_Dlls, userinit, services, and safe mode entries will greatly reduce potential system-wide damage and allow for easy recovery in safe mode.

There are some limited functionality issues, but most programs and users don't need access to those key system areas anyway. Just be sure to disable that security (or make an exception) when doing software installs and system updates/patches.

Re: Is it just me or is the anti-spyware component sorely lacking?

All of the common-sense protections that you mentioned are wonderful in a pristine work environment where security takes precedence over everything else. Unfortunately I work in an environment that isn't pristine, and wasn't built with security in mind from the top down. The problem with using VSE to lock down all of the security areas that you mentioned is that it inadvertently causes other legitimate programs and daily functions to stop working properly. Locking things like that down often has unintended consequences that cause more problems than they solve.

I flatly reject the notion that McAfee isn't getting good malware samples just because they're McAfee - that's not my problem, nor should I have to put up with inferior malware protection because of it. Obviously other (much smaller) software companies are getting it right, there's no reason McAfee can't deliver an equal or superior product to the little guys.

Mal09

Re: Is it just me or is the anti-spyware component sorely lacking?

The Spyware component does actually detect more than the regular VSE does. The same DAT files are used, but some detections are suppressed from normal scans.

I also agree that it isn't the admin's problem if McAfee can't detect and clean certain spyware. If McAfee want to be in the anti-spyware business, then they should have a product that works well - or they should do what is commonly done and buy a competing product that has a great engine and integrate it.

I believe some of the issues are legal, some are just because McAfee seems to be late entering the game and others are based around the McAfee malware engines.

secured2k

Re: Is it just me or is the anti-spyware component sorely lacking?

Mal09 wrote:

The Spyware component does actually detect more than the regular VSE does. The same DAT files are used, but some detections are suppressed from normal scans.

...

There is no difference in detection capability with or without the AntiSpyware Module. Detections of Spyware use the same McAfee Engine. In VirusScan Enterprise 8.0i, you had to turn on the detection of PUPs. The ASE module added cookie and registry scanning. The idea was to have a specific antispyware product and maintain different DATs (AVV, PUP, and TROJAN DATs). McAfee abandoned the idea and integrated the detections into the AntiVirus + DATs (8.5i-8.7i). You should still have the option to disable or enable specific PUP detections in the Potentially Unwanted Program Policy.

Mal09

Re: Is it just me or is the anti-spyware component sorely lacking?

As William Warren posted later in this thread, there *are* detection differences between VSE 8.X and VSE 8.X with ASE. The DAT files are the same, but the detections are suppressed.

secured2k

Re: Is it just me or is the anti-spyware component sorely lacking?

As far as I know from experience, there are more detections of Potentially Unwanted Objects which usually seem to be registry entries and cookies. Despite what McAfee says about the detection of PUPs being more inclusive with the antispyware module, I have yet to see it detect more executable code than the normal VSE with all options selected in the PUPs policy.

On the other hand, one of the concerns I've brought up with McAfee AVERT recently was the ability to clean the registry better in the Engine: with these files being more evasive, it may be easier to stop/block/remove the registry entries that are pointing to these bad files. This is one of the bonus advantages of the ASE module and is done very well in other free antispyware programs. After all, if the registry entry that causes the program to start is removed, many malware programs cannot start even if their files are left on the computer.
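
The registry areas secured2k names earlier in the thread (Winlogon, AppInit_DLLs, Userinit) and the point made just above, that removing the autostart entry stops the malware even if its file is left behind, can be checked directly. The script below is an added example, not code from this thread or from any McAfee product: it walks those Winlogon/AppInit values plus the Run/RunOnce keys, resolves the binary each entry launches, and flags entries whose target is missing or carries no valid Authenticode signature. The `-RemoveDead` switch (an assumption about how you would act on a finding, previewable with `-WhatIf`) deletes Run/RunOnce values whose target file no longer exists. Services and SafeBoot keys are left out on purpose; their ImagePath and class-name formats need their own normalisation.

```powershell
<#
 Added example (not McAfee code): audit autostart registry locations and flag
 entries whose target binary is missing or unsigned. Key and value names are the
 standard Windows ones; -RemoveDead is this script's own convention.
#>
[CmdletBinding(SupportsShouldProcess)]
param([switch]$RemoveDead)

# Locations to audit. Name = inspect one value; no Name = inspect every value in the key.
# List = the value holds a comma/space separated list rather than one command line.
$locations = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit';     List = $true  },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';        List = $false },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows';  Name = 'AppInit_DLLs'; List = $true  },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';     Removable = $true },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'; Removable = $true },
    @{ Key = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';     Removable = $true }
)

function Resolve-ImagePath {
    # Pull the executable out of a command line ("C:\x\y.exe" /a  or  C:\x\y.exe /a) and
    # resolve bare names such as explorer.exe against System32 and %SystemRoot%.
    param([string]$CommandLine)
    $cl = $CommandLine.Trim()
    if (-not $cl) { return $null }
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        $cl = if ($end -gt 1) { $cl.Substring(1, $end - 1) } else { $cl.Trim('"') }
    } else {
        $cl = ($cl -split '\s+')[0]
    }
    $path = [Environment]::ExpandEnvironmentVariables($cl)
    if (-not [IO.Path]::IsPathRooted($path)) {
        foreach ($dir in @("$env:SystemRoot\System32", $env:SystemRoot)) {
            $candidate = Join-Path $dir $path
            if (Test-Path -LiteralPath $candidate) { return $candidate }
        }
    }
    return $path
}

function Get-TargetStatus {
    # empty: no target; missing: file gone (dead entry); unsigned: present but no valid signature
    param([string]$Path)
    if (-not $Path) { return 'empty' }
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return 'missing' }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -eq 'Valid') { return 'signed' } else { return 'unsigned' }
}

$findings = foreach ($loc in $locations) {
    if (-not (Test-Path -LiteralPath $loc.Key)) { continue }
    $props = Get-ItemProperty -LiteralPath $loc.Key
    # Either the one named value, or every value in the key minus PowerShell's PS* metadata
    $names = if ($loc.Name) { @($loc.Name) }
             else { @($props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' }) }
    foreach ($name in $names) {
        $data = [string]$props.$name
        # List values (Userinit, AppInit_DLLs) are split on commas/whitespace; quoted paths
        # containing spaces inside such lists are not handled here.
        $items = if ($loc.List) { @($data -split '[,\s]+' | Where-Object { $_ }) } else { @($data) }
        foreach ($item in $items) {
            $target = Resolve-ImagePath $item
            $status = Get-TargetStatus $target
            [pscustomobject]@{ Key = $loc.Key; Name = $name; Target = $target; Status = $status }
            if ($RemoveDead -and $loc.Removable -and $status -eq 'missing' -and
                $PSCmdlet.ShouldProcess("$($loc.Key)\$name", 'Remove dead autostart value')) {
                Remove-ItemProperty -LiteralPath $loc.Key -Name $name
            }
        }
    }
}

$findings | Sort-Object Status | Format-Table -AutoSize
```

Run it as-is to get the report; add `-RemoveDead -WhatIf` to see which Run/RunOnce values would be deleted, and drop `-WhatIf` (from an elevated prompt for the HKLM keys) to actually delete them. "unsigned" is a review queue, not a verdict: plenty of legitimate software ships unsigned, which is exactly the false-positive trade-off the thread is complaining about.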

PhilR

Re: Is it just me or is the anti-spyware component sorely lacking?

secured2k wrote:

Despite what McAfee says about the detection of PUPs being more inclusive with the antispyware module, I have yet to see it detect more executable code than the normal VSE with all options selected in the PUPs policy.

Nor have I.
On the other hand, one of the concerns I've brought up with McAfee AVERT recently was the ability to clean the registry better in the Engine: with these files being more evasive, it may be easier to stop/block/remove the registry entries that are pointing to these bad files. This is one of the bonus advantages of the ASE module and is done very well in other free antispyware programs. After all, if the registry entry that causes the program to start is removed, many malware programs cannot start even if their files are left on the computer.

So, what you're really saying is that the standard VSE is crap and you have to pay McAfee some extortionate fee for the Antispyware module to get it to do the (almost) right thing?

Folks, and McAfee, this "Antispyware" distinction really is a load of nonsense. Just provide all the features in the default program and be done with it. After all, they're already there in the program, all the Antispyware module does is unlock the features, for an extra fee.

Phil

Message was edited by: PhilR on 19/01/10 08:44:49 CST