Next version of McAfee VirusScan Enterprise product request
Prescan and access protection rules
In the past I have used the Prescan function with EPO on systems. The concept is nice. I wonder why they just don't incorporate the functionality of Prescan into the VirusScan product. We see more and more viruses (Vundo, for example) that McAfee detects but cannot remove because it cannot terminate. This leaves a person with a process of booting into safe mode and pausing the explorer.exe and winlogon.exe processes while initiating a virus scan, etc. This can be time consuming and difficult, and requires you to be at the computer. Prescan helps eliminate this. It would be nice for the user to be able to initiate a prescan from Windows in the event that VirusScan goes crazy trying to remove something and notifies them of a virus 7000 times. Even better for an EPO admin to do a one-click initiation of a prescan. Right now it is a bit cumbersome to create a task, change a policy, do a wake-up call, etc. to do this. I think the prescan ability built into the AV product itself with easy initiation would put McAfee one step above the rest. If I remember right, the Prescan product does not seem to have much put into it as far as development. It seemed that it would only run on 32-bit processors and would not run on any of our 64-bit processors (but running 32-bit Windows), but perhaps I am wrong on this statement.
The other thought regards Access Protection rules. This ability has been so useful to us; however, it could be simplified. My thought is to create a rule using all three access protection techniques: File/Folder, Reg Keys, and ports. An example: a rule called "New Fake Alert Virus" or "Prevent WebShots installation". The rule would consist of: block the following file or folder names, and block the following registry keys, and block port 25 traffic from the following exe. A grouped rule would be easier to manage than 5 different ones. Another item is in the file and folder protection: the ability to use a hash value rather than just a name would be nice. Many viruses have random name generators for the files, and users can bypass rules just by changing the folder location or file name. To be able to block on a hash value would greatly reduce this. I would like to see that hash feature in the unwanted programs section, where I can specify a file of my choice to be detected and deleted, too, for the same reason.
For anyone else that manages VirusScan Enterprise in a large environment with EPO, am I way off base or do you agree? Or did I not make my idea clear? I am curious to know.