Those who participated in the Beta can attest to the performance improvements. Meeting your expectation, though, may be a different thing altogether. VSE 8.8 is better overall, and in some scenarios it's way better.
I think this sums up 8.8 well
1. I hope in default mode, McAfee will be able to block the autorun feature from removable media.
2. I hope there is a defense to overcome and protect against attacks in hotspot areas.
3. Please increase the speed of the McAfee Engine, but I hope it will still be accurate.
4. I hope the McAfee VSE Engine and modules can be lighter so that they don't become a burden on my computer.
5. Hoping there is a sound when detecting a virus.
6. Please make your modules lighter when running, scanning and starting up.
7. Where is the address to download McAfee VSE 8.8?
8. What are the new features in McAfee VSE 8.8? Is it integrated with McAfee SiteAdvisor, McAfee AntiTheft and McAfee Artemis Technology?
The RTW of the VSE 8.8 release has been moved to January since we have identified a potential compatibility issue during installation with HIPS 8.0. Since this issue is very intermittent, further analysis is being done and the product will be posted once we have a resolution.

Message was edited by: William Warren on 12/30/10 11:36:47 AM CST
More important than the HIPS compatibility issue can be this:
McAfee is aware of a recently released attack tool (e.g., "Metasploit") that can be used to disable McAfee VirusScan Enterprise (VSE) software and insert a persistent backdoor. This is a complex payload attack that must be injected under another exploitable attack and requires administrative access to run. It will not kill the processes or insert the backdoor effectively if it is launched from reduced privileges.

McAfee has released DAT 6209 which detects the script used to trigger the tool. The DAT is available now via all auto-update mechanisms. McAfee continues to examine the threat for further remediation and other corrective measures.

For additional information, go to mysupport.mcafee.com and see KnowledgeBase article SB10014 at https://kc.mcafee.com/corporate/index?page=content&id=SB10014. McAfee will continue to post updates to this article as new information becomes available.
From SB10014 it's not clear if the latest build of VSE 8.8 is affected by this issue.
If not, then it will be nice to get it ASAP.
If 8.8 can be disabled/exclusions added the same way as current products, a fix should be included in the RTW version.

Message was edited by: psolinski on 12/30/10 8:22:58 PM CET
If anyone is under the illusion that the threat of exploit payloads (including those available and very easy to use in the metasploit framework) is limited just to a specific version of a specific vendor's anti-virus, I'm afraid to say that the situation is far worse than you can imagine.
McAfee's DAT update to detect a specific metasploit module is not going to save you/us/anyone. That module will surely be updated to repack the exploit in a way that McAfee (or any other AV vendor) is likely to miss. AV is typically only about 38% effective against real world threats.
I don't know the specifics of the McAfee disabling mechanism that the exploit mentioned uses, but a DAT update is unlikely to fix the issue systematically.
I doubt any of this would modulate 8.8's release one iota, as this ability for exploit code to evade and bypass AV has been the case for many years now. Host-based AV is at once a dead/failed technology, and yet a baseline we must have to possibly detect old exploits/code and for compliance purposes.
VirusScan Enterprise 8.8 will not be affected by this recently disclosed metasploit attack method (it uses thread injection). VSE 8.8 has improved self-protection mechanisms beyond that of VSE 8.7i, and consequently we're looking into moving that 8.8 code into 8.7i as a hotfix resolution; it's challenging to do though, and as yet we're not sure how long it'll take.
AV is typically only about 38% effective against real world threats.
Interesting figure. Does that come from somewhere authoritative?
Real world threats consist of malware we know of, and those that we do not know of.
VSE's signature updates released from McAfee Labs each day (more frequently if warranted) cater to those we know of. VSE comes with Access Protection and Buffer Overflow protection features to help our customers contend with those threats we do not know of, i.e. 0-day protection, meaning, you can have a protection layer in place well before signature updates are released.
If the sum of these features is 38% effective then I suggest the product is not being used to its potential.
FYI, discussion about the metasploit issue should be had in another thread.
I'm struggling to find specifically where the 38% number I latched onto is, but I will eventually unearth it. Any such numbers have to be viewed with suspicion, but suffice it to say, AV is not going to save you. Among my bookmarks, though, I could find similar figure ranges. I've chosen a free report (it happens to be for consumer AV) so everyone can see it, but I've seen the Corporate one as well:
Which summarizes the efficacy ranges of malware and exploits. And best I can tell, NSS Labs has as thorough and impartial a methodology as we have in this space.
Specifically, one sentence everyone should take as gospel in my experience: "And the notion that 'you're fine as long as you keep your AV updated' is completely false." And "Cybercriminals have between 25% - 97% chance of compromising your machine using exploits (depending on the product)." is accurate given my penetration testing experience.
AV won't save you. Regardless of vendor.
These number ranges echo my experience as a McAfee customer, but I'm certain my experience would be similar under any other vendor's wares in this space. AV is quite necessarily a reactive technology--your sales folks will admit that if pressed.
Those who don't believe haven't spent any time with a framework like Canvas or metasploit. In preparation for a presentation I was giving for user education, I tried a relatively recent PDF exploit in metasploit and compared a variety of repackers/encoders offered for it, and uploaded the results to VirusTotal for a comparative look at how AVs viewed the malicious PDF I'd created: Every major player in corporate AV failed to detect anything amiss, yet this was an exploit that, when opened in an Adobe Reader one version back, would provide a full meterpreter back door to the machine. Just 3 of 22 AV engines with current DATs even flagged it as suspicious. Among them, the lowly free Microsoft Security Essentials and 2 other AVs I'd not ever heard of in the corporate space.
I'm encouraged, however, to hear that McAfee researched the metasploit module in detail and baked in countermeasures against the _vulnerability_ it leverages rather than attempting to simply detect the signature of a set of known exploits.
The fact remains though, that there are necessary limitations to what an AV product running on the very machine that it's trying to protect (with a user possibly surfing the internet as an Administrator) is going to be able to see and prevent. It will remain vulnerable to being potentially disabled. Out of band monitoring such as hypervisor based AV engines that look at running virtual machines from an entirely different perspective, for instance, have a much better chance at remaining intact.
It's a hard problem, and despite the 0day protections VSE and others attempt to employ, for every countermeasure, attackers tend to find a measure to get around it.
AV is worthwhile and necessary, but for any readers that are using it and thinking the next version is going to be bulletproof, I'd simply suggest that they think that through a little further. AV evasion is the name of the exploit game and attackers are getting awfully good at it.