Level 12
Message 51 of 85

Re: VirusScan 8.8

wwarren wrote:

Those who participated in the Beta can attest to the performance improvements. Meeting your expectation, though, may be a different thing altogether. VSE 8.8 is better overall, and in some scenarios it's way better.

I think this sums up 8.8 well

Level 7
Message 52 of 85

Re: VirusScan 8.8

1. I hope that in default mode, McAfee will be able to block the autorun feature from removable media.

2. I hope there is a defense to overcome and protect against attacks in hotspot areas.

3. Please increase the speed of the McAfee Engine, but I hope it will still be accurate.

4. I hope the McAfee VSE Engine and modules can be lighter so that they don't become a burden on my computer.

5. Hoping there is a sound when detecting a virus.

6. Please make your modules lighter when running, scanning and at startup.

7. Where is the address to download McAfee VSE 8.8?

8. What are the new features in McAfee VSE 8.8? Is it integrated with McAfee SiteAdvisor, McAfee AntiTheft and McAfee Artemis Technology?


Re: VirusScan 8.8

I really hope it will be posted today

McAfee Employee
Message 54 of 85

Re: VirusScan 8.8

The RTW of the VSE 8.8 release has been moved to January, since we have identified a potential compatibility issue during installation with HIPS 8.0. Since this issue is very intermittent, further analysis is being done and the product will be posted once we have a resolution.

Message was edited by: William Warren on 12/30/10 11:36:47 AM CST
William W. Warren | S.I.R.R. | Customer Success Group | McAfee
Level 7
Message 55 of 85

Re: VirusScan 8.8

I think there are more users suffering poor VSE performance than users with HIPS 8.0 installed, since it is brand new.

It would have been great to take a look at the end of December...


Re: VirusScan 8.8

More important than the HIPS compatibility issue can be this:

McAfee is aware of a recently released attack tool (e.g., “Metasploit”) that can be used to disable McAfee VirusScan Enterprise (VSE) software and insert a persistent backdoor. This is a complex payload attack that must be injected under another exploitable attack and requires administrative access to run. It will not kill the processes or insert the backdoor effectively if it is launched from reduced privileges.

McAfee has released DAT 6209 which detects the script used to trigger the tool. The DAT is available now via all auto-update mechanisms. McAfee continues to examine the threat for further remediation and other corrective measures.

For additional information, go to mysupport.mcafee.com and see KnowledgeBase article SB10014 at https://kc.mcafee.com/corporate/index?page=content&id=SB10014. McAfee will continue to post updates to this article as new information becomes available.

From SB10014 it's not clear if the latest build of VSE 8.8 is affected by this issue.

If not, then it will be nice to get it ASAP.

If 8.8 can be disabled or have exclusions added the same way as the current products, a fix should be included in the RTW version.

Message was edited by: psolinski on 12/30/10 8:22:58 PM CET
Level 12
Message 57 of 85

Re: VirusScan 8.8

If anyone is under the illusion that the threat of exploit payloads (including those available and very easy to use in the Metasploit framework) is limited just to a specific version of a specific vendor's anti-virus, I'm afraid to say that the situation is far worse than you can imagine.

McAfee's DAT update to detect a specific Metasploit module is not going to save you/us/anyone. That module will surely be updated to repack the exploit in a way that McAfee (or any other AV vendor) is likely to miss. AV is typically only about 38% effective against real world threats.

I don't know the specifics of the McAfee disabling mechanism that the exploit mentioned uses, but a DAT update is unlikely to fix the issue systematically.

I doubt any of this would modulate 8.8's release one iota, as this ability for exploit code to evade and bypass AV has been the case for many years now. Host-based AV is at once a dead/failed technology, and yet a baseline we must have to possibly detect old exploits/code and for compliance purposes.

McAfee Employee
Message 58 of 85

Re: VirusScan 8.8

VirusScan Enterprise 8.8 will not be affected by this recently disclosed Metasploit attack method (it uses thread injection). VSE 8.8 has improved self-protection mechanisms beyond that of VSE 8.7i, and consequently we're looking into moving that 8.8 code into 8.7i as a hotfix resolution; it's challenging to do though, and as yet we're not sure how long it'll take.

AV is typically only about 38% effective against real world threats.

Interesting figure. Does that come from somewhere authoritative?

Real world threats consist of malware we know of, and those that we do not know of.

VSE's signature updates released from McAfee Labs each day (more frequently if warranted) cater to those we know of. VSE comes with Access Protection and Buffer Overflow protection features to help our customers contend with those threats we do not know of, i.e. 0-day protection, meaning, you can have a protection layer in place well before signature updates are released.

If the sum of these features is 38% effective then I suggest the product is not being used to its potential.
FYI, discussion about the metasploit issue should be had in another thread.

William W. Warren | S.I.R.R. | Customer Success Group | McAfee
Level 12
Message 59 of 85

AV is only part of exploit prevention (was: Re: VirusScan 8.8)

I'm struggling to find specifically where the 38% number I latched onto is, but I will eventually unearth it. Any such numbers have to be viewed with suspicion, but suffice it to say, AV is not going to save you. Among my bookmarks, though, I could find similar figure ranges. I've chosen a free report (it happens to be for consumer AV) so everyone can see, but I've seen the Corporate one as well:

http://www.nsslabs.com/research/endpoint-security/anti-malware/consumer-anti-malware-products:-group...

http://www.nsslabs.com/assets/noreg-reports/NSS%20Labs%20Consumer%20Antimalware%20Group%20Test%20Q3%...

Which summarizes the efficacy ranges of malware and exploits.  And best I can tell, NSS Labs has as thorough and impartial a methodology as we have in this space.

Specifically, one sentence everyone should take as gospel in my experience: "And the notion that 'you're fine as long as you keep your AV updated' is completely false." And "Cybercriminals have between 25% - 97% chance of compromising your machine using exploits (depending on the product)." is accurate given my penetration testing experience.

AV won't save you. Regardless of vendor.

These number ranges echo my experience as a McAfee customer, but I'm certain my experience would be similar under any other vendor's wares in this space. AV is quite necessarily a reactive technology; your sales folks will admit that if pressed.

Those who don't believe haven't spent any time with a framework like Canvas or Metasploit. In preparation for a presentation I was giving for user education, I tried a relatively recent PDF exploit in Metasploit and compared a variety of repackers/encoders offered for it, and uploaded the results to VirusTotal for a comparative look at how AVs viewed the malicious PDF I'd created: every major player in corporate AV failed to detect anything amiss, yet this was an exploit that, when opened in an Adobe Reader one version back, would provide a full Meterpreter back door to the machine. Just 3 of 22 AV engines with current DATs even flagged it as suspicious. Among them, the lowly free Microsoft Security Essentials and 2 other AVs I'd not ever heard of in the corporate space.

I'm encouraged, however to hear that McAfee researched the metasploit module in detail and baked in countermeasures against the _vulnerability_ it leverages rather than attempting to simply detect the signature of a set of known exploits.

The fact remains though, that there are necessary limitations to what an AV product running on the very machine that it's trying to protect (with a user possibly surfing the internet as an Administrator) is going to be able to see and prevent.  It will remain vulnerable to being potentially disabled.   Out of band monitoring such as hypervisor based AV engines that look at running virtual machines from an entirely different perspective, for instance, have a much better chance at remaining intact.

It's a hard problem, and despite the 0-day protections VSE and others attempt to employ, for every countermeasure, attackers tend to find a measure to get around it.

AV is worthwhile and necessary, but for any readers that are using it and thinking the next version is going to be bulletproof, I'd simply suggest that they think that through a little further.  AV evasion is the name of the exploit game and attackers are getting awfully good at it.
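As an added illustration of two points raised in this thread, not code from the thread, from McAfee or from the Metasploit project: the claim that a DAT written for one exploit module stops matching as soon as the module is re-encoded, and the encoder comparison described in the PDF experiment above. A toy static signature scanner is run against a constructed placeholder payload, with a repeating-key XOR packer standing in for a Metasploit encoder. The payload bytes, the signature name and the packing format are all made up for this example.

```python
"""
Toy demonstration of why a byte signature ("DAT") for one exploit module
stops matching once the module is re-encoded, while the decoded payload
remains identical at run time.

Added example. The payload, signature and packing format are constructed
stand-ins; the XOR packer plays the role of a Metasploit encoder and
unpack() plays the role of the decoder stub a real encoder prepends.
"""
from __future__ import annotations

import os

# Constructed stand-in for a payload a vendor has already written a signature for.
KNOWN_PAYLOAD = b"EXAMPLE-PAYLOAD: disable-av; drop-backdoor"

# Constructed signature table: a distinctive substring of the known payload,
# which is roughly how a static byte signature behaves.
SIGNATURES = {
    "Example/DisableAV.a": b"disable-av; drop-backdoor",
}


def scan(blob: bytes) -> list[str]:
    """Return the names of all signatures whose byte pattern occurs in blob."""
    return [name for name, pattern in SIGNATURES.items() if pattern in blob]


def xor_encode(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key is the identity."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack(payload: bytes, key: bytes) -> bytes:
    """Build an encoded artifact: one byte of key length, the key, then ciphertext.

    The key ships in the clear, as a real decoder stub embeds it. The aim is
    evading a static pattern match, not confidentiality.
    """
    if not 1 <= len(key) <= 255:
        raise ValueError("key length must fit in one byte")
    return bytes([len(key)]) + key + xor_encode(payload, key)


def unpack(artifact: bytes) -> bytes:
    """Decoder stub: recover the original payload bytes at 'run time'."""
    key_len = artifact[0]
    key = artifact[1 : 1 + key_len]
    return xor_encode(artifact[1 + key_len :], key)


def static_scan_survives_reencoding(payload: bytes, trials: int = 5) -> dict:
    """Re-encode the same payload with fresh random keys.

    Reports how many variants the static signature still catches on disk,
    how many it catches after decoding, and how many still decode to the
    identical original payload.
    """
    caught_on_disk = caught_decoded = intact = 0
    for _ in range(trials):
        artifact = pack(payload, os.urandom(8))
        decoded = unpack(artifact)
        caught_on_disk += bool(scan(artifact))
        caught_decoded += bool(scan(decoded))
        intact += decoded == payload
    return {
        "trials": trials,
        "caught_on_disk": caught_on_disk,
        "caught_after_decode": caught_decoded,
        "payload_intact": intact,
    }


if __name__ == "__main__":
    print("plain payload hits:", scan(KNOWN_PAYLOAD))
    print(static_scan_survives_reencoding(KNOWN_PAYLOAD))
```

Every re-encoded variant produces zero on-disk signature hits while still decoding to the identical payload, and the same scan() applied to the decoded bytes catches it every time. That gap between the artifact on disk and the bytes that actually execute is what runtime controls such as Access Protection and Buffer Overflow protection are meant to cover, and why a DAT for one module's current encoding is not a systematic fix.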

Level 7
Message 60 of 85

Re: AV is only part of exploit prevention (was: Re: VirusScan 8.8)
