Re: GAM 2014.2 BETA

OK, here is something I do not understand. You wrote you have better grey detection in GAM 2014.2.

So I expect findings should be the same....

Will you please verify this link?

http://www.symbiansoftware.us/search.jsp?cx=partner-pub-2686785568490234%3Al982il-1wfl&cof=FORID%3A1...

Using our productive proxy I receive: McAfeeGW: JS/Exploit-Blacole.lj

The new GAM does not find anything....

The file contains a link to http://79.96.228.215/!rodzinka/LZ6427Dm.php?id=13419783 and this is definitely a link you should not visit... 🙂


In the attachment you will find the file I received after visiting the link.


Regards

Frank

MSchneider (McAfee Employee), Message 12 of 25

Re: GAM 2014.2 BETA

Hi Frank,

Afaict, the jsp is sane so far apart from the redirect to the malware.

The below is likely why you get no conviction now. Can you access the payload from your company?

[attachment: malware.png]

thanks,

Michael

Michael Schneider
Lead Product Manager for Web Protection
(•‿•)
Troja (Reliable Contributor), Message 13 of 25

Re: GAM 2014.2 BETA

Hi,

the JSP file is also included in the regular DAT file on endpoint.

[attachment: blackole.jpg]

Cheers

Extended the GAM test to the whole company. Actually we see no problem, or no problem was reported to me. 🙂

MSchneider (McAfee Employee), Message 14 of 25

Re: GAM 2014.2 BETA

Thanks for the info, Thorsten!

Michael Schneider
Lead Product Manager for Web Protection
(•‿•)

Re: GAM 2014.2 BETA

New Question:

The following Link:

http://dde.s.bdirectdownload-about.com/36/942/ct9425736/9dd24fe94ffb4209b1f6d39e34f9bb38/Downloads/P...

is detected as PUP by the current engine.

The new GAM detects nothing...

and VirusTotal.... (without any comment)

AVG: Generic.834 (20150209)
AVware: Trojan.Win32.Generic!BT (20150209)
Ad-Aware: Application.Generic.1105675 (20150209)
Antiy-AVL: GrayWare[WebToolbar:not-a-virus]/Win32.Agent.avw (20150209)
Avast: Win32:Adware-BRM [PUP] (20150209)
Baidu-International: PUA.Win32.ClientConnect.A (20150209)
BitDefender: Application.Generic.1105675 (20150209)
DrWeb: Adware.Conduit.87 (20150209)
ESET-NOD32: a variant of Win32/ClientConnect.A potentially unwanted (20150209)
F-Secure: Application.Generic.1105675 (20150209)
GData: Application.Generic.1105675 (20150209)
K7AntiVirus: Trojan ( 0049ef011 ) (20150209)
K7GW: Trojan ( 0049ef011 ) (20150209)
Kaspersky: not-a-virus:WebToolbar.Win32.Agent.avw (20150209)
Malwarebytes: PUP.Optional.ClientConnect (20150209)
MicroWorld-eScan: Application.Generic.1105675 (20150209)
NANO-Antivirus: Trojan.Win32.ClientConnect.deinfe (20150209)
Qihoo-360: Win32/Virus.WebToolbar.8f1 (20150209)
TrendMicro-HouseCall: Suspici.83CCD372 (20150209)
VIPRE: Trojan.Win32.Generic!BT (20150209)
Zillya: Adware.Agent.Win32.40487 (20150209)
McAfee: (20150209)
McAfee-GW-Edition: (20150209)
MSchneider (McAfee Employee), Message 16 of 25

Re: GAM 2014.2 BETA

Hi Frank,

The transferred file contained a virus and was therefore blocked.  URL:

http://dde.s.bdirectdownload-about.com/36/942/ct9425736/9dd24fe94ffb4209b1f6d39e34f9bb38/Downloads/P...
Media Type: application/executable, application/x-nsis-installer
Virus Name: McAfeeGW: Artemis

So we catch that with Artemis.

Michael Schneider
Lead Product Manager for Web Protection
(•‿•)

Re: GAM 2014.2 BETA

But why did VirusTotal not detect the malware using the MWG engine?

Now I can see the site is rated as malicious.... (it was unrated this morning). Also the GAM now detects the object....

Is there a process where MC checks VirusTotal findings? 🙂

This is with all objects I've tested here. I tested a few untested findings a few minutes ago (also findings from yesterday), and there I have the same result: GAM did not find anything. VirusTotal has findings from 5-8 different virus engines.

Re: GAM 2014.2 BETA

Ok here is the next one....

http://dl2.vip0installer.com/download/Base/450233/candide/java.exe

Site is uncategorized by McAfee

Using VirusTotal:

BitDefender: Malware site
Trustwave: Malicious site

Java.exe

is PUP using the current engine

Nothing using the new GAM

(

URL: http://dl2.vip0installer.com/download/Base/450233/candide/java.exe

Media Type: application/executable /

WebSite Reputation: Unverified (16)

WebSite Category:

Avira Version: Avira-Engine=8.3.28.16|Avira-VDF=7.11.209.128|Avira-Savapi=1.5.0.34

McAfee Version: AM-DAT=3516|AM-Engine=7001.1402.1890|MFE-DAT=7708|MFE-Engine=5700|Avira-Engine=8.3.28.16|Avira-VDF=7.11.209.128|Avira-Savapi=1.5.0.34

MGAM Version: AM-DAT=3516|AM-Engine=7001.1402.1890|MFE-DAT=7708|MFE-Engine=5700

)


Chrome Browser said "Potential Malicious"

and VirusTotal:

AVG: Generic.742 (20150211)
AVware: InstallIQ Installer (fs) (20150211)
Antiy-AVL: RiskWare[Downloader:not-a-virus]/NSIS.Agent (20150211)
Avast: Win32:Adware-gen [Adw] (20150211)
Avira: APPL/InstallIQ.Gen4 (20150211)
Bkav: W32.HfsAdware.D906 (20150210)
Comodo: Application.Win32.InstallIQ.B (20150211)
DrWeb: Adware.Downware.9715 (20150211)
ESET-NOD32: a variant of Win32/InstallIQ.A potentially unwanted (20150211)
Fortinet: Riskware/Agent (20150211)
GData: Win32.Application.InstallIQ.F (20150211)
K7AntiVirus: Unwanted-Program ( 0040f9a91 ) (20150210)
K7GW: Unwanted-Program ( 0040f9a91 ) (20150211)
Kaspersky: not-a-virus:Downloader.NSIS.Agent.ij (20150211)
Malwarebytes: PUP.Optional.SafeInstall.A (20150211)
McAfee: Artemis!63DFF2821B8E (20150211)
McAfee-GW-Edition: Artemis (20150210)
NANO-Antivirus: Riskware.Win32.Searcher.csnymk (20150211)
Panda: Generic Suspicious (20150210)
Qihoo-360: HEUR/QVM41.1.Malware.Gen (20150211)
Sophos: InstallQ (20150211)
TrendMicro-HouseCall: Suspicious_GEN.F47V0209 (20150211)
VBA32: suspected of Trojan.Downloader.gen.h (20150210)
VIPRE: InstallIQ Installer (fs) (20150211)

As you can see, Mc also detects the file. But our proxy says: CLEAN!!!
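Added example (not code from the thread or from McAfee): a small triage helper for the comparison Frank makes above and in his earlier post, parsing a pasted VirusTotal engine list and reporting whether the gateway engine is the outlier. The line format "Vendor: result (YYYYMMDD)", the engine names treated as McAfee's, and the PUP label markers are assumptions.

```python
import re
from dataclasses import dataclass

# Assumed input format, one engine per line: "Vendor: result (YYYYMMDD)"; an empty result = no detection.
LINE_RE = re.compile(r"^(?P<vendor>[^:]+):\s*(?P<result>.*?)\s*\((?P<date>\d{8})\)$")
# VirusTotal engines assumed to reflect the McAfee product line (endpoint DAT and gateway edition).
GATEWAY_ENGINES = ("McAfee", "McAfee-GW-Edition")
# Label fragments vendors use for grey/PUP-class verdicts (assumed list, not exhaustive).
PUP_MARKERS = ("not-a-virus", "pup", "pua", "potentially unwanted", "adware",
               "riskware", "unwanted-program", "grayware", "application.generic")

@dataclass
class Verdict:
    vendor: str
    result: str  # empty string when the engine reported nothing
    date: str

def parse_vt_lines(text: str):
    """Parse a pasted engine list; a line that does not fit the format raises."""
    verdicts = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        verdicts.append(Verdict(m["vendor"].strip(), m["result"].strip(), m["date"]))
    return verdicts

def is_pup_label(result: str) -> bool:
    """True when a vendor label marks the sample as grey/PUP rather than malware."""
    return any(marker in result.lower() for marker in PUP_MARKERS)

def triage(verdicts, min_others: int = 5) -> dict:
    """Count third-party detections (PUP-class too); gap = min_others others detect but McAfee-GW-Edition reports nothing."""
    others = [v for v in verdicts if v.vendor not in GATEWAY_ENGINES and v.result]
    gateway = {v.vendor: v.result for v in verdicts if v.vendor in GATEWAY_ENGINES}
    return {"others_detected": len(others),
            "others_pup": sum(is_pup_label(v.result) for v in others),
            "gateway": gateway,
            "gap": len(others) >= min_others and not gateway.get("McAfee-GW-Edition")}

# Constructed sample: a subset of the thread's 20150209 list, where McAfee had no result.
SAMPLE_GAP = """\
AVG: Generic.834 (20150209)
Avast: Win32:Adware-BRM [PUP] (20150209)
ESET-NOD32: a variant of Win32/ClientConnect.A potentially unwanted (20150209)
Kaspersky: not-a-virus:WebToolbar.Win32.Agent.avw (20150209)
Malwarebytes: PUP.Optional.ClientConnect (20150209)
McAfee: (20150209)
McAfee-GW-Edition: (20150209)
"""
```

Running `triage(parse_vt_lines(SAMPLE_GAP))` reports five third-party detections, four of them PUP-class, and a gap for the gateway engine.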

MSchneider (McAfee Employee), Message 19 of 25

Re: GAM 2014.2 BETA

URL:

http://dl2.vip0installer.com/download/Base/450233/candide/java.exe
Media Type: application/executable
Virus Name: McAfeeGW: Artemis

I'll give you a call Frank, to check some options.

According to your screenshot - there is detection by GAM on VT.

I'm on the latest and greatest 7.5.1 btw.

Michael Schneider
Lead Product Manager for Web Protection
(•‿•)
dstraube (Level 11), Message 20 of 25

Re: GAM 2014.2 BETA

Hello,

All the detection issues here are Artemis (Cloud Lookup) related. With the GAM v2014 the way the Artemis lookups are done has been changed, and you need to import a rule to activate those lookups in MWG. The ruleset is in the Rule Library; you can find it under the Common Rules. The name is "Set URL Filter Internal Settings".

[attachment: URL_Filter_Internal.png]

Fresh MWG 7.4 (and higher) installations have this ruleset by default. If you upgraded from older MWG versions, this ruleset might not exist and needs to be imported. This should be done even if you still use the v2013 GAM engine version, as it will enable the engine to use TrustedSource reputation and categorization information for the detection. The v2014 GAM engine requires this rule also for the file reputation; the v2013 did the file reputation in a different way.

Regards,

Dirk
