Encryption of communications to update servers

As discussed in these posts:

https://community.mcafee.com/t5/ePolicy-Orchestrator/ePO-communication-to-update-nai-com-on-port-80/...

https://community.mcafee.com/t5/ePolicy-Orchestrator/ePo-communication-to-update-nai-com/td-p/603596

communications to update.nai.com are not encrypted, as DAT files are publicly available and file/directory hashes are used to prevent a Man in the Middle attack.

However, I suspect it could be possible for a malicious attacker to prevent DAT updates being uploaded into ePO and other McAfee products that communicate with update.nai.com, by simply cloning the website and redirecting DNS (or adding a hosts file entry) to point to the clone.

An https connection should prevent this.

Can you consider allowing https traffic to update.nai.com, or are there other safeguards present in the update mechanism that stop this being an issue?

3 Replies
McAfee Employee

Re: Encryption of communications to update servers

Refer to KB55986. That would also apply to amcore content. You can also submit an IDEA per kb60021 to request that functionality for using https.

What integrity and validity checks are performed on the DAT files to ensure they are not tampered with?
The DAT files are encrypted and then compressed and signed when they are compiled. The Antivirus Engine performs a signature verification on the DATs as an integrity check during initialization and will not load them if they have been modified. The products that utilize the Engine in turn verify the integrity of the Engine by checking whether the digital certificate used to sign the Engine is valid.


Re: Encryption of communications to update servers

Thanks for the response.

I understand the safeguards that are in place to prevent an AV client using a malicious DAT file, however it seems fairly trivial to stop DAT updates altogether.

I'm currently testing with ENSL and it's happily downloading from my snapshot of update.nai.com.

Will anything in ePO or the AV client itself alert if it doesn't update to a later DAT in a set period of time?

I will raise an IDEA...

McAfee Employee

Re: Encryption of communications to update servers

You can set up a dashboard in epo for dat compliance, or you can set up a server task to run a dat compliance query and then email you the results. That is entirely up to you for how you want to be notified of any dat compliance issues.

Yes, VSE and ENS will update from a cloned site, but if you tamper with the dats in any way, they will fail. There are checks for the integrity of the dats.

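The scenario the thread settles on is a freeze rather than a forgery: signed DATs stop a tampered file from loading, but a cloned update source that keeps serving an old snapshot leaves every endpoint "current" relative to that snapshot, and only the passage of time without a newer version gives it away. The DAT-compliance query suggested in the last reply therefore needs two views: per-endpoint age, and whether the update source itself is still advancing. The following is an added example, not McAfee's or ePO's code; it assumes a compliance query that returns each endpoint's DAT version number and DAT release date, and a scheduled task that records the newest version seen on the update source once per day. All hostnames, version numbers and dates are constructed for illustration.

```python
"""Stale-DAT and frozen-source detection over compliance-query style data.

Added example, not McAfee code. Field names, version numbers, dates and
hostnames are all constructed; the only assumption is that a compliance
query can report, per endpoint, a DAT version and its release date.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Endpoint:
    hostname: str
    dat_version: int   # hypothetical integer DAT version as reported by the agent
    dat_date: date     # release date of the DAT the endpoint currently runs


# Constructed sample: what a DAT-compliance query might return on 2019-03-15.
TODAY = date(2019, 3, 15)
SAMPLE_ENDPOINTS = [
    Endpoint("ws-001", 9181, date(2019, 3, 12)),
    Endpoint("ws-002", 9181, date(2019, 3, 12)),
    Endpoint("srv-db", 9171, date(2019, 3, 1)),   # stuck on an old DAT
    Endpoint("lab-vm", 9181, date(2019, 3, 12)),
]

# Constructed history of the newest DAT version observed on the update source,
# one sample per day (e.g. written by a scheduled server task).
SAMPLE_SOURCE_HISTORY = [
    (date(2019, 3, 9), 9178),
    (date(2019, 3, 10), 9179),
    (date(2019, 3, 11), 9180),
    (date(2019, 3, 12), 9181),
    (date(2019, 3, 13), 9181),   # no new version since 03-12 ...
    (date(2019, 3, 14), 9181),
    (date(2019, 3, 15), 9181),
]


def stale_endpoints(endpoints, today, max_age_days=3):
    """Hostnames whose DAT release date is older than max_age_days."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(e.hostname for e in endpoints if e.dat_date < cutoff)


def behind_fleet(endpoints, lag=2):
    """Hostnames more than `lag` versions behind the newest version in the fleet."""
    if not endpoints:
        return []
    newest = max(e.dat_version for e in endpoints)
    return sorted(e.hostname for e in endpoints if newest - e.dat_version > lag)


def source_frozen(history, max_days_without_increase=2):
    """True if the update source's newest version has not increased for longer
    than the allowed window.

    This is the check that catches a cloned or snapshotted update source:
    every endpoint matches the source, so per-endpoint checks stay quiet until
    the age threshold is reached, while the source itself has stopped moving.
    """
    if not history:
        return False
    last_date, _ = history[-1]
    # Find the most recent day on which the observed version actually went up.
    last_increase = history[0][0]
    for (day, version), (_, previous) in zip(history[1:], history[:-1]):
        if version > previous:
            last_increase = day
    return (last_date - last_increase).days > max_days_without_increase


def compliance_report(endpoints, history, today):
    """Combine the three checks into one result a server task could e-mail."""
    return {
        "stale_endpoints": stale_endpoints(endpoints, today),
        "behind_fleet": behind_fleet(endpoints),
        "update_source_frozen": source_frozen(history),
    }


if __name__ == "__main__":
    for key, value in compliance_report(SAMPLE_ENDPOINTS, SAMPLE_SOURCE_HISTORY, TODAY).items():
        print(f"{key}: {value}")
```

With the constructed data, only `srv-db` is flagged as stale or behind, while the three current endpoints look healthy; the frozen-source check is the one that fires on the situation described in the thread, because the newest version on the source has not changed for three days. The windows (`max_age_days`, `lag`, `max_days_without_increase`) are tuning knobs and should track how often DATs are actually released in your environment.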