6 Replies Latest reply on Apr 16, 2009 8:46 AM by tonyb99

    5301 Engine info

      In case anyone else is surprised to find the 5301 engine in their repository this morning:

      https://kc.mcafee.com/corporate/index?page=content&id=KB51132
      McAfee is releasing the 5301 Anti-Malware Incremental Engine Update for elective download on January 28th 2009. From this date you will be able to download 5301 Engine packages for manual installation. This release includes packages that can be used with ePolicy Orchestrator (ePO), ProtectionPilot (PrP) and McAfee AutoUpdate Architect (MAA).

      This release will not include SuperDAT packages or Command Line Scanners, as they do not use Incremental Engine Update technology.
      The daily SuperDATs (SDat and XDat) will continue to contain the 5.3.00 Engine.

      After a review of the 5301 elective download the McAfee AutoUpdate sites will be updated with the 5301 Engine. If you do not want to receive this update automatically when this occurs, please reconfigure your update procedures accordingly. The AutoUpdate posting is scheduled for April 15th 2009.

      https://kc.mcafee.com/corporate/index?page=content&id=KB59951
      What is the 5301 Anti-Malware incremental Engine Update?
      5301 is a minor revision to the engine which includes enhancements to NSIS and Adobe Flash support. These enhancements are being delivered to allow for better protection to the end user. The release also contains minor bug fixes.


      Why is there an incremental Engine release?
      The threat landscape is evolving on an hourly basis. While McAfee has mechanisms in place to respond to these threats, enhancements in the Engine allow for a faster and more powerful method for AVERT Researchers to deliver effective detection to our customers.


      What are the benefits of the 5301 Incremental Engine Update over the 5300 Release?
      As noted above, the benefits of 5301 will be enhanced detection rates for threats utilizing the widespread NSIS installer format, as well as Adobe’s Flash format (Shockwave Flash) which is widely used on the web today, and known for being a highly exploitable format.
        • 1. RE: 5301 Engine info
          I am curious as to how much testing time folks devote to these sorts of updates? Even if you have a devoted QA team, there still isn't any prescribed testing "plan", per se.

          For instance, I loaded it on a few test machines/VMs and let it run for a few days (OAS, and a few ODS). I didn't really specifically "test" anything, just kept an eye out for any false positives or other odd behavior.

          Just curious.
          • 2. RE: 5301 Engine info
            tonyb99
            I got an additional 200 odd nsis related positives in my overnight scans last night, 3 of them at least I have tracked down as def false positives though.

             Gave me a few moments of panic till I remembered the engine update.
            • 3. RE: 5301 Engine info
              We are aware of the 5301 engine and have been testing it - but we're tossing up upgrading everyone to this engine or just going whole hog and going from 8.5p6 to 8.7..

              False positives don't help with the confidence though.
              • 4. RE: 5301 Engine info
                jmaxwell


                I'd at least wait for 8.7P1

                Jim
                • 5. RE: 5301 Engine info


                  Yep - that's what I've been suggesting to my manager.. We've got a lot of other work coming up and I've heard of some performance issues with flat 8.7.
                  • 6. RE: 5301 Engine info
                    tonyb99
                    The FPs were in the NSIS of an app that regularly comes up FP on many malware scanners, so apart from that one I'm pretty happy with it; it didn't throw up any other FPs on the machines I tested it on before it went live.
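As an added example (not from this thread, and not McAfee tooling), one way to make the "run it on a few test machines and watch for false positives" check from reply 1 and reply 6 repeatable: diff the detections logged under the old engine against those logged under the candidate engine and flag any detection name that suddenly fires across several files. The record layout, paths and detection names below are constructed for the example.

```python
# Added example: triage net-new detections after a staged engine update.
# Records are (detection_name, path) pairs pulled from scan logs; the layout
# is an assumption for this example, not a McAfee log format.
from collections import Counter

# Constructed sample data: hits seen on the test machines with engine 5300...
BASELINE_5300 = [
    ("Generic.dx", r"C:\temp\dropper.exe"),
    ("W32/Virut", r"C:\share\tool.exe"),
]
# ...and the same machines after switching to engine 5301.
CANDIDATE_5301 = [
    ("Generic.dx", r"C:\temp\dropper.exe"),
    ("W32/Virut", r"C:\share\tool.exe"),
    ("NSIS/Suspect", r"C:\apps\vendor\setup.exe"),
    ("NSIS/Suspect", r"C:\apps\vendor\update.exe"),
    ("NSIS/Suspect", r"C:\users\a\downloads\installer.exe"),
]


def new_detections(baseline, candidate):
    """Return the (name, path) hits that appear only under the candidate engine."""
    seen = set(baseline)
    return sorted(set(candidate) - seen)


def triage(baseline, candidate, threshold=2):
    """Group net-new hits by detection name.

    A single new detection name firing on `threshold` or more previously clean
    files right after an engine change is the pattern worth checking for false
    positives first; isolated new hits are reviewed individually.
    """
    new = new_detections(baseline, candidate)
    counts = Counter(name for name, _ in new)
    return {
        "new_hits": new,
        "review_first": sorted(n for n, c in counts.items() if c >= threshold),
    }


if __name__ == "__main__":
    result = triage(BASELINE_5300, CANDIDATE_5301)
    for name, path in result["new_hits"]:
        print(f"new under candidate engine: {name}  {path}")
    print("review first:", result["review_first"])
```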