7 Replies Latest reply on May 11, 2010 6:39 AM by SamSwift

    Mcaffe did not react on virus - help

    bostjanc
      Greetings moderators and McAfee people!

      I need help to solve this situation.

      In our company we have installed:

      SERVER:

      ePolicy Orchestrator 4.5 on server

      USERS:

      MCAFEE AGENT - 4.5

      VIRUSCAN ENTERPRISE - 8.7i with 2 patches

      - On ePolicy Orchestrator there is a policy enabling on-access scanning for user machines.

      - But Enable Access Protection is not on for the computers.

      We had a problem: one user got this virus:

      http://www.ca.com/securityadvisor/virusinfo/virus.aspx?id=62470

      but the strangest thing is that on-access scanning did not find it, while the on-demand scan did:

      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Malware.Trace) -> Quarantined and deleted successfully.

      QUESTIONS:

      - How did the user get this virus/trojan on his computer?

      - Why did the on-access scan not stop this virus and notify us on our sys e-mail (we have set it up so that we will be warned if viruses are discovered), while the on-demand scan did?

      - Does this have anything to do with Access Protection not being on?

      Please help.

      With best regards

        • 1. Re: Mcaffe did not react on virus - help
          SamSwift

          The difference here is due to registry scanning within the on-demand scan. Was anything else other than the registry key detected during the ODS that you ran?

          Some admins also choose to configure their ODS to be more aggressive than the OAS (no exclusions, scanning all files, etc.), so with regards to how the machine got infected in the first place it's also worth considering how you have VSE configured. Support can provide you with best practice documentation for VSE.

          HTH

          Sam
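The reply above points out that the on-demand scan looked at the registry while on-access scanning inspects files as they are touched. As an added example (not code from this thread or from McAfee), the script below enumerates the same kind of Run/RunOnce autorun values and flags the ones an admin would want to review; the key list, the "user-writable" folders and the heuristics are the example author's own assumptions, and it expects an elevated PowerShell session on the client.

```powershell
# Added example, not from this thread or McAfee: list Run/RunOnce autorun values
# (the thread's finding was a value under HKCU\...\CurrentVersion\Run) and flag
# the ones worth a closer look. Assumes an elevated PowerShell session.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Folders the logged-on user can write to; a dropper running as that user
# typically lands its payload in one of these (assumed heuristic).
$UserWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA) | Where-Object { $_ }

function Get-SuspiciousAutoruns {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [Environment]::ExpandEnvironmentVariables([string]$item.GetValue($name))
            if ([string]::IsNullOrWhiteSpace($cmd)) { continue }
            # The executable is either the quoted first token or the first space-delimited token.
            if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($cmd -split ' ')[0] }
            $flags = @()
            if (-not (Test-Path -LiteralPath $exe)) {
                $flags += 'missing-file'   # points at nothing: leftover or hidden payload
            } else {
                if ($UserWritable | Where-Object { $exe -like "$_\*" }) { $flags += 'user-writable-path' }
                $sig = Get-AuthenticodeSignature -FilePath $exe
                if ($sig.Status -ne 'Valid') { $flags += "signature:$($sig.Status)" }
            }
            if ($flags.Count -gt 0) {
                [pscustomobject]@{ Key = $key; Name = $name; Command = $cmd; Flags = ($flags -join ',') }
            }
        }
    }
}

Get-SuspiciousAutoruns | Format-Table -AutoSize
```

Flags mark entries for review, not verdicts: plenty of legitimate software is unsigned or runs from AppData, so compare the output against a known-good baseline from a clean machine.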

          • 2. Re: Mcaffe did not react on virus - help
            secured2k

            Hello,

            I created a document with some information that could help with general answers to some of your questions.

            http://community.mcafee.com/docs/DOC-1105

            If you really had a variant of Cutwail, chances are an active McAfee VirusScan installation will at least catch the common rootkit and virus components. However, the "dropper" that first gets onto the system may have been missed because it's a new variant.

            Access Protection could also have protected against this virus IF it is configured correctly. Out of the box, most of the policies do not block some actions as they would also stop legitimate software.

            • 3. Re: Mcaffe did not react on virus - help
              secured2k

              Additionally...

              On-access scanning might fail if the infection was done entirely in memory or in an area that was not being scanned by policy.

              • 4. Re: Mcaffe did not react on virus - help
                bostjanc

                Secured2k, thank you for your answer. Let me say that I'm using your bootable CD for business and private purposes and it's a great tool if you have problems with viruses.

                I would still have 1 more "newbie" question.

                What is the difference between Access Protection Policies and On-Access General Policies? Why are these two things separated? Why do we even need to turn on Access Protection?

                Message was edited by: bostjanc on 12/2/09 1:50 AM
                • 5. Re: Mcaffe did not react on virus - help

                  Dude,

                  Access Protection and OA Scan are completely different from each other; that is why they have to be separated.

                  Access Protection is like the built-in firewall from McAfee, and you set policies to block ports, directories, or files. You could also prevent stopping of McAfee services (as some viruses try to shut off installed AVs) and even prevent system modifications, etc.

                  In other words, it's a very powerful feature and should be maximized for optimum protection. OA scan, on the other hand, is the "real-time" scanner and is like the "enforcer" of those policies that you set. If you disable OA scan then Access Protection is useless.

                  • 6. Re: Mcaffe did not react on virus - help
                    secured2k

                    On-Access Protection is based on known detections on files and objects.

                    Access Protection is based on reporting or blocking program behaviors. It is for stopping bad program/malware behavior without having any signatures and stopping or mitigating an outbreak.

                    Access Protection is good if set up properly to block common malware activity. For example, it can be set to prevent anything else from touching McAfee files or registry settings, or prevent any program from changing a registry setting that could block access to the Task Manager and Registry Editor. It also includes some very basic firewall abilities with basic port blocking. File rules for blocking network shares, blocking file names or writing to the Windows folder are all possibilities.

                    • 7. Re: Mcaffe did not react on virus - help
                      SamSwift

                      Marking as 'assumed answered' due to age of thread. If you need any further assistance please don't hesitate to let us know.