31 Replies | Latest reply: Jun 9, 2011 8:32 AM by Sabot6

    Is it just me or is the anti-spyware component sorely lacking?

    Mindcrime

      I am constantly asked by our desktop team why McAfee isn't picking up malware that other third party tools pick up successfully and remove. I don't have an answer for them. I was told that Artemis would help with detection rates, which it did for us. Unfortunately, they were always false positives and caused more alarm than it was worth.

      So my question is, am I doing something wrong, or is the anti-spyware component of VSE (in my case it's 8.7) just a total piece of garbage? I'm a pretty huge McAfee fanboi, but this product seems to be pretty lackluster.

        • 1. Re: Is it just me or is the anti-spyware component sorely lacking?
          runcmd

          Interesting...  Our sales rep has been trying to sell us on the anti-spyware component.  With "legitimate" spyware, are the problems you are having lack of detection, lack of cleanup, or both?

          • 2. Re: Is it just me or is the anti-spyware component sorely lacking?
            Mindcrime

            Generally both. I'm not saying that it never detects anything, but we often get machines that stop behaving normally only to find that they got crudded up with malware. You would expect the on-access scanning to protect against that, but many times it doesn't. Then if you run a scan, you have the expectation that everything is good, right? Well it's generally not. If you install a third party program like Super Anti-Spyware or Malwarebytes, you'll find all kinds of things that McAfee did not. It's incredibly frustrating, and a bit embarrassing as the admin of all of these products.


            Artemis was supposed to alleviate much of this, but all I've seen from Artemis is a wagon full of false positives.

            • 3. Re: Is it just me or is the anti-spyware component sorely lacking?
              secured2k

              The AntiSpyware detections are built into the normal antivirus DATs. The add-in module is mostly for added reporting and ePO configuration features.

              Since McAfee is a widely known and used antivirus engine, malware authors modify their code in ways specifically designed not to be detected. Once McAfee gets a sample, they can add it to their database (DATs), but a lot of malware gets missed because the computer is formatted/wiped or some third party tool is used to delete the samples without them ever getting to McAfee AVERT.

              Artemis is a method to help speed up the generic detections: if a sample in a honey pot or a submission from another user is flagged as suspicious, all users with Artemis enabled can be proactively protected before the DAT update happens.

              In VirusScan Enterprise, you have the option of setting additional rules that block key areas of the registry, files, or network connections. If these options are enabled properly, they can prevent most serious types of malware (rootkit/stealth) from ever working. Correct policies are the way to go to drastically reduce the chance of infection and outbreak. For example, limited user accounts, blocking (unsigned) drivers and driver installations, and restricting access to key registry areas like winlogon, appinit_Dlls, userinit, services, and safe mode entries will greatly reduce potential system-wide damage and allow for easy recovery in safe mode.

              There are some limited functionality issues, but most programs and users don't need access to those key system areas anyway. Just be sure to disable that security (or make an exception) when doing software installs and system updates/patches.
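              The autostart locations secured2k lists (Winlogon Shell/Userinit, AppInit_DLLs, the Services key, and the SafeBoot entries) are the same ones a defender wants to audit on a machine that is "behaving oddly", independent of whether Access Protection is enabled. The script below is an added example and is not McAfee code or anything posted in this thread: it compares the fixed-value entries against the defaults of a stock Windows install (the expected values, the baseline file path and the assumption of running elevated are all assumptions) and diffs the service and SafeBoot key names against a saved baseline so newly added entries stand out.

```powershell
# Added example (not from the thread): audit the autostart locations named above.
# Assumptions: run in an elevated PowerShell; $BaselinePath is an arbitrary,
# hypothetical location; the Expected values are the defaults of a stock Windows
# install and may differ on your build, so review the first run before trusting it.

$BaselinePath = "$env:ProgramData\autostart-baseline.json"   # hypothetical path

# Registry values that malware commonly rewrites to get loaded at logon.
$Checks = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'Shell';           Expected = 'explorer.exe' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'Userinit';        Expected = "$env:SystemRoot\system32\userinit.exe," },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
       Name = 'AppInit_DLLs';    Expected = '' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
       Name = 'LoadAppInit_DLLs'; Expected = 0 }
)

function Test-ExpectedValue {
    # Read one registry value and report whether it still matches the expected default.
    param([hashtable]$Check)
    $actual = (Get-ItemProperty -Path $Check.Key -Name $Check.Name -ErrorAction SilentlyContinue).($Check.Name)
    if ($null -eq $actual) { $actual = '' }   # a missing value is reported as empty
    [pscustomobject]@{
        Location = "$($Check.Key)\$($Check.Name)"
        Expected = $Check.Expected
        Actual   = $actual
        Ok       = ("$actual".Trim() -ieq "$($Check.Expected)".Trim())
    }
}

function Get-AutostartSnapshot {
    # Key names only: enough to notice a service or SafeBoot entry that was not there before.
    $services = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' |
                Select-Object -ExpandProperty PSChildName
    $safeboot = foreach ($mode in 'Minimal', 'Network') {
        Get-ChildItem "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode" -ErrorAction SilentlyContinue |
            ForEach-Object { "$mode\$($_.PSChildName)" }
    }
    @{ Services = @($services | Sort-Object); SafeBoot = @($safeboot | Sort-Object) }
}

# 1. Fixed-value checks: anything that is not the expected default gets a warning.
$results = $Checks | ForEach-Object { Test-ExpectedValue $_ }
$results | Format-Table -AutoSize
$results | Where-Object { -not $_.Ok } | ForEach-Object {
    Write-Warning "Unexpected value at $($_.Location): '$($_.Actual)'"
}

# 2. Baseline diff: first run records the snapshot, later runs report additions only.
$now = Get-AutostartSnapshot
if (-not (Test-Path $BaselinePath)) {
    $now | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Host "No baseline found; wrote one to $BaselinePath (review it before trusting it)."
} else {
    $base = Get-Content $BaselinePath -Raw | ConvertFrom-Json
    foreach ($set in 'Services', 'SafeBoot') {
        $added = Compare-Object -ReferenceObject @($base.$set) -DifferenceObject @($now.$set) |
                 Where-Object SideIndicator -eq '=>' |
                 Select-Object -ExpandProperty InputObject
        if ($added) { Write-Warning "New $set entries since baseline: $($added -join ', ')" }
        else        { Write-Host "${set}: no new entries since baseline." }
    }
}
```

              The baseline is deliberately taken on the machine itself, so the first run on an already-compromised box will bake the bad entries in; take it from a known-clean image or compare it against a reference before relying on it. Removed entries are ignored on purpose, since the question on a suspect machine is what was added.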

              • 4. Re: Is it just me or is the anti-spyware component sorely lacking?
                Mindcrime

                All of the common sense protections that you mentioned are wonderful in a pristine work environment where security takes precedence over everything else. Unfortunately I work in an environment that isn't pristine, and wasn't built with security in mind from the top down. The problem with using VSE to lock down all of the security areas that you mentioned is that it inadvertently causes other legitimate programs and daily functions to stop working properly. Locking things like that down often has unintended consequences that cause more problems than they solve.

                I flatly reject the notion that McAfee isn't getting good malware samples just because they're McAfee - that's not my problem, nor should I have to put up with inferior malware protection because of it. Obviously other (much smaller) software companies are getting it right; there's no reason McAfee can't deliver an equal or superior product to the little guys.

                • 5. Re: Is it just me or is the anti-spyware component sorely lacking?

                  The Spyware component does actually detect more than the regular VSE does. The same DAT files are used, but some detections are suppressed from normal scans.

                  I also agree that it isn't the admin's problem if McAfee can't detect and clean certain spyware. If McAfee wants to be in the anti-spyware business, then they should have a product that works well - or they should do what is commonly done and buy a competing product that has a great engine and integrate it.

                  I believe some of the issues are legal, some are just because McAfee seems to be late entering the game, and others are based around the McAfee malware engines.

                  • 6. Re: Is it just me or is the anti-spyware component sorely lacking?
                    runcmd

                    Since McAfee is a widely known and used antivirus engine, malware authors modify their code in ways specifically designed not to be detected. Once McAfee gets a sample, they can add it to their database (DATs) but a lot of malware gets missed due to a format/wipe of the computer or some third party tool is used to delete the samples without it ever getting to McAfee AVERT.

                    I dunno...  That seems like a bit of a copout to me.  Evasive coding is what the bad guys do and I'd imagine that all other anti-virus / anti-malware providers face the same kinds of challenges (in obtaining samples).  If the other anti-malware programs are able to find it, what am I supposed to believe?  As someone considering purchasing the anti-spyware piece, please convince me of why this would be a benefit over a third-party utility.

                    • 7. Re: Is it just me or is the anti-spyware component sorely lacking?
                      secured2k

                      There are many Access Protection policies that may break legitimate software, but usually blocking writes to those key areas I mentioned causes no problems, as most legitimate software has no need to write to those areas. The only time a program should be able to change those sections is during a software install, in which case disabling Access Protection (or making an exception for, say, programs named "trustedInstaller.exe" and "setup.exe") would work as an unlock-and-lock mechanism.

                      I completely agree with your concerns that McAfee should be able to at least match what the smaller guys are doing. I have already brought up many of these concerns with some internal McAfee employees, and they are being reviewed at the development level. Hopefully the future will see better protection against unknown malware. Things like trusted execution only for signed and white-listed applications, as well as more advanced automatic submission and automatic virus analysis (for use with Artemis detections), are potentially coming...

                      • 8. Re: Is it just me or is the anti-spyware component sorely lacking?
                        Mindcrime

                        As a customer that uses and loves almost every McAfee product we've ever tried, I can absolutely recommend against buying or relying on the anti-malware piece. It's total garbage.


                        Message was edited by: Mindcrime on 1/18/10 2:41:45 PM GMT-06:00
                        • 9. Re: Is it just me or is the anti-spyware component sorely lacking?
                          secured2k

                          Mal09 wrote:


                          The Spyware component does actually detect more than the regular VSE does. The same dat files are used, but some detections are supressed from normal scans.

                          ...

                          There is no difference in detection capability with or without the AntiSpyware Module. Detections of Spyware use the same McAfee Engine. In VirusScan Enterprise 8.0i, you had to turn on the detection of PUPs. The ASE module added cookie and registry scanning. The idea was to have a specific antispyware product and maintain different DATs (AVV, PUP, and TROJAN DATs). McAfee abandoned the idea and integrated the detections into the AntiVirus + DATs (8.5i-8.7i). You should still have the option to disable or enable specific PUP detections in the Potentially Unwanted Program Policy.
