13028 Views 31 Replies Latest reply: Jun 9, 2011 8:32 AM by Sabot6
Mindcrime Apprentice 119 posts since
Jan 10, 2008

Jan 18, 2010 10:29 AM

Is it just me or is the anti-spyware component sorely lacking?

I am constantly asked by our desktop team why McAfee isn't picking up malware that other third party tools pick up successfully and remove. I don't have an answer for them. I was told that Artemis would help with detection rates, which it did for us. Unfortunately, they were always false positives and caused more alarm than it was worth.


So my question is, am I doing something wrong, or is the anti-spyware component to VSE (in my case it's 8.7) just a total piece of garbage? I'm a pretty huge McAfee fanboi, but this product seems to be pretty lackluster.

  • runcmd Apprentice 221 posts since
    Feb 22, 2006

    Interesting...  Our sales rep has been trying to sell us on the anti-spyware component.  With "legitimate" spyware, are the problems you are having lack of detection, lack of cleanup, or both?


    ---
    Start/RunCMD...
    C:\>
    ePO v4.5 / MA v4.6.0 / VSE v8.8, P1 / Engine v5400
    MEG (IronMail) v7.6-2810
  • secured2k Champion 3,903 posts since
    Jun 17, 2005

    The AntiSpyware detections are built into the normal antivirus DATs. The add-in module is mostly for added reporting and ePO configuration features.


    Since McAfee is a widely known and used antivirus engine, malware authors modify their code in ways specifically designed not to be detected. Once McAfee gets a sample, they can add it to their database (DATs), but a lot of malware gets missed because the computer is formatted/wiped or some third party tool is used to delete the samples without them ever getting to McAfee AVERT.


    Artemis is a method to help speed up the generic detections as if a sample in a honey pot or submission from another user is flagged as suspicious, all users with Artemis enabled can be proactively protected before the DAT update happens.


    In VirusScan Enterprise, you have the option of setting additional rules that block key areas of the registry, files, or network connections. If these options are enabled properly, they can prevent most serious types of malware (rootkit/stealth) from ever working. Correct policies are the way to go to drastically reduce the chance of infection and outbreak. For example, limited user accounts, blocking (unsigned) drivers and driver installations, and restricting access to key registry areas like winlogon, appinit_Dlls, userinit, services, and safe mode entries will greatly reduce potential system-wide damage and allow for easy recovery in safe mode.


    There are some limited functionality issues, but most programs and users don't need access to those key system areas anyway. Just be sure to disable that security (or make an exception) when doing software installs and system updates/patches.


  • Mal09 Champion 428 posts since
    Feb 18, 2009

    The Spyware component does actually detect more than the regular VSE does. The same dat files are used, but some detections are suppressed from normal scans.


    I also agree that it isn't the admin's problem if McAfee can't detect and clean certain spyware. If McAfee want to be in the anti-spyware business, then they should have a product that works well - or they should do what is commonly done and buy a competing product that has a great engine and integrate it.


    I believe some of the issues are legal, some are just because McAfee seems to be late entering the game and others are based around the McAfee malware engines.

  • runcmd Apprentice 221 posts since
    Feb 22, 2006

    Since McAfee is a widely known and used antivirus engine, malware authors modify their code in ways specifically designed not to be detected. Once McAfee gets a sample, they can add it to their database (DATs), but a lot of malware gets missed because the computer is formatted/wiped or some third party tool is used to delete the samples without them ever getting to McAfee AVERT.


    I dunno...  That seems like a bit of a copout to me.  Evasive coding is what the bad guys do and I'd imagine that all other anti-virus / anti-malware providers face the same kinds of challenges (in obtaining samples).  If the other anti-malware programs are able to find it, what am I supposed to believe?  As someone considering purchasing the anti-spyware piece, please convince me of why this would be a benefit over a third-party utility.

  • secured2k Champion 3,903 posts since
    Jun 17, 2005

    There are many Access Protection policies that may break legitimate software, but usually blocking writes to those key areas I mentioned causes no problems, as most legitimate software has no need to write to those areas. The only time a program should be able to change those sections is during a software install, in which case disabling Access Protection (or making an exception for, say, programs named "trustedInstaller.exe" and "setup.exe") would act as an unlock-and-lock mechanism.


    I completely agree with your concerns that McAfee should be able to at least match what the smaller guys are doing. I have already brought up many of these concerns with some internal McAfee employees, and they are being reviewed at the development level. Hopefully the future will see better protection against unknown malware. Things like only trusted execution for signed and white-listed applications as well as more advanced automatic submission and automatic virus analysis (for use with Artemis detections) are potentially coming...


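secured2k's two posts above recommend locking down the Winlogon, AppInit_DLLs, Userinit, Services and safe mode registry areas, and re-opening them only during trusted installs. Whether or not Access Protection is the tool used to block writes there, an admin wants a way to see when those locations actually change. The script below is an added example, not code from the thread or from McAfee: it snapshots those locations to a baseline file on first run and on later runs reports every value or subkey that was added, removed or changed. The baseline path, the `Get-WatchedState`/`Compare-WatchedState` function names and the choice of keys are the example's own assumptions; it should be run from an elevated PowerShell 5.1 or later session.

```powershell
# Added example (not from the thread or from McAfee): baseline and diff the
# autostart/"key system area" registry locations named in the discussion.
# Assumption: run elevated; the baseline path below is a hypothetical location.
param(
    [string]$BaselinePath = "$env:ProgramData\autostart-baseline.json"
)

# Keys named in the thread. Winlogon holds Userinit and Shell; the "Windows" key
# holds AppInit_DLLs; SafeBoot holds the safe mode driver/service whitelist.
$watched = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network'
)
# Metadata properties PowerShell attaches to registry objects; not real values.
$psMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-WatchedState {
    $state = @{}
    foreach ($key in $watched) {
        if (-not (Test-Path $key)) { continue }
        # Record every value under the key as "key\valuename" -> string
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($psMeta -contains $p.Name) { continue }
            $state["$key\$($p.Name)"] = [string]$p.Value
        }
        # SafeBoot entries are one subkey per driver/service, so track subkeys too
        Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
            $state[$_.Name] = 'subkey'
        }
    }
    # Services: record the binary each service runs, so a swapped ImagePath shows up
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $img = (Get-ItemProperty -Path $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
            if ($img) { $state["$($_.Name)\ImagePath"] = [string]$img }
        }
    return $state
}

function Compare-WatchedState([hashtable]$Old, [hashtable]$New) {
    $changes = @()
    foreach ($k in $New.Keys) {
        if (-not $Old.ContainsKey($k)) {
            $changes += "ADDED   $k = $($New[$k])"
        } elseif ($Old[$k] -ne $New[$k]) {
            $changes += "CHANGED $k : '$($Old[$k])' -> '$($New[$k])'"
        }
    }
    foreach ($k in $Old.Keys) {
        if (-not $New.ContainsKey($k)) { $changes += "REMOVED $k" }
    }
    return $changes
}

$current = Get-WatchedState

# First run (or after deleting the baseline following a trusted install): save a snapshot.
if (-not (Test-Path $BaselinePath)) {
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath ($($current.Count) entries)."
    exit 0
}

# Later runs: load the saved snapshot back into a hashtable and report differences.
$baselineObj = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$baseline = @{}
foreach ($p in $baselineObj.PSObject.Properties) { $baseline[$p.Name] = [string]$p.Value }

$diff = @(Compare-WatchedState -Old $baseline -New $current)
if ($diff.Count -eq 0) {
    Write-Output 'No changes in watched autostart locations.'
} else {
    Write-Output "$($diff.Count) change(s) since baseline:"
    $diff | ForEach-Object { Write-Output "  $_" }
}
```

The workflow matches the unlock-and-lock idea in the post: run once to create the baseline, run again after any install or patch cycle, review the reported changes, and delete the baseline file to accept the new state. Unexpected additions to Userinit, Shell, AppInit_DLLs, a service ImagePath or a SafeBoot entry are exactly the kind of change the thread says those Access Protection rules exist to prevent.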
  • secured2k Champion 3,903 posts since
    Jun 17, 2005

    Mal09 wrote:


    The Spyware component does actually detect more than the regular VSE does. The same dat files are used, but some detections are suppressed from normal scans.

    ...

    There is no difference in detection capability with or without the AntiSpyware Module. Detections of Spyware use the same McAfee Engine. In VirusScan Enterprise 8.0i, you had to turn on the detection of PUPs. The ASE module added cookie and registry scanning. The idea was to have a specific antispyware product and maintain different DATs (AVV, PUP, and TROJAN DATs). McAfee abandoned the idea and integrated the detections into the AntiVirus + DATs (8.5i-8.7i). You should still have the option to disable or enable specific PUP detections in the Potentially Unwanted Program Policy.
