4657 Views 9 Replies Latest reply: Mar 3, 2010 11:07 AM by sameer172006

bmwj, Newcomer, 5 posts since Feb 11, 2010
Feb 11, 2010 10:15 AM

TOPS not stopping malware

I have 125 computers in several organizations running McAfee TOPS. The problem is that TOPS does not stop malware. We are constantly cleaning trojans and rootkits from computers that have valid, up-to-date McAfee TOPS running. The malware is simply getting by TOPS. I have a technician cleaning a computer right now that had fully up-to-date TOPS but is still infected to the point that the machine won't boot. I was at this machine myself 3 days ago and it was perfectly healthy. I have 2 more machines waiting for us to go clean viruses even though they have fully functional, up-to-date TOPS. This happens over and over and over.

I will update this post later today with a list of viruses that TOPS did not detect.

There is no point in calling technical support. They are going to want to remotely control one computer and try to see what's wrong with it. That is pointless. We have cleaned hundreds in the last 2 months, all of which have fully functional, up-to-date TOPS. The problem is not with the computer, it is not with the installation. The TOPS application is simply not doing the job.

I am convinced right now that I do not need to purchase this product anymore. I hate to go to Symantec because it slows down a computer so much, but I have 25 computers running Symantec Endpoint and not a single infection since the product was installed 2 years ago.

I like certain aspects of McAfee TOPS, but if it's not going to stop viruses, then what's the point in having it?

I am looking for any comments or insight from any current users. I would especially like comments from McAfee professionals.

Look for answers.

Buddy Weaver

bmwj@cp-tel.net

  • McAfee Mentor, 83 posts since Nov 3, 2009
    2. Feb 11, 2010 1:16 PM (in response to bmwj)
    Re: TOPS not stopping malware

    Hello Buddy,

    Thanks for your report. We apologize for any inconvenience this has caused.

    There are thousands of new malware samples and variants daily. Moreover, there are myriad names for viruses, and each company, when it discovers detection, gives a virus a name. Often more than one company will "discover" the detection at about the same time, and a virus will get different names from different companies. So what one company detects something as may differ significantly from what another company detects it as. Unfortunately, without a sample, we cannot say whether we detect a certain virus or specific variant based only on a description or name from another company.

    Based on the virus names you reported, we suspect these are Vundo and FakeAlert related variants. Certain variants of the Vundo trojan are especially difficult to remove. Please refer to the Vundo Removal Instructions at: http://vil.mcafeesecurity.com/vil/content/v_127690.htm.

    We can also suggest that you run the Stinger tool for FakeAlert, as described at http://community.mcafee.com/thread/21269.

    Anyway, in order for us to research this question, if you still have the file(s) on your system, please send us a sample for further analysis in a password-protected ZIP file (password: infected). You can find detailed instructions for how to do this at <http://vil.mcafeesecurity.com/vil/submit-sample.aspx>.

    Best regards,

    Patty Ammirabile

    McAfee Labs

  • sameer172006, Champion, 410 posts since Nov 4, 2009
    4. Feb 11, 2010 5:56 PM (in response to bmwj)
    Re: TOPS not stopping malware

    Hi Buddy,

    Also, I am too late to respond because the computers have already been infected. However, there is a little workaround that you need to do in order to be well protected. Currently the ToPS that you are running has the Artemis setting at the default level (Very Low), which is as good as not having it. This is from my own experience. Artemis does a great job when it is set to Very High, but yes, there will be those occasional false alarms. That would not harm a technical manager, as you can always restore them from Quarantine, but trust me, the machines stay clean!!!

    Now getting back to setting the Artemis setting to VERY HIGH. But be warned: you would have to disable the Policy Plug-in for VirusScan for this, so that the next time the software updates, it does not reset the Artemis setting to Very Low.

    HOW you can do this: This is a little tedious but very effective workaround. But I must say, kindly use caution while you practice it.

    1) You have to use regedit.exe and then go to the Local Machine key, then Software, and click on McAfee.

    2) Once you have the McAfee key open, you would then click on "Managed Services". Go to Agent. Click on POLICY PLUG INS. Then from the drop-down, select the Virus Scan option and then, on the right-hand side, change the Enable registry entry to "0" to disable it. Once that is done, under Managed Services, please click on the Virus Scan option. Once there, please click on On Demand Scan. On the right-hand side, you will see the Artemis level. Set it to 4 (Very High).

    3) Then scroll down to the end of the McAfee tree and click on VSCORE. Once you click on it, you will see the On Access Scan. Follow the same procedure as you did in the On Demand Scan setting to set the Artemis setting to VERY HIGH.

    Now you have the highest settings for Artemis. On the test/infected machine, now you run a scan and you will see any detections which were missed. Make sure the internet is active.

    ONE MORE THING:

    The reason malware manages to easily bypass ToPS is because the mcshield.exe process in ToPS is defenseless. You can easily disable it from Task Manager. Try doing it so easily with VirusScan Enterprise or even the home users' software?? You can't!!!

    This happens because under Services, the mcshield.exe process and other important services which are essential for ToPS to work are set to take no action in case of a failure. We would have to manually change it to RESTART SERVICE immediately, or to 0 seconds. I would actually suggest doing so with all the McAfee services. Once this is done, we need to do 1 more thing under regedit.exe and then you will have a rock-solid ToPS.

    Under regedit.exe, you remember we had clicked on the VSCORE key. On the right-hand side, you will see LOCKDOWN ENABLED. It is by default set to Disabled (such a shame; that is why mcshield.exe cannot protect itself from being stopped). But yes, change it to 1 to enable it.

    All the above-mentioned information is tested and tried by me on a lot of test machines, and that is why in my 2 earlier posts I clearly mentioned the need for a way to set the Artemis settings like you can in VSE. But no one seems to be bothered. Looks like McAfee will only wake up when the complaints burst through the roof. I tested ToPS with Artemis set to default and also to Very High. There is a world of difference. Try it to believe it!!!

    ToPS is a great product provided McAfee helps us in helping ourselves. It is a shame if the software can't even protect itself. Just think how it would protect your machines?? But provided this simple thing is taken care of, there will be no looking back...

    I hope this may help you, albeit a little late.

    God Bless!!!

    Message was edited by: sameer172006 on 2/11/10 5:56:13 PM CST
  • sameer172006, Champion, 410 posts since Nov 4, 2009
    6. Feb 12, 2010 11:17 AM (in response to bmwj)
    Re: TOPS not stopping malware

    Hi Buddy,

    I am glad to know that my little effort helped you.

    I will be very happy if that actually helps you in getting rid of the malware and keeping your network clean!!!

    Have a great day!

  • sameer172006, Champion, 410 posts since Nov 4, 2009
    7. Feb 26, 2010 3:32 PM (in response to bmwj)
    Re: TOPS not stopping malware

    Hi Buddy,

    Hope all is well with you.

    How did the little experiment with the test machine go?

    If this post helped you, please mark the thread as Answered.

    Have a great day!

  • argint, Newcomer, 34 posts since Apr 16, 2009
    8. Mar 3, 2010 4:52 AM (in response to sameer172006)
    Re: TOPS not stopping malware

    Hi - Whilst these steps might prove useful for especially keen and technical people, it is totally unacceptable to be expected to go and make such changes in a busy production environment with people on the move.

    The facility to change the Artemis level should be available from the Security Center.

    The fact that it CAN be changed gives at least *some* hope that a year or a decade from now McAfee might even give us this facility, to allow us to administrate it in a technically controlled and confident manner.

    Making such changes across many machines is a step that you must be able to quickly REVERSE if you don't like the new results.

    This should be in its own thread under something like "Please provide granular control of the Artemis setting from Security Center".

    I personally would never consider making this change in such a fashion on an individual machine basis. I would regard it as very poor practice in a production environment, or live environment, whatever you want to call it.

    But each to their own, I guess.

    Regards

    Argint

  • sameer172006, Champion, 410 posts since Nov 4, 2009
    9. Mar 3, 2010 11:07 AM (in response to argint)
    Re: TOPS not stopping malware

    Very true, Argint.

    That is why I have been lamenting about having an easier way to set the Artemis levels.

    Anyway, the user who had raised the concern wanted to try it out on his test machine, and thus I listed out the steps for him. As far as the reversal goes, all we need to do is just enable the VirusScan Policy Plugin. Update the software, and everything sets back to default.

    Cheers!!!
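The registry and service settings that sameer172006's step-by-step reply describes (policy plug-in enable flag, on-demand and on-access Artemis level, VSCORE lockdown, and the scanner service's recovery action), together with the reversal he notes in the reply just above (re-enable the plug-in and let the next update reset the defaults), as an added read-only audit script. This is example code written for this page, not McAfee tooling and not anything posted in the thread. The sub-key paths, the value names `Enable`, `ArtemisLevel` and `LockdownEnabled`, the mapping 4 = Very High, and the `McShield` service name are assumptions reconstructed from the thread's wording and must be confirmed in regedit on a real ToPS install before the output is trusted. The script changes nothing: it reports where a machine differs from the hardened state the thread describes, and also tells an administrator whether the plug-in is back in its default (enabled) state, which is the reversal condition described above.

```powershell
# Added example (not from the thread): read-only audit of the ToPS settings discussed above.
# Run from an elevated PowerShell prompt on the endpoint being checked.
#
# ASSUMPTIONS: the sub-key and value names below are reconstructed from the thread's
# prose and are hypothetical; confirm them in regedit on an actual ToPS install and
# adjust $Paths. On 64-bit Windows a 32-bit product's keys may sit under
# HKLM:\SOFTWARE\Wow6432Node\McAfee instead of the path used here.

$BaseKey = 'HKLM:\SOFTWARE\McAfee'   # thread: HKEY_LOCAL_MACHINE\Software\McAfee

$Paths = @{
    # Agent policy plug-in for VirusScan: 1 = enabled (an update then resets Artemis to default)
    PolicyPlugin  = @{ Path = "$BaseKey\Managed Services\Agent\Policy Plug Ins\VirusScan"; Name = 'Enable' }
    # Artemis level for on-demand scans (thread: 4 = Very High)
    OnDemandLevel = @{ Path = "$BaseKey\Managed Services\VirusScan\On Demand Scan";        Name = 'ArtemisLevel' }
    # Artemis level for on-access scanning, under VSCORE
    OnAccessLevel = @{ Path = "$BaseKey\VSCORE\On Access Scan";                             Name = 'ArtemisLevel' }
    # Self-protection switch the thread calls "LOCKDOWN ENABLED" (1 = enabled)
    Lockdown      = @{ Path = "$BaseKey\VSCORE";                                            Name = 'LockdownEnabled' }
}
$ExpectedArtemisLevel = 4
$ServicesToCheck      = @('McShield')   # assumed service name of the on-access scanner

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    try {
        return (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        return $null   # missing key or value: reported as "not found", never assumed OK
    }
}

function Get-ServiceRecoveryActions {
    param([string]$ServiceName)
    if (-not (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue)) { return $null }
    # sc.exe qfailure lists the configured failure actions; keep only the action lines
    $lines = & sc.exe qfailure $ServiceName 2>$null
    return (($lines | Where-Object { $_ -match 'RESTART|RUN PROCESS|REBOOT' }) -join '; ')
}

function Test-TopsHardening {
    $findings = New-Object System.Collections.Generic.List[string]
    $state    = [ordered]@{}

    foreach ($k in @('PolicyPlugin', 'OnDemandLevel', 'OnAccessLevel', 'Lockdown')) {
        $state[$k] = Get-RegValueOrNull -Path $Paths[$k].Path -Name $Paths[$k].Name
    }

    if ($null -eq $state.PolicyPlugin) {
        $findings.Add('PolicyPlugin: value not found at the assumed path (verify key names)')
    } elseif ([int]$state.PolicyPlugin -ne 0) {
        $findings.Add('PolicyPlugin: enabled; the next update will reset Artemis to the default level')
    }

    foreach ($k in @('OnDemandLevel', 'OnAccessLevel')) {
        if ($null -eq $state[$k]) {
            $findings.Add("${k}: value not found at the assumed path (verify key names)")
        } elseif ([int]$state[$k] -lt $ExpectedArtemisLevel) {
            $findings.Add("${k}: Artemis level is $($state[$k]), expected $ExpectedArtemisLevel (Very High)")
        }
    }

    if ($null -eq $state.Lockdown) {
        $findings.Add('Lockdown: value not found at the assumed path (verify key names)')
    } elseif ([int]$state.Lockdown -ne 1) {
        $findings.Add('Lockdown: disabled; the scanner service can be stopped from Task Manager')
    }

    foreach ($svc in $ServicesToCheck) {
        $actions = Get-ServiceRecoveryActions -ServiceName $svc
        $state["Recovery_$svc"] = $actions
        if ($null -eq $actions) {
            $findings.Add("Service ${svc}: not installed under that name (verify service name)")
        } elseif ($actions -notmatch 'RESTART') {
            $findings.Add("Service ${svc}: no restart-on-failure action configured")
        }
    }

    [pscustomobject]@{ State = [pscustomobject]$state; Findings = $findings.ToArray() }
}

# Usage: run the audit, show the raw state, then list anything that differs from the
# hardened state described in the thread.
$result = Test-TopsHardening
$result.State | Format-List
if ($result.Findings.Count -eq 0) { 'No findings: settings match the hardened state.' }
else { $result.Findings | ForEach-Object { "FINDING: $_" } }
```

Because the script only reads, it is safe to push to a test machine first and compare its output before and after following the thread's steps, and again after the reversal (plug-in re-enabled plus an update) to confirm the values really did return to their defaults. If every registry finding reads "not found at the assumed path", the key or value names on that build differ from the thread's description and `$Paths` needs correcting rather than the settings.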
