I have 125 computers in several organizations running McAfee ToPS. The problem is that ToPS does not stop malware. We are constantly cleaning trojans and rootkits from computers that have valid, up to date McAfee ToPS running. The malware is simply getting by ToPS. I have a technician cleaning a computer right now that had fully up to date ToPS but yet is still infected to the point that the machine won't boot. I was at this machine myself 3 days ago and it was perfectly healthy. I have 2 more machines waiting for us to go clean viruses even though they have fully functional, up to date ToPS. This happens over and over and over.
I will update this post later today with a list of viruses that tops did not detect.
There is no point in calling technical support. They are going to want to remotely control one computer and try to see what's wrong with it. That is pointless. We have cleaned hundreds in the last 2 months, all of which have fully functional, up to date ToPS. The problem is not with the computer, it is not with the installation. The ToPS application is simply not doing the job.
I am convinced right now that I do not need to purchase this product anymore. I hate to go to Symantec because it slows down a computer so much, but I have 25 computers running Symantec Endpoint and not a single infection since the product was installed 2 years ago.
I like certain aspects of mcafee tops, but if it's not going to stop viruses, then what's the point in having it?
I am looking for any comments or insight from any current users. I would especially like comments from mcafee professionals.
Look for answers.
I removed the harddrive from a computer with fully functional, up to date TOPS software, connected it to another computer and scanned it with AVG and malwarebytes.
The following viruses were found.
gorodih.dll dns changer
trojanhorse fake alert.lf
Mcafee TOPS did nothing to stop these infections.
I am 100% certain that TOPS was running and up to date.
Why is TOPS not stopping these infections?
Thanks for your report. We apologize for any inconvenience this has caused.
There are thousands of new malware and variants daily. Moreover, there are myriad names for viruses and each company, when they discover detection, gives a virus a name. Often more than one company will "discover" the detection at about the same time, and a virus will get different names from different companies. So what one company would detect something as may differ significantly from what another company will detect it as. Unfortunately, without a sample, we cannot say whether we detect a certain virus or specific variant based only on a description or name from another company.
Based on the virus list names you reported, we suspect these are Vundo and FakeAlert related variants. Certain variants of the Vundo trojan are especially difficult to remove. Please refer to Vundo Removal Instructions at: http://vil.mcafeesecurity.com/vil/content/v_127690.htm.
We can also suggest that you run the Stinger tool for FakeAlert, as described at http://community.mcafee.com/thread/21269.
Anyway, in order for us to research this question, if you still have the file(s) in your system, please send us a sample for further analysis, in a password-protected ZIP file (password - infected). You can find detailed instructions for how to do this at <http://vil.mcafeesecurity.com/vil/submit-sample.aspx>.
Thanks for the reply Patty. It was as expected. I don't need instructions on how to remove these viruses. I have already done so. What I need is a product that stops them from getting there in the first place.
Unfortunately, we don't have time to collect samples and send them to you. In this particular case, the user was watching us anxiously awaiting our completion of the task because he had to get back to work. We have 4 more computers waiting for us to come perform the same exact tasks. We had no choice but to clean the machine and put the user back to work. In the real world, there's no time for collecting samples and doing research.
There is nothing new about any of these viruses. Mcafee TOPS should have detected them and prevented infection, but it did not.
I recommended this product to my customer and he bought it. He now wants to know why it is not stopping the infection. I have informed him that I cannot answer that question. Furthermore, I apologized to him for making a bad recommendation and am hoping he doesn't request that I reimburse him for his bad investment. I am now researching other solutions. That is all I can do.
Also I am too late to respond because the computers have already been infected. However, there is a little workaround that you need to do in order to be well protected. Currently the ToPS that you are running has the Artemis settings at the default level (Very low), which is as good as not having it. This is by my own experience. Artemis does a great job when it is set to very high, but yes, there will be those occasional false alarms, but it would not harm a technical manager as you can always restore them from Quarantine, but trust me, the machines stay clean!!!
Now getting back to setting the Artemis settings to VERY HIGH:- But be warned, you would have to disable the Policy Plug-in for the Virus Scan for this, so that the next time the software updates, it does not reset the Artemis setting to Very low.
HOW you can do this:- This is a little tedious but very effective workaround. But I must say, kindly use caution while you practice it. 1} You have to use regedit.exe and then go to the Local Machine key, then Software, and click on McAfee.
2} Once you have the McAfee key open, you would then click on "Managed Services". Go to Agent. Click on POLICY PLUG INS. Then from the drop-down, select the Virus Scan option and then on the right-hand side, change the enable registry entry to "0" to disable it. Once that is done, under Managed Services, please click on the Virus Scan option. Once there, please click on the On Demand Scan. On the right-hand side, you will see the Artemis level. Set it to 4 (Very High).
3} Then scroll down to the end of the McAfee tree and click on VSCORE. Once you click on it, you will see the On Access Scan. Follow the same procedure as you did in the On Demand Scan setting to set the Artemis setting to VERY HIGH.
Now you have the highest settings for Artemis. On the test/infected machine, now run a scan and you will see any detections which were missed. Make sure the internet is active.
ONE MORE THING:-
The reason malware manages to easily bypass ToPS is because the mcshield.exe process in ToPS is defenseless. You can easily disable it from Task Manager. Try doing it so easily with VirusScan Enterprise or even the home users' software?? You can't!!!
This happens because under Services, the mcshield.exe process and other important services which are essential for ToPS to work are set to take no action in case of a failure. We would have to manually change it to RESTART SERVICE immediately, or to 0 seconds. I would actually suggest doing so with all the McAfee services. Once this is done, we need to do one more thing under regedit.exe and then you will have a rock-solid ToPS.
Under regedit.exe, you remember we had clicked on the VSCORE key. On the right-hand side, you will see:- LOCKDOWN ENABLED:- It is by default set to Disabled (such a shame; that is why mcshield.exe cannot protect itself from being stopped). But yes, change it to 1 to enable it.
All the above mentioned information is tested and tried by me on a lot of test machines and that is why in my 2 earlier posts, I clearly mentioned the need for a way to set the Artemis settings like how you can do in VSE. But no one seems to be bothered. Looks like McAfee will only wake up when the complaints burst through the roof. I tested ToPS with Artemis set to default and also to Very HIGH. There is a world of difference. Try it to believe it!!!
ToPS is a great product provided McAfee helps us in helping ourselves. It is a shame if the software can't even protect itself. Just think how it would protect your machines?? But provided this simple thing is taken care of, there will be no looking back...
I hope this may help you albeit a little late.
God Bless !!!
Message was edited by: sameer172006 on 2/11/10 5:56:13 PM CST
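One way to script the registry and service changes described in the post above so that every current value is recorded before it is touched and can be put back later (an added example, not code from this thread or from McAfee; the registry key and value names are assumed from the post's description of the regedit tree and must be verified on a test machine first):

```powershell
# Added example, not from the thread or from McAfee. Registry key and value names
# below are ASSUMED from sameer172006's description of the regedit tree; verify
# them on a test machine before using -Apply.
param(
    [switch]$Apply,            # without -Apply the script only reports and backs up
    [string]$RestoreFrom,      # CSV written by an earlier run, to reverse the change
    [int]$ArtemisLevel = 4     # 4 = "Very High" according to the post
)
$Base = 'HKLM:\SOFTWARE\McAfee'
$Targets = @(
    @{ Key = "$Base\Managed Services\Agent\Policy Plug Ins\Virus Scan"; Name = 'enable';           Value = 0 },
    @{ Key = "$Base\Managed Services\Virus Scan\On Demand Scan";        Name = 'Artemis level';    Value = $ArtemisLevel },
    @{ Key = "$Base\VSCORE\On Access Scan";                             Name = 'Artemis level';    Value = $ArtemisLevel },
    @{ Key = "$Base\VSCORE";                                            Name = 'LOCKDOWN ENABLED'; Value = 1 }
)

function Read-Value($Key, $Name) {
    if (-not (Test-Path $Key)) { return $null }
    (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
}

if ($RestoreFrom) {
    # Reverse a previous run: put every value back to what the backup recorded.
    foreach ($r in Import-Csv $RestoreFrom | Where-Object { $_.Current -ne '' }) {
        Set-ItemProperty -Path $r.Key -Name $r.Name -Value ([int]$r.Current) -Type DWord
    }
    Write-Host "Restored values from $RestoreFrom"; return
}

$Rows = foreach ($t in $Targets) {
    [pscustomobject]@{ Key = $t.Key; Name = $t.Name; Current = (Read-Value $t.Key $t.Name); Desired = $t.Value }
}
$Backup = Join-Path $env:TEMP ('tops-artemis-backup-{0:yyyyMMdd-HHmmss}.csv' -f (Get-Date))
$Rows | Export-Csv -Path $Backup -NoTypeInformation
$Rows | Format-Table -AutoSize
Write-Host "Current values saved to $Backup; re-run with -RestoreFrom $Backup to undo."

if ($Apply) {
    foreach ($r in $Rows) {
        if ($null -eq $r.Current) { Write-Warning "Not found, skipping: $($r.Key)\$($r.Name)"; continue }
        Set-ItemProperty -Path $r.Key -Name $r.Name -Value $r.Desired -Type DWord
    }
    # Service recovery as the post recommends: restart immediately on every failure.
    # Service names are discovered by display name rather than hard-coded.
    Get-Service | Where-Object { $_.DisplayName -like 'McAfee*' } | ForEach-Object {
        sc.exe failure $_.Name reset= 0 actions= restart/0/restart/0/restart/0 | Out-Null
    }
}
```

Run it from an elevated PowerShell prompt; without -Apply it only prints the current values and writes the backup CSV, which is the file you pass to -RestoreFrom to reverse the change on a machine where the results are not wanted.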
OMG Sameer! I cannot believe that my post here might actually give me a solution (thanks to you). What I do believe is that everything you say is true and I will no doubt be performing these settings on numerous machines. I cannot thank you enough. What a shame that McAfee people cannot provide such valuable information. Thank you again.
I am glad to know that my little effort helped you.
I will be very happy if that actually helps you in getting rid of the malware and keep your network clean !!!
Have a great day !
Hi - Whilst these steps might prove useful for especially keen and technical people, it is totally unacceptable to be expected to go and make such changes in a busy production environment with people on the move.
The facility to change the artemis level should be available from the security center.
The fact that it CAN be changed gives at least *some* hope that a year or a decade from now McAfee might even give us this facility to allow us to administrate it in a technically controlled and confident manner.
Making such changes across many machines is a step that you must be able to quickly REVERSE if you don't like the new results.
This should be in its own thread under something like "Please provide granular control of the artemis setting from security center"
I personally would never consider making this change in such a fashion on an individual machine basis, I would regard it as very poor practice in a production environment, or live environment, whatever you want to call it.
But each to their own, I guess.
Very true Argint.
That is why I have been lamenting about having an easier way to set the Artemis levels.
Anyway, the user who had raised a concern wanted to try it out on his test machine and thus I listed out the steps to him. As far as the reversal goes, all we need to do is to just enable the VirusScan Policy Plugin. Update the software, and everything sets back to default.