It's not so much McAfee, but the industry in general. The industry as a whole is having huge issues grappling with seeing 50000 new samples per day and trying to work out how to actually detect them quickly and reliably.
McAfee certainly does need to do a lot more work towards the goal, but I don't believe they are alone.
My suggestion is that you should try and upgrade to McAfee VSE 8.7i, which includes the Artemis technology. You can set the Artemis setting as per your requirement, ranging from 4 (very high) to 1 (very low, the default).
I do agree that the bad guys are working overnight to keep the AV companies busy. But they are not the only people working out there. The AV companies have also taken up the challenge. This is where newer technologies like Artemis come into the picture and serve as the saving grace. Artemis analyses behavioural patterns of suspicious files, quickly sends them over to McAfee's ever-updating servers and improves detection rates. You would have to try it to believe it!
Also, if it is difficult for you to upgrade to 8.7i, then I would suggest you contact McAfee tech support at 1 866 622 3338 and obtain a special SUPERDAT package for Artemis to be activated in VSE 8.5i.
All said and done, in the end it boils down to how intelligent and cautious we are when we are accessing the internet. No AV in the world can give me 100% protection if I am not being cautious in what sites I am browsing and what stuff I am downloading.
Please revert for any more information/clarification.
An 8.5 user/Admin has the ability to enable Artemis without contacting support - see https://kc.mcafee.com/corporate/index?page=content&id=KB53732
Artemis is part of the McAfee solution, but not the complete solution. An Admin needs to be careful about how Artemis is implemented (including which level to use).
I have over 4000 nodes running VSE 8.7 and 8.5. I had a user last week whose laptop was infected with several malware and viruses. VSE 8.7 and antispyware was installed with the latest patch, updated with the latest DAT files. Artemis is active in ePO. Infections found on the laptop:
Generic Fake Alert!htm
Infections found by AVAST
Infections found by McAfee Boot Scan: this was run after all of the others
8.7 detected Vundo several times and would not clean it until a reboot. After the reboot the laptop became infected again with Vundo. To finally clean up the device I installed SuperAntiSpyware. I spent 2.5 days cleaning the workstation.
I did contact support, but was able to receive very little help.
I've read up on Artemis recently, bit worried about pushing it out to be honest, but I might give it a trial run on a few machines. I wasn't too happy with 8.7 the last time I trialed it, but there have probably been a few patches since then, will have a look.
Couldn't agree more about caution when browsing the web being vital, but most users tend to click first, unfortunately. I also rate memory keys as a big source of our problems/infections, but disabling USB ports is a no go.
I'll definitely have a look at 8.7 and Artemis, hopefully it's a runner and we can stop wasting hour upon hour running full scans with multiple alternative products! Thanks for the information and thoughts.
Start it off at "Very Low" and see what you think. Eventually, you might want to move it up to "Low", then "Medium".
I still don't have a high level of confidence in Artemis for corporate use except for certain situations. I feel there are still way too many false positives in their Artemis databases.
Mal and Greg,
With VSE 8.7i, Artemis is enabled and set to a default level of Very Low.
I suggest bumping that up to MEDIUM because that gives you a good hold on reducing the false alarms. I can assure you that behavioral blocking is the most useful thing right now. We just cannot keep waiting for the signature updates to happen and then worry about getting infected in the vulnerable window until the next DAT update happens.
As far as the false alarms are concerned, you may assign the policy through ePO to only alert or report a suspicious file instead of outright deleting it at the first attempt. When you get the alert trigger, you may certainly examine whether the said file is a false alarm or really is a nasty infection. Then proceed to whatever action you want to take.
As far as assigning the policies is concerned, with a wonderful tool like ePO at hand, you may assign different policies to a particular set of computers. If I am worried about a bunch of certain computers which keep getting infected more often, I would assign a HIGH Artemis setting to those and take it light with the other ones.
Artemis has got an amazing satisfaction rate at both Corporate as well as Enterprise levels. I do not see why it should be a problem. In the end, Artemis is contacting McAfee's servers, where the next day's DATs would also come from. I would certainly trust Artemis, but yes, with a cautious setting on the sensitivity level!