7 Replies Latest reply on Feb 19, 2010 2:06 PM by sameer172006

    VSE Detection Reliability

      This is more of a quick survey than a question, apologies if it's in the wrong section but as we're using VSE I think it's appropriate.

       

      I'm wondering if other users here are seeing more malware get through VSE than usual.  In my case, I would say prior to 6-12 months ago I can't recall a single instance where a machine got infected so long as it was up to date.  In the past 6-12 months however more and more machines (all up to date) are getting infected with something that VSE can't detect.

       

      Now whatever gets past VSE and onto the machines (it's different in each case) tends to spawn a load of other malware that VSE does detect and remove but unless we run some alternative product on the machine the source is never removed and the "spawning" keeps recurring.

       

      Like I say, this is more of a poll than a rant/question, just wondering if it's happening to more people or just us?  Of course if it turns out to be just us then it might turn into a question.

       

      190 x VSE 8.5. Latest Patch and Dat and AntiSpyware Module

      ePO 4.0.

       

      Thanks in advance for any feedback.

      gR

        • 1. Re: VSE Detection Reliability

          It's not so much McAfee, but the industry in general. The industry as a whole is having huge issues grappling with seeing 50000 new samples per day and trying to work out how to actually detect them quickly and reliably.

           

          McAfee certainly does need to do a lot more work towards the goal, but I don't believe they are alone.

          • 2. Re: VSE Detection Reliability

            Gerririgney,

             

            My suggestion is that you should try and upgrade to McAfee VSE 8.7i, which includes the Artemis technology. You can set the Artemis setting as per your requirement, ranging from 4 - very high to 1 - very low (default).

             

            I do agree that the bad guys are working overnight to keep the AV companies busy. But they are not the only people working out there. The AV companies have also taken up the challenge. This is where newer technologies like Artemis come into the picture and serve as the saving grace. Artemis analyses behavioural patterns of suspicious files, quickly sends them over to McAfee's ever-updating servers and improves detection rates. You would have to try it to believe it!

             

            Also, if it is difficult for you to upgrade to 8.7i, then I would suggest you contact McAfee tech support at 1 866 622 3338 and obtain a special SUPERDAT package for Artemis to be activated in VSE 8.5i.

             

             

            All said and done, in the end it boils down to how intelligent and cautious we are when we are accessing the internet. No AV in the world can give me 100% protection if I am not being cautious in what sites I am browsing and what stuff I am downloading.

             

             

            Please revert for any more information/clarification.

             

            Sameer!

            • 3. Re: VSE Detection Reliability

              An 8.5 user/Admin has the ability to enable Artemis without contacting support - see https://kc.mcafee.com/corporate/index?page=content&id=KB53732

               

              Artemis is part of the McAfee solution, but not the complete solution. An Admin needs to be careful about how Artemis is implemented (including which level to use).

              • 4. Re: VSE Detection Reliability
                mrandolp

                I have over 4000 nodes running VSE 8.7 and 8.5.  I had a user last week whose laptop was infected with several malware and viruses.  VSE 8.7 and antispyware was installed with the latest patch, updated with the latest dat files.  Artemis is active in ePO.  Infections found on the laptop:

                 

                VSE 8.7

                Generic Fake Alert!htm

                New Malware.j

                Vundo!fu

                FakeAlert-SpyProgram.A

                 

                Infections found by AVAST

                Win32-Rootkit-gen

                Win32:Veslon (Trojan)

                Win32:Agent-lzl

                 

                Infections found by McAfee Boot Scan:  This was run after all of the others

                None

                 

                8.7 detected Vundo several times and would not clean it until a reboot.  After the reboot the laptop became infected again with Vundo.  To finally clean up the device I installed SuperAntispyware.  I spent 2.5 days cleaning the workstation.

                 

                I did contact support, but received very little help.

                 

                Thx Mike

                • 5. Re: VSE Detection Reliability

                  I've read up on Artemis recently, a bit worried about pushing it out to be honest but I might give it a trial run on a few machines.  I wasn't too happy with 8.7 the last time I trialed it but there's probably been a few patches since then, will have a look.

                   

                  Couldn't agree more about caution when browsing the web being vital but most users tend to click 1st unfortunately.  I also rate memory keys as a big source of our problems/infections but disabling USB ports is a no go.

                   

                  I'll definitely have a look at 8.7 and Artemis, hopefully it's a runner and we can stop wasting hour upon hour running full scans with multiple alternative products!  Thanks for the information and thoughts.

                   

                  Rgds

                  gR

                  • 6. Re: VSE Detection Reliability

                    Start it off at "Very Low" and see what you think. Eventually, you might want to move it up to "Low", then "Medium".

                     

                    I still don't have a high level of confidence in Artemis for corporate use except for certain situations. I feel there are still way too many false positives in their Artemis databases.

                    • 7. Re: VSE Detection Reliability

                      Mal and Greg,

                       

                       

                      With VSE 8.7i, Artemis is enabled and set to a default level of Very Low.

                       

                      I suggest bumping that up to MEDIUM because that gives you a good hold on reducing the false alarms. I can assure you that behavioral blocking is the most useful thing right now. We just cannot keep waiting for the signature updates to happen and then worry about getting infected in the vulnerable window until the next DAT update happens.

                       

                      As far as the false alarms are concerned, you may assign the policy through ePO to only alert or report a suspicious file instead of outright deleting it at the first attempt. When you get the alert trigger, you may certainly examine whether the said file is a false alarm or really is a nasty infection. Then proceed to whatever action you want to take.

                       

                      As far as assigning the policies is concerned, with a wonderful tool like ePO at hand, you may assign different policies to a particular set of computers. If I am worried about a bunch of certain computers which keep getting infected more often, I would assign a HIGH Artemis setting to those and take it light with the other ones.

                       

                       

                      Artemis has got an amazing satisfaction rate at both Corporate as well as Enterprise levels. I do not see why it should be a problem. In the end, Artemis is contacting McAfee's servers, where the next day's DATs would also come from. I would certainly trust Artemis, but yes, with a cautious setting on the sensitivity level!