2 Replies Latest reply on Feb 23, 2010 5:15 PM by argint

    Firewall concerns in TOPS that deserve answers

      Ok, to be more organised I have moved this post to a new thread.

      Ok, I'll start!

      1. I administrate our 34 nodes. My current feeling towards the firewall functionality is one of uncertainty and slight dread. Our laptops are on the move, and users scream if things don't work. The firewall doesn't help me make decisions. This is my experience after 2 years using this product.

      2. At a fundamental level, from the security center, I will ask openly of any security engineer: "Would you make a decision on the nature of an unrecognised program based on image name alone?" This is all the security center tells me. I will accept I am wrong if you can prove me to be so. I do not believe I am. The execution path, at a bare minimum, should be available to me in the security center to make some sort of judgement as to the validity of a firewall-blocked program. This is very basic. It would at least allow me to locate the program. This information is available in the console when you manage the firewall from the client end. Why not in the security center? This is so fundamental, and I've never received a valid answer.

      3. Since that information is not available, I suggest the functionality is possibly dangerous, as it is asking you to make judgements under pressure. If I click Allow, it could be malware. Simple as that. As I have no execution path, how am I supposed to locate this program? Do a full search of a hard drive? No thanks! Ain't gonna happen.

      4. The Unrecognised Programs report provides me with a never-ending list of image names that could be in all of my policies, or some, or none. This is hellish to work with. I even see Total Protection Service elements in that list, all the time!!! All the Microsoft Office programs constantly appear in this list. There is no sanity here!! In a busy environment it leads to an empty feeling in my gut.

      5. The product should be doing all the work for me, not me doing all the work to deduce what the hell is going on. The information is available. It is simply being presented in an ultimately unusable way. When I open that report, I expect to see what it says: unrecognised programs, i.e. "Here is a program that's not in a policy. Do you recognise it?" If so, then Allow. If not, then Block and give me information to go and find it, i.e. the execution path at least to start with. Then, that program should disappear from that list until it is executed on another machine on which it is not recognised, but not until that moment. I don't want it sitting there in a list because McAfee think I might want to add it to a policy some other time. This is plain silly!!!!!!

      6. If it is unrecognised because of a footprint (i.e. an update), then tell me that, feed me information, put it in a different list, but give me the information to make decisions; don't just give me a never-ending list of image names that confuse me, or that I give up all hope on.

      7. There must be some sort of issue with the McAfee whitelist. Common programs that function on the laptops are registered as blocked when you go to the actual list of programs in the firewall itself. Again, more confusion, more doubt, more fear.

      8. In the actual firewall policies themselves there are hundreds of image names. No execution path. No information. You presently cannot even sort the column on blocked or allowed status, so you have to scroll through them. More confusion, more fear, more doubt.

      9. Even if the blocked programs had a different colour, that would be a start. How long would that take an ASP developer to do??? More confusion.

      10. You cannot delete from the firewall allowed application list. We now have hundreds of image names accumulated over time. Unmanageable. More fear, more doubt, more worry.

      11. Each policy contains the image names from all other policies. Nightmare!! We have different laptops with different applications. We separate them into groups, and after all that, all programs from all policies appear in all other policies!!! More confusion, more fear, more doubt.

      12. Can no-one out there see that over a period of time we just end up with a great load of image names and no sanity, no ability to make sane judgements, and general despair from day to day?

      13. I was a developer for years. I know this is all fixable, so why all these ajaxy, widgety-type gimmicks??? Get the basics right first and the rest will follow. Go back and review this. Show me you care, McAfee!!

      That will do for now.

      Argint.

        • 1. Re: Firewall concerns in TOPS that deserve answers

          Argint,

          Sorry for the delay in response.

          I have been having some issues with the Internet acting crazy all the time. It's not fine yet. Arrghhh!!!!

          I completely agree with you on the firewall issues. Also, I have observed that, for some peculiar reason that I am unaware of, the ToPS firewall keeps blocking the apps that I allow. For example, if I want VMware Workstation and all its services to be allowed, it keeps asking me again and again. That is more than enough to **** me off for starters! Memory lapse, eh?

          The firewall component itself is mediocre, to say the least. I mean, I have used McAfee Host Intrusion Prevention and firewalls from other software. You can see the active component keeping a watch on the network traffic if you go into the IPv4 settings, and you would see a firewall filter there. Nothing of that sort here. This firewall, I believe, is just the same component as the firewall found in the home user's software and can be disabled or compromised easily!

          Moving on to the virus scan option:

          1} The On Access Scanner, or the Virus and Spyware component of ToPS, has this nasty habit of shutting itself off quite a few times for reasons known only to the software or the developer. Now the most disheartening feature is that the service is not configured to take any action on its failure. Yes, you read it right. You would have to manually set it to restart the service immediately, or just keep looking at the McAfee console which says you are at risk. Help me Jesus!!!

          2} Even a school student would know that if he/she has to fiddle around with the comp and its settings, they just have to disable the AV. McAfee's main scanning component (mcshield.exe) can be stopped by going into the Services tab or even from the Task Manager. McAfee's ToPS can't even protect itself from being terminated. No wonder any malware can easily spread its roots into a system with ToPS by just disabling it.

          3} There should be a way to lock down the settings in ToPS as well. Even the home user's Total Protection 2010 will not let you stop mcshield.exe so easily, let alone tweak its settings. I wonder what made the developers just ignore this very important feature.

          4} I have said it time and again. With the current influx of new variants and dangerous malware in the wild, customers should have greater leverage to decide what kind of heuristic sensitivity is good for them. There is no easy way to set the Artemis sensitivity level, either from the console or from the Security Centre. McAfee by default sets it to very low. It is as good as not having it at all. In my earlier posts, I did talk about a painful method of changing the Artemis settings using regedit.exe.

          5} ToPS does not clean cookies in the real-time scans, unlike VSE. You run an on-demand scan and the only detection you will see is that of cookies. I am not interested in knowing how many cookies were there in my comp. For God's sake, do not keep the cookies in my system until I run an on-demand scan. Please take care of it in real time and get me a clean report if my system is clean, and do not show me 30 detections and scare the living daylights out of me and then laugh out loud in my face by showing how many cookies you deleted!!!

          6} You cannot run an on-demand scan by just right-clicking on the tray icon. Come on McAfee!!! All your products have that option. Why do I have to open the console just to run a scan? Now that I have the console open, you do not want to give me the update option. I have to close the console and only then try an update. Why can't you just let the update happen without nagging me to close the already open window???

          7} If I try and submit a sample from the Quarantine viewer, I can't. I wonder why. Someone wants to help me understand???

          I have listed out other features as per my understanding of them. Take out a little time, friends, and let's try and let McAfee know where they are lacking and help McAfee help itself!!!

          Message was edited by: sameer172006 on 2/23/10 5:54:29 PM CST
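A defender's check for point 1} in the reply above (the scanner service having no recovery action configured): this is an added example, not code from the thread or from McAfee. It reports the service state, whether the Service Control Manager will restart it after a failure, and with -Fix configures a restart. The service name McShield is an assumption; confirm it with Get-Service on the actual build.

```powershell
# Added example (not from the thread or McAfee): audit a security service's
# recovery configuration and optionally set it to restart after failure.
param(
    [string]$ServiceName = 'McShield',   # assumed name; verify with Get-Service
    [switch]$Fix
)

$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found; adjust -ServiceName." }

"{0}: State={1} StartMode={2} Path={3}" -f $svc.Name, $svc.State, $svc.StartMode, $svc.PathName

# 'sc.exe qfailure' lists RESET_PERIOD and FAILURE_ACTIONS; a service with no
# recovery configured shows no RESTART entry at all.
$qfailure = & sc.exe qfailure $ServiceName
$hasRestart = ($qfailure -join "`n") -match 'RESTART'
if ($hasRestart) {
    "Recovery: restart-on-failure is configured."
} else {
    "Recovery: NO restart action configured; the service stays down after a crash."
}

if ($svc.State -ne 'Running') {
    "WARNING: $ServiceName is not running; on-access scanning is off on this host."
}

if ($Fix) {
    if (-not $hasRestart) {
        # Restart 60 s after each of the first three failures; counter resets daily.
        & sc.exe failure $ServiceName reset= 86400 actions= restart/60000/restart/60000/restart/60000
        # Apply the recovery actions to non-crash stops (non-zero exit) as well.
        & sc.exe failureflag $ServiceName 1
    }
    if ($svc.State -ne 'Running') { Start-Service -Name $ServiceName }
}
```

Run it from an elevated prompt; without -Fix it only reports, so it is safe to schedule as a periodic audit across the fleet.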
          • 2. Re: Firewall concerns in TOPS that deserve answers

            Hi Sameer.

            This is great stuff. Educated, experienced, first-hand, real-world experiences of this product in a public forum.

            You have heartened me quite a bit. We are in a tricky situation here, as we have committed ourselves to this product and (as their perfect target audience) are not immediately equipped to put the infrastructure in place to change it overnight. I totally believe in the concept behind this service. But after 2 years, I am shocked at the lack of "reality" behind what is happening with it. We have to prepare ourselves in the background for a move away, but I still hope that these issues we raise will register with someone with a conscience at McAfee. They cannot possibly expect to be taken seriously if these matters are not improved. It will turn into the "joke" security product. The Christmas cracker. The flash in the pan, and die a sorry death. It simply does not stand up to serious technical scrutiny in its current form.

            Might I suggest that you separate your issues into different threads to maintain some form of cohesive strategy. I moved my firewall concerns into one thread. If we don't do this, the issues will simply melt together into a general "moan". If we wish to have impact we need to have organisation and give McAfee the directed information they need to hear, or have already heard and are ignoring.

            It would also help me to unwind my feelings from my thoughts, as I too have many other ideas on the usefulness or uselessness of some of the features.

            As a taster... don't get me started on the .mht "scheduled reports" functionality. Great idea, implemented in a simply stupid way. They have overcomplicated everything. Send me a PDF report before you go sending .mht files that (without an internet connection) take nearly 30 seconds to open!! I tried it once, never again. Useless. This is 2010. PDF reports are more than adequate.

            So, in summary, let's split this whole thing up.

            Great input.

            Argint.