10 Replies Latest reply on Apr 1, 2010 6:03 AM by Mal09

    Buffer Overflow DAT for VirusScan Enterprise

    D-Fens

      Today I noticed this in ePO.

      any news about this?

        • 1. Re: Buffer Overflow DAT for VirusScan Enterprise

          Previously McAfee have only updated it in various Patches rather than letting it auto-update via dat update mechanisms.

           

          Perhaps they now want a faster response to desktops if they have to make fixes/improvements to the file (e.g. a bug in Patch 2 that was found with the BO DAT).

          • 2. Re: Buffer Overflow DAT for VirusScan Enterprise
            Attila Polinger

            Hi,

             

            first, thank you for the information, I noticed that we also had this file.

             

            The story of it, as I recall, could have originated earlier: for some time now McAfee has conducted several surveys, one of which was an inquiry about how users deem new, planned functions. Among them they mentioned what we would think if they separated the DATs into several smaller DATs.

             

            I guess they have made the first step on this road, and separated BOF DAT from daily AV DAT. This could reduce the memory need for loading (if someone does not use BOF functionality), or can be used for loading these DATs in separate memory areas (just guessing).

             

            Attila

            • 3. Re: Buffer Overflow DAT for VirusScan Enterprise
              D-Fens

              Hi Attila,

               

              I think this was not to lessen the memory consumption, it was only a bugfix.

              Hopefully McAfee will repost Patch 3 with the new BOP DATs.

               

              But I totally agree with you - the CPU peaks and large amount of RAM that is used when updating DATs is because of only 3 files containing the DATs - after adding a new incremental .avv file, these files have to be merged.

               

              Avira, for example, renewed their update system from 4 files to 32 files ( http://www.avira.com/en/support/vdf_update.html ) so that you won't notice when an update happens. But I'm sure McAfee is also aware of this and is working on that for the announced 8.7.1 VSE version.

               

              D-Fens

              • 4. Re: Buffer Overflow DAT for VirusScan Enterprise
                PhilR

                From https://mysupport.mcafee.com/eservice/Article.aspx?id=KB68448

                 

                 

                Problem

                After installing VirusScan Enterprise (VSE) 8.7i Patch 3 and restarting your computer, the Windows desktop is not displayed with the Access Protection rule Standard Protection: Prevent Windows Process spoofing enabled.

                Windows Task Manager shows that Explorer.exe is not running.

                System Change

                Installed Patch 3 for VSE 8.7i and restarted computer.

                Cause

                The Access Protection rule Standard Protection: Prevent Windows Process spoofing is enabled and configured to Block. The issue is caused by changes to vscan.bof, a content file for Access Protection rules and buffer overflow protection.

                This issue has been reported for the Explorer.exe process. Other Windows processes are not affected.

                Solution

                This issue is resolved by an updated vscan.bof content file on the McAfee Common Updater site. This updated file will be automatically downloaded and applied to all VSE systems (regardless of patch level) in the same way as daily DAT files.

                This means Patch 3 can be applied and systems will never encounter the issue.

                The updated package is also attached to this article.

                NOTE: This content file is also used by VirusScan Enterprise 8.5i. After the update, both VSE 8.7i and 8.5i will report version 480 for the Buffer Overflow and Access Protection DAT Version.

                Workaround

                Disable the Access Protection rule.
                NOTE: Because Explorer.exe is not running, there is no Start button or VirusScan Enterprise (VSE) icon in the system tray.

                To open the VirusScan Console

                1. Press CTRL+ALT+DEL.
                2. Click Task Manager, File, New Task (Run...).
                3. Navigate to C:\Program Files\McAfee\VirusScan Enterprise\mcconsol.exe.
                4. Click OK.
                5. Right-click Access Protection and select Properties.
                6. Select Anti-virus Standard Protection.
                7. Select Prevent Windows Process spoofing and deselect the Block option.

                  NOTE: Optionally, you can deselect Report to completely disable the rule.
                8. Click OK.

                Related Information

                If you log into your system quickly, you might not encounter this issue, even when the rule to block spoofing of Windows processes is enabled. This is because Explorer.exe is running before the Access Protection Rule takes effect.
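                The KB article above gives a manual, GUI-only recovery path and says the fix is a new vscan.bof pushed through the Common Updater. The script below is an added example, not part of the KB article, the thread, or McAfee's own tooling: it checks whether the vscan.bof on a host matches a known-good copy taken from a host that already received the update (so the fix can be confirmed across a fleet without trusting the reported DAT version alone), and if Explorer.exe is not running it launches the VirusScan Console from the path the KB quotes, so the Access Protection rule can be changed. Assumptions: VSE is installed at the default path in the KB, vscan.bof lives in that directory, and the placeholder hash is replaced with one you compute yourself; Get-FileHash needs PowerShell 4 or later.

```powershell
# Added example (not McAfee's code). Verifies which vscan.bof a host has and
# recovers access to the VirusScan Console when Explorer.exe is not running.
#
# ASSUMPTIONS (not stated by the KB article):
#   - default VSE install path as quoted in the KB
#   - vscan.bof is located in that directory
#   - $KnownGoodSha256 is replaced with a hash you computed from a host that
#     has already received the updated content file

$VseDir  = 'C:\Program Files\McAfee\VirusScan Enterprise'
$BofFile = Join-Path $VseDir 'vscan.bof'     # assumed location
$Console = Join-Path $VseDir 'mcconsol.exe'  # path given in the KB workaround

# Placeholder: compute this on a reference host with
#   (Get-FileHash 'C:\Program Files\McAfee\VirusScan Enterprise\vscan.bof').Hash
$KnownGoodSha256 = 'REPLACE-WITH-HASH-FROM-A-HOST-THAT-HAS-THE-UPDATED-FILE'

function Get-BofStatus {
    # Returns presence, hash, timestamp and whether it matches the reference copy.
    if (-not (Test-Path -LiteralPath $BofFile)) {
        return [pscustomobject]@{
            Host = $env:COMPUTERNAME; Present = $false
            Sha256 = $null; LastWrite = $null; MatchesReference = $false
        }
    }
    $hash = (Get-FileHash -LiteralPath $BofFile -Algorithm SHA256).Hash
    [pscustomobject]@{
        Host             = $env:COMPUTERNAME
        Present          = $true
        Sha256           = $hash
        LastWrite        = (Get-Item -LiteralPath $BofFile).LastWriteTime
        MatchesReference = ($hash -eq $KnownGoodSha256)
    }
}

function Test-ExplorerRunning {
    # True if at least one explorer.exe process exists in this session.
    [bool](Get-Process -Name explorer -ErrorAction SilentlyContinue)
}

$status = Get-BofStatus
$status | Format-List

if (-not $status.MatchesReference) {
    Write-Warning 'vscan.bof does not match the reference copy; the updated content file has not landed here.'
}

if (-not (Test-ExplorerRunning)) {
    # Same recovery the KB describes, without needing Task Manager by hand:
    # open the console so "Prevent Windows Process spoofing" can be set to not Block.
    Write-Warning 'Explorer.exe is not running; opening the VirusScan Console.'
    Start-Process -FilePath $Console
}
```

Run it with an account that can read the VSE directory; for a fleet check, run only Get-BofStatus via remoting and collect the objects, since the console launch is only useful interactively on the affected desktop.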

                • 5. Re: Buffer Overflow DAT for VirusScan Enterprise

                  The buffer overflow DAT file is not part of the signature DATs. Instead it's a separate file in the McAfee installation (vscan.bof comes to mind). If you look at a desktop log for McAfee updating, it says "not in the repository" for BOCVSE__1000. I believe that this is the McAfee name for the Buffer Overflow DAT - and until recently it has never been part of the repository downloaded from McAfee. It has only ever been upgraded as part of various patches for VSE.

                   

                  So this has nothing to do with reducing the size of the signatures, but instead, I believe, to allow sysadmins to update the BO signatures.

                   

                   

                  -- edit : And all better explained by McAfee in the technote listed above!

                   

                   

                  Message was edited by: Mal09 on 17/03/10 17:04:13 GMT
                  • 6. Re: Buffer Overflow DAT for VirusScan Enterprise
                    nasci

                    I noticed this as well, but for the post-patch fix for 8.7i Patch 3 the BOP was 480; now I've noticed the current BOP DAT is 483. Are they changing the BOP DAT daily/weekly? I also have 8.5i Patch 8 software in my environment; am I to be deploying this BOP DAT to 8.5i installs as well?

                    What's going on with this, McAfee? What's the frequency of these BOP DAT releases so we can plan (and test) our deployments accordingly?

                     

                     

                    Message was edited by: nasci on 3/31/10 9:28:17 AM CDT

                     

                     

                    Message was edited by: nasci on 3/31/10 9:29:18 AM CDT
                    • 7. Re: Buffer Overflow DAT for VirusScan Enterprise
                      Jonesthemilk

                      Hi

                      I have this DAT in my legacy ePO 3.6.1 Master Repository but nothing showing in the 4.5 console.

                      Am I missing something?

                      • 8. Re: Buffer Overflow DAT for VirusScan Enterprise

                        nasci wrote:

                         

                        I noticed this as well, but for the post-patch fix for 8.7i Patch 3 the BOP was 480; now I've noticed the current BOP DAT is 483. Are they changing the BOP DAT daily/weekly? I also have 8.5i Patch 8 software in my environment; am I to be deploying this BOP DAT to 8.5i installs as well?

                        What's going on with this, McAfee? What's the frequency of these BOP DAT releases so we can plan (and test) our deployments accordingly?

                         

                        The 483 version was released to fix a bug (Outlook Express triggering AP rules) in the 480 version. I don't think McAfee intend to release these frequently, but only when they have to resolve issues.

                         

                        The version is for 8.5i and also 8.7i.

                        • 9. Re: Buffer Overflow DAT for VirusScan Enterprise
                          Attila Polinger

                          Looking at my VirusScan Ent 8.7 P2 About screen, it displays BOF DAT v 493. Seems that they are coming quite frequently. I would guess these DATs get updated whenever a major vulnerability issue is found in one of the systems the VSE BOP is intended to cover.

                           

                          Attila
