1593 Views 5 Replies Latest reply: Apr 21, 2013 10:09 PM by petersimmons
Newcomer 4 posts since
Nov 19, 2009

Mar 30, 2010 3:11 AM

VSE87i Patch-2 and Personal Security ?!?

Hello,

We have ePO4 Patch6 and VSE87i, with a recent .dat file updated every day. We have a user who has installed Personal Security

C:\Program Files\PersonSecurity\psecurity.exe, which is malware.

As we have configured ePO to send a notification every time a user or program attempts to disable McAfee AV, we got around 16000 mails from ePO like this:

Event descriptions : Access Protection rule violation detected and blocked
Starting at : 3/29/10 12:23:37 PM

Name of threats : Common Standard Protection:Prevent termination of McAfee processes

Infected file C:\Program Files\McAfee\VirusScan Enterprise\scan32.exe

Additional Information : C:\Program Files\PersonSecurity\psecurity.exe

 

My question: why was the user able to install this program? Shouldn't VSE87i automatically block/quarantine psecurity.exe? (We had to contact the user and log into the user's computer for remediation.)

Thanks a lot,

  • jeffreychirino Apprentice 90 posts since
    Jul 8, 2008
    1. Mar 30, 2010 3:24 AM (in response to cnguyen)
    Re: VSE87i Patch-2 and Personal Security ?!?

    Hello,


    I would advise you to read the following Security Insights Blog:

    http://siblog.mcafee.com/consumer/mcafee-warns-of-scareware-in-its-first-consumer-threat-alert/

     

    Hope this helps,

     

    Jeffrey

  • jeffreychirino Apprentice 90 posts since
    Jul 8, 2008
    3. Mar 30, 2010 3:50 AM (in response to cnguyen)
    Re: VSE87i Patch-2 and Personal Security ?!?

    I do agree with you, the software should have been blocked by the combination of VSE 8.7 and MAS 8.7.

    Maybe you should contact the Cybercrime Response Unit at www.mcafee.com/cru.

    They should be able to tell why the scanner is unable to detect and remove the software.

     

    On another note, prevention is always better than remediation.
    A good HTTP scanner (like the Webwasher, a.k.a. the McAfee Web Gateway) could prevent the popup or banner from showing up in the first place.

  • Lakshmi Narayan S Newcomer 1 posts since
    Apr 19, 2013
    4. Apr 19, 2013 11:52 AM (in response to cnguyen)
    Re: VSE87i Patch-2 and Personal Security ?!?

    We had a similar issue where Scan32.exe was trying to terminate McShield and Access Protection logs piled up.

     

    Threat source:C:\Program Files\McAfee\VirusScan Enterprise\SCAN32.EXE
    Target path:C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    Threat Name:Common Standard Protection:Prevent termination of McAfee processes
    Threat type: access protection, Action taken:Deny terminate

     

     

    The only reason I could think of is that the on-demand scan (Scan32.exe) is trying to elevate its privileges to scan, and McShield (Access Protection rule) denies those permissions. However, the on-demand scan is not stopped; it still continues and completes the scan.

     

    This seems to be a known issue with VSE8.7 version irrespective of patch level. Upgrading to VSE8.8 solved the issue.

  • petersimmons McAfee Employee 230 posts since
    Dec 22, 2009
    5. Apr 21, 2013 10:09 PM (in response to cnguyen)
    Re: VSE87i Patch-2 and Personal Security ?!?

    There are a LOT of reasons why a well known bit of malware would not be detected. I urge you to look at this post:

     

    https://community.mcafee.com/people/petersimmons/blog/2013/03/11/the-minimum-requirements

     

    Misconfiguration is the number one reason for missed detections.
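
An added example, not part of any post in this thread and not McAfee code: a triage sketch that collapses a flood of "Prevent termination of McAfee processes" events, in either of the two field layouts quoted above, into one row per acting process, listing processes outside the VirusScan directory (such as psecurity.exe) ahead of the scan32.exe pattern from reply 4. The function names, the mapping of "Additional Information" to the acting process, and the sample bodies are assumptions constructed from the excerpts in the thread.

```python
import re
from collections import Counter
from ntpath import dirname, normcase  # Windows path rules on any OS

# Field labels from the two excerpts in the thread. Treating "Additional
# Information" as the acting process is an assumption based on the first post.
LABELS = {"additional information": "source", "threat source": "source",
          "infected file": "target", "target path": "target",
          "name of threats": "rule", "threat name": "rule"}
# The colon is optional: the mail excerpt has "Infected file C:\..." without one.
FIELD_RE = re.compile(r"^[ \t]*(%s)[ \t]*:?[ \t]*(.+?)[ \t]*$" % "|".join(LABELS),
                      re.I | re.M)
VSE_DIR = normcase(r"C:\Program Files\McAfee\VirusScan Enterprise")

def parse_event(text):
    """Extract source process, target and rule name from one event body."""
    event = {"source": None, "target": None, "rule": None}
    for label, value in FIELD_RE.findall(text):
        event[LABELS[label.lower()]] = value
    return event

def is_vse_binary(path):
    """True if the path sits directly in the VSE install directory."""
    return path is not None and normcase(dirname(path)) == VSE_DIR

def triage(bodies):
    """One row per (source, rule); sources outside the VSE directory first."""
    counts = Counter()
    for body in bodies:
        event = parse_event(body)
        counts[(event["source"], event["rule"])] += 1
    rows = [{"source": s, "rule": r, "count": n, "foreign": not is_vse_binary(s)}
            for (s, r), n in counts.items()]
    return sorted(rows, key=lambda row: (not row["foreign"], -row["count"]))

# Constructed samples shaped like the two excerpts quoted in the thread.
EPO_MAIL = r"""Event descriptions : Access Protection rule violation detected and blocked
Starting at : 3/29/10 12:23:37 PM
Name of threats : Common Standard Protection:Prevent termination of McAfee processes
Infected file C:\Program Files\McAfee\VirusScan Enterprise\scan32.exe
Additional Information : C:\Program Files\PersonSecurity\psecurity.exe"""
VSE_LOG = r"""Threat source:C:\Program Files\McAfee\VirusScan Enterprise\SCAN32.EXE
Target path:C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
Threat Name:Common Standard Protection:Prevent termination of McAfee processes
Threat type: access protection, Action taken:Deny terminate"""

if __name__ == "__main__":
    for row in triage([EPO_MAIL] * 3 + [VSE_LOG] * 5):
        print(row)
```

A source path inside the VirusScan directory only lowers the row's priority; it does not prove the binary is genuine, so those rows still warrant a check of the file itself.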
