We have ePO 4 Patch 6 and VSE 8.7i with a recent .dat file, updated every day. We have a user who has installed Personal Security
(C:\Program Files\PersonSecurity\psecurity.exe), which is malware.
As we configured an ePO notification rule to send a mail every time a user or program attempts to disable McAfee AV, we get around 16000 mails from ePO like this:
Event description: Access Protection rule violation detected and blocked
Starting at: 3/29/10 12:23:37 PM
Name of threat: Common Standard Protection:Prevent termination of McAfee processes
Infected file: C:\Program Files\McAfee\VirusScan Enterprise\scan32.exe
Additional Information: C:\Program Files\PersonSecurity\psecurity.exe
My question: why was the user able to install this program? Shouldn't VSE 8.7i automatically block/quarantine psecurity.exe? (We had to contact the user and log into the user's computer for remediation.)
Thanks a lot,
I would advise you to read the following Security Insights Blog:
Hope this helps,
Thanks for your quick reply. I've read the link, but I'm not sure that it answers my question...
On the user's computer we already have VSE 8.7 and MASE 8.7 (is this equivalent to McAfee Total Protection?), and On-Access Scan is enabled.
Personal Security is NOT new malware (i.e. unknown and not in the McAfee signature file) but well known. ScriptScan is on.
So, OK, there's a pop-up saying false things, that your computer is infected, bla-bla, and that you should download the XYZ program to get rid of it.
BUT as the user has VSE 8.7 and MASE 8.7, the DAT file is up to date and ScriptScan is on, McAfee AV shouldn't even have allowed the install to start (or at least, when the installation finished, it should have blocked and quarantined C:\Program Files\PersonSecurity\psecurity.exe, which means this program should never run at all).
Am I missing something in the configuration of the McAfee products?!
I do agree with you: the software should have been blocked by the combination of VSE 8.7 and MAS 8.7.
Maybe you should contact the Cybercrime Response Unit at www.mcafee.com/cru.
They should be able to tell why the scanner is unable to detect and remove the software.
On another note, prevention is always better than remediation.
A good HTTP scanner (like Webwasher, a.k.a. the McAfee Web Gateway) could prevent the popup or banner from showing up in the first place.
We had a similar issue where Scan32.exe was trying to terminate McShield, and the Access Protection logs piled up.
Threat source: C:\Program Files\McAfee\VirusScan Enterprise\SCAN32.EXE
Target path: C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
Threat Name: Common Standard Protection:Prevent termination of McAfee processes
Threat type: access protection, Action taken: Deny terminate
The only reason I could think of: the on-demand scan (Scan32.exe) is trying to elevate its privileges to scan, and McShield (Access Protection rule) denies that permission. The on-demand scan is not stopped, though; it still continues and completes the scan.
This seems to be a known issue with VSE 8.7 irrespective of patch level. Upgrading to VSE 8.8 solved the issue.
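Both the 16000-mail flood in the opening post and the scan32/mcshield log pile-up above are the same Access Protection rule firing over and over, and the useful information is not the individual event but who the blocked process was. The script below is an added example, not code from the thread or from McAfee: it parses records in the two shapes quoted on this page (the ePO notification mail fields and the Access Protection log fields), maps both onto a common (source process, target process, rule) triple, counts repeats, and separates events where the source is one of VSE's own binaries (the self-conflict described in this post) from events where a foreign process such as psecurity.exe tried to kill the scanner. The sample records are constructed for the example, and the McAfee install directory used to recognise the scanner's own binaries is an assumption (the default install path).

```python
"""Collapse McAfee VSE Access Protection events into one line per source process.

Added example, not code from the original thread.  The two sample record
shapes are constructed from the fields quoted on the page; MCAFEE_DIR is an
assumption (VSE's default install directory).
"""
import re
from collections import Counter

# Assumption: VSE's own binaries (scan32.exe, mcshield.exe, ...) live here.
MCAFEE_DIR = "c:\\program files\\mcafee\\virusscan enterprise\\"

# Field names of both record shapes, mapped onto a common model.
SOURCE_KEYS = ("additional information", "threat source")   # process that was blocked
TARGET_KEYS = ("infected file", "target path")              # McAfee process it touched
RULE_KEYS = ("name of threats", "threat name")               # Access Protection rule

# "key : value"; the colon is optional because "Infected file C:\..." has none.
FIELD_RE = re.compile(
    r"^(event descriptions|starting at|name of threats|infected file|"
    r"additional information|threat source|target path|threat name|"
    r"threat type|action taken)\s*:?\s*(.*)$",
    re.IGNORECASE,
)


def parse_record(block):
    """Turn one record (a group of lines) into a dict keyed by lower-cased field name."""
    fields = {}
    for line in block.splitlines():
        # One log line carries two fields: "Threat type: ..., Action taken: ..."
        for part in re.split(r",\s*(?=Action taken)", line.strip(), flags=re.IGNORECASE):
            m = FIELD_RE.match(part)
            if m:
                fields[m.group(1).lower()] = m.group(2).strip()
    return fields


def normalise(fields):
    """Return (source, target, rule) for a parsed record, or None if a field is missing."""
    def pick(keys):
        for k in keys:
            if k in fields:
                return fields[k]
        return None
    source, target, rule = pick(SOURCE_KEYS), pick(TARGET_KEYS), pick(RULE_KEYS)
    if not (source and target and rule):
        return None
    # Paths are case-insensitive on Windows (SCAN32.EXE vs scan32.exe), so fold them.
    return source.lower(), target.lower(), rule


def classify(source):
    """VSE's own scanner tripping the rule is a self-conflict; anything else is a foreign process."""
    return "self-conflict" if source.startswith(MCAFEE_DIR) else "foreign process"


def summarise(text):
    """Parse blank-line separated records and count events per (source, target, rule)."""
    counts = Counter()
    for block in re.split(r"\n\s*\n", text.strip()):
        key = normalise(parse_record(block))
        if key:
            counts[key] += 1
    return [
        {"source": s, "target": t, "rule": r, "count": n, "kind": classify(s)}
        for (s, t, r), n in counts.most_common()
    ]


# Constructed sample records in the two shapes quoted on the page.
MAIL_RECORD = r"""
Event descriptions : Access Protection rule violation detected and blocked
Starting at : 3/29/10 12:23:37 PM
Name of threats : Common Standard Protection:Prevent termination of McAfee processes
Infected file C:\Program Files\McAfee\VirusScan Enterprise\scan32.exe
Additional Information : C:\Program Files\PersonSecurity\psecurity.exe
"""

LOG_RECORD = r"""
Threat source:C:\Program Files\McAfee\VirusScan Enterprise\SCAN32.EXE
Target path:C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
Threat Name:Common Standard Protection:Prevent termination of McAfee processes
Threat type: access protection, Action taken:Deny terminate
"""

# Constructed flood: the mail record three times, the log record twice.
SAMPLE_EVENTS = "\n".join([MAIL_RECORD] * 3 + [LOG_RECORD] * 2)

if __name__ == "__main__":
    for row in summarise(SAMPLE_EVENTS):
        print(f"{row['count']:>6}  {row['kind']:<15} {row['source']}  ->  {row['target']}")
```

Fed the real 16000 mails (one record per mail), the output is one line per blocked process, and the "foreign process" rows are the ones that need a host visit; the "self-conflict" rows match the VSE 8.7 scan32/mcshield behaviour this post describes and can be tuned out of the notification rule.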
There are a LOT of reasons why a well-known bit of malware would not be detected. I urge you to look at this post:
Misconfiguration is the number one reason for missed detections.