18 Replies. Latest reply on Oct 12, 2010 1:13 AM by vinoo

    Wishlist Items for Future McAfee GETSUSP Version Release - FMR

    crash101

      1.     You should really add in HTTP proxy support to this tool for customers that do not have direct Internet access and must connect through an HTTP proxy.  This will help leverage the Artemis/white-list/black-list data for infected systems that do not have direct Internet access or cannot leverage Artemis.

      2.     Increase the MB filesize automated upload limit, as systems that have a long history of usage will have a large amount of suspicious/unknown files to upload.  In one test system, I had 15MB worth of suspicious/unknown files and was not able to upload due to the limit.  I must now manually FTP the files and contact my TAM/SAM to help facilitate this.

      3.     Get a trackable workflow or SR as a result of using GETSUSP, with an "SLA" of when we would see results.  In some of my cases, the files were uploaded, but there are no results for the unknown/suspicious files.  I have infected computers that must wait in a "holding pattern" on this suspicious analysis process so that I can try to clean the infection as opposed to re-imaging them.

      3.     Provide ePO automated integration so that I can automatically deploy, scan, and upload suspicious/unknown files in the event that a computer has an "unknown" malware infection, the system has generated over XX number of malware events, or we want to automatically do this for our master "gold" images.

      4.     Collect the files, processes, and network connections that GETSUSP identifies and log them back into the ePO database so that we can further analyze/search what the top files and network IP addresses of suspected/unknown files are.  This can assist in identifying botnet infections and where these systems are connecting back to for their C&C source.

      5.     Integrate or copy the list of analyzed start-up/services/web-browser sections like the Microsoft Sysinternals Autoruns.  Provide this information in the GETSUSP log so that we can easily see all common start-up sections, services, and web-browser areas for further analysis.  (Just look at how Autoruns, ESET SysInspector and HijackThis work/log.)

      5.     Integrate this functionality into VirusScan or McAfee Agent.

        • 1. Re: Wishlist Items for Future McAfee GETSUSP Version Release - FMR
          vinoo

          Thanks for the detailed feedback. All very valid suggestions, and some of these are already on the GetSusp roadmap.

          1. We're working on a fix and should have something soon. We also have a behavioral component being integrated. For machines without direct internet access this will further help eliminate files.

          2. Could you send me the FTP link via a private message or mail me the xml logs please? A one-time whitelisting of common files in your environment should do a world of good to future scans.

          3. If an email address is specified, based on domain name, our backend auto-tags submissions looking up the entitlement status. Tagged submissions get a higher priority.

          3. Glad you brought this up - GetSusp can be deployed via ePO. I can forward a video demonstration. The command line switches allow for it to be executed without user intervention.

          4. Long term FMR. Multiple dependencies with ePO.

          5. GetSusp's aim is to minimize the amount of information a user has to go through. We want to keep it simple.

          5. Long term. Once the tool matures it will be integrated with endpoint products.


          Best,
          Vinoo Thomas
          Technical Product Manager, McAfee Labs

          • 2. Re: Wishlist Items for Future McAfee GETSUSP Version Release - FMR
            crash101

            Hello Vinoo Thomas,

            I was chatting with an industry security colleague yesterday and we came up with some additional wishlist items for your consideration.

            6.  Color code the entries in the GETSUSP related files.XML and network.XML files with green, grey, yellow, red depending on whether the status of those files and network IP addresses is clean, minimal risk, dirty, unknown, unverified, medium risk, high risk, malicious.

            7.  Provide analysis and hyperlinks in both files.xml and network.xml with additional information from trustedsource.org, processlibrary.com, Cisco senderbase.org, blackhole IP ranges, DNSBL.info Blacklists, spamhause.org DROP list, Dshield block list, known botnet/botcc block rules IP ranges, and other McAfee Labs systems for further details.

            8.  Have GETSUSP scan the Registry of key infection points (startup/autostart/run points, Logon, explorer, winlogon, services/drivers, BHO, winsock providers, codecs, network providers, scheduled tasks) and other web browser add-ons (Internet Explorer, Firefox, Chrome).  Verify entries are digitally signed or mark them as suspicious.  Color code the entries with green, grey, yellow, red depending on whether the status of those files is clean, minimal risk, dirty, unknown, malicious.  For example:  ESET SysInspector does this via their free GUI-based diagnostic tool.

            9.  Use the VirusTotal API from http://www.virustotal.com/advanced.html to perform MD5 hash lookups of suspicious files and/or to upload those suspicious/unknown files for further analysis against 30+ other AV engines.

            10.  Analyze the “Foreign address” in network.XML and compare against the IP reputation information from www.trustedsource.org.

            11.  Collect/analyze/dump the “foreign address” in the network.XML into the ePO database and also compare against information detected out of other existing IDS/IPS systems, including IP ranges analyzed out of emerging threats rules / emergingthreats.net (viruses/botnets/P2P/spamhause.org drop list, dshield top attackers list, control servers botcc block rules, RBN block rules, etc.), shadowserver.org, and honey.cz.


            • 3. Re: Wishlist Items for Future McAfee GETSUSP Version Release - FMR
              vinoo

              You continue to amaze me with the insightful wishlist.

              6. The samples in the file.xml report are split into suspicious and unknown. The status tab would further indicate if they are dirty. The network.xml report is just informational and does not have smart logic built in at the moment. We could consider this for network.xml logs if TrustedSource lookups are integrated.
              7. Point taken. When network.xml gets a facelift we can consider this.
              8. In addition to scanning running processes, GetSusp also scans file & registry locations commonly used by malware and assigns a dirtiness level. The flagged files are then split into unknown and suspicious categories. We've chosen this approach instead of color coding.
              9. This was considered. However, when VirusTotal comes under a DDOS (happened a couple of times last quarter), the lookups time out, causing extended scan times. Instead we use Artemis to query our own sample database.
              10. This was being considered. However, TrustedSource integration will increase the size of getsusp.exe by over a MB, and given that the tool was written for files, we've deferred enhancing the network report.
              11. Great point - This will tie into our GTI initiative.

              I've also whitelisted the samples you'd sent in. Future GetSusp scans should report very minimal files in your environment.


              Best,
              Vinoo

              • 4. Re: Wishlist Items for Future McAfee GETSUSP Version Release - FMR
                crash101

                Do you have any information on "McAfee CleanBoot" or how we could easily integrate GETSUSP, Stinger + Artemis Heuristics, and the VirusScan Command Line Scanner into a WinPE based boot image (PXE network/CD)?  We are planning on creating an internal network boot image where we need to mount encrypted hard drives and then perform malware removal scans of those infected drives without any user interaction - (hopefully using some or all of the McAfee tools - GetSUSP | Stinger + Artemis heuristics | Command Line Scanner).  This is especially useful for our support engineers and when we want to run scheduled scans on systems during the weekend.

                • 5. Re: Wishlist Items for Future McAfee GETSUSP Version Release - FMR
                  HBullock

                  Getsusp, from what I know of its workings, would not provide much utility against a mounted drive. The program examines the processes of the running operating system. Those files would not be active if you booted to a WinPE environment.

                  We have been asking McAfee for a couple of years now to provide an easy tool for pre-boot scanning.


                  Message was edited by: HBullock on 9/7/10 10:36:44 PM CDT
                  • 6. Re: Wishlist Items for Future McAfee GETSUSP Version Release - FMR
                    vinoo

                    A consumer McAfee CleanBoot is under development as we speak, and its release will be bundled with the next generation Consumer AV offering in Q1 2011. This is WinPE based, offering a GUI, dat updates, Artemis lookups, support for wired networking and 3rd party storage drivers, and the beta should be available next quarter.

                    The enterprise version of CleanBoot (with wireless, encrypted hard drive support) is in the planning stage. I'll keep you posted on this topic.

                    On creating a custom WinPE image with GetSusp, there could be two workarounds to the shortcomings HBullock has brought up.

                    1. If the offline registry can be mounted, GetSusp will scan the processes that autostart on boot for that disk by referring to the corresponding registry values (run keys, services, lsp, bho, activesetup etc.).

                    2. We can create a custom GetSusp that would allow you to browse and select a drive or folder. We've held back on this feature as it can be a double-edged sword, with GetSusp having to scan gigabytes of data if the user chose to scan the entire C:.

                    All the above tools you've mentioned do execute in a WinPE environment.

                    Regards,
                    Vinoo Thomas
                    Technical Product Manager, McAfee Labs


                    on 8/9/10 12:51:46 PM IST
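Two points in this thread describe the same defensive check from different angles: item 8 of crash101's second post (walk the autostart registry points and mark entries whose binaries are not digitally signed as suspicious) and workaround 1 in the reply above (mount the offline registry of a WinPE-booted disk and read its run keys). The PowerShell script below is an added example, not GetSusp, CleanBoot or any McAfee code, showing how a triage script could do both in one pass. It assumes the infected system's Windows volume is mounted as D: (a placeholder) in a WinPE session that carries PowerShell and reg.exe, and it uses a hypothetical hive mount name of OfflineSOFTWARE; it only covers the Run/RunOnce keys, not the full list of locations the thread names.

```powershell
# Added example (not GetSusp code): load the offline SOFTWARE hive from a
# mounted Windows volume, enumerate Run/RunOnce autostart entries, and flag
# any entry whose target binary is missing or lacks a valid Authenticode
# signature. Assumptions: offline volume is D: (placeholder), WinPE session
# with admin rights, and HKLM\OfflineSOFTWARE is not already in use.
param(
    [string]$OfflineVolume = 'D:',              # assumption: mounted offline drive
    [string]$MountKey      = 'OfflineSOFTWARE'  # hypothetical hive mount name
)

$offlineWindows = "$OfflineVolume\Windows"
$hivePath       = "$offlineWindows\System32\config\SOFTWARE"

# Autostart locations under the SOFTWARE hive that are commonly abused.
$runKeys = @(
    'Microsoft\Windows\CurrentVersion\Run',
    'Microsoft\Windows\CurrentVersion\RunOnce',
    'Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Pull the executable out of a registry command line and re-point it at the
# mounted volume, so we inspect the offline disk rather than the WinPE drive.
function Resolve-OfflinePath {
    param([string]$CommandLine)
    $exe = if ($CommandLine -match '^\s*"([^"]+)"') { $Matches[1] }
           else { ($CommandLine.Trim() -split '\s+')[0] }
    $exe = $exe -replace '%SystemRoot%|%windir%', $offlineWindows
    $exe = $exe -replace '%ProgramFiles%', "$OfflineVolume\Program Files"
    $exe = $exe -replace '^[A-Za-z]:', $OfflineVolume
    return $exe
}

& reg.exe load "HKLM\$MountKey" $hivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg.exe could not load $hivePath" }

$findings = @()
try {
    foreach ($sub in $runKeys) {
        $regPath = "HKLM:\$MountKey\$sub"
        if (-not (Test-Path -LiteralPath $regPath)) { continue }
        $key = Get-Item -LiteralPath $regPath
        foreach ($valueName in $key.GetValueNames()) {
            # Keep %VAR% tokens unexpanded; expanding them here would yield WinPE paths.
            $cmd = [string]$key.GetValue($valueName, '',
                       [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            $exe = Resolve-OfflinePath $cmd
            if (Test-Path -LiteralPath $exe -PathType Leaf) {
                $status = (Get-AuthenticodeSignature -LiteralPath $exe).Status
            } else {
                $status = 'Missing'   # binary gone, or a path we could not resolve
            }
            $verdict = if ($status -eq 'Valid') { 'signed' } else { 'suspicious' }
            $findings += [pscustomobject]@{
                Key       = $sub
                Name      = $valueName
                Command   = $cmd
                Path      = $exe
                Signature = $status
                Verdict   = $verdict
            }
        }
        $key.Close()
    }
}
finally {
    [GC]::Collect()   # release lingering provider handles so the hive unloads cleanly
    & reg.exe unload "HKLM\$MountKey" | Out-Null
}

$findings | Sort-Object Verdict, Key | Format-Table -AutoSize
```

Get-AuthenticodeSignature only validates signatures embedded in the file, using the WinPE session's trust store. Windows components that are signed through catalog files on the offline system will therefore show as NotSigned and land in the "suspicious" bucket, so treat that column as a triage queue for the unknown/suspicious split the thread describes, not as a final verdict.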
                    • 7. Re: Wishlist Items for Future McAfee GETSUSP Version Release - FMR
                      Vinod R

                      Hi Vinoo,

                      another FMR

                      1. The custom scan option is a worthy option (it can be hidden under a pile of advanced selections and options with a note that scan time will depend on the amount of data and connection speed and is not recommended for average users).

                      • 8. Re: Wishlist Items for Future McAfee GETSUSP Version Release - FMR
                        crash101

                        3. Glad you brought this up - GetSusp can be deployed via ePO. I can forward a video demonstration. The command line switches allow for it to be executed without user intervention.

                        On the functionality of deploying GetSusp via ePO: We reviewed the video, tried testing this functionality in a test landscape, and ran into problems where it would not run on some sample remote systems.  From an initial glance at the problem, it looks like UAC on Vista/Win7 is preventing GetSUSP from running completely silently on the target system, and it will not run until there is some end-user interaction.  Can you test and/or confirm whether we should be able to send GetSUSP and have it run its "magic" completely silently without any end-user interaction on Vista/Win7 systems?

                        • 9. Re: Wishlist Items for Future McAfee GETSUSP Version Release - FMR
                          vinoo

                          Thanks for reporting. The GetSusp executable is digitally signed by McAfee for this reason.

                          I'll request the team to specifically test GetSusp-ePO deployment on Vista/7 platforms and update this thread.
