7 Replies Latest reply on Nov 11, 2010 4:17 AM by vinoo
      Just wanted to keep everyone posted about a newer version of GetSusp




      + Increased zip upload limit to 5MB.
      (In the event that the collected samples exceed 5MB, GetSusp will revert to sending only the log files to McAfee Labs. The rich metadata captured in the XML reports is sufficient for a McAfee researcher to locate or take action on the samples.)


      + Support for GTI Server 1.0.
      (On a machine configured to do Artemis lookups via an internal GTI Server, GetSusp will automatically read the GTI server IP address from the registry and direct all file reputation queries via the GTI server.)


      + Enhanced scan locations
      (Files referenced under Scheduled Tasks and the Windows Firewall authorized application list are now scanned by GetSusp.)


      + New help menu
      (Added a command-line help menu, an About dialog and a link to the McAfee Labs tools site.)


      + Reporting
      (Metadata for files classified as Assumed_Dirty/Trojan/Virus/PUP is highlighted in RED. Font size in XML reports adjusted for easier readability. In the UI, "...is OK" is displayed for every scanned file that is confirmed clean.)


      Enhancements like scan-option debug info, whitelist lookup of autorun.inf/hosts files, handling of files in the C:\Windows\assembly\NativeImages folder and cosmetic changes are not being called out. We are focusing on calling out the five visible changes that will benefit GetSusp users.


      The latest version of GetSusp is hosted at: http://downloadcenter.mcafee.com/products/mcafee-avert/GetSusp/GetSusp.exe


      Message was edited by: vinoo on 18/7/11 4:59:45 PM IST
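The two scan locations the post above lists as new, Scheduled Tasks and the Windows Firewall authorized application list, are worth knowing how to enumerate by hand when GetSusp cannot be run or when a second opinion is needed. The script below is an added example, not GetSusp code or any McAfee script: it collects the files those two locations reference, hashes them and emits rows in the same column layout GetSusp reports use. It assumes Windows 8 / Server 2012 or later for Get-ScheduledTask, Get-NetFirewallApplicationFilter and Get-FileHash, and additionally reads the XP-era firewall list under the registry key named in the comments when that key exists. The Status column stays UNKNOWN throughout, because the GTI/Artemis reputation lookup that GetSusp performs is not reproduced here.

```powershell
# Added example, not GetSusp or McAfee code. Enumerates files referenced by
# Scheduled Tasks and by the Windows Firewall authorized application list,
# hashes each one and emits rows in GetSusp's report column order.
# Assumptions: Windows 8 / Server 2012+ cmdlets; legacy XP firewall key read
# when present; Status is always UNKNOWN (no reputation lookup is done).

function Resolve-ProgramPath {
    # Normalise an "Execute"/"Program" string into a plain file path: expand
    # %SystemRoot%-style variables, strip quotes and trailing arguments, and
    # resolve bare names such as "cmd" or "powershell.exe" via PATH.
    param([string]$Raw)
    if ([string]::IsNullOrWhiteSpace($Raw)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($Raw.Trim())
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { $p = $p.Substring(1, $end - 1) }
    } elseif ($p -match '^(.+?\.(exe|dll|com|bat|cmd|vbs|js|ps1))(\s|$)') {
        $p = $Matches[1]
    }
    if (-not [IO.Path]::IsPathRooted($p)) {
        $cmd = Get-Command $p -CommandType Application -ErrorAction SilentlyContinue |
            Select-Object -First 1
        if ($cmd) { $p = $cmd.Path }
    }
    return $p
}

function New-ReportRow {
    # One row per referenced file. A referenced file that is missing on disk
    # is still reported, with a Scan Error, since a dangling autostart
    # reference is itself worth a look during triage.
    param([string]$Path, [string]$Type)
    $row = [ordered]@{
        Status = 'UNKNOWN'; MD5 = ''; Location = ''; 'File Name' = ''
        Attribute = ''; Company = ''; Description = ''
        'Product Version' = ''; 'File Version' = ''; 'File Size' = ''
        'Creation Date' = ''; 'Modification Date' = ''; Type = $Type
        'Scan Error' = ''
    }
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        $row.Location = $Path; $row.'Scan Error' = 'FileNotFound'
        return [pscustomobject]$row
    }
    $fi = Get-Item -LiteralPath $Path
    $vi = $fi.VersionInfo
    $letters = ''   # GetSusp-style attribute letters, e.g. "A" or "AH"
    foreach ($pair in @(@('Archive','A'), @('Hidden','H'), @('System','S'), @('ReadOnly','R'))) {
        if ($fi.Attributes.HasFlag([IO.FileAttributes]$pair[0])) { $letters += $pair[1] }
    }
    $row.MD5 = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash.ToLower()
    $row.Location = $fi.DirectoryName
    $row.'File Name' = $fi.Name
    $row.Attribute = $letters
    $row.Company = $vi.CompanyName
    $row.Description = $vi.FileDescription
    $row.'Product Version' = $vi.ProductVersion
    $row.'File Version' = $vi.FileVersion
    $row.'File Size' = $fi.Length.ToString('N0')
    $row.'Creation Date' = $fi.CreationTime.ToString('MM/dd/yyyy HH:mm')
    $row.'Modification Date' = $fi.LastWriteTime.ToString('MM/dd/yyyy HH:mm')
    return [pscustomobject]$row
}

function Get-AutostartCandidates {
    $seen = @{}
    $rows = New-Object System.Collections.Generic.List[object]
    $add = {
        param($Raw, $Type)
        $p = Resolve-ProgramPath $Raw
        if ($p -and -not $seen.ContainsKey($p.ToLower())) {
            $seen[$p.ToLower()] = $true
            $rows.Add((New-ReportRow -Path $p -Type $Type))
        }
    }
    # 1. Scheduled Tasks: every Exec action's program (COM-handler actions
    #    have no Execute property and are skipped). Run elevated to see all.
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        foreach ($a in $_.Actions) {
            if ($a.Execute) { & $add $a.Execute 'Scheduled-Task' }
        }
    }
    # 2. Windows Firewall (Vista+): programs named in application filters,
    #    including filters of disabled rules, which is what an attacker's
    #    leftover "allow" rule would look like.
    Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue |
        Where-Object { $_.Program -and $_.Program -notin 'Any', 'System' } |
        ForEach-Object { & $add $_.Program 'Windows-Firewall' }
    # 3. Legacy XP/2003 firewall list: value names are the authorized paths.
    $legacy = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
    if (Test-Path $legacy) {
        (Get-ItemProperty -Path $legacy).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { & $add $_.Name 'Windows-Firewall' }
    }
    return $rows
}

$report = Get-AutostartCandidates
$report | Sort-Object Type, Location, 'File Name' |
    Format-Table Status, MD5, Location, 'File Name', Attribute, 'File Size', Type, 'Scan Error' -AutoSize
$report | Export-Csv -Path "$env:TEMP\autostart-candidates.csv" -NoTypeInformation
```

Run it from an elevated prompt so that tasks registered by other accounts and under \Microsoft\Windows are visible. The CSV it writes has the same headers as the rows quoted later in this thread, so the MD5 column can be pasted straight into a GTI or VirusTotal lookup, or diffed against a known-good image to leave only the newly introduced files.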
        • 1. Re: GetSusp

          I like the new red colouring for "Suspected Dirty" files. Here's an example I saw today:


          ASSUMED_DIRTY 9fc816ce4ddcd5edf5d71e3137894bfe C:\Documents and Settings\All Users\Application Data remove.exe AH 49,878 09/13/2010 11:52 03/30/2009 07:50 Process


          And yes, it was a threat that was currently undetected by McAfee production DATs (although an extra.dat was created in seconds after I submitted it ... presume it's already a known threat).

          • 2. Re: GetSusp

            Glad you like it


            The sample was detected in the beta DATs at the time of submission.

            • 3. Re: GetSusp

              Got this suspicious detection after running GetSusp:


              Status MD5 Location File Name Attribute Company Description Product Version File Version File Size Creation Date Modification Date Type Scan Error
              UNKNOWN dc2a833082802b59500d4639ed7708f9 C:\Program Files (x86)\McAfee\Common Framework boost_thread-vc80-mt-1_32.dll A 65,536 10/15/2010 16:05 10/15/2010 16:05 Module


              And these (unknown files):


              UNKNOWN 09db1bbed520315e38c86c1eed7138e9 C:\Program Files\McAfee\Endpoint Encryption Agent MfeEpeCoreEncryptionPlugin.dll A McAfee Endpoint Encryption Core Encryption Plugin 1, 0, 2, 2 1, 0, 2, 2 1,916,928 08/19/2010 11:35 08/19/2010 11:35 Module
              UNKNOWN 41936b8eae023d8dde73d22471e98f38 C:\Program Files\McAfee\Endpoint Encryption Agent MfeEpeEpoPlugin.dll A McAfee Endpoint Encryption ePO Plugin 1, 0, 2, 2 1, 0, 2, 2 2,334,720 08/19/2010 11:40 08/19/2010 11:40 Module
              UNKNOWN 248320e7ea0bc21a5e98607a1213a8ea C:\Program Files\McAfee\Endpoint Encryption Agent MfeEpeHost.exe A McAfee Endpoint Encryption Agent Host Service 1, 0, 2, 2 1, 0, 2, 2 1,216,512 08/19/2010 11:33 08/19/2010 11:33 Process
              UNKNOWN dddeccd0c694aa4bd12002c3cce0271a C:\Program Files\McAfee\Endpoint Encryption Agent MfeEpeHostInterface.dll A McAfee Endpoint Encryption Agent Host Interface 1, 0, 2, 2 1, 0, 2, 2 126,976 08/19/2010 11:31 08/19/2010 11:31 Module
              UNKNOWN 1437823d660b557309b16465dc8ae17c C:\Program Files\McAfee\Endpoint Encryption Agent MfeEpeProductDetectionPlugin.dll A McAfee Endpoint Encryption Product Detection Plugin 1, 0, 2, 2 1, 0, 2, 2 1,814,528 08/19/2010 11:36 08/19/2010 11:36 Module
              UNKNOWN f7e023ceb92bd1ce6e35195e15adee86 C:\Program Files\McAfee\Endpoint Encryption for PC v6 EpePcEncryptionProviderPlugin.dll A McAfee Endpoint Encryption Encryption Provider Plugin 6, 0, 2, 6 6, 0, 2, 6 2,494,464 10/04/2010 11:41 10/04/2010 11:41 Module
              UNKNOWN 1454b596415db57aa92277c987c9997a C:\Program Files\McAfee\Endpoint Encryption for PC v6 EpePcMonitor.exe A McAfee Endpoint Encryption Encryption Monitor 6, 0, 2, 6 6, 0, 2, 6 200,704 10/04/2010 11:41 10/04/2010 11:41 Process


              Doesn't McAfee know its own files?

              • 4. Re: GetSusp

                Thanks for reporting. They've been validated and whitelisted.

                • 5. Re: GetSusp

                  I have also previously reported McAfee files being listed as unknown. Why does it take your customers reporting this to get them whitelisted? Doesn't McAfee proactively identify McAfee files? I hope this is a little embarrassing for McAfee, so that McAfee gets its own house in order.

                  • 6. Re: GetSusp

                    Could the following unknown files also be whitelisted?


                    Unknown Files

                    Status MD5 Location File Name Attribute Company Description Product Version File Version File Size Creation Date Modification Date Type
                    UNKNOWN 9a4c4af833512f42a2011035afe9a09c C:\program files (x86)\filezilla ftp client filezilla.exe A FileZilla Project FileZilla FTP Client 3, 3, 4, 1 3, 3, 4, 1 7,588,864 08/16/2010 00:08 08/16/2010 00:08 Windows-Firewall
                    UNKNOWN 722f5357c7355535591d5604d1973fff C:\Program Files\McAfee\Endpoint Encryption Agent EpeTrayPlugin.dll A McAfee, Inc. McAfee Endpoint Encryption ePO Tray Plugin 1, 0, 2, 2 1, 0, 2, 2 1,220,608 08/19/2010 11:44 08/19/2010 11:44 Module
                    • 7. Re: GetSusp

                      Sure. They've been validated and whitelisted.


                      On a related note, we are developing a tool christened GetClean which is an initiative to collect and upload clean files from software vendors and large customers for purposes of mass whitelisting.


                      Samples and their metadata currently unclassified in our database would be uploaded to McAfee using the GetClean tool, which customers can deploy to submit information on their clean file repositories. Customers will have the option to submit only metadata or sample + metadata to McAfee Labs. After validation and scrutiny, McAfee's SampleDB is then populated with metadata about these clean samples, and the harvested intel can be shared across McAfee Labs tools and systems.


                      We'll be reaching out to regular users of GetSusp/Artemis initially to help improve our whitelisting. The benefits for customers who trial this are:


                      1. By whitelisting files in your environment, we prevent future Artemis or DAT false positives on COE images.

                      2. In the event of an infection, whenever the GetSusp tool is run, only foreign, malicious or newly introduced files on machines will come up in the report and can be easily spotted.

                      3. While using GetSusp, noise/clean files from an infected machine won't get submitted to McAfee Labs.



                      Message was edited by: Vinoo Thomas on 11/11/10 3:47:57 PM IST