5 Replies Latest reply on Dec 22, 2010 6:22 AM by bcaseiro

    Does the 8.7i anti spyware module actually work?

      Hello,

       

      We are using ePO 4.5 and 8.7i for the desktops.  Recently we have added the anti-spyware module to all PCs too, but it's as if it doesn't work at all.  All PCs say it is installed and licensed but we still get spyware on PCs.  We have had to start using Spybot and Malwarebytes again to remove spyware.

       

      I was just wondering if there is anything I need to check or am missing?

       

      Any advice would be most welcome.

        • 1. Re: Does the 8.7i anti spyware module actually work?

          Hello Gonzouk,

           

          Please take a look at the following KB https://kc.mcafee.com/corporate/index?page=content&id=KB54228 for instructions about how to ensure that your antispyware product is working as expected. If the test above is successful, it means that your antispyware module is working as expected (binaries itself).

           

          If VSE fails this test, or if it worked as expected but you are still seeing issues detecting spyware, I'd review the following settings:

           

          1. Make sure that your OAS (on-access scanner) settings are set to scan files when reading and also when written to disk. Also check if VSE is set to scan all files. These settings are really really important.

           

          2. Take a look at your exclusions just in case. Check if there is something too general.

           

          3. Then take a look at the Unwanted Program Policy. Verify that all of the categories, or at least most of the categories, are enabled.

           

          4. Check if Artemis is enabled. Artemis is McAfee's detection in the cloud; this setting leverages our detection rate a lot. By default, on VSE 8.7 it's automatically enabled using the level Very Low.

           

          5. If all of the settings above are properly configured, I'd submit the missed samples that McAfee did not detect to McAfee Labs and then contact technical support so they can provide you assistance in escalating your service request to McAfee Labs and ensure that these samples are reviewed properly.

           

          Hope this helps.


          Regards,

          Bruno

          • 2. Re: Does the 8.7i anti spyware module actually work?

            Thanks, this is just the help I need:

             

            Well, the first of the tests worked (notepad test), but the fport.exe didn't.

             

            Answers to your other questions:

             

            1.) Read and write scanning is on, how do I check "Also check if VSE is set to scan all files"?

            2.) No Exclusions.

            3.) All ticked apart from remote administration

            4.) Where do I check Artemis?

            5.) Where do these missed samples get saved to?

             

            Many thanks for your time on this.

            • 3. Re: Does the 8.7i anti spyware module actually work?

              Hello,

               

              The second test must work, Gonzouk. If it didn't, this might mean that your antispyware installation is not good for some reason. So after renaming fport.exe to asem-test.exe, please right-click on this file and select "scan for threats". This must be detected as "Fport". If you perform this test on a machine where antispyware is not installed, nothing will be detected. If you test this using a machine with VSE plus the Antispyware plugin, it must trigger a detection.

               

              1. You can check if the All files setting is enabled by going to VirusScan Console - On Access Scan properties - Default Processes - Items to Scan - What to scan - All Files. (My current config is in Portuguese/Brazilian, so I'm not 100% sure that the terms will be exactly as above.)

               

              2. Good.

               

              3. Good.

               

              4. VirusScan Console - On Access Scan properties - General Settings - Heuristic for suspicious files - Sensitivity level.

               

              5. Well, this is a question that I'm unable to answer. Basically what I mean is that if McAfee is not detecting some files which are detected successfully with other tools like Malwarebytes (as you stated before), I'd recommend that you do not delete the detected files with this 3rd tool. Then you would be able to see what the path for the suspicious files is and then submit them to McAfee Labs. If you performed a full on-demand scan using the latest DAT/Engine files and the correct configuration, and no malware is detected, you might want to follow the KB below in order to find out if there is new malware which is not currently detected. After identifying the missed samples using the KB below, submit them to McAfee Labs (using the service portal or virus_research@mcafeelabs.com - remember that the files must be 'zipped' and protected by the password "infected"). McAfee Labs will verify the sample and will give you feedback.

               

              https://kc.mcafee.com/corporate/index?page=content&id=KB53094&actp=search&viewlocale=en_US&searchid=1292954400934

               

              Regards,
              Bruno

              • 4. Re: Does the 8.7i anti spyware module actually work?

                Hi,

                 

                Here are my answers:

                 

                1.) All good

                2.) Disabled - Should I raise this?

                 

                Thanks

                • 5. Re: Does the 8.7i anti spyware module actually work?

                  I would really enable Artemis/Network heuristic scanning. This setting leverages McAfee's detection level, since it will not only search for detections already present in your DAT files, but will also contact the cloud (McAfee Global Threat Intelligence) for new detections.

                   

                  More information about Artemis (also known as GTI - Global Threat Intelligence) is below:

                   

                  https://kc.mcafee.com/corporate/index?page=content&id=KB53735

                  https://kc.mcafee.com/corporate/index?page=content&id=kb53732

                  https://kc.mcafee.com/corporate/index?page=content&id=KB53733

                  https://kc.mcafee.com/corporate/index?page=content&id=KB53734

                   

                  Hope this helps.


                  Regards,

                  Bruno