McAfee released a 20-page PDF on this topic last week. It contains some info for ePO policy settings in Access Protection to fight the fake alerts.
rdefino, what is your desktop patching strategy, and are you promptly patching all common web plugins (Adobe Reader / Adobe Flash / QuickTime / Java), or are you making the mistake of many environments and only patching Microsoft stuff?
An environment I did some work for was getting their butts handed to them on fake AV (they were McAfee customers too) and after a large effort of implementing vulnerability scanning and getting religion about patching third-party web plugins, it's not a big problem any more. That's probably where the biggest bang for the buck is on time spent for the fake AV issue.
I know I am only a Moderator on the consumer side but I read that PDF out of interest and am surprised that it only mentions the regular Stinger tool and not the Fake_Alert one. When it was written I believe they were possibly one and the same, but now they are two distinct entities.
I'll alert the powers that be to have it revised.
Thanks for picking up on this, Peter. The doc was produced prior to the most recent changes made to the Fake Alert Stinger - smart scan and fix to scan being the really important ones for Fake AV. I've asked the KB folks to amend the doc.
We're really keen to get feedback on the new Fake Alert Stinger - if you do have the opportunity to use it please come and post about your experience in the new Top Threats space. I'm going to move this thread over there now.
Thanks Sam, I guess you got my email on it.