4 Replies Latest reply on Aug 1, 2011 1:28 AM by Peacekeeper

    McAfee GetSusp


      This post is a placeholder for hosting the latest version of GetSusp. Latest released version is GetSusp (build date June 12th 2010)


      GetSusp download: http://downloadcenter.mcafee.com/products/mcafee-avert/GetSusp/GetSusp.exe


      GetSusp Product Guide: https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/22000/PD22668/en_US/GetSusp.pdf


      GetSusp FAQ: https://kc.mcafee.com/corporate/index?page=content&id=KB69385


      McAfee GetSusp Changelog

      Detection based enhancements:


      + GetSusp to scan for infected MBR and Boot sectors.


      + GetSusp to scan files with open file handles on the system.


      + Incorporated local blacklist of rogue digital certificates for malware that are digitally signed.


      + GetSusp now auto loads the registry profile of all users on the system and can scan the contents of HKEY_USERS hive. A prerequisite is that the account running GetSusp must have the appropriate permissions to load other user profiles.


      + Miss on malware using the following Taskman method:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

      Taskman = "malware file"


      + If GetSusp.exe is infected, a warning will be displayed letting the user know that the executable has been modified, and the user will be allowed to continue. This is to alert the user to the presence of a file infector on the system.


      Usability enhancements:


      + Upload limit for samples raised to 10MB.


      + Provided option to perform an online check for newer version of GetSusp.


      + Change in behavior of OFFLINE mode. GetSusp will perform GTI lookups in OFFLINE mode and not auto submit samples. A user can then review the results and choose to manually upload if needed.


      + The upload button now accepts manual upload of any executable file type. A user can use GetSusp to submit malicious files from a specified location to McAfee Labs.


      + GetSusp, when launched, auto-populates the proxy server IP address and port settings under Preferences by querying the default browser on the system for proxy settings. If upload via proxy fails, GetSusp will then attempt a direct connection.


      + GetSusp will auto detect the email address of a user from the default registered email client and auto populate this under preferences. Outlook 2003/2007/2010 are supported. This is to allow the user to receive email communication or an extra.dat from McAfee Labs for the samples submitted. Multiple comma separated email addresses can be specified.
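Two items in the changelog above (the Winlogon "Taskman" persistence value, and loading every user's registry profile so HKEY_USERS can be scanned) are easy to check by hand. The PowerShell script below is an added example written for this page; it is not GetSusp code and not McAfee's, and it only mirrors what the changelog describes. It reads the Taskman value under HKLM, then walks the ProfileList, mounts each user's NTUSER.DAT under HKEY_USERS with reg.exe if that user is not already logged on (which is the permission prerequisite the changelog mentions), checks the same value there, and unloads the hive afterwards. The helper names Get-TaskmanValue and Test-TaskmanPath are this example's own. The Taskman value is normally absent on a clean system, so any value at all is worth reviewing; the script reports whether the referenced file exists and what Get-AuthenticodeSignature says about it.

```powershell
# Added example (not GetSusp's own code): look for the Winlogon "Taskman" value
# machine-wide and in every user's hive, loading offline NTUSER.DAT files.
# Must run elevated: reg.exe load needs the backup/restore privileges.
#Requires -RunAsAdministrator

$winlogonSubKey = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-TaskmanValue {
    # Returns the Taskman string at the given Winlogon key path, or $null if unset.
    param([string]$KeyPath)
    $item = Get-ItemProperty -Path $KeyPath -Name Taskman -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [string]$item.Taskman
}

function Test-TaskmanPath {
    # Builds a report object: raw value, whether the executable exists, and its
    # Authenticode status (an unsigned or unknown binary here is a red flag).
    param([string]$Scope, [string]$Value)
    # Strip surrounding quotes and trailing arguments to isolate the path.
    $exe = ($Value -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
    $exists = Test-Path -LiteralPath $exe -PathType Leaf
    [pscustomobject]@{
        Scope   = $Scope
        Taskman = $Value
        Exists  = $exists
        Signed  = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'n/a' }
    }
}

$findings = @()

# 1. Machine-wide location quoted in the changelog.
$v = Get-TaskmanValue "HKLM:\$winlogonSubKey"
if ($v) { $findings += Test-TaskmanPath 'HKLM' $v }

# 2. Every local profile known to Windows (SID -> profile directory).
$profileList = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\ProfileList'
foreach ($p in Get-ChildItem $profileList) {
    $sid = $p.PSChildName
    $rawPath = (Get-ItemProperty $p.PSPath).ProfileImagePath
    if (-not $rawPath) { continue }
    # Service profiles use %systemroot%; expand before building the hive path.
    $profilePath = [Environment]::ExpandEnvironmentVariables($rawPath)
    $hiveFile = Join-Path $profilePath 'NTUSER.DAT'
    if (-not (Test-Path -LiteralPath $hiveFile)) { continue }

    $loadedByUs = $false
    if (-not (Test-Path "Registry::HKEY_USERS\$sid")) {
        # User not logged on: the hive is not mounted, so mount it ourselves.
        & reg.exe load "HKU\$sid" $hiveFile | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Could not load hive for $sid ($hiveFile)"; continue }
        $loadedByUs = $true
    }
    try {
        $v = Get-TaskmanValue "Registry::HKEY_USERS\$sid\$winlogonSubKey"
        if ($v) { $findings += Test-TaskmanPath "HKU\$sid" $v }
    } finally {
        if ($loadedByUs) {
            [gc]::Collect()   # drop registry handles the provider may still hold
            & reg.exe unload "HKU\$sid" | Out-Null
        }
    }
}

if ($findings.Count -eq 0) { 'No Winlogon Taskman value set in HKLM or any user hive.' }
else { $findings | Format-Table -AutoSize }
```

Run it from an elevated PowerShell prompt. Hives of users who are currently logged on are already mounted under HKEY_USERS\<SID> and are read in place; only the offline ones are loaded and unloaded, which is why the unload step is wrapped in a finally block so a failed lookup does not leave a stray hive mounted.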