45 Replies Latest reply on Nov 23, 2011 3:10 PM by ccroff

    VSE 8.8 Patch 1 - taking security up a notch

    wwarren

      Hi Everyone,

      Here's a thread to potentially spur some discussion.

      In the coming release of Patch 1 for VSE 8.8, we will be introducing a new Access Protection rule that will be enabled by default.

      The rule protects certain McAfee processes from DLL injection, which is a technique used by malware that allows the ill-intentioned code to then run inside a McAfee process. And since certain security measures "Trust" our own McAfee processes, the malware is then allowed to perform some pretty dastardly deeds... like terminating a scanner.

      With the new AP rule, this technique will not be possible - for certain critical processes of ours, like scanners.

      But this DLL injection technique is used by many a legitimate 3rd party application too. Often leveraging it to gain insightful information about the processes they inject into, perhaps for application metering, usage monitoring, encryption, and more. Those legitimate applications will be prevented from injecting into our process...

      The new rule does not have the flexibility of others, meaning you won't be able to exclude or trust processes; it'll only be an On or Off rule - but in the interest of security, ALL customers will want to have this rule enabled!

      What that could mean though, is being aware of your 3rd party applications that inject code into other processes and ensuring they do not have any issues with VSE 8.8 Patch 1's new rule. We expect that 3rd parties who attempt to hook our process will fail, and fail gracefully. But we cannot predict what else those 3rd parties might do - whether they log events or generate notification alerts etc. So there will be some responsibility needing to be shouldered by all in determining whether the new rule can remain On in the environment. We at McAfee strongly advise that everything be done in your power to keep it enabled... it's just that important.

      For those customers with 8.7i, we have a mandatory hotfix releasing soon that will be providing the same process injection protection.
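      The post above asks administrators to know which third-party products inject code into other processes before the rule is switched on. One way to get that inventory is to list the DLLs currently loaded inside a process and flag those whose file-version company name is not on an allow-list. The script below is an added example for this thread, not McAfee's code; the thread does not name McAfee's process names, so the process name is a placeholder the caller supplies, and the session is assumed to be elevated (reading another account's process modules needs that).

```powershell
# Added example, not McAfee's code: list DLLs loaded inside a running process
# whose version-info CompanyName is not on an allow-list, so an administrator
# can see which third-party products currently hook that process before the
# injection-blocking Access Protection rule is enabled.
# Assumptions: the process name(s) are supplied by the caller (placeholders,
# the thread does not list McAfee's process names); run from an elevated
# PowerShell session.
function Get-ThirdPartyModules {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$ProcessName,

        # Vendors whose modules are expected inside the process. Windows system
        # DLLs match 'Microsoft'; extend this list with your own product vendors.
        [string[]]$TrustedCompany = @('Microsoft Corporation', 'McAfee')
    )

    foreach ($name in $ProcessName) {
        $procs = Get-Process -Name $name -ErrorAction SilentlyContinue
        if (-not $procs) {
            Write-Warning "No running process named '$name'."
            continue
        }
        foreach ($proc in $procs) {
            try {
                # .Modules throws for protected processes and for a 32/64-bit
                # mismatch between this PowerShell host and the target process.
                $modules = $proc.Modules
            } catch {
                Write-Warning "Cannot read modules of $($proc.ProcessName) (PID $($proc.Id)): $($_.Exception.Message)"
                continue
            }
            foreach ($m in $modules) {
                $company = $m.FileVersionInfo.CompanyName
                $trusted = $false
                foreach ($t in $TrustedCompany) {
                    if ($company -and $company -like "*$t*") { $trusted = $true; break }
                }
                if ($trusted) { continue }
                $companyLabel = if ($company) { $company } else { '<no version info>' }
                [pscustomobject]@{
                    Process = $proc.ProcessName
                    PID     = $proc.Id
                    Module  = $m.ModuleName
                    Path    = $m.FileName
                    Company = $companyLabel
                }
            }
        }
    }
}

# Usage (process name is a placeholder; substitute the scanner process you
# want to inspect):
# Get-ThirdPartyModules -ProcessName 'example_scanner' | Format-Table -AutoSize
```

      CompanyName is informational, not a security check: any file can carry any vendor string, so treat the output as a list of products to follow up on (and to test against the new rule), not as proof that a module is benign or malicious. Modules that appear with no version info are usually the ones worth looking at first.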

        • 1. Re: VSE 8.8 Patch 1 - taking security up a notch
          aladdin9

          Will the hotfix for VSE 8.7i close SB10014, the VSE 8.7 and earlier Metasploit payload attack?  Also, will these future mandatory hotfix(es) be released via the public website with no logon required, or only with a grant number?

          • 2. Re: VSE 8.8 Patch 1 - taking security up a notch
            wwarren

            The 8.7i hotfix does address SB10014 and Metasploit payload attack. The hotfix will be public at some stage, first it must go through a phased release period - typically 2 to 4 weeks of monitoring its performance in the field.

            • 3. Re: VSE 8.8 Patch 1 - taking security up a notch
              Attila Polinger

              Hello,

              Can this functionality be tried before final release, WITHOUT having any actual issue normally needed to escalate to support to receive such upcoming patches?

              I mean I would love to try it asap... will support accept my reasoning: "just because"?

              Attila

              • 4. Re: VSE 8.8 Patch 1 - taking security up a notch
                ottawa_tech_31

                Will VSE 8.8 P1 fix the issue of installation failing if there is a UNC path in the system path? That's really annoying.

                • 5. Re: VSE 8.8 Patch 1 - taking security up a notch
                  wwarren

                  ottawa_tech_31 wrote:

                  Will VSE 8.8 P1 fix the issue of installation failing if there is a UNC path in the system path? That's really annoying.


                  It will not. That code is within the base installer, so the standalone patch won't help there.

                  However, you're probably aware we always repost our base install package such that it includes the latest patch. When we repost to include Patch 1 then Yes, it will allow you to override the UNC check. Timeline for that repost package is typically 2-4 weeks following the public posting of the standalone patch.

                  • 6. Re: VSE 8.8 Patch 1 - taking security up a notch
                    ottawa_tech_31

                    So if we have 8.8 already deployed, and then check in the 8.8 patch, will it deploy properly, or will we need to deploy the full 8.8 Patch 1 to all machines?

                    I never knew how many machines had a darn UNC path in the system path until VSE 8.8.....

                    • 7. Re: VSE 8.8 Patch 1 - taking security up a notch
                      wwarren

                      ottawa_tech_31 wrote:

                      So if we have 8.8 already deployed, and then check in the 8.8 patch, will it deploy properly, or will we need to deploy the full 8.8 Patch 1 to all machines?


                      Yes, it will deploy properly. Patch update packages do not have the UNC check (they don't need it).

                      The issue is only present if you're trying to install VSE. And you say VSE is already deployed, so there's no possibility of there being an issue for you.

                      However, if you had systems where VSE 8.8 was not yet deployed, due to the UNC check prohibiting the installation, then you will need the 8.8 repost package that has Patch 1 included, allowing an override command for the UNC check. Nothing else will work (unless you remove those UNC paths from the SYSTEM %path% variable).

                      We are trusting customers who make use of the UNC check override to have properly evaluated their environment and to be able to attest with 100% certainty that the UNC path does not cause any issues for VSE. Because if it does cause VSE any issues, we will insist they be removed when calling into Support.
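                      The reply above gives administrators two options: wait for the repost package with the override, or remove UNC entries from the SYSTEM %path% variable. The script below is an added example for this thread (not McAfee's code) that finds UNC entries (\\server\share...) in the machine-wide PATH and, on request, removes them with -WhatIf/-Confirm support. It reads and writes the PATH value under the standard Session Manager\Environment registry key as ExpandString so that %SystemRoot%-style references in the existing value survive; the sample PATH string in the usage comment is constructed for a dry run.

```powershell
# Added example, not McAfee's code: report UNC entries in the SYSTEM (machine)
# PATH and optionally remove them. Reads the raw, unexpanded registry value so
# that entries such as %SystemRoot%\system32 are written back unchanged.
$MachineEnvKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'

function Get-MachinePathRaw {
    # Raw value: do not expand %VAR% references, we want to write them back as-is.
    (Get-Item -Path $MachineEnvKey).GetValue(
        'Path', '', [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
}

function Get-UncPathEntry {
    param(
        # Defaults to the machine PATH; pass a string for an offline dry run.
        [string]$PathValue = (Get-MachinePathRaw)
    )
    $PathValue -split ';' |
        ForEach-Object { $_.Trim().Trim('"') } |
        Where-Object { $_ -ne '' -and $_ -match '^\\\\[^\\]+\\' }   # \\host\...
}

function Remove-UncPathEntry {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()
    $current = Get-MachinePathRaw
    $unc = @(Get-UncPathEntry -PathValue $current)
    if ($unc.Count -eq 0) {
        Write-Verbose 'No UNC entries in the machine PATH.'
        return
    }
    # Keep every original entry (untrimmed, quotes intact) that is not a UNC entry.
    $kept = $current -split ';' | Where-Object { $_.Trim().Trim('"') -notin $unc }
    $newValue = $kept -join ';'
    $target = "machine PATH ($MachineEnvKey)"
    if ($PSCmdlet.ShouldProcess($target, "remove UNC entries: $($unc -join ', ')")) {
        # ExpandString keeps the value as REG_EXPAND_SZ, as Windows expects.
        Set-ItemProperty -Path $MachineEnvKey -Name Path -Value $newValue -Type ExpandString
    }
    $unc   # return what was (or would be) removed
}

# Dry run on a constructed PATH string (no registry access):
# Get-UncPathEntry -PathValue 'C:\Windows;\\fileserver\tools\bin;%SystemRoot%\system32;"\\nas\share"'
# -> \\fileserver\tools\bin  and  \\nas\share
#
# Real check:           Get-UncPathEntry
# Preview removal:      Remove-UncPathEntry -WhatIf
# Remove (elevated):    Remove-UncPathEntry -Confirm
```

                      Writing the machine PATH requires an elevated session, and running services and already-open sessions keep the old value until they restart; the thread's own advice applies, so only remove an entry after confirming nothing on the system depends on it. Requires PowerShell 3.0 or later for the -notin operator.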

                      • 8. Re: VSE 8.8 Patch 1 - taking security up a notch
                        akl71

                        wwarren wrote:

                        Hi Everyone,

                        Here's a thread to potentially spur some discussion.

                        In the coming release of Patch 1 for VSE 8.8, we will be introducing a new Access Protection rule that will be enabled by default.

                        The rule protects certain McAfee processes from DLL injection, which is a technique used by malware that allows the ill-intentioned code to then run inside a McAfee process. And since certain security measures "Trust" our own McAfee processes, the malware is then allowed to perform some pretty dastardly deeds... like terminating a scanner.

                        With the new AP rule, this technique will not be possible - for certain critical processes of ours, like scanners.

                        But this DLL injection technique is used by many a legitimate 3rd party application too. Often leveraging it to gain insightful information about the processes they inject into, perhaps for application metering, usage monitoring, encryption, and more. Those legitimate applications will be prevented from injecting into our process...

                        I hope with this AP rule we can get rid of those mfehidk warnings with VSE 8.8 installed?

                        • 9. Re: VSE 8.8 Patch 1 - taking security up a notch
                          ottawa_tech_31

                          How can we do the UNC path override when deploying VSE 8.8 via ePO??
