5 Replies Latest reply on Nov 5, 2012 7:08 AM by Peter M

    Nov. 1st SecurityCenter software update has Intrusion Protection box unchecked by default!?

    stephe

      Sunday, November 4, 2012

      I just had an interesting/bad thing happen.

      The same day that McAfee identified and blocked a buffer overflow exploit in Microsoft Word, McAfee had previously performed a lengthy software update that required a re-boot. I didn't realize until a half hour ago (three days later!) that there was a new feature in the program's firewall called Intrusion Detection, which says "Protect yourself from hackers who exploit weaknesses in your operating system or programs to take control of your PC. Learn more," with a checkbox for Use Intrusion Protection, with the options being "Basic -- Detect activities that are very likely to be attacks. (Recommended)" and "High -- Detect suspicious activities, even though some might not be attacks."

      What blows my mind is that the Use Intrusion Protection box was not checked. What the Hell, McAfee?!?!?!

      I checked the box and chose High, then clicked Apply. Then I clicked on Learn more, which opened Internet Explorer.

      Right then and there, a McAfee box popped up saying...

      <<
      Intrusion blocked.
      McAfee blocked suspicious program activity. Please check for updates for this program and for your Windows operating system.

      About This Detection
      Program: Internet Explorer
      Activity: Buffer_Overflow

      If your attempt to fix the issue doesn't work, and you think it's a false alarm, change your intrusion protection settings in Firewall.
      <<

      So, I unplugged my ethernet cable, clicked on Home inside McAfee, then clicked on Security History. At the top is

      <<
      PC intrusion blocked
      Program name: IEXPLORE.EXE
      <<

      I clicked on the + to expand the section, and saw this:

      <<
      Firewall blocked a hacker from exploiting the Buffer_Overflow weakness in C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE on your PC.
      <<

      What I'd like to know is why is it that the popup only said, "McAfee blocked suspicious program activity. ... If your attempt to fix the issue doesn't work, and you think it's a false alarm, change your intrusion protection settings in Firewall." instead of telling me outright, "Firewall blocked a hacker"?

      So, it looks like the reason I got malware on my computer and hacker attacks is that McAfee's new software is sent with a new feature called Intrusion Protection which is turned off by default!?!?!? That makes it McAfee's fault!!!

      This is the first time I have ever had an anti-virus program detect a PC intrusion attempt, in my 12 years as an owner of a PC. I have gotten trojans and viruses, but never a detected intrusion attempt until now.

      Stephe

      Message was edited by: stephe to change "Security Center" to "SecurityCenter." on 11/4/12 5:31:13 PM CST
        • 1. Re: Nov. 1st SecurityCenter software update has Intrusion Protection box unchecked by default!?
          Peter M

          As you already posted, here's the answer again regarding the Intrusion Protection feature in Firewall.

          It is a new feature for Consumer (integrated from Enterprise products) and we had concerns about compatibility with all of the 3rd party apps that are available in the Consumer environment (vs. an Enterprise environment which is usually locked down to very specific and approved applications).  IOW, we’ve made it available for those customers who are very concerned about their network security, but didn’t turn it on until the Beta product reveals no issues.

          • 2. Re: Nov. 1st SecurityCenter software update has Intrusion Protection box unchecked by default!?
            stephe

            When I said...

            "The same day that McAfee identified and blocked a buffer overflow exploit in Microsoft Word, McAfee had previously performed a lengthy software update that required a re-boot."

            I was in error. I looked through my System Restore restoration points, and found that the lengthy software update was not on November 1st but on October 26th.

            "I didn't realize until a half hour ago (three days later!) that there was a new feature in the program's firewall called Intrusion Detection, which says "Protect yourself from hackers who exploit weaknesses in your operating system or programs to take control of your PC. Learn more," with a checkbox for Use Intrusion Protection, with the options being "Basic -- Detect activities that are very likely to be attacks. (Recommended)" and "High -- Detect suspicious activities, even though some might not be attacks."

            What blows my mind is that the Use Intrusion Protection box was not checked. What the Hell, McAfee?!?!?!"

            Ex_Brit wrote:

            "As you already posted, here's the answer again regarding the Intrusion Protection feature in Firewall.

            It is a new feature for Consumer (integrated from Enterprise products) and we had concerns about compatibility with all of the 3rd party apps that are available in the Consumer environment (vs. an Enterprise environment which is usually locked down to very specific and approved applications). IOW, we’ve made it available for those customers who are very concerned about their network security, but didn’t turn it on until the Beta product reveals no issues."

            So, is the feature a crucial component of McAfee now, or is it superfluous?

            I just went to Safe Mode and ran Malwarebytes and McAfee again, and neither found anything, whereas GMER did.

            What I want to know is, if and when I re-format, will changing my IP address be enough to stymie the hacker, or will it be futile because he has my MAC address? In other words, if I re-format, will the hacker intrude into my fresh, re-formatted system before I am even able to install and update McAfee?

            [Re the buffer overflow exploit in Microsoft Word:]
            The first time I ran GMER (on November 3rd), GMER found exactly 36 .text entries for each of the following 13 programs:


            C:\WINDOWS\system32\services.exe[864]

            C:\WINDOWS\system32\lsass.exe[876]

            C:\WINDOWS\system32\svchost.exe[1092]

            C:\WINDOWS\system32\svchost.exe[1176]

            C:\WINDOWS\System32\svchost.exe[1272]

            C:\WINDOWS\system32\svchost.exe[1332]

            C:\WINDOWS\system32\svchost.exe[1364]

            C:\WINDOWS\system32\svchost.exe[1440]

            C:\WINDOWS\Explorer.EXE[1880]

            C:\Program Files\Microsoft Office\Office10\WINWORD.EXE[2240]

            C:\WINDOWS\system32\svchost.exe[2436]

            C:\WINDOWS\system32\dllhost.exe[3584]

            C:\WINDOWS\System32\svchost.exe[3936]

             

            To the far right of each of the 13 programs listed above was the following same exact sequence of 36 lines of information (with the exception of the 29th line...

            (line 29) ADVAPI32.DLL!RegCreateKeyW + 3       77DFBA58 2 Bytes  [55, 88]

            ...which had different numbers in the bracketed area each time):


            (line 01) ntdll.dll!NtCreateFile               7C90D0AE 5 Bytes  JMP 0014000A

            (line 02) ntdll.dll!NtCreateProcess            7C90D14E 5 Bytes  JMP 00140025

            (line 03) ntdll.dll!NtProtectVirtualMemory     7C90D6EE 5 Bytes  JMP 00140FD2

            (line 04) ntdll.dll!KiUserExceptionDispatcher  7C90E47C 5 Bytes  JMP 00140FE3

            (line 05) kernel32.dll!CreateFileA             7C801A28 5 Bytes  JMP 00260000

            (line 06) kernel32.dll!VirtualProtectEx        7C801A61 5 Bytes  JMP 002600B2

            (line 07) kernel32.dll!VirtualProtect          7C801AD4 5 Bytes  JMP 002600A1

            (line 08) kernel32.dll!LoadLibraryExW          7C801AF5 5 Bytes  JMP 00260FC7

            (line 09) kernel32.dll!LoadLibraryExA          7C801D53 5 Bytes  JMP 00260084

            (line 10) kernel32.dll!LoadLibraryA            7C801D7B 5 Bytes  JMP 0026004E

            (line 11) kernel32.dll!GetStartupInfoW         7C801E54 5 Bytes  JMP 002600E0

            (line 12) kernel32.dll!GetStartupInfoA         7C801EF2 5 Bytes  JMP 002600CF

            (line 13) kernel32.dll!CreateProcessW          7C802336 5 Bytes  JMP 0026010C

            (line 14) kernel32.dll!CreateProcessA          7C80236B 5 Bytes  JMP 00260F69

            (line 15) kernel32.dll!GetProcAddress          7C80AE40 5 Bytes  JMP 0026011D

            (line 16) kernel32.dll!LoadLibraryW            7C80AEEB 5 Bytes  JMP 0026005F

            (line 17) kernel32.dll!CreateFileW             7C810800 5 Bytes  JMP 00260011

            (line 18) kernel32.dll!CreatePipe              7C81D83F 5 Bytes  JMP 00260F98

            (line 19) kernel32.dll!CreateNamedPipeW        7C82F0DD 5 Bytes  JMP 0026003D

            (line 20) kernel32.dll!CreateNamedPipeA        7C860CDC 5 Bytes  JMP 0026002C

            (line 21) kernel32.dll!WinExec                 7C86250D 5 Bytes  JMP 002600F1

            (line 22) ADVAPI32.DLL!RegOpenKeyExW           77DD6AAF 5 Bytes  JMP 00350FD4

            (line 23) ADVAPI32.DLL!RegCreateKeyExW         77DD776C 5 Bytes  JMP 00350F72

            (line 24) ADVAPI32.DLL!RegOpenKeyExA           77DD7852 5 Bytes  JMP 0035001B

            (line 25) ADVAPI32.DLL!RegOpenKeyW             77DD7946 5 Bytes  JMP 00350FE5

            (line 26) ADVAPI32.DLL!RegCreateKeyExA         77DDE9F4 5 Bytes  JMP 00350F83

            (line 27) ADVAPI32.DLL!RegOpenKeyA             77DDEFC8 5 Bytes  JMP 00350000

            (line 28) ADVAPI32.DLL!RegCreateKeyW           77DFBA55 2 Bytes  JMP 00350FA8

            (line 29) ADVAPI32.DLL!RegCreateKeyW + 3       77DFBA58 2 Bytes  [55, 88]

            (line 30) ADVAPI32.DLL!RegCreateKeyA           77DFBCF3 5 Bytes  JMP 00350FB9

            (line 31) msvcrt.dll!_wsystem                  77C2931E 5 Bytes  JMP 00360014

            (line 32) msvcrt.dll!system                    77C293C7 5 Bytes  JMP 00360F7F

            (line 33) msvcrt.dll!_creat                    77C2D40F 5 Bytes  JMP 00360FAB

            (line 34) msvcrt.dll!_open                     77C2F566 5 Bytes  JMP 00360FEF

            (line 35) msvcrt.dll!_wcreat                   77C2FC9B 5 Bytes  JMP 00360F9A

            (line 36) msvcrt.dll!_wopen                    77C30055 5 Bytes  JMP 00360FD2

             

            [Re the Buffer_Overflow Internet Explorer blocked hacker intrusion attempt:]
            The second time I ran GMER (on November 4th), GMER found between 25 and 51 .text entries for each of the following 20 programs:


            C:\WINDOWS\system32\svchost.exe[568]

            C:\WINDOWS\system32\csrss.exe[776]

            C:\WINDOWS\system32\winlogon.exe[804]

            C:\WINDOWS\system32\services.exe[848]

            C:\WINDOWS\system32\lsass.exe[860]

            C:\WINDOWS\system32\svchost.exe[1068]

            C:\WINDOWS\system32\svchost.exe[1156]

            C:\WINDOWS\System32\svchost.exe[1196]

            C:\WINDOWS\system32\svchost.exe[1284]

            C:\WINDOWS\system32\svchost.exe[1312]

            C:\WINDOWS\system32\spoolsv.exe[1468]

            C:\WINDOWS\system32\svchost.exe[1572]

            C:\Program Files\Internet Explorer\iexplore.exe[1616]

            C:\WINDOWS\Explorer.EXE[1996]

            C:\Program Files\Internet Explorer\iexplore.exe[2576]

            C:\Program Files\Internet Explorer\iexplore.exe[2612]

            C:\Program Files\Internet Explorer\iexplore.exe[2764]

            C:\WINDOWS\system32\dllhost.exe[2916]

            C:\WINDOWS\system32\rundll32.exe[3004]

            C:\WINDOWS\System32\alg.exe[3176]

             

            To the far right of the first of the 20 programs listed above was the following sequence of 51 lines of information:


            (line 01) C:\WINDOWS\system32\svchost.exe[568] ntdll.dll!NtCreateFile                                   7C90D0AE 5 Bytes  JMP 00D00FEF

            (line 02) C:\WINDOWS\system32\svchost.exe[568] ntdll.dll!NtCreateProcess                                7C90D14E 5 Bytes  JMP 00D00031

            (line 03) C:\WINDOWS\system32\svchost.exe[568] ntdll.dll!NtProtectVirtualMemory                         7C90D6EE 5 Bytes  JMP 00EB0BE7

            (line 04) C:\WINDOWS\system32\svchost.exe[568] ntdll.dll!NtSetSecurityObject                            7C90DD2E 5 Bytes  JMP 00EB0477

            (line 05) C:\WINDOWS\system32\svchost.exe[568] ntdll.dll!KiUserExceptionDispatcher                      7C90E47C 5 Bytes  JMP 00D00000

            (line 06) C:\WINDOWS\system32\svchost.exe[568] ntdll.dll!LdrLoadDll                                     7C91632D 5 Bytes  JMP 00EB0400

            (line 07) C:\WINDOWS\system32\svchost.exe[568] ntdll.dll!LdrGetProcedureAddress                         7C917CF0 5 Bytes  JMP 00EB0B70

            (line 08) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!CreateFileA                                 7C801A28 5 Bytes  JMP 00EB07B8

            (line 09) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!VirtualProtectEx                            7C801A61 5 Bytes  JMP 00EB0D4C

            (line 10) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!VirtualProtect                              7C801AD4 5 Bytes  JMP 00EB0CD5

            (line 11) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!LoadLibraryExW                              7C801AF5 5 Bytes  JMP 00CF0025

            (line 12) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!LoadLibraryExA                              7C801D53 5 Bytes  JMP 00CF0014

            (line 13) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!LoadLibraryA                                7C801D7B 5 Bytes  JMP 00F301DC

            (line 14) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!GetStartupInfoW                             7C801E54 5 Bytes  JMP 00CF0F09

            (line 15) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!GetStartupInfoA                             7C801EF2 5 Bytes  JMP 00EB091D

            (line 16) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!ReadProcessMemory                           7C8021D0 5 Bytes  JMP 00EB0F28

            (line 17) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!CreateProcessW                              7C802336 5 Bytes  JMP 00EB0A82

            (line 18) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!CreateProcessA                              7C80236B 5 Bytes  JMP 00EB0E3A

            (line 19) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!VirtualAllocEx                              7C809B12 7 Bytes  JMP 00EB0DC3

            (line 20) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!GetProcAddress                              7C80AE40 5 Bytes  JMP 00EB0994

            (line 21) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!LoadLibraryW                                7C80AEEB 5 Bytes  JMP 00EB0A0B

            (line 22) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!CreateRemoteThread                          7C8104CC 5 Bytes  JMP 00F30000

            (line 23) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!CreateFileW                                 7C810800 5 Bytes  JMP 00CF0FD4

            (line 24) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!HeapCreate                                  7C812C56 5 Bytes  JMP 00F30077

            (line 25) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!CreatePipe                                  7C81D83F 5 Bytes  JMP 00EB08A6

            (line 26) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!CreateNamedPipeW                            7C82F0DD 5 Bytes  JMP 00CF0FA8

            (line 27) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!OpenProcess                                 7C8309E9 5 Bytes  JMP 00EB0EB1

            (line 28) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!PeekNamedPipe                               7C860977 7 Bytes  JMP 00EB082F

            (line 29) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!CreateNamedPipeA                            7C860CDC 5 Bytes  JMP 00CF0FB9

            (line 30) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!WinExec                                     7C86250D 5 Bytes  JMP 00EB0C5E

            (line 31) C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!LoadModule                                  7C86261E 5 Bytes  JMP 00EB0AF9

            (line 32) C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegOpenKeyExW                               77DD6AAF 5 Bytes  JMP 00CE0025

            (line 33) C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegCreateKeyExW                             77DD776C 5 Bytes  JMP 00CE0051

            (line 34) C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegOpenKeyExA                               77DD7852 5 Bytes  JMP 00CE000A

            (line 35) C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegOpenKeyW                                 77DD7946 5 Bytes  JMP 00CE0FD4

            (line 36) C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegCreateKeyExA                             77DDE9F4 5 Bytes  JMP 00CE0040

            (line 37) C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegOpenKeyA                                 77DDEFC8 5 Bytes  JMP 00CE0FE5

            (line 38) C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegCreateKeyW                               77DFBA55 2 Bytes  JMP 00CE0FA8

            (line 39) C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegCreateKeyW + 3                           77DFBA58 2 Bytes  [EE, 88]

            (line 40) C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegCreateKeyA                               77DFBCF3 5 Bytes  JMP 00CE0FB9

            (line 41) C:\WINDOWS\system32\svchost.exe[568] RPCRT4.dll!NdrServerInitialize                           77E79FB5 5 Bytes  JMP 00EB0741

            (line 42) C:\WINDOWS\system32\svchost.exe[568] USER32.dll!SetWindowsHookExW                             7E42820F 5 Bytes  JMP 00EB0565

            (line 43) C:\WINDOWS\system32\svchost.exe[568] USER32.dll!SetWindowsHookExA                             7E431211 5 Bytes  JMP 00EB04EE

            (line 44) C:\WINDOWS\system32\svchost.exe[568] GDI32.dll!GetDIBits                                      77F19FA5 5 Bytes  JMP 00EB06CA

            (line 45) C:\WINDOWS\system32\svchost.exe[568] msvcrt.dll!_wsystem                                      77C2931E 5 Bytes  JMP 00CD0FB0

            (line 46) C:\WINDOWS\system32\svchost.exe[568] msvcrt.dll!system                                        77C293C7 5 Bytes  JMP 00F300EE

            (line 47) C:\WINDOWS\system32\svchost.exe[568] msvcrt.dll!_creat                                        77C2D40F 5 Bytes  JMP 00F30165

            (line 48) C:\WINDOWS\system32\svchost.exe[568] msvcrt.dll!_open                                         77C2F566 5 Bytes  JMP 00CD0FEF

            (line 49) C:\WINDOWS\system32\svchost.exe[568] msvcrt.dll!_wcreat                                       77C2FC9B 5 Bytes  JMP 00CD0FC1

            (line 50) C:\WINDOWS\system32\svchost.exe[568] msvcrt.dll!_wopen                                        77C30055 5 Bytes  JMP 00CD0FDE

            (line 51) C:\WINDOWS\system32\svchost.exe[568] NETAPI32.dll!NetpwPathCanonicalize                       5B86A3A9 5 Bytes  JMP 00EB05DC      Whatever this is, Malwarebytes and McAfee are not identifying it

             

            The other programs had fewer lines of text.

            There was also this:


            C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[1948] kernel32.dll!LoadLibraryA   7C801D7B 5 Bytes  JMP 62418360 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)

            C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[1948] kernel32.dll!LoadLibraryW   7C80AEEB 5 Bytes  JMP 62418460 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)

             

            Whatever this series of commands is, Malwarebytes and McAfee are not identifying it as malware-related activity. I think it might be automated, i.e. the hacker is not personally sitting there at the ready each time I get a new buffer overflow.

            Two minutes ago, I got a buffer overflow in Firefox! In McAfee's Security History, I clicked on the + to expand the section, and saw this:

            <<
            Firewall blocked a hacker from exploiting the Buffer_Overflow weakness in C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE on your PC
            <<

            And when I opened a second Firefox window, I got another Firefox Buffer_Overflow alert.

            Stephe

            Message was edited by: stephe to colorize some text on 11/5/12 4:49:11 AM CST

            Message was edited by: stephe on 11/5/12 5:16:45 AM CST
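As an added example (not code from the post, from GMER or from McAfee), a Python parser for GMER's user-mode ".text" hook lines like the ones quoted above. It groups each process's patched exports by whether GMER could name the module the JMP lands in (as it did for the mcproxy.dll lines) or only an anonymous address, and by which 64 KiB regions those unnamed targets cluster in, which is the first thing an analyst wants from such a log. The sample input reuses six lines from the post; the resolved-versus-unresolved heuristic is the example's own assumption, not a GMER verdict.

```python
"""Triage GMER ".text" user-mode hook lines by where each patched export jumps.

Added example; not code from the forum post, GMER or McAfee. SAMPLE_GMER_TEXT is
copied from the post above (minus the "(line NN)" prefixes). Heuristic, this
example's own assumption: a JMP into a region GMER could not name (e.g. 0x00EB....)
deserves a closer look; a JMP GMER resolved to a named vendor module is usually a
product hook.
"""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass

# Both the process-prefixed and the bare form occur in GMER output; "path (vendor)"
# is appended only when GMER could map the JMP target to a loaded module.
LINE_RE = re.compile(
    r"""^(?:(?P<process>[A-Za-z]:\\.+?\[\d+\])\s+)?
        (?P<module>[\w.]+)!(?P<function>\w+)(?P<offset>\s*\+\s*\d+)?\s+
        (?P<address>[0-9A-Fa-f]{8})\s+\d+\s+Bytes\s+
        (?:JMP\s+(?P<target>[0-9A-Fa-f]{8})|\[[^\]]*\])
        (?:\s+(?P<target_module>[A-Za-z]:\\[^(]+?)\s*\([^)]*\))?\s*$""",
    re.VERBOSE,
)

SAMPLE_GMER_TEXT = r"""
C:\WINDOWS\system32\svchost.exe[568] ntdll.dll!NtCreateFile              7C90D0AE 5 Bytes  JMP 00D00FEF
C:\WINDOWS\system32\svchost.exe[568] ntdll.dll!NtProtectVirtualMemory    7C90D6EE 5 Bytes  JMP 00EB0BE7
C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!VirtualAllocEx         7C809B12 7 Bytes  JMP 00EB0DC3
C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegCreateKeyW          77DFBA55 2 Bytes  JMP 00CE0FA8
C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegCreateKeyW + 3      77DFBA58 2 Bytes  [EE, 88]
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[1948] kernel32.dll!LoadLibraryA   7C801D7B 5 Bytes  JMP 62418360 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
"""

@dataclass(frozen=True)
class Hook:
    process: str | None        # e.g. r"C:\WINDOWS\system32\svchost.exe[568]"
    function: str              # "kernel32.dll!LoadLibraryA", "ADVAPI32.dll!RegCreateKeyW+3"
    address: int               # patched address inside the export
    target: int | None         # JMP destination; None for a raw byte patch like "[EE, 88]"
    target_module: str | None  # module GMER mapped the destination to, if any

def parse_line(line: str) -> Hook | None:
    """Parse one GMER ".text" hook line; None for anything else (headers, blanks)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    offset = (m.group("offset") or "").replace(" ", "")
    return Hook(
        process=m.group("process"),
        function=f'{m.group("module")}!{m.group("function")}{offset}',
        address=int(m.group("address"), 16),
        target=int(m.group("target"), 16) if m.group("target") else None,
        target_module=m.group("target_module"),
    )

def parse_gmer_text(text: str) -> list[Hook]:
    return [h for h in map(parse_line, text.splitlines()) if h is not None]

def summarize_by_process(hooks: list[Hook]) -> dict[str, dict]:
    """Per process: patched exports, JMPs into unnamed memory, the 64 KiB regions
    those target, and the named modules that own the resolved JMPs."""
    acc = defaultdict(lambda: {"hooks": 0, "unresolved": 0, "regions": set(), "modules": set()})
    for h in hooks:
        s = acc[h.process or "<no process>"]
        s["hooks"] += 1
        if h.target is None:          # remainder of a multi-byte patch, no destination
            continue
        if h.target_module:
            s["modules"].add(h.target_module)
        else:
            s["unresolved"] += 1
            s["regions"].add(f"{h.target >> 16:04X}0000")   # 0x00EB0BE7 -> "00EB0000"
    return {p: {**s, "regions": sorted(s["regions"]), "modules": sorted(s["modules"])}
            for p, s in acc.items()}
```

Run on the full GMER report rather than the sample to see every process whose exports jump into the same unnamed regions; processes that only show resolved, vendor-tagged targets can be set aside first.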
            • 3. Re: Nov. 1st SecurityCenter software update has Intrusion Protection box unchecked by default!?
              Peter M

              Stephe, we don't/can't analyze such reports here. Please look in the last link in the signature below and follow the Hijackthis instructions for posting HJT logs on specialist forums for analysis. You must know that no antivirus on the Planet is guaranteed to catch everything there is out there, hence the need for all those extra tools. It's unfortunate but necessary in some cases.

              Edit: Moved this to the sub-section Home User Assistance.

              Message was edited by: Ex_Brit on 05/11/12 6:57:59 EST AM
              • 4. Re: Nov. 1st SecurityCenter software update has Intrusion Protection box unchecked by default!?
                Peter M

                Such long answers make it rather difficult to filter out the questions you are asking so I just saw one or two there.

                Intrusion Protection being turned off shouldn't make a difference to those who practice safe surfing and who take the normal precautions by keeping everything up to date.

                Your firewall is already blocking attempts by unknowns anyway.

                It's (I.P.) an extra level of protection which is still being tested to a certain extent, hence not being turned on by default....yet.

                Maybe it's me but I see no evidence above that you've been hacked in the first place but a HJT log posted elsewhere and hopefully analyzed by the right people should assist you with that question.

                There is no need to change your IP address. It will change by itself eventually anyway.

                There probably is no need to format either but see what those forums tell you.

                Pick only one though, as they are all extremely busy and might take exception to doing duplicate work.

                It's outlined in the link below in my signature.

                Message was edited by: Ex_Brit on 05/11/12 7:40:08 EST AM
                • 5. Re: Nov. 1st SecurityCenter software update has Intrusion Protection box unchecked by default!?
                  Peter M

                  Please continue this in your other thread: https://community.mcafee.com/thread/49734?tstart=0

                  The header question of this thread has been answered.

                  Locking this one.

                  Message was edited by: Ex_Brit on 05/11/12 8:08:45 EST AM