8 Replies Latest reply on Apr 2, 2013 9:21 AM by greatscott

    Malware/Vulnerability lifecycle in relation to McAfee products

    greatscott

      So when seeing some new emerging vulnerabilities and malware in the wild, I am attempting to figure out a few items.

       

      1. Are we covered?
      2. With what products (VSE, HIPS, IDS, etc)?
      3. If we are not covered what do we do about it (wait for DAT, create custom HIPS signature, etc)
      4. When will we be covered?

       

      For example, the following comes from McAfee Threat Intelligence Service:

      ******************************************************************************** *******************

      [MTIS13-021-A]

      Oracle Java SE Java Runtime Environment 2D 1 Remote Code Execution

      ===============================================================================

      Threat Identifier(s):             CVE-2013-0437

      Threat Type:                      Vulnerability

      Risk Assessment:                  Medium

      Main Threat Vectors:              Web

      User Interaction Required:        Yes

      Description:                      A vulnerability in some versions of Oracle Java SE could lead to remote code execution. The flaw is specific to Java JRE/JDK 7 Update 11 and prior, JDK/JRE 6 update 38 and prior, JDK/JRE 5.0 update 38 and prior, as well as SDK and JRE 1.4.2_40 and prior. In addition, JavaFX 2.2.4 and earlier are affected. Under specific conditions, the vulnerable application can allow an attacker to gain full control of a compromised host or affect the availability of services.

      Importance:                       Medium. On February 1, Oracle released an update to address this vulnerability.

       

      McAfee Product Coverage *

       

      DAT files:                        Under analysis

      VSE BOP:                          Generic buffer overflow protection is expected to cover code-execution exploits.

      Host IPS:                         Generic buffer overflow protection is expected to cover code-execution exploits.

      McAfee Network Security Platform: Under analysis

      McAfee Vulnerability Manager:     A future FSL/MVM package will include a vulnerability check to assess if your systems are at risk.

      McAfee Web Gateway:               Under analysis

      McAfee Remediation Manager:       Under analysis

      McAfee Policy Auditor:            Under analysis

      MNAC:                             Under analysis

      McAfee Firewall Enterprise:       Under analysis

      McAfee Application Control:       Run-Time Control locks down systems and provides protection in the form of Execution Control and Memory Protection.

      McAfee Database Activity Monitoring: Out of scope

      McAfee Vulnerability Manager for Databases: Out of scope

      ******************************************************************************** *****************

       

      I look at key components that apply to me - chiefly DAT coverage, and secondarily HIPS coverage. I would say for MTIS notifications, 99% of the time, DAT coverage is "Under Analysis". HIPS sometimes is addressed with buffer overflow coverage, but can also sometimes say "Under Analysis". The biggest issue I am having during my process is: when can we expect coverage? While the MTIS notification is an acknowledgement from McAfee that the finding is known, there is no follow-up email to confirm coverage for those items which are marked as "under analysis", which may be later addressed by a McAfee HIPS Content Update or DAT file. Short of going through every DAT file "readme.txt", one will never know if coverage is achieved or not.

       

      I have tried using the McAfee Threat Intelligence Site to query for CVEs, but more often than not, it only returns something pertaining to Foundstone. In summation, a follow-up alert for coverage would be great, and possibly a better database with a one-stop shop is in order. I get the feeling that McAfee products, or separate departments, are disjointed, when really they should be more synergistic when addressing common issues (vulnerabilities).

       

      I hope this has landed in the correct forum.
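One way to track the "under analysis" items the post complains about is to parse each MTIS notice into a structured record and diff successive revisions of the same notice, so a status change on the products you care about (DAT files, Host IPS) surfaces without reading every DAT readme. The script below is an added example, not McAfee's own tooling and not code from the original post; the notice text it parses is a constructed, abbreviated copy of the notice quoted above, and the "later revision" used to demonstrate the diff is a constructed placeholder, not a real MTIS update.

```python
"""Parse McAfee MTIS coverage notices and flag product lines still awaiting coverage.

Added example; the notice layout (a "[MTISxx-xxx-x]" id line, a title, "Key: value"
fields, then a "McAfee Product Coverage" block of "Product: status" lines) is taken
from the notice quoted in the post. The sample text below is constructed and abbreviated.
"""
import re
from dataclasses import dataclass

SAMPLE_NOTICE = """\
[MTIS13-021-A]
Oracle Java SE Java Runtime Environment 2D 1 Remote Code Execution
===============================================================================
Threat Identifier(s):             CVE-2013-0437
Threat Type:                      Vulnerability
Risk Assessment:                  Medium
Main Threat Vectors:              Web
User Interaction Required:        Yes
Description:                      A vulnerability in some versions of Oracle Java SE could lead to remote code execution.
Importance:                       Medium. On February 1, Oracle released an update to address this vulnerability.

McAfee Product Coverage *

DAT files:                        Under analysis
VSE BOP:                          Generic buffer overflow protection is expected to cover code-execution exploits.
Host IPS:                         Generic buffer overflow protection is expected to cover code-execution exploits.
McAfee Network Security Platform: Under analysis
McAfee Vulnerability Manager:     A future FSL/MVM package will include a vulnerability check to assess if your systems are at risk.
McAfee Web Gateway:               Under analysis
McAfee Application Control:       Run-Time Control locks down systems and provides protection in the form of Execution Control and Memory Protection.
McAfee Database Activity Monitoring: Out of scope
"""

# Constructed placeholder for a later revision of the same notice: only the DAT line differs.
UPDATED_NOTICE = SAMPLE_NOTICE.replace(
    "DAT files:                        Under analysis",
    "DAT files:                        Covered in a later DAT release (constructed placeholder status)",
)

PENDING = "under analysis"


@dataclass
class Notice:
    notice_id: str
    title: str
    cves: list
    fields: dict      # header fields such as "Threat Type" -> value
    coverage: dict    # product name -> coverage status text


def parse_notice(text):
    """Split a notice into header fields and the per-product coverage block."""
    notice_id, title, fields, coverage, in_coverage = "", "", {}, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"="}:          # blank line or the "====" rule
            continue
        m = re.match(r"^\[(MTIS[^\]]+)\]$", line)
        if m:
            notice_id = m.group(1)
            continue
        if notice_id and not title and ":" not in line:  # the title line carries no colon
            title = line
            continue
        if line.startswith("McAfee Product Coverage"):
            in_coverage = True
            continue
        m = re.match(r"^([^:]+?):\s+(.*)$", line)   # "Key:   value" (first colon splits)
        if m:
            (coverage if in_coverage else fields)[m.group(1).strip()] = m.group(2).strip()
    cves = re.findall(r"CVE-\d{4}-\d{4,}", fields.get("Threat Identifier(s)", ""))
    return Notice(notice_id, title, cves, fields, coverage)


def pending_products(notice):
    """Products whose status is still 'Under analysis' and therefore need a follow-up."""
    return sorted(p for p, s in notice.coverage.items() if s.lower().startswith(PENDING))


def coverage_summary(notice, watched=("DAT files", "Host IPS")):
    """Classify the products the reader cares about: pending / covered / out of scope / missing."""
    summary = {}
    for product in watched:
        status = notice.coverage.get(product)
        if status is None:
            summary[product] = "missing"
        elif status.lower().startswith(PENDING):
            summary[product] = "pending"
        elif status.lower().startswith("out of scope"):
            summary[product] = "out of scope"
        else:
            summary[product] = "covered"
    return summary


def diff_coverage(old, new):
    """Products whose coverage line changed between two revisions of a notice."""
    return {p: (old.coverage.get(p), new.coverage.get(p))
            for p in set(old.coverage) | set(new.coverage)
            if old.coverage.get(p) != new.coverage.get(p)}


if __name__ == "__main__":
    first, later = parse_notice(SAMPLE_NOTICE), parse_notice(UPDATED_NOTICE)
    print(first.notice_id, first.cves, coverage_summary(first))
    print("still pending:", pending_products(first))
    for product, (before, after) in diff_coverage(first, later).items():
        print(f"changed: {product}: {before!r} -> {after!r}")
```

Running the script on the constructed notice reports DAT files as pending and Host IPS as covered, lists the three "Under analysis" products, and, against the placeholder revision, prints only the DAT line as changed; stored per-notice records plus this diff are enough to raise the follow-up alert the post asks McAfee for.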