8 Replies Latest reply on Oct 25, 2013 2:52 PM by vinoo

    McAfee GetSusp 3.0.0.373

    vinoo

      We're pleased to announce a newer version of GetSusp. Latest released version is GetSusp 3.0.0.373 (build date 11th, Oct 2013)

       

      GetSusp download: http://getsusp.mcafee.com
      GetSusp-ePO: KB70405

       

      Changelog:

       

      1. Fixed a digital signature verification issue on Win 8.

      2. GetSusp is now compiled on Visual Studio 2010. This raises the minimum supported OS to WinXp Sp2 and higher.

      3. Update to the zip compression algorithm.

      4. GetSusp now auto checks if a newer package is available at launch and will alert the user.

      5. Updated scan locations on 64bit systems.
      6. GetSusp ePO package now available via ePO Software Manager. (Thank you Steen!)

        • 1. Re: McAfee GetSusp 3.0.0.373
          dbusby3

          Is there a new flag that I should use to disable the update check that you describe below?  I don’t think we want this happening all the time.  Sometimes the user needs to be unaware that the tool is running.

          • 2. Re: McAfee GetSusp 3.0.0.373
            vinoo

            Getsusp.exe --ePO

             

            The ePO switch suppresses any warnings.

            • 3. Re: McAfee GetSusp 3.0.0.373
              dbusby3

              I think that is working; however, the time for GetSusp seems to be getting longer.  Any suggestions on monitoring to make sure it is going fairly fast?  If you want, I can get a previous version and test, but I assume that some of the new pathing etc. is taking more time.

              • 4. Re: McAfee GetSusp 3.0.0.373
                vinoo

                By how much longer does a scan take now?

                Each GetSusp scan will list how many files it scanned. It's captured as part of the raw getsusp.xml (end of file).  Please compare scan using different versions and let me know the scan times and how many files got scanned.

                • 5. Re: McAfee GetSusp 3.0.0.373
                  dbusby3

                  Vinoo,

                   

                  Here are my initial results but I am dubious.  Would it be better to do a reboot between scans?  Is something getting cached that I may need to remove to get a better test?

                   

                  Version   Identified Files   Start Time   End Time   Delta
                  300262    1263               8:46:10      8:48:22    0:02:12
                  300285    1255               8:52:55      8:54:43    0:01:48
                  300311    1215               8:55:21      8:57:10    0:01:49
                  300318    1214               9:00:44      9:01:31    0:00:47
                  300323    1214               9:01:55      9:02:22    0:00:27
                  300373    1214               9:03:35      9:04:01    0:00:26

                  • 6. Re: McAfee GetSusp 3.0.0.373
                    vinoo

                    The Artemis DNS lookups are cached.

                    Ipconfig /flushdns will clear the cache and the next scan will lookup every file again.

                    • 7. Re: McAfee GetSusp 3.0.0.373
                      dbusby3

                      Never mind.  It was probably just my perception anyway.

                       

                      I do notice that if a company is using some software from Oracle, a new driver is inserted into domain controllers in particular to obtain a user's clear text password for use later.

                       

                      Have you seen any malware using this feature to grab credentials?  It would be unusual if found though, as I would consider this difficult to pull off and there are probably easier ways.

                      • 8. Re: McAfee GetSusp 3.0.0.373
                        vinoo

                        Sorry, haven't heard of such malware. Have been retired from the research scene for a while.