2 Replies Latest reply: Sep 16, 2014 4:03 AM by dmease729

    VSE OD discussion queries - VSE Technical Briefs (SNS Journal - VSE edition 22/08/14)




      Link from SNS journal here.


      Under the reasons why a user would expect a full system scan to catch the malware if on-access/realtime has not, there are valid reasons listed, but the following one confuses me:


      "Global Threat Intelligence (GTI, formerly Artemis) is disabled on the system. NOTE: GTI delivers real-time reputation data for more than 140 million IP addresses on top of the signatures provided by the daily DAT file. McAfee recommends that customers enable GTI to increase threat detection accuracy."


      Firstly, this bullet point implies that the use of on-demand scans will catch malware that on-access hasn't detected, on systems with GTI disabled.  If GTI is fully disabled, then surely an OD scan doesn't give any benefit?  Secondly, the reference to 140 million IP addresses is surely related to IP reputation, and not Artemis/file reputation...


      In the case study section, I follow it through fine, however could I clarify the following: *If* the system was rebooted, and the location of the infected file was not excluded in the on-access policy, would the infected file have been detected when the system boots back up (as the file needs to be read in order to become active).  I would suspect yes, but just wanting to confirm.



        • 1. Re: VSE OD discussion queries - VSE Technical Briefs (SNS Journal - VSE edition 22/08/14)

          Hi dmease729,


          Well, when I read this, I did not interpret the information the same as you.


          '140 million IP addresses' to me means the number of nodes reporting into GTI. Thus, the likelihood of your node being the first to see a new piece of malware is small. This is a large database, giving better accuracy for new and unknown files getting the analysis needed to update signature files, quicker than without the GTI reporting. The law of large numbers is acting here. Probably the only larger database is MS, but mostly collected monthly (via MSRT), whereas McAfee is collecting constantly. That is as long as the On-Access Heuristics (Artemis or GTI) are ON.


          But even if you completely disable GTI, the fact that others do not, decreases the time it takes for analyzing newly discovered malware. As a result, .DAT files may get updated signatures sooner, thus the On-Demand scan will catch that malware even though the On-Access scan missed something. The delay between new (zero-day) exploits and updated signatures is where On-Demand scan will catch things that the On-Access scan missed.


          If the Signatures have yet to be updated for very recent malware, it is less likely that during boot the read of the file will catch the malware during its startup (especially if VSE has yet to load). It's also unlikely that GTI can help much there as well, as many files may already be running before the network interface is active.


          The one big downside to GTI is that when enabled, it is possible for VSE to mistakenly delete, or force the deletion at next boot of, a critical file, causing the OS to not boot. A False-Positive on a critical file can make for a very long day. So, GTI should not be set higher than Medium unless the security administrator is actively working on an outbreak within the network. Personally, I keep GTI set to Low.


          With or without GTI, the On-Demand Scan does catch malware missed by the On-Access Scanner. For my customers, I recommend a Weekly scan, though this is debatable. Also, what is included in the On-Demand Scan can cover more items that might significantly impact performance on the On-Access Scanner. Thus, the on-demand scan may catch things that got through the more liberal On-Access Scan settings. It's a balancing act.


          Anyway, just my thoughts.

          Ron Metzger

          • 2. Re: VSE OD discussion queries - VSE Technical Briefs (SNS Journal - VSE edition 22/08/14)

            Hi rmetzger,


            Good point on the 140 million IP addresses - I suppose it is the way that you read it :-)  I would agree with your interpretation.  I also agree with your comments on the scenario where GTI is disabled.  Thanks for your thoughts and interpretation on this - I think the journal article could have been worded slightly better, but I still think the journals are a very good thing.


            Regarding your comment on balancing acts - I wholly concur!  The number of clients I have been to that think that VSE can simply be installed and left is quite scary :-)