8 Replies Latest reply on Sep 5, 2014 8:58 AM by rmetzger

    Customize VSE to analyze automatically removable media

    willsonlebig

      Hi all,

      I would like you to think and if possible develop a tool that will work with McAfee Virus Scan Enterprise to analyse removable media as soon as it is plugged.

      This feature is already included in McAfee antivirus home versions like McAfee Antivirus Plus.

      I need your ideas about this case.

       

      thank you in advance!

        • 1. Re: Customize VSE to analyze automatically removable media
          ansarias

          Hello,

           

          As far as I know, we don't have such an option in VSE.

          • 2. Re: Customize VSE to analyze automatically removable media
            mbenali

            This option is not available in VSE but what you can do is to disable autorun. This can be done as well in HIPS.

             

            1. McAfee VirusScan Enterprise (Access Protection Rules) and McAfee Host Intrusion Prevention System prevent programs from being registered as Autorun:

             

            1. VirusScan Enterprise 8.7i-8.8:
              1. In the VirusScan console – Access Protection – category: Common Maximum Protection. Enable this rule to block: Prevent Programs registering to Autorun.
              2. In the VirusScan console – Access Protection – category: AntiVirus Standard Protection. Enable this rule to block: Prevent remote creation of Autorun files.

             

            Furthermore, you could control access to the removable media with device control.

            • 3. Re: Customize VSE to analyze automatically removable media
              rmetzger

              Hi willsonlebig,

              willsonlebig wrote:

               

              Hi all,

              I would like you to think and if possible develop a tool that will work with McAfee Virus Scan Enterprise to analyse removable media as soon as it is plugged.

              This feature is already included in McAfee antivirus home versions like McAfee Antivirus Plus.

              I need your ideas about this case.

              thank you in advance!

              Scanning entire USB (flash) drives 'automatically' is not very effective at stopping malware. It is very effective at killing performance and making USB drives impractical. Performance issues with the USB interface, coupled with the recent incredible sizes of new USB attached drives can make scanning the entire drive so painfully slow that your users would find the system unusable.

               

              A better strategy is to scan all files upon Read and Write to the drive (via the On-Access Scanner). As long as this is done, scanning the entire external drive is simply redundant without value. The On-Access Scanner can handle this nicely without the performance penalty of scanning the entire drive. Scanning the entire external drive before allowing access is simply a placebo scan, used to placate the uninformed or the paranoid. If you find it necessary, those workstations can have the heuristics scan (Artemis, or GTI) set to High, though expect false positives at this level.

               

              Make sure that from the Control Panel:

              On-Access Scan Properties>All Processes>Scan Items>Scan Files

                   Check "When reading from disk"

               

              Make the equivalent settings change from ePO if available.

               

              This will ensure that any file on the USB drive is scanned prior to execution (autorun or otherwise).

               

              This setting should be in place regardless of external drives as this is an Absolute Requirement for stopping many forms of malware, for internal drives too.

               

              In addition, make sure that from the Control Panel:

              On-Access Scan Properties>All Processes>Scan Items>Scan Files

                   Check "When writing to disk"

               

              to ensure that files written to the USB drive are scanned during the write process.

               

              These 2 settings ('When reading from disk' and 'When writing to disk') coupled with GTI, should protect against spreading malware from external drives, as long as you are keeping the signature files completely up to date.

               

              :: see McAfee KnowledgeBase - McAfee GTI File Reputation Service - Best Practices Guide for VSE 

              (hxxps://kc.mcafee.com/corporate/index?page=content&id=PD24043)

               

              I hope this is helpful.

              Ron Metzger

                

              • 4. Re: Customize VSE to analyze automatically removable media
                willsonlebig

                Thank you all for your answers!

                I am not talking about the consequences, but I want to know if it is possible to develop an application that can open a GUI to ask the user if he wants to scan the USB key.

                • 5. Re: Customize VSE to analyze automatically removable media
                  llamamecomoquieras


                  Hi Willsonlebig,

                   

                  I have been working in support for almost 4 years. As we well know, this functionality is not in VSE and other competitors have it, and I think it is called pre-scan. As far as I know some consumer products have this option, but not VSE Enterprise. I have been told that customers should submit a PER (Product Enhancement Request) to ask the McAfee product manager to consider this new functionality. As far as I know, at least 8-10 of my customers submitted the PER, so I think maybe the product manager does not see this option as a good functionality to be included in VSE (they should know why after analyzing positive and negative points).

                   

                  As I used to tell my customers, the only thing that you can do is to submit a PER as per KB60021 (https://kc.mcafee.com/corporate/index?page=content&id=KB60021) and wait for the product manager's decision.

                   

                   

                  All the best and best regards,

                   

                  Jose Maria

                  • 6. Re: Customize VSE to analyze automatically removable media
                    willsonlebig

                    Hello llamamecomoquieras,

                    Thank you for your explanation!

                    I have already submitted a PER (Product Enhancement Request) and also a SR (Service Request).

                    I am also having requests from my customers about this option.

                    Many times according to the information I received from McAfee Support, I told them the reason why McAfee VSE does not have this option enabled.

                    But they don't want to share this opinion because many other vendors have this option.

                    It is for this reason that I was thinking if it is possible to develop an application to do it.

                    Have a nice week-end!

                    • 7. Re: Customize VSE to analyze automatically removable media
                      llamamecomoquieras

                      Hi Willsonlebig,

                       

                      I was thinking a bit about your idea, as I don't think McAfee will implement this in the future, since many PERs have been submitted without success.

                       

                      What you could do is create a script that, when a USB is plugged in (event 4688), calls the VSE command line scanner for the USB path (E:\, G:\...) and does a full scan.

                       

                      http://social.technet.microsoft.com/forums/windows/en-US/3eba3ae4-1d93-4181-888b-6980885f6537/event-id-when-usb-removable-disk-is-plugged-in

                       

                      VSE command line switches

                       

                      https://kc.mcafee.com/corporate/index?page=content&id=KB52229

                       

                      I think that this can work and do what you are looking for.

                       

                      Best regards,

                       

                      Jose Maria
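
A sketch of the script idea from the post above, combined with the yes/no prompt requested earlier in the thread. This is an added example, not code from any poster or from McAfee. It listens for the WMI `Win32_VolumeChangeEvent` arrival notification rather than an event-log ID. The scanner path and the use of the drive root as the scan target are assumptions to check against KB52229.

```powershell
# Added example (Windows PowerShell 5.1; Register-WmiEvent is not in PowerShell 7).
# ASSUMPTION: $ScannerPath is where the VSE on-demand scanner (scan32.exe) is
# installed on this machine. Verify the path, and take any switches from KB52229.
$ScannerPath = 'C:\Program Files (x86)\McAfee\VirusScan Enterprise\scan32.exe'

Add-Type -AssemblyName System.Windows.Forms

# Win32_VolumeChangeEvent: EventType 2 = device arrival.
$query = 'SELECT * FROM Win32_VolumeChangeEvent WHERE EventType = 2'
Register-WmiEvent -Query $query -SourceIdentifier 'RemovableArrival'

try {
    while ($true) {
        $evt   = Wait-Event -SourceIdentifier 'RemovableArrival'
        $drive = $evt.SourceEventArgs.NewEvent.DriveName   # e.g. "E:"
        Remove-Event -EventIdentifier $evt.EventIdentifier

        # Act only on removable disks (Win32_LogicalDisk.DriveType 2).
        # Note: many USB hard disks report DriveType 3 (fixed) and are skipped here.
        $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'"
        if (-not $disk -or $disk.DriveType -ne 2) { continue }

        $answer = [System.Windows.Forms.MessageBox]::Show(
            "Removable drive $drive was connected. Scan it now?",
            'Removable media scan',
            [System.Windows.Forms.MessageBoxButtons]::YesNo,
            [System.Windows.Forms.MessageBoxIcon]::Question)
        if ($answer -ne [System.Windows.Forms.DialogResult]::Yes) { continue }

        if (-not (Test-Path -LiteralPath $ScannerPath)) {
            Write-Warning "Scanner not found at $ScannerPath"
            continue
        }
        # ASSUMPTION: the scanner accepts the drive root as its scan target.
        Start-Process -FilePath $ScannerPath -ArgumentList "$drive\"
    }
}
finally {
    Unregister-Event -SourceIdentifier 'RemovableArrival'
}
```

The prompt only adds an on-demand scan. The On-Access Scanner settings described earlier in the thread still apply to every file read from or written to the drive, whatever the user answers.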

                      • 8. Re: Customize VSE to analyze automatically removable media
                        rmetzger

                        Hi Willsonlebig,

                        willsonlebig wrote:

                         

                        I am not talking about the consequences, but I want to know if it is possible to develop an application that can open a GUI to ask the user if he wants to scan the USB key.

                        This is already there.

                        In Explorer, Computer -> Right-Click on the new drive -> 'Scan for threats'

                         

                        It has been my experience that this works for those who are concerned about security, but fails for anyone who doesn't want to be bothered. To those people (the don't bother me group), your requested pop-up GUI prompt would simply be annoying and immediately closed. Again, as long as 'Scan on read from disk' and 'Scan on write to disk' are checked, It Will Be Scanned, without the redundancy.

                         

                        With security software, it is always a balancing act between Performance, User Interface, and Security. Each has to be good. But when one encroaches on the other, reason must balance out the answer.

                         

                        When I have consulted on systems that have other AV solutions on it (or McAfee VirusScan consumer) that extra scan has simply gotten in the way. I have to turn it off to get my work done, otherwise wait hours for the scan to complete. If their On-Access Scanner is any good at all, it should find problems without the redundant scan. A second scan is simply a placebo effect.

                         

                        I personally don't need changes made to security software, simply because some other security software has a 'feature' to overcome its inferior scanning. Other security software may need this feature, but in my humble opinion, VSE does not. Education may be the best solution. Otherwise, we placate the uninformed.

                         

                        For those who wish to scan on drive insertion: Explorer, Computer -> Right-Click on the new drive -> 'Scan for threats'

                         

                        Good luck,

                        Ron Metzger