9 Replies Latest reply on Aug 16, 2016 1:53 PM by william_warren

    Exploit prevention content date

    jmvalls

      Hi


      As far as I know, exploit prevention content signature is released once a month. We are testing Endpoint Security 10 in a few machines and in "about" info we can see that the last released signature for exploit prevention is 10.1.0.6555 (08/24/2015). Is this correct?


      Thank you.

        • 1. Re: Exploit prevention content date
          wwarren

          Yes, that is correct.


          Exploit Prevention content operates separately and differently from the daily DAT type of content you might be used to seeing.

          There still is daily DAT content, being provided through the AMCore Content updates but Exploit Prevention content is its own beast. 8/24/2015 is correct as of this posting for the exploit prevention content.

          • 2. Re: Exploit prevention content date
            jmvalls

            Thank you wwarren!


            I ask this because the product guide says that Exploit Prevention Content is updated once a month (usually after Microsoft Patch Tuesday).

            • 3. Re: Exploit prevention content date
              wwarren

              I ask this because the product guide says that Exploit Prevention Content is updated once a month (usually after Microsoft Patch Tuesday).

              Good find.

              Interestingly your thread here has come in tandem with inquiries on the same topic elsewhere; so this discrepancy has certainly not gone unnoticed.

              We need to write up some kind of documentation-correction article in hopes of avoiding propagating more confusion... there, added it to my to-do list.

              • 4. Re: Re: Exploit prevention content date
                mcafeenewb

                http://b2b-download.mcafee.com/products/naibeta-download/ENS_10-1/threat_prevention_white_paper.pdf

                Threat Prevention 10.1 introduces content-based Exploit Prevention capability. This capability replaces the VirusScan Enterprise 8.8 Buffer Overflow Protection and provides a broader range of coverage against vulnerabilities and exploits. The Exploit Prevention content is updated monthly, based on research done by our dedicated malware research team. The content is published in line with the Microsoft Black Tuesday vulnerability announcements. This content not only provides protection against zero-day exploits, but also gives you some flexibility in applying Microsoft patches.


                I have to ask - what I am taking away from your comment is that the Exploit Prevention Content has not been updated from Intel/McAfee since 08/24/15, the same date as my lab installation. The documentation states (in various articles) that it is updated monthly to match Patch Tuesday and various other threats/exploits identified. Your statement is that this is a "discrepancy"? That is quite a large discrepancy, no?

                • 5. Re: Re: Exploit prevention content date
                  wwarren

                  Some might think so, yeah.

                  It can also be interpreted as our current content is still more than adequate to contend with today's threats.

                  But either way I've submitted a documentation correction to our KB system, KB86631.

                  • 6. Re: Re: Re: Exploit prevention content date
                    mcafeenewb

                    My apologies for reviving an old thread, but I felt this was worth sharing.


                    As a simple test I ran 4 very common Metasploit exploits against the Exploit Prevention content version 10.1.0.6555, dated 8/24/15. As per the product literature, the Threat Prevention module utilizes the Exploit Prevention content, providing a broader range of coverage than legacy BOP in VSE could ever offer.


                    I executed 4 common exploits on a target system and none had been detected/prevented by the Threat Prevention module.

                    • exploit/multi/browser/java_jre17_glassfish_averagerangestatisticimpl
                    • exploit/multi/browser/adobe_flash_opaque_background_uaf
                    • exploit/windows/browser/ms13_022_silverlight_script_object
                    • exploit/windows/browser/adobe_media_newplayer
                    How is it that the Threat Prevention module did not observe/detect the above attacks?
                    Thank you

                    • 7. Re: Exploit prevention content date
                      jasonliu

                      Wow, McAfee, can you comment on this? Is your Exploit Prevention useless? And can I trust other modules? I'll stay with VirusScan Enterprise for now.

                      • 8. Re: Exploit prevention content date
                        jasonliu

                        Hi wwarren, any comment on it?

                        • 9. Re: Exploit prevention content date
                          william_warren

                          (using a different account while I sort out authentication issues with my primary account)


                          Best to follow up on the details through Support.


                          There is a specific escalation path that can vouch for those threats being part of the content or not.

                          And if not, they can be added. You'd want to know why they weren't present already though.

                          And if they are added, the focus will be on why the product is not blocking them: config issues, compatibility, installation, etc.


                          But, I'll raise awareness of this thread to folks from our Content team.