Posts tagged ‘McAfee’

Nitro and Q1Labs Sold

McAfee to acquire NitroSecurity. IBM to acquire Q1Labs.

Can anyone think of an example where a big company bought a smaller security company and the product got better? We could spend the rest of the day talking about products that became moribund or were abandoned altogether because some big company thought they were missing an important piece in their portfolio.

I get it. The investors need to be paid. The startup execs aren't as into the day-to-day of a company as when they worked out of the garage. They want to get paid and then have the wealth to be the investor for the next go-around.

The customer is left wondering if the company was purchased for a patent or for a specific integration. Will I now be frozen out because the %bigCompany% has traditionally not been interested in talking to me? Will the hardware lifecycle stay the same, or will we find a constant churn of new hardware models designed to force upgrades?

The press releases linked at the top make me feel like IBM sees Q1Labs as an important component. The McAfee/NitroSecurity press release makes me wonder if ePO will suddenly be the only way to manage the appliances and whether non-McAfee products will play second fiddle.

Fake AV on Drudge

I was over at the Drudge Report last night and finally saw a fake antivirus social engineering attempt there. I'd heard before that the ads on Drudge often served that up, but it was the first time I ran across it myself.
On my work computers, I have the full Symantec Endpoint Protection suite installed and the IPS generally detects and blocks fake antivirus attempts. My home computer doesn't have the firewall component of SEP installed, so it can't have the IPS functionality. This means it's relying on the antivirus scanner exclusively for detection. Of course that detected nothing.
I downloaded the inst.exe file. That's the same file name I see in the fake antivirus attempts that are frequently made at pwinsider.com. You'd think the bad guys would avoid using the same file name all the time.
I got sidetracked and didn't run the file through VirusTotal until this morning. 13 out of 41 engines detected the file, downloaded from a major site, the day after.

File inst.exe received on 2010.05.06 14:31:04 (UTC)
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.05.06 -
AhnLab-V3 2010.05.05.00 2010.05.05 -
AntiVir 8.2.1.236 2010.05.06 TR/Fakealert.mnd
Antiy-AVL 2.0.3.7 2010.05.06 -
Authentium 5.2.0.5 2010.05.06 -
Avast 4.8.1351.0 2010.05.06 -
Avast5 5.0.332.0 2010.05.06 -
AVG 9.0.0.787 2010.05.06 -
BitDefender 7.2 2010.05.06 Trojan.FakeAlert.CCA
CAT-QuickHeal 10.00 2010.05.04 -
ClamAV 0.96.0.3-git 2010.05.06 -
Comodo 4779 2010.05.06 -
DrWeb 5.0.2.03300 2010.05.06 Trojan.Fakealert.15369
eSafe 7.0.17.0 2010.05.05 -
eTrust-Vet 35.2.7471 2010.05.06 Win32/FakeAlert.E!generic
F-Prot 4.5.1.85 2010.05.06 -
F-Secure 9.0.15370.0 2010.05.06 Trojan.FakeAlert.CCA
Fortinet 4.0.14.0 2010.05.05 -
GData 21 2010.05.06 Trojan.FakeAlert.CCA
Ikarus T3.1.1.84.0 2010.05.06 -
Jiangmin 13.0.900 2010.05.06 -
Kaspersky 7.0.0.125 2010.05.06 Packed.Win32.Krap.ai
McAfee 5.400.0.1158 2010.05.06 -
McAfee-GW-Edition 2010.1 2010.05.06 -
Microsoft 1.5703 2010.05.05 -
NOD32 5091 2010.05.06 a variant of Win32/Kryptik.ECX
Norman 6.04.12 2010.05.06 -
nProtect 2010-05-06.02 2010.05.06 Trojan.FakeAlert.CCA
Panda 10.0.2.7 2010.05.05 Suspicious file
PCTools 7.0.3.5 2010.05.06 -
Prevx 3.0 2010.05.06 High Risk Cloaked Malware
Rising 22.46.03.04 2010.05.06 -
Sophos 4.53.0 2010.05.06 Mal/FakeAV-CZ
Sunbelt 6267 2010.05.06 FraudTool.Win32.SecurityTool (v)
Symantec 20091.2.0.41 2010.05.06 -
TheHacker 6.5.2.0.277 2010.05.06 -
TrendMicro 9.120.0.1004 2010.05.06 -
TrendMicro-HouseCall 9.120.0.1004 2010.05.06 -
VBA32 3.12.12.4 2010.05.06 -
ViRobot 2010.5.6.2304 2010.05.06 -
VirusBuster 5.0.27.0 2010.05.06 -
 
Additional information
File size: 887824 bytes
MD5…: 2e797ae47b533739a234ffd66d736a55
SHA1..: d3a984790a2d83f33db3b7791d540f259eb1ef34
SHA256: 05a094eb2512b0df90b98e8789ce9166049749dc428d38561d805c577ec52202
ssdeep: 24576:j9r0ObkXlgxp3JEFp56d1Ctz7YQn7jPff7l0xm6U:j6pwp5Ap0A4GPfKzU
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1000
timedatestamp…..: 0x42f2757e (Thu Aug 04 20:07:26 2005)
machinetype…….: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x58000 0x57400 7.79 c8a376ad4f177f3ae434902b7b8f4a8f
.rdata 0x59000 0x1000 0x200 3.79 6d3e2283fc369479980764aca0706a36
.trash 0x5a000 0x80000 0x7f200 7.79 4579192af1340dc0f8377086beb4767c
.rsrc 0xda000 0xa3000 0x2000 5.14 00d9d5b447b6a0236d734be8ae5af459
.reloc 0x17d000 0x4 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e

( 2 imports )
> ntdll.dll: DbgPrint, DbgPrompt, NtPulseEvent, RtlUlongByteSwap, atan
> KERNEL32.dll: GetModuleHandleA, CreateFileA, GetLastError, WriteFile, ReadFile, GetVersionExA, ExitProcess, CloseHandle, GetCurrentProcessId, GetCurrentProcess, GetCurrentThreadId

( 0 exports )

RDS…: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
Symantec Reputation Network: Suspicious.Insight http://www.symantec.com/security_response/writeup.jsp?docid=2010-021223-0550-99
sigcheck:
publisher….: n/a
copyright….: n/a
product……: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments…..: n/a
signers……: -
signing date.: -
verified…..: Unsigned
http://info.prevx.com/aboutprogramtext.asp?PX5=58CECCFE103F91A08CFD0D13520C63001BD0C5B4

In March the Senate Sergeant at Arms traced the source of an infection back to Drudge. People thought that was politically motivated. Drudge is a high value target due to the number of visitors. Is there anything he should be doing differently? I think he needs to be holding his ad company to a higher standard and switching companies if they continue to allow these malicious ads to sneak in.

Staging Virus Definition Updates

In the wake of McAfee's false positive that rendered Windows XP computers unbootable there has been a lot of talk. What I wanted to talk about today was the staging of virus definition updates. I saw a lot of comments that companies took the McAfee update and deployed it company-wide without any testing.
I don't know of companies of any size that would roll out any other patches without testing. Or I shouldn't say testing as much as rolling it to a small group of users, followed by a bigger group, then all. Even if no tests are performed, the computer is at least used after the update and shown that everyday tasks still work.
Yet companies have given in to the virus definition update race and update definitions between 365 and 5000 times a year without any testing at all.
Depending on your vendor, virus definitions come out between 1 and 20 times per day. Do you really want to be the choke point that prevents your company from being as fully protected as it could be? I gave up on that after the time I had to drive back from an awards dinner and run down a hallway yelling "hit update now, hit update now". (I needed the email gateway antivirus updated.)
Perhaps I'm going to feel really stupid when Symantec does the same thing next year. But I still feel our protection is better for having up-to-date definitions. Perhaps as a middle ground I could apply Rapid Release definitions to my own computer.
More and more antivirus vendors are going to the cloud or going to the community to provide intelligence on the validity of a file. As antivirus vendors take to the cloud, any staging/testing of virus definitions is only part of the equation. You can't test the cloud in small groups.

Comcast to warn of infected machines

This week numerous sources reported on news that Comcast will deliver popups to alert customers with infected machines.
I agree with Phil Lin, marketing director at network security firm FireEye Inc, as reported in the linked AP story above: if this catches on we'll soon see this used in social engineering attacks.
According to Brian Krebs in his Washington Post blog Security Fix, the alert is a

“so-called “service notice,” a semi-transparent banner that overlays a portion of whatever page is being displayed in the customer’s Web browser. Customers can then either move or close the alert, or click “Go to Anti-Virus Center,” for recommended next-steps, which may include downloading and running the McAfee anti-virus tools the company offers for free, or purchasing a cleanup package and allowing a Comcast technician to attempt to remotely diagnose and fix the problem.”

I'd love to see an escalation so that ignored notices eventually put you in a walled garden until remediation occurs.
There is debate in the industry about the responsibility of the ISP. Techies want a pipe. They don't use the ISP's email server, webhosting, or news server. They don't want blocked ports or managed traffic. There is another side that demands a clean pipe. I've seen this more in the business area, where a business ISP partners with a Security as a Service vendor to clean up or monitor the Internet traffic. John Pescatore takes this position in his post, saying warning about a problem isn't as good as preventing the problem from reaching the user in the first place.
I think it's good to see an ISP want to be a good citizen. ISPs want to be more than just dumb pipes. Trying to clean up the neighborhood is a good start. This is a logical next step from blocking ports such as outbound SMTP other than through the ISP's mail server.

AVComparatives Corporate Review

AVComparatives has posted a review of corporate products at http://www.av-comparatives.org/comparativesreviews/corporate-reviews. This test includes AVIRA, ESET, GDATA, Kaspersky, Sophos, Symantec and Trustport. No mention of McAfee or Trend Micro, which I believe would both be in the top three deployed corporate endpoint protection solutions.
The report includes a detailed table comparing the available features of the products. For the most part it does not focus on detection rates. It does report on spam detection rates. Personally I think spam filtering belongs at the enterprise gateway, not at the desktop.
As a Symantec Endpoint Protection admin, I loved one of the conclusions of the report, “The Symantec suite is, by far, the most mature and professional product tested by us.”

Kaspersky and csshover.htc Possible False Positive?

This morning Kaspersky is detecting Downloader.JS.Iframe.aqo in csshover.htc on a few different websites.
Seems to be a false positive.
Virustotal shows the following:

File csshover.htc received on 04.09.2009 17:40:35 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.04.09 -
AhnLab-V3 5.0.0.2 2009.04.09 -
AntiVir 7.9.0.138 2009.04.09 -
Antiy-AVL 2.0.3.1 2009.04.09 -
Authentium 5.1.2.4 2009.04.08 -
Avast 4.8.1335.0 2009.04.09 -
AVG 8.5.0.285 2009.04.09 -
BitDefender 7.2 2009.04.09 -
CAT-QuickHeal 10.00 2009.04.09 -
ClamAV 0.94.1 2009.04.09 -
Comodo 1107 2009.04.09 -
DrWeb 4.44.0.09170 2009.04.09 -
eSafe 7.0.17.0 2009.04.07 -
eTrust-Vet 31.6.6447 2009.04.09 -
F-Prot 4.4.4.56 2009.04.08 -
F-Secure 8.0.14470.0 2009.04.09 Trojan-Downloader.JS.Iframe.aqo
Fortinet 3.117.0.0 2009.04.09 -
GData 19 2009.04.09 -
Ikarus T3.1.1.49.0 2009.04.09 -
K7AntiVirus 7.10.697 2009.04.08 -
Kaspersky 7.0.0.125 2009.04.09 Trojan-Downloader.JS.Iframe.aqo
McAfee 5578 2009.04.08 -
McAfee+Artemis 5578 2009.04.08 -
McAfee-GW-Edition 6.7.6 2009.04.09 -
Microsoft 1.4502 2009.04.09 -
NOD32 3997 2009.04.09 -
Norman 6.00.06 2009.04.09 -
nProtect 2009.1.8.0 2009.04.09 -
Panda 10.0.0.14 2009.04.09 -
PCTools 4.4.2.0 2009.04.08 -
Prevx1 V2 2009.04.09 -
Rising 21.24.32.00 2009.04.09 -
Sophos 4.40.0 2009.04.09 -
Sunbelt 3.2.1858.2 2009.04.09 -
Symantec 1.4.4.12 2009.04.09 -
TheHacker 6.3.4.0.305 2009.04.09 -
TrendMicro 8.700.0.1004 2009.04.09 -
VBA32 3.12.10.2 2009.04.09 -
ViRobot 2009.4.7.1686 2009.04.09 -
VirusBuster 4.6.5.0 2009.04.09 -
 
Additional information
File size: 4314 bytes
MD5…: 4d50942ad963dd3d0cde4fe42ae1157b
SHA1..: ddb47d9f8d783f8ff1b79527b65ee7e6ac53a359
SHA256: afb97a5d637531616f85cffcd11dd68e7b85f2b5aa01b51b7959dbf2fcf8704c
SHA512: c829e90f6a3669320aec4bb489fb91aa39ed17a85f1584156b5eb8fc32c26b4d610ede9a8060ce5a82b945930796c7033c55a8e48e7c13a4a179d2aa41b459c0
ssdeep: 96:D+5yu5ugQhnmLzuAX6mLJ3FFD6wB5XhY/l1yYmLXiuiXqwCDGqh:Dju5ugQOFzLJ3FF5B5S/l1B8XiuiXtCP
PEiD..: -
TrID..: File type identification
Unknown!
PEInfo: -
RDS…: NSRL Reference Data Set
-

UPDATE: This afternoon, I reported the false positive to Kaspersky via a webform. I heard back pretty quickly that this was fixed in the latest defs. Also note Ryan's entry in the comments.
My problem was compounded a bit because the BlueCoat cached the "infected" status, so I needed to clear the cache of that before csshover.htc could be served.
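Both VirusTotal reports on this page (inst.exe above and csshover.htc here) share the same text layout, so one tally script serves both; it is an added example, not VirusTotal's or the post author's code, and the excerpts it parses are constructed from a few rows of those reports. It reports the detection ratio, the engines that fired and how many distinct detection names they used, which is one quick way to see that a 2-of-40 result rests on a single shared name.

```powershell
# Constructed excerpts: a handful of rows from each report shown in the posts.
$instReport = @"
File inst.exe received on 2010.05.06 14:31:04 (UTC)
Antivirus Version Last Update Result
AntiVir 8.2.1.236 2010.05.06 TR/Fakealert.mnd
AVG 9.0.0.787 2010.05.06 -
BitDefender 7.2 2010.05.06 Trojan.FakeAlert.CCA
F-Secure 9.0.15370.0 2010.05.06 Trojan.FakeAlert.CCA
McAfee 5.400.0.1158 2010.05.06 -
Prevx 3.0 2010.05.06 High Risk Cloaked Malware
Symantec 20091.2.0.41 2010.05.06 -
Symantec Reputation Network: Suspicious.Insight
"@

$htcReport = @"
File csshover.htc received on 04.09.2009 17:40:35 (CET)
Antivirus Version Last Update Result
F-Secure 8.0.14470.0 2009.04.09 Trojan-Downloader.JS.Iframe.aqo
Kaspersky 7.0.0.125 2009.04.09 Trojan-Downloader.JS.Iframe.aqo
McAfee 5578 2009.04.08 -
Prevx1 V2 2009.04.09 -
Symantec 1.4.4.12 2009.04.09 -
"@

function Get-VtTally {
    param([string]$Report)
    # One engine per row: name, version, update date (yyyy.mm.dd), result ("-" = clean).
    # The header row and trailer lines such as "Symantec Reputation Network" carry
    # no date in the third column and are skipped.
    $rowPattern = '^(?<engine>\S+)\s+(?<version>\S+)\s+\d{4}\.\d{2}\.\d{2}\s+(?<result>.+)$'
    $rows = @(foreach ($line in $Report -split "`r?`n") {
        if ($line -match $rowPattern) {
            [pscustomobject]@{
                Engine = $Matches.engine
                Result = $Matches.result.Trim()
                Hit    = $Matches.result.Trim() -ne '-'
            }
        }
    })
    $hits = @($rows | Where-Object Hit)
    $file = if ($Report -match '^File (\S+) received') { $Matches[1] } else { '?' }
    [pscustomobject]@{
        File          = $file
        Detected      = $hits.Count
        Engines       = $rows.Count
        Ratio         = if ($rows.Count) { [math]::Round($hits.Count / $rows.Count, 2) } else { 0 }
        # Few distinct names behind several hits usually means one shared signature source
        DistinctNames = @($hits | ForEach-Object { $_.Result } | Sort-Object -Unique).Count
        Hits          = ($hits | ForEach-Object { "$($_.Engine)=$($_.Result)" }) -join '; '
    }
}

Get-VtTally $instReport | Format-List
Get-VtTally $htcReport  | Format-List
```

Paste a full report into either here-string to get the real 13/41 and 2/40 figures; the row pattern also skips the "Additional information" block that follows the table.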

AV-Comparatives Performance Test

AV-Comparatives has released a test report comparing antivirus performance during boot, file copy and file compression.
To access the report, go to av-comparatives.org, click on Comparatives, and scroll down to the Performance Test report.
I'm always disappointed that the tests focus on consumer products (although Sophos is included). I'm more interested in Symantec Endpoint Protection than Symantec Antivirus 2009. I care more about McAfee Total Protection Suite than McAfee Antivirus.

Sophos Endpoint Security Eval Thoughts

This week I began an evaluation of Sophos Endpoint Security. (Why do I get the feeling sales guys all over the country just perked up and began repeating "sales lead" to themselves?) Currently we're using Symantec Antivirus 10. I'm looking to consolidate antivirus, antispyware and the personal firewall into one product. We also want more protection than signature-based solutions can provide. For years I've wanted to go with Cisco Security Agent (although now I don't want to add yet another agent); I've also considered McAfee Total Protection because it has the McAfee HIPS technology.
Sophos recently made big sales to Northrop Grumman and GE. This shatters the notion that they are only a small European AV vendor. Sophos sales tells a pretty good story, and they are nothing if not tenacious.
When I set up their enterprise console, I found that, as they stated, it's a lot simpler to manage than McAfee TPS and Symantec Endpoint Protection. When I got to installing the client I found a couple of things that really bother me.
1. McAfee and Symantec both provide mechanisms for locking the client configuration. With Sophos they create local groups; Sophos Administrator, Sophos Power User and Sophos User. The install on the client added every member of local administrators to the Sophos Administrators group. In our company employees have local admin rights so this is kind of a problem.
Sophos’ answer to this is to use Restricted Group in Group Policy to restrict membership in the Sophos Administrators group to whatever groups you specify. Additionally they use Group Policy to place NTFS file permissions on their XML configuration file.
This solution is simply not as granular as that provided by the competitors. With Symantec I can allow specific settings to be modifiable by the user. I can give the user the uninstall password if necessary. The Sophos solution doesn't allow you to lock down settings on computers that are not members of your domain. It creates a dependency on Group Policy working correctly. Informed local administrators may be able to add themselves to the group long enough to perform their rogue task.
2. Installing Sophos requires supplying a local administrator account for the machine where the installation is occurring. Since we generally deploy software through SMS, this means I'll have to supply a password in the command line script. I believe that is specifically forbidden under NIST 800-53. It's certainly bad practice. It also raises questions on how users outside the domain will install (home users, Windows computers in other domains).
I haven't run across software with this requirement before. Either software runs as the user running the install (if they have admin rights) or you run the install as the SMS install account.
I had a lot of problems getting the install to work and then successfully check in for updates when installing on a non-domain computer.
3. The Sophos install creates a local administrator account. Now I'm sure it has a very strong password, but I'm just not comfortable with my software creating a local admin account. Symantec didn't do that. McAfee didn't do that.
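A drift check for issues 1 and 3, added here as an example (not Sophos', Symantec's or the post author's code): it reports who sits in the Sophos administrator group, which of them are also local administrators, and which enabled local accounts hold local admin rights beyond an approved baseline, so a member who adds themselves back or an installer-created admin account shows up on the next run. The group name, the approved lists and the use of the built-in Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later, run elevated) are assumptions.

```powershell
# Added check, not part of Sophos, Symantec or the post. Group and baseline
# names below are assumptions; adjust them for your site.
param(
    # The post names the group "Sophos Administrator"; change this if your
    # client build creates "SophosAdministrator" or similar.
    [string]$SophosAdminGroup = 'Sophos Administrator',
    # Principals allowed to change AV settings (assumed: a domain AV-admins group)
    [string[]]$ApprovedSophosAdmins = @('CORP\AV-Admins'),
    # Local accounts expected to hold local admin rights on a standard build
    [string[]]$ApprovedLocalAdmins = @('Administrator')
)

function Get-GroupMemberNames {
    param([string]$Group)
    try {
        # Names come back as HOST\user or DOMAIN\user
        @(Get-LocalGroupMember -Group $Group -ErrorAction Stop | ForEach-Object Name)
    } catch {
        Write-Warning "Local group '$Group' not found on $env:COMPUTERNAME"
        @()
    }
}

$localAdmins  = Get-GroupMemberNames -Group 'Administrators'
$sophosAdmins = Get-GroupMemberNames -Group $SophosAdminGroup

# 1. Who can reconfigure the AV client without being an approved AV admin?
$unapproved = $sophosAdmins | Where-Object { $ApprovedSophosAdmins -notcontains $_ }

# 2. Local admins the installer inherited into the Sophos group (issue 1), or
#    who added themselves back despite the Restricted Groups policy.
$overlap = $sophosAdmins | Where-Object { $localAdmins -contains $_ }

# 3. Enabled local accounts with admin rights outside the baseline: this is
#    where an installer-created local administrator account (issue 3) appears.
$unexpectedLocalAdmins = Get-LocalUser | Where-Object {
    $_.Enabled -and
    $ApprovedLocalAdmins -notcontains $_.Name -and
    $localAdmins -contains "$env:COMPUTERNAME\$($_.Name)"
} | ForEach-Object Name

[pscustomobject]@{
    Computer                     = $env:COMPUTERNAME
    UnapprovedSophosAdmins       = @($unapproved) -join ', '
    LocalAdminsInSophosGroup     = @($overlap) -join ', '
    UnexpectedLocalAdminAccounts = @($unexpectedLocalAdmins) -join ', '
} | Format-List
```

Any non-empty field is a finding to review; running it from the same SMS or scheduled-task context on domain and non-domain machines alike covers the systems Group Policy cannot reach.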
I've been accused of writing off these endpoint security vendors too quickly. The way I see it, it doesn't matter if the rest of the eval is perfect: if Sophos can't answer to my satisfaction why they are doing things this way and why it isn't a problem, I can't go with this product.
Sophos has already gotten me to change some of my thinking. Their defaults include scanning program files only, scanning on read/execute only, and not scanning compressed files. It's no wonder they claim to be faster than the competition. In those cases, they had a good argument for their recommendations (although a sales engineer did recommend I scan on write too and ignore the manual on that point). These three issues may be too much for me to accept.
My sales engineer is out most of next week. I’m out Monday. I’ll post a followup when I get some answers back.

Yet Another SEP11 problem

I wrote last week how my Vista tablet cratered shortly after I installed Symantec Endpoint Protection 11. I've rebuilt that computer, and decided not to do any more testing with SEP for a while. If I didn't have Symantec coming in sometime soon for a NAC demo I'd be evaluating McAfee Total Protection Enterprise.
Today I came in after a few days off and found that my desktop is out of hard drive space. After looking around I found 18.6 GB of files in c:\program files\common files\Symantec shared\. Most of these files were in directories named *.tmp. Now I know this sort of thing happened in previous versions of Symantec as well, but it hadn't happened to me, and it hadn't happened within weeks of installation.

Article: Color Me Complex

Information Security Mag has an article by Ed Skoudis and Matt Carpenter in which they do a bake-off between several endpoint protection products.
http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1280028_idx1,00.html
(Not sure if non-subscribers can view that or not. It's free to sign up, or try bugmenot.)
This will make all the Symantec bashers angry, but it actually comes out rather well. Looks like it will be worth it to learn the new platform that is SEP and upgrade.
Points of interest to me

  • ISS not doing so well. They don't have their own AV, so the AV piece and the rest seem cobbled together
  • Third Brigade not yet well integrated with Trend
  • McAfee surprisingly not doing well. I would have expected McAfee HIPS (Entercept) to have crushed the malware tests. It seemed that only the buffer overflow protection was tested. Was HIPS not on by default? I’m pretty sure it is part of Total Protection Enterprise
  • Symantec doing rather well.
  • Sophos scanning on read only by default

The article writers feel that Endpoint Protection suites are still new and have some maturing to do.