McAfee buys Safeboot
This is interesting: McAfee has purchased Safeboot for $350 million.
Safeboot seems to be the name I hear most when talking to people at other companies about what FDE products they use. I wonder if ePO will be extended to manage this software in the next few years. That would be pretty cool. I found Safeboot to be rather buggy in my eval. But it seems similar problems occur in any FDE product.
That McAfee would make this purchase shows that they think this will continue to be a big market. One wonders what other companies may be on the market.
What have we learned from history
Saw this on the McAfee blog.
Forefront for Sharepoint Eval
We’ve decided that McAfee Portalshield for Sharepoint isn’t cutting the mustard, so it’s time to look for other products. The Sharepoint guys are working on upgrading to Sharepoint 2007. From what I’ve heard, McAfee doesn’t support Sharepoint 2007 yet. McAfee Portalshield has had a couple of annoying habits anyway. Once we installed it, we had to restart IIS on a scheduled basis, otherwise the sites would become unavailable. We also had one compressed file that would constantly get detected, and we could never figure out where the file was located.
One of the sysadmins installed Forefront for Sharepoint and asked me to check it out. I really don’t remember why we didn’t go with this a year ago. I like Sybari products and this should be pretty much the same thing as the newer Microsoft Forefront branded products.
As I began to eval, I attempted to upload an eicar file. Forefront successfully detected this, but I also received a detection from Symantec Antivirus Corporate Edition (the file system antivirus) for Eicar in C:\Program Files\Microsoft Forefront Security\SharePoint\Data\ADF\VxData\eicar.00.ext. I figure that I need to exclude the data directory in SAV. It would be nice to find a KB indicating that, but no joy thus far.
Next, I uploaded cain.exe into my Sharepoint My Site. Actually, it rejected cain.exe because it is an executable, so I renamed the file to cain.ex_. Sybari had an incredibly stupid configuration where they only scanned file types known to be potentially malicious (this setting isn’t visible to the admin and is on by default). It seems that this behavior has held over to Microsoft Forefront, because cain.ex_ is not detected on upload. I initiated a quickscan of My Site in Sharepoint. Forefront still detects nothing, but I received a detection from SAV:
File: C:\WINDOWS\Temp\3e540056.$$$
Virus: CainAbel
It appears that Forefront is unpacking its scanned files in Windows\Temp. This seems incredibly foolish. I’m wondering if this has something to do with using the Clean setting rather than the delete setting. Either way, this shouldn’t happen.
Symantec Endpoint Security 11
Yesterday, I attended a webinar on Symantec Endpoint Security 11. It should be available for on-demand replay at symantec.com at some point.
A lot of people including myself have been very negative about the Symantec product, virus detection rates, and product support. I’m actually starting to believe that Symantec is turning things around. Yes, I know this brief ray of hope will soon be crushed by more Symantec nonsense. But for now, for this blog entry, I’ll focus on the positive.
Symantec Endpoint Security, formerly code named Hamlet, is a single agent, single console solution. In the past people have implemented piecemeal solutions. So the clients have anti-virus products, antispyware products, and a personal firewall. Each of these products requires a separate management point. They each require upgrades and management. There is an incredible cost to the old “best-of-breed” approach. Back then “kitchen-sink” solutions like Symantec Client Security were bloated beasts that weren’t the best at anything. McAfee Total Protection was the first vendor to grab my attention with a consolidated approach. Let’s see what Symantec brings to the table.
- Antivirus – as I’ve blogged about before, Symantec is doing much better on the AV tests.
- Antispyware – Includes Veritas technology VxMS to detect rootkits. They feel this is superior to rootkit detection in other products. I’m not convinced though that the product is overall better in spyware detection than Webroot or Sunbelt. But it may be worth it to preserve resources.
- Intrusion Prevention (Network and Host)
  - Generic exploit blocking (currently in SCS)
  - Proactive Threat Scan (from Whole Security)
  - Deep Packet Inspection
- Device Control – restrict data leakage (not a lot of info on this that I noted)
- Symantec NAC
This is all with a single agent. According to the presenter McAfee is using multiple agents in its product.
They had some interesting memory baseline numbers:
Symantec Antivirus Corporate Edition – 62 MB
Symantec Client Security – 129 MB
McAfee Total Protection – 71 MB
Symantec Endpoint Protection – 21 MB
That is a very significant number. We have been very concerned about each security solution adding a burden to the computer.
There is a public beta. To sign up for that, or for additional information, check out www.symantec.com/endpointsecurity.
This sounds interesting. Of course I would never install a dotZero release from Symantec. But about 6 months after release this could be of interest.
AV-Test Bakeoff
PC Mag has an article with the results of the latest av-test.org Antivirus bakeoff.
I’m kind of surprised Symantec did so well. It seems like just a few years ago they were days behind other vendors in releasing updates. They even beat McAfee, who only had an 87.28% detection rate.
Delf.aki
The HTTP gateway detected the Delf.aki virus in a file profilewatcher_setup.exe which one of my users tried to download. Just for kicks I uploaded it to the virustotal site and here’s the result.
File size: 985897 bytes
MD5: 837c3036adf45c11a45c8a2f356c060e
SHA1: ef7311d94a80962d886befefb6bc08f03941f3e4
packers: BINARYRES
Antivirus Version Update Result
AhnLab-V3 2007.5.21.1 05.22.2007 no virus found
AntiVir 7.4.0.27 05.22.2007 DR/Delf.aki
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 05.22.2007 no virus found
AVG 7.5.0.467 05.22.2007 no virus found
BitDefender 7.2 05.23.2007 no virus found
CAT-QuickHeal 9.00 05.22.2007 no virus found
ClamAV devel-20070416 05.23.2007 no virus found
DrWeb 4.33 05.22.2007 no virus found
eSafe 7.0.15.0 05.21.2007 Win32.Delf.aki
eTrust-Vet 30.7.3654 05.23.2007 no virus found
Ewido 4.0 05.22.2007 no virus found
FileAdvisor 1 05.23.2007 no virus found
Fortinet 2.85.0.0 05.22.2007 W32/Delf.AKI!tr.bdr
F-Prot 4.3.2.48 05.22.2007 no virus found
F-Secure 6.70.13030.0 05.23.2007 Backdoor.Win32.Delf.aki
Ikarus T3.1.1.8 05.22.2007 Backdoor.Win32.Delf.aki
Kaspersky 4.0.2.24 05.23.2007 Backdoor.Win32.Delf.aki
McAfee 5036 05.22.2007 no virus found
Microsoft 1.2503 05.22.2007 no virus found
NOD32v2 2285 05.22.2007 no virus found
Norman 5.80.02 05.22.2007 no virus found
Panda 9.0.0.4 05.22.2007 no virus found
Prevx1 V2 05.23.2007 no virus found
Sophos 4.17.0 05.21.2007 no virus found
Sunbelt 2.2.907.0 05.17.2007 no virus found
Symantec 10 05.23.2007 no virus found
TheHacker 6.1.6.120 05.21.2007 no virus found
VBA32 3.12.0 05.22.2007 Backdoor.Win32.Delf.aki
VirusBuster 4.3.23:9 05.22.2007 no virus found
Webwasher-Gateway 6.0.1 05.22.2007 Trojan.Delf.aki
As Steve Spurrier would say while coaching the Redskins, “6 and 10, not too good.” Virustotal will pass on this file to the vendors who didn’t detect it and they’ll “coach ‘em up.”
McAfee Joins Data Leakage Market
McAfee called me earlier this week about their Data Loss Prevention Host software. In addition to host-based software, they have an appliance to check for leakage at the network boundary. Enterprises that have implemented full disk encryption now realize that their data is at risk from more than just a stolen laptop. Social Security Numbers, Credit Card info and company proprietary information are routinely passed over the Internet in plain text at many companies.
I haven’t looked into this McAfee product, but I see their interest as a validation that this marketspace will continue to develop.
What is your selection criteria for corporate antivirus?
I was really impressed by the RFP George Washington University put together for their Encryption project. It was made available at the SANS Desktop and Storage Encryption Summit that I attended a few months back.
I decided to sit down and try to hammer out a list of requirements for some upcoming projects. I would like to replace the corporate antivirus that we currently use on our desktops and servers. I’ve been kind of impressed with what McAfee has done. Many companies left them for Symantec at the turn of the millennium. McAfee was too difficult to update, and had a reputation for bogging the systems down. Now McAfee has a reputation for being easy to manage through ePolicy Orchestrator, and many companies have tired of Symantec’s lack of support, virus definition corruption problems and confusing update structure.
Certainly reputation is important. Experiences from someone you trust can go a lot further than a 30 day eval in a lab. The problem is that the people I know using McAfee have really drunk the koolaid. They’re like a Mac user. They can only bash the competition; they apparently have nothing but positive experiences to report. It makes me question whether they can be trusted to provide a true evaluation of McAfee.
Actually detecting and cleaning is important. But how to select which vendor is good at it? I read an interesting NIST article on that from 1996. Rather than evaluating vendors on the basis of some virus zoo, I think a better evaluation is to 1) measure their response time when a new variant comes out, and 2) measure how they perform when signatures aren’t available and all that is left is heuristics and behavior profiling.
The ability to control which PUPs (potentially unwanted programs) are detected and what occurs. I am sick of getting alerts about Netcat. I don’t have a problem with it being in my environment. But because Symantec made an error in the version I’m running, I can’t completely exclude it from detection.
It is just so easy to make the evaluation points all of the things you hate about the current product, rather than brainstorming a full list of requirements.
Currently we have a lot of systems having issues with corrupt virus definitions. Gartner reports that McAfee has the same problems. How do I know if that’s a real issue? Is it better or worse than my Symantec problems?