Mcafee GETSUSP (Stinger V2) free Virus Scan / HIPS

by butsch 27. April 2015 01:13

http://www.mcafee.com/us/downloads/free-tools/getsusp.aspx

http://www.mcafee.com/us/downloads/free-tools/index.aspx

http://www.mcafee.com/uk/downloads/free-tools/how-to-use-getsusp.aspx

In case of a virus infection I would from now on run the McAfee GETSUSP tool on the individual clients, in addition to VSE.

  1. GETSUSP scans on a GTI basis (McAfee's online cloud DB). Binaries can also be uploaded manually to have them analysed.
  2. It activates (does not install) a HIPS (IPS) firewall that monitors the network traffic while the tool is running (real-time scan for virus and botnet traffic).
  3. The network HIPS tool is also available free of charge for the tray (RAPTOR). It can be started once and, if required, activated again after the reboot (autostart). After cleaning clients, leave this tool on them for a few days.


Disadvantage: the client must be online, because the files are checked via P2P/GTI/cloud.

Advantage: there is an ePO version.


Binaries/files can also be checked online here:

www.virustotal.com

https://www.hybrid-analysis.com
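Before uploading anything the tool flagged, a practitioner usually looks the file up by hash first, since a binary may contain confidential data. The following added example (not code from the original post or from McAfee) hashes the files in an assumed folder C:\Suspicious (placeholder path) and writes a CSV with the SHA-256, MD5 and the VirusTotal lookup URL; it needs PowerShell 4.0 or later for Get-FileHash and makes no network connection itself.

```powershell
# Added example (not from the original post): hash the files GETSUSP flagged
# so they can be looked up on VirusTotal / Hybrid Analysis by hash first,
# without uploading a possibly confidential binary.
# Assumed: suspicious files were copied to C:\Suspicious (placeholder path);
# Get-FileHash requires PowerShell 4.0 or later.

$Folder = 'C:\Suspicious'
$Report = Join-Path $Folder 'hashes.csv'

$rows = Get-ChildItem -Path $Folder -File -Recurse |
    Where-Object { $_.Name -ne 'hashes.csv' } |
    ForEach-Object {
        $sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
        $md5    = (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash.ToLower()
        [PSCustomObject]@{
            File       = $_.FullName
            SizeBytes  = $_.Length
            LastWrite  = $_.LastWriteTime
            SHA256     = $sha256
            MD5        = $md5
            # Hash lookup page; upload the file only if the hash is unknown there.
            VirusTotal = "https://www.virustotal.com/gui/file/$sha256"
        }
    }

# CSV for the incident record, short table for the console.
$rows | Export-Csv -Path $Report -NoTypeInformation -Encoding UTF8
$rows | Format-Table File, SizeBytes, SHA256 -AutoSize
```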

McAfee Raptor (free HIPS firewall)

McAfee GETSUSP (Stinger V2.0)

Upload files to check online:

HTML Report:

Tags:

Client Management | Mcafee VSE, EPO, DLP

VMWARE / VDI malware Protection Symantec, Trend and Mcafee

by butsch 24. February 2015 06:21

Symantec Endpoint Protection still has no agentless virus scan version like Trend or McAfee with MOVE. Those use the vShield API from VMware and need no software running directly in the VM. (http://www.vmware.com/pdf/vshield_55_admin.pdf)

BUT tests have shown that even with the agent in the VM/VDI, Symantec SEP 12.X is faster in daily tracking, stable status and scanning, and is only slow when the machine does its virus pattern update once a day.

Keep in mind that most antivirus producers only update the main definitions once a day (McAfee 17:00 CET) and the rest is GTI/0-day releases on all three.

So even with the agent in VDI machines you get, as a rule of thumb, more or at least equal performance.

Also keep in mind that virus APIs like the one from Microsoft have been the source of a lot of trouble, false events and fights over the last few years. You can decide whether you want that between:

  1. your antivirus producer and MS

    OR

  2. your antivirus producer and VMware

Worth mentioning on that part would be a solution in the hypervisor, which mixes things up again.

The problem in general may not be so pressing any more, since NetApp and all the new companies coming out with Flash/SSD storage try to solve it from the other side.

Gartner Magic Quadrant

http://blogs.antivirussales.ca/en/blog/gartner-magic-quadrant-for-endpoint-protection-platforms/

Mentioned products in terms of VM in those articles:

MCAFEE:

McAfee's Management for Optimized Virtual Environments (MOVE) has offered optimized anti-malware scanning in virtualized environments for two years, and now MOVE 2.5 offers agentless anti-malware scanning in VMware environments using native vShield API integration.

Symantec:

Symantec does not yet offer an "agentless" version for optimizing anti-malware scanning in virtualized environments (although its shared Insight cache feature can be used to improve performance).

2012 Symantec SEP 12.1 and Mcafee MOVE under VMware 5.X

http://www.acmehk.net/report_download/Tolly212130SymantecSEP12dot1VMwareAVPerformance.pdf

2012 Symantec SEP 12.1 and Trend

http://www.symantec.com/connect/sites/default/files/Tolly212117SymantecSEP12_TRendDS8_VMwareAVPerformance.pdf

Back in 2011 Trend was faster

2011 Symantec SEP 11, Trend and Mcafee

http://www.trendmicro.com/cloud-content/us/pdfs/business/reports/rpt_test_deep-security-7.5-vs-mcafee-and-symantec_tolly.pdf


Tags:

APP-V | Mcafee VSE, EPO, DLP | VMWare

Massive Spam Reply wave in Switzerland 08.08.2013 – Federal E-Mail domain admin.ch involved

by butsch 8. August 2013 11:01

Subject Range: RE: [#SMV-xxxxxxxxxxxxxxxxxxxx]: Transfer - Ueberweisung


Since today, 08.08.2013, starting around 17:10 CET, we see a large amount of "Reply – delete me also" spam running through all kinds of devices and also large enterprise spam filters. We even have a reply from the Swiss federal e-mail domain @admin.ch, which hosts all or most e-mail accounts of Swiss federal employees. We also see a large amount of replies from Switzerland's universities and colleges, most of which are experts in spam defence and have developed greylisting modules that commercial spam filters use.

That means that this e-mail currently drops through all the very expensive commercial and Linux mail filters.


Most of those people have/had the e-mail already opened and some of them already replied, WHICH then generates another wave of spam. It is to date unclear if the e-mail contains a 0-day exploit. McAfee VSE 8.8 SP2, SEP Corporate Edition client side with current definitions, ClamAV and GroupShield with current definitions did not show any malware at 22:00 CET.

  1. Do NOT reply to the e-mail (you will generate another wave with thousands of e-mails).
  2. And yes, the above link is also involved in the spam wave itself, so report it to them and tell them to "teach their employees HOW to use e-mail before handing out a client or mobile".


Tags:

Exchange 2007 | Exchange 2010 | Mcafee VSE, EPO, DLP

Two vulnerabilities in McAfee ePolicy Orchestrator May 2013

by butsch 5. May 2013 22:38

Two vulnerabilities in McAfee ePolicy Orchestrator (ePO) have been discovered and resolved.

Affected Product Versions

- ePO 4.5 (RTW) to ePO 4.5.6
- ePO 4.6 (RTW) to ePO 4.6.5

Protected Versions

These products are NOT affected:

- ePO 4.5.7 (or later)
- ePO 4.6.6 (or later)
- ePO 5.0 (or later)

Impact

- VESVM-2013-001 (CVSS: 6.2; Severity: High) is a server-side pre-authenticated SQL Injection within the Agent-Handler component (Agent-Server communication channel) that, if exploited, can lead to remote code execution (RCE).
- VESVM-2013-002 (CVSS: 3.4; Severity: Low) is a server-side pre-authenticated directory path traversal within a file upload process that, if exploited, can lead to an arbitrary file upload under the ePO installation folder.

Recommendation

McAfee recommends that all customers verify that they have applied the latest updates. Impacted users should install the relevant patches or hotfixes.

For full instructions and information, see McAfee KnowledgeBase article SB10042, McAfee Security Bulletin - ePO update fixes two vulnerabilities reported by Verizon (https://kc.mcafee.com/corporate/index?page=content&id=SB10042)

Tags:

Mcafee VSE, EPO, DLP

Kaspersky and KB2823324 Update causing machine to hang at reboot Windows 7

by butsch 12. April 2013 09:18

The current Kaspersky version on Windows 7 / Server 2008 / 2008 R2 with the Microsoft patch 2823324 from 09.04.2013 installed MARKS the NTFS file system as DIRTY.

Thus a forced Checkdisk is RUN after the reboot.

http://support.microsoft.com/kb/2823324

Microsoft recommends uninstalling the patch from all Windows systems.

START > RUN >

wusa.exe /uninstall /kb:2823324 /quiet /norestart

As a McAfee certified SSE I recommend keeping your hands off anything other than McAfee or Symantec. Only those two companies have the power, the money and the resources to fully validate and to have understood the VSSAPI from Microsoft.

The VSSAPI is the interface (API) offered by Microsoft to the producers of antivirus software. Some understand it better, some not.
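The steps above (check whether the update is present, see whether the volume is already flagged dirty, remove the update with wusa.exe) as one added script; this is example code, not from the original post or from Microsoft. It assumes the system volume is C:, an English locale for the fsutil output, and an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): check whether KB2823324 is
# present, whether the system volume already carries the NTFS dirty bit,
# and remove the update with the wusa.exe command the post gives.
# Assumed: system volume is C:, English "fsutil dirty query" output
# ("is Dirty" / "is NOT Dirty"), run from an elevated prompt.

$Kb = 'KB2823324'

$hotfix = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue
if (-not $hotfix) {
    Write-Host "$Kb is not installed on $env:COMPUTERNAME, nothing to do."
    return
}
Write-Host ("{0} is installed on {1} (InstalledOn: {2})" -f $Kb, $env:COMPUTERNAME, $hotfix.InstalledOn)

# Report the dirty bit so the admin knows whether a chkdsk is already pending.
$dirty = fsutil dirty query C:
if ($dirty -match 'is Dirty') {
    Write-Warning 'Volume C: is already marked dirty; chkdsk will run at the next boot.'
} else {
    Write-Host 'Volume C: is clean.'
}

# Uninstall silently without rebooting; reboot at a convenient time afterwards.
$kbNumber = $Kb -replace '^KB', ''
$proc = Start-Process -FilePath wusa.exe `
    -ArgumentList "/uninstall /kb:$kbNumber /quiet /norestart" `
    -Wait -PassThru
switch ($proc.ExitCode) {
    0       { Write-Host 'Uninstall finished; reboot at a convenient time.' }
    3010    { Write-Host 'Uninstall finished; a reboot is required (exit code 3010).' }
    default { Write-Warning "wusa.exe returned exit code $($proc.ExitCode)." }
}
```

Run it per client (for example through your client management tooling) and verify after the reboot that the dirty bit is cleared with the same fsutil query.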


Products affected:

Microsoft Windows Vista x32/x64, 
Microsoft Windows 7 x32/x64, 
Microsoft Windows Server 2008 x32/x64, 
Microsoft Windows Server 2008 R2

Kaspersky AntiVirus for Windows Workstations Server 6.0.4.1424 & 6.0.4.1611

These are the affected Patches:

- Security Update for Windows Server 2008 (KB2823324)
- Security Update for Windows Server 2008 for Itanium-based Systems (KB2823324)
- Security Update for Windows 7 for x64-based Systems (KB2823324)
- Security Update for Windows Server 2008 R2 for Itanium-based Systems (KB2823324)
- Security Update for Windows Server 2008 R2 x64 Edition (KB2823324)
- Security Update for Windows Server 2008 x64 Edition (KB2823324)
- Security Update for Windows 7 (KB2823324)

All of them carry the same Microsoft description: "A security issue has been identified in a Microsoft software product that could affect your system. You can help protect your system by installing this update from Microsoft. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article. After you install this update, you may have to restart your system."


If you want a peek at McAfee enterprise products like Web Gateway (enterprise web filter), DLP (Data Loss Prevention, USB and data safety) or the McAfee ePO server, feel free to contact us in Switzerland.

Tags:

Client Management | Mcafee VSE, EPO, DLP | WSUS