
McAfee strikes with heuristics


RejZoR
May 8th, 2005, 10:25 AM
http://img169.echo.cx/img169/8483/mcafeeheur8fq.png
Screen taken from VirusTotal...

Looks like McAfee heuristics aren't that bad after all. I was also surprised when VSE8.0i picked New malware.h on one sample collected from a friend's MSN.
The 4400 engine that is...

I wonder what's with the 5000 engine. I subscribed for the beta, but nothing since then, and it should be in the beta1 phase by now. Hope they'll improve the generic and heuristic parts even further with this new engine.

Ianb
May 8th, 2005, 12:09 PM
Been waiting for the 5000 beta engine myself. Can't wait to try it out.

Stefan Kurtzhals
May 8th, 2005, 12:42 PM
I checked out a few files that were detected as Malware.h - seems McAfee simply reports every file encrypted with Morphine. Nothing bad about that, Norman does it too (W32/Morphine.Gen or so).

RejZoR
May 8th, 2005, 12:45 PM
Looks like they never found any legitimate file encrypted with Morphine, or only a minimal number, so they just exclude them by signatures or something.

RejZoR
May 8th, 2005, 01:02 PM
Hm, I finally managed to log in as a beta tester, but the 5000 engine is still not available. Status is "Upcoming in May"...
I just wonder which day in May...

Stefan Kurtzhals
May 8th, 2005, 01:08 PM
{QUOTE-> Looks like they never found any legitimate file encrypted with Morphine, or only a minimal number, so they just exclude them by signatures or something. <-QUOTE}

There are legit files encrypted with Morphine? I don't think so. Why would any programmer encrypt his legal software with a VX tool?

RejZoR
May 8th, 2005, 01:18 PM
Who knows :P Then what's so strange if they pick all files packed with Morphine?

O--O
May 8th, 2005, 01:49 PM
@Skeeve

"There are legit files encrypted with Morphine? I don't think so. Why would any programmer encrypt his legal software with a VX tool?"

Although I am not aware of any legit files encrypted with Morphine I know several legit applications (including security programs) which are protected and/or compressed with the help of a FREEWARE packer/crypter like UPX or TeLock. So why shouldn't a coder use open-source Morphine?

Moreover, I believe that it is generally a bad idea to rely on McAfee's !guru parameter. Does the new heuristic offer any advantage over the guru parameter?

If not: a heuristic which is solely based on the detection of an unpacking stub is clearly inferior to Kaspersky's static unpacking engine. Do you agree?

RejZoR
May 8th, 2005, 01:53 PM
!guru parameter? What should this parameter do anyway?

Stefan Kurtzhals
May 8th, 2005, 02:01 PM
!guru enables extended detection for the McAfee command line scanner. What I find strange is that McAfee resorts to such kind of "tricks" - don't they have proper unpacking to handle Morphine?


{QUOTE-> If not: a heuristic which is solely based on the detection of an unpacking stub is clearly inferior to Kaspersky's static unpacking engine. Do you agree? <-QUOTE}

Of course, real unpacking is better. Though it really slows down the virus scanners lately with all those multi-packed malware around.

Morphine might be open source, but it's still from a person who sells rootkits, undetectable service etc. - I don't think that any legal programmer wants to be associated with that.

RejZoR
May 8th, 2005, 02:16 PM
My McAfee VSE 8.0i detected the file as New Malware.h on-access, so it has nothing to do with !guru for cmd.

O--O
May 8th, 2005, 02:19 PM
"but it's still from a person who sells rootkits, undetectable service etc. - I don't think that any legal programmer wants to be associated with that."

Personally, I don't care. I also use certain AV/AT software although I know that, for example, the lead coder has virus writing experience and/or the respective developer has employed well-known malware coders etc. I also do not shy away from using AV/AT software developed by persons who I personally dislike.

Such personal stuff does not matter to me.

As regards Morphine: maybe hf is a criminal. But this has nothing to do with the quality of the source code.

o--o
May 8th, 2005, 02:20 PM
"so it has nothing to do with !guru for cmd."

Why do you think it's different?

Happy Bytes
May 8th, 2005, 02:35 PM
Nautilus ;)

Firecat
May 8th, 2005, 02:38 PM
{QUOTE-> Nautilus ;) <-QUOTE}
oops :o

o--o
May 8th, 2005, 03:08 PM
Adema! ;-)

iwod
May 8th, 2005, 07:19 PM
My only problem with V8.0i is the forcefully installed / used firewall or whatever sandbox control on the system.

I would rather they left it as a separate module (which they did for Antispyware) and improved the 5000 engine so it will take less resources.

VikingStorm
May 8th, 2005, 09:35 PM
{QUOTE-> My only problem with V8.0i is the forcefully installed / used firewall or whatever sandbox control on the system.

I would rather they left it as a separate module (which they did for Antispyware) and improved the 5000 engine so it will take less resources. <-QUOTE}
The what?
McAfee seems to have heuristic false positives when you enable all the riskware detections. At least for me, on some files, like a java file from NetBeans (or was it Eclipse?).

RejZoR
May 9th, 2005, 01:12 AM
? McAfee doesn't have a sandbox. And the firewall for VSE8.0i is optional.
So are all other modules, like Lotus and Outlook scanning.

iwod
May 9th, 2005, 08:12 AM
They have a part where "rules" are used for connections and the system, such as which port is locked... OE not allowed to do this... etc.

Anyway, for me I am still waiting for F-Prot :P
(For now NOD does a good job)

VikingStorm
May 9th, 2005, 10:39 AM
{QUOTE-> They have a part where "rules" are used for connections and the system, such as which port is locked... OE not allowed to do this... etc.

Anyway, for me I am still waiting for F-Prot :P
(For now NOD does a good job) <-QUOTE}
Actually I don't think that really does anything without the McAfee Desktop Firewall software....

Infinity
May 9th, 2005, 10:44 AM
{QUOTE-> McAfee Internet Security Suite 2005 Insecure File Permission Vulnerability

iDEFENSE Security Advisory
I. BACKGROUND

McAfee Internet Security Suite 2005 is a product used to protect a
personal computer from virus infections, and additionally provides
firewall and privacy control functionality.

II. DESCRIPTION

Local exploitation of an insecure permission vulnerability in McAfee Internet Security Suite 2005 allows attackers to escalate non-Administrator privileges or disable protection.

The vulnerability specifically exists in the default file Access Control List (ACL) settings that are applied during installation. When an administrator installs McAfee Internet Security Suite 2005, the default ACL allows non-Administrator users to modify the installed files. Because of the fact that some of the programs run as system services, a non-Administrator user can simply replace an installed McAfee Internet Security Suite 2005 file with their own malicious code that will later be executed with system privileges.

III. ANALYSIS

Successful exploitation allows local attackers to escalate privileges to the system level. It is also possible to use this vulnerability to simply disable protection by moving all of the executable files so that they cannot start upon a reboot.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in McAfee Internet Security Suite 2005. It is suspected earlier versions are also vulnerable. <-QUOTE}

Apparently there are some vulnerabilities in McAfee...

liang_mike
May 9th, 2005, 02:48 PM
{QUOTE-> Apparently there are some vulnerabilities in McAfee... <-QUOTE}

Your finding is for McAfee Internet Security Suite 2005, not VSE8.0i.

Infinity
May 9th, 2005, 04:31 PM
Correct, Mike. I just thought it was a heads-up around McAfee...

RejZoR
May 9th, 2005, 05:03 PM
Intrusion rules in VSE 8.0i rock! I set it so that SCR files can only be executed or read, but they can't modify or delete any other files. PIF files are completely blocked. COM and VBS are also very restricted. So it's quite bulletproof.
IRC ports are also blocked, same with the SMTP port.
This way you can prevent even things that can slip by the scan engine.
It's also a nearly zero-false-positive setup, so it doesn't restrict you while you work.
Really great combination of a powerful scan engine and generic blocking like Prevx.
VSE 8.0i also offers Buffer Overflow protection. I'm very impressed.

Infinity
May 9th, 2005, 05:32 PM
McAfee is a highly regarded AV and one of the top 5 performers... they are doing better and better and I bet their sigbase isn't one of the smallest around ;)
Heuristics have been improved a lot by a lot of AVs lately and it's always good to see nice heuristics.

@ RejZoR: that Buffer Overflow Protection, would that be in any way comparable to Prevx's? Such a combo would make a nice security setup anyway lol :) Kinda like SnS and BitDefender...

Firecat
May 9th, 2005, 11:42 PM
Remember, this is the enterprise version of McAfee - the home versions don't have this flexibility :(

I do like McAfee's signature base and their generic detections - but their heuristics still do need to improve.

RejZoR
May 10th, 2005, 06:44 AM
McAfee announced that the engine 5000 beta test is delayed till the end of May.
They had some problems beyond their control. June is not so far away anyway :)

Arkypalium
May 12th, 2005, 01:41 PM
Hi, I'm new here, sorry about my poor English.

I'm using a trial version of VSE and I love it, it has saved me a lot of times. I'm using KAV 4.5 as a second on-demand scanner, and after a scan with McAfee VSE it hasn't found anything, so I believe that McAfee is too close to KAV... I would like to know if there is somebody who knows how to create new intrusion rules like RejZoR's rules

{QUOTE-> Intrusion rules in VSE 8.0i rock! I set it so that SCR files can only be executed or read, but they can't modify or delete any other files. PIF files are completely blocked. COM and VBS are also very restricted. So it's quite bulletproof.
IRC ports are also blocked, same with the SMTP port.
This way you can prevent even things that can slip by the scan engine.
It's also a nearly zero-false-positive setup, so it doesn't restrict you while you work.
Really great combination of a powerful scan engine and generic blocking like Prevx.
VSE 8.0i also offers Buffer Overflow protection. I'm very impressed. <-QUOTE}

By the way, there is a new basic tutorial on rule creation, posted in the NAI forums,

http://www.iserv.net/~shoe/VSE80i_BestPracticesGuide_EN.pdf

Maybe it helps somebody to put together a good tutorial suggesting what rules to create.


Thanks

RejZoR
May 12th, 2005, 02:04 PM
PIF Protection (Only recommended for Windows 2000/XP)
http://img79.echo.cx/img79/3329/pifblock1bl.png
SCR Protection (allows screensavers, but blocks malware-like activity)
http://img79.echo.cx/img79/326/scrblock0ij.png
VBS Protection
http://img79.echo.cx/img79/9849/vbsblock0ip.png

These are very general, nearly false-positive-free rules that can protect you very well. We can make even more of them together. Just give me an idea and I'll think about how to make it.

Arkypalium
May 12th, 2005, 03:16 PM
Thanks for your rules, RejZoR. I have created them now ;D

Some samples of rules I have seen:

(extracted from VSE80i_BestPracticesGuide)

"The last thing that the virus attempts to do is create files 'in folders that contain the phrase shar'. There are several filenames that the virus uses, but a broad rule can be created that prevents the creation in the '**\*shar*\**\*.exe' location by all (*) processes."

or

"For example, in a non-English or Localized environment, you may choose to apply the rule 'Prevent Internet Explorer from launching files from the Downloaded Programs folder (.exe).' This rule applies to the process named "iexplore.exe" and uses an English folder name: '**\Downloaded Program Files\**\*.exe.' This means any executable file attempting to launch from any location on the drive where 'Downloaded Program Files' is in the path will trigger the rule. If the localized operating system does not include the folder name 'Downloaded Program Files,' you can accomplish the same results by creating an environment variable on each client that sets, for example, 'DWNPRGFILES' to the equivalent location of the 'Downloaded Program Files' folder on the localized operating system. (This can be done in the System properties in Control Panel on Windows 2000 and above, and requires a reboot to be applied.) Once this has been completed, you can edit the Access Protection rule to use '**\%DWNPRGFILES%\**\*.exe' to accomplish the same results as the default rule."

And... I have 2 questions:

1. What do you think, RejZoR, is it possible to block, for example, the new pcaudit's DLL creation in "system32" with the predefined DLL rules? And is it possible to create some rules to protect applications like "explorer.exe" against global hooks?

2. Is there any way to exclude (for example with wildcards like <> or something) applications, processes or folders when creating Access Protection rules???


Thanks :-*
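The path patterns quoted above from the Best Practices Guide ('**\*shar*\**\*.exe', '**\Downloaded Program Files\**\*.exe', '**\%DWNPRGFILES%\**\*.exe') and RejZoR's SCR/PIF rules earlier in the thread are all the same idea: a rule names a process pattern, a path pattern and the actions it denies, and the product checks each file event against them. The script below is an added example written for this thread, not McAfee's own code or configuration format: it models such rules in Python so you can check what a pattern would and would not cover before switching it on. The wildcard semantics (`**\` = any number of directories including none, `*` and `?` confined to one path component, case-insensitive, `%NAME%` expanded from a client environment map), the `Rule` field names, the rule set, the environment value and every event path are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional


# Hypothetical model of one Access Protection rule; the field names are this
# example's own, not McAfee's configuration format.
@dataclass(frozen=True)
class Rule:
    name: str
    process: str           # wildcard pattern matched against the acting process's file name
    path: str              # wildcard pattern matched against the target path
    block: FrozenSet[str]  # denied actions, subset of {"read","write","execute","create","delete"}


def expand_env(pattern: str, env: Optional[Dict[str, str]]) -> str:
    """Replace %NAME% tokens with values from the supplied client environment map."""
    if not env:
        return pattern
    return re.sub(r"%([A-Za-z_][A-Za-z0-9_]*)%",
                  lambda m: env.get(m.group(1), m.group(0)),  # unknown names stay literal
                  pattern)


def pattern_to_regex(pattern: str, env: Optional[Dict[str, str]] = None):
    """Compile a wildcard pattern into a regex.

    Assumed semantics (inferred from the guide's wording, not a verified spec):
      **\\  zero or more whole directory components
      *     any run of characters inside one component
      ?     one character inside one component
    Matching is case-insensitive, as Windows paths are.
    """
    pattern = expand_env(pattern, env)
    out: List[str] = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**\\", i):
            out.append(r"(?:.*\\)?")
            i += 3
        elif pattern.startswith("**", i):  # trailing "**": anything at all
            out.append(r".*")
            i += 2
        elif pattern[i] == "*":
            out.append(r"[^\\]*")
            i += 1
        elif pattern[i] == "?":
            out.append(r"[^\\]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out), re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def rule_blocks(rule: Rule, process: str, path: str, action: str,
                env: Optional[Dict[str, str]] = None) -> bool:
    """True when `rule` denies `action` performed by `process` on `path`."""
    if action not in rule.block:
        return False
    if pattern_to_regex(rule.process).fullmatch(basename(process)) is None:
        return False
    return pattern_to_regex(rule.path, env).fullmatch(path) is not None


def matching_rules(rules: Iterable[Rule], process: str, path: str, action: str,
                   env: Optional[Dict[str, str]] = None) -> List[str]:
    """Names of every rule that would block the event; an empty list means allowed."""
    return [r.name for r in rules if rule_blocks(r, process, path, action, env)]


ALL_ACTIONS = frozenset({"read", "write", "execute", "create", "delete"})

# Constructed rule set: the patterns quoted from the guide, plus the thread's
# SCR and PIF ideas expressed the same way.
RULES = [
    Rule("no exe creation in *shar* folders", "*", r"**\*shar*\**\*.exe", frozenset({"create"})),
    Rule("IE: no launch from Downloaded Program Files", "iexplore.exe",
         r"**\Downloaded Program Files\**\*.exe", frozenset({"execute"})),
    Rule("IE: no launch from localized DPF", "iexplore.exe",
         r"**\%DWNPRGFILES%\**\*.exe", frozenset({"execute"})),
    Rule("SCR: read/execute only", "*.scr", r"**", frozenset({"create", "write", "delete"})),
    Rule("PIF: block everything", "*", r"**\*.pif", ALL_ACTIONS),
]

# Constructed environment for a localized client (illustrative value only).
ENV = {"DWNPRGFILES": r"C:\Programme\Heruntergeladene Programmdateien"}

# Constructed events: (process, target path, action).
SAMPLE_EVENTS = [
    (r"C:\WINDOWS\explorer.exe", r"C:\Documents and Settings\user\shared\worm.exe", "create"),
    (r"C:\Program Files\Internet Explorer\iexplore.exe", r"C:\WINDOWS\Downloaded Program Files\setup.exe", "execute"),
    (r"C:\WINDOWS\explorer.exe", r"C:\WINDOWS\Downloaded Program Files\setup.exe", "execute"),
    (r"C:\Program Files\Internet Explorer\iexplore.exe", r"C:\Programme\Heruntergeladene Programmdateien\x.exe", "execute"),
    (r"C:\WINDOWS\System32\ssmyst.scr", r"C:\WINDOWS\System32\dropped.dll", "create"),
    (r"C:\WINDOWS\System32\ssmyst.scr", r"C:\WINDOWS\System32\ssmyst.scr", "read"),
    (r"C:\WINDOWS\explorer.exe", r"C:\temp\autorun.pif", "execute"),
]


def evaluate_samples() -> List[List[str]]:
    """Run every constructed event through the rule set."""
    return [matching_rules(RULES, proc, path, act, ENV) for proc, path, act in SAMPLE_EVENTS]


if __name__ == "__main__":
    for (proc, path, act), hits in zip(SAMPLE_EVENTS, evaluate_samples()):
        verdict = "BLOCKED by " + ", ".join(hits) if hits else "allowed"
        print(f"{basename(proc):>14} {act:<8} {path}: {verdict}")
```

Running it shows the two things worth checking before deploying a rule: that the localized '%DWNPRGFILES%' variant fires only on the localized path (the English rule stays silent there), and that the SCR rule lets the screensaver read and run while still denying it any create/write/delete, which is exactly why RejZoR's rule has to be disabled while a new screensaver installs itself.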

RejZoR
May 12th, 2005, 04:45 PM
You can do the same for *.COM files (with all actions blocked). Again only recommended for Windows 2000/XP.

EXEs are used way too much, so we can't use such generic blocking in any way.

RejZoR
May 13th, 2005, 05:04 AM
You need to disable the SCR rule when installing new screensavers, otherwise you won't be able to install them. Those that are already on your disk should work without any problems.