McAfee can't stop koobface, lol

Discussion in 'other anti-virus software' started by trjam, Sep 22, 2009.

Thread Status:
Not open for further replies.
  1. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    The local government uses McAfee for all of its thousand plus computers. Today my boss lost his internet connection and the City's IT department came out. Found out it was from Facebook and it was this virus that did it. Evidently it started spreading and now they have issued a block for Facebook till they get it under control.
     
  2. SIR****TMG

    SIR****TMG Registered Member

    Joined:
    May 31, 2004
    Posts:
    833
    That's a hot one...........:thumbd:
     
  3. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    I presume that local government uses the enterprise product. If so there is no way any virus or koobface could infect a computer protected by VirusScan Enterprise with Artemis and all access protection options enabled such as block all read and write access to all shares (in the Anti-Virus control section). One could also opt to

    Prevent svchost executing non-Windows executables,

    Protect cached files from password and email address stealers,

    Prevent alteration of all file extension registrations,

    Prevent installation of Browser Helper Objects and Shell Extensions,

    Prevent execution of scripts from the Temp folder,

    Prevent remote creation/modification of executable and configuration files,

    Prevent common programs from running files from the Temp folder,

    etc...


    A good network administrator would be able to tweak these options to infinity. If koobface could get through, it is only because of bad configurations. That local government should hire a new IT personnel with greater competence.

    There is no way a virus could get through or spread inside a system protected by McAfee VirusScan Enterprise 8.7 (patch 1 and 2) when it is configured properly, period.
     
    Last edited: Sep 22, 2009
  4. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    well it did.

    What: Blocking access to Facebook



    When: Tuesday, September 22nd, 2009 starting at 3:00pm



    Who: Anyone attempting to access Facebook while on the City network



    More Info: There is a highly active worm in the wild called koobface. The worm is downloaded to PCs while the user is accessing Facebook. The worm causes multiple other worms and viruses to be downloaded to the PCs rendering some PCs useless. The worm has been detected on several City PCs which are being addressed at this time.



    If you have a City owned laptop, you should not connect to Facebook while off the City network. The worm can be installed on the laptop and then infect other City computers when it is connected to the City network.
     
  5. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    You seemed to miss my point here. There is no way any virus let alone koobface can infect or spread inside a computer protected by McAfee VirusScan Enterprise when it is configured properly. VirusScan Enterprise will not prevent you going into any website, what it will do is to prevent the virus from getting into your computer.

    Again when VirusScan Enterprise is configured properly, no infection or spread of infection is possible and I'm telling you all this by first hand experience.
     
  6. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I am not saying this in any disrespectful way, but I do not believe any AntiVirus is foolproof. That's a pretty bold statement. I run some very serious Security Hardware, and software on my network. I always rely on a layered approach. I always run in a virtual environment, and keep frequent backups of my data. Even Virtual environments have been proven to be defeated by certain methods such as kill disk malware. I could go on, but I'm sure you get my point.
     
  7. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    You seem to miss my point here. There is no way any virus let alone koobface can infect or spread inside a computer protected by McAfee VirusScan Enterprise when it is configured properly. VirusScan Enterprise will not prevent you from going into any website, what it will do is to prevent the virus from getting into your computer.

    Again when VirusScan Enterprise is configured properly, no infection or spread of infection is possible and I'm telling you all this by first hand experience.

    Here is a complete list of Access Protection options:

    Anti-Spyware Standard Protection:
    Protect Internet Explorer favorites and settings

    Anti-Spyware Maximum Protection:
    Prevent installation of new CLSIDs, APPIDs and TYPELIBs
    Prevent all programs from running files from the Temp folder
    Prevent execution of scripts from the Temp folder

    Anti-Virus Standard Protection:
    Prevent registry editor and Task Manager from being disabled
    Prevent user rights policies from being altered
    Prevent remote creation/modification of executable and configuration files
    Prevent remote creation of autorun files
    Prevent hijacking of .EXE and other executable extensions
    Prevent Windows Process spoofing
    Prevent mass mailing worms from sending mail
    Prevent IRC communication
    Prevent use of tftp.exe

    Anti-Virus Maximum Protection:
    Prevent svchost executing non-Windows executables
    Protect phonebook files from password and email address stealers
    Prevent alteration of all file extension registrations
    Protect cached files from password and email address stealers

    Anti-Virus Outbreak Control:
    Make all shares read-only
    Block read and write access to all shares

    Common Standard Protection:
    Prevent modification of McAfee files and settings
    Prevent modification of McAfee Common Management Agent files and settings
    Prevent modification of McAfee Scan Engine files and settings
    Protect Mozilla & FireFox files and settings
    Protect Internet Explorer settings
    Prevent installation of Browser Helper Objects and Shell Extensions
    Protect network settings
    Prevent common programs from running files from the Temp folder

    Common Maximum Protection:
    Prevent programs registering to autorun
    Prevent programs registering as a service
    Prevent creation of new executable files in the Windows folder
    Prevent creation of new executable files in the Program Files folder
    Prevent launching of files from the Downloaded Program Files folder
    Prevent FTP communication
    Prevent HTTP communication

    Virtual Machine Protection:
    Prevent Termination of VMWare Processes
    Prevent modification of VMWare Workstation files and settings
    Prevent modification of VMWare Server files and settings
    Prevent modification of VMWare virtual machine files

    User Defined Rules:
    Could be tweaked to infinity by an excellent network administrator. :D

    This is, to me bullet proof protection.

    For more information on these options please consult:

    https://kc.mcafee.com/resources/sit...00/PD20870/en_US/5345wp_tops_vse_ap_0109s.pdf

    Sometimes some people do not know how to enable Artemis in VirusScan Enterprise 8.7; here is how, please view:

    https://kc.mcafee.com/content/tutorials/artemis/vse_rc_kb53732_enabling_artemis.htm

    Final note: There is no doubt in my mind that your local government IT department is incompetent because they do not know how to use an excellent product like VirusScan Enterprise 8.7, period. :D.
     
    Last edited: Sep 24, 2009
  8. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA

    Hi,

    I have to agree with you 100% on this matter. I have used McAfee VirusScan ENTERPRISE 8.7i, and when PROPERLY CONFIGURED is very reliable when it comes to stopping viruses from infecting computers.

    However, what you missed saying was the fact when you configure it that way you will need a SUPERPOWERFUL computer [QuadCore, perhaps] to run it.
    It will bring your PC to its knees if configured that way. That's the reason why many IT Administrators install it using the DEFAULT settings [a.k.a.: “Standard Protection”] instead of “Maximum Protection”. Besides, with Maximum Protection enabled it's going to act like a HIPS every time you try to run an installer for any program you want to install, in many cases preventing you from installing your program.

    My sister used to have it on her laptop because she's attending college and they install it for free if you're a student but her laptop was painfully slow to a crawl so I uninstalled it for her and installed something else and now, her lappy runs faster.

    Regards,

    Carlos
     
  9. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    Only 8 gig of RAM 64bit architecture on all my business computers with VSE 8.7 and peace of mind. It is a shame that McAfee home products are not that good. I use maximum protection on all my business computers and no slow down.
     
    Last edited: Sep 22, 2009
  10. Narxis

    Narxis Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    477
    Who are you? A McAfee employee or reseller?
     
  11. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    My take is, no he's not - but Cogito does know his stuff.

    I also agree McAfee if configured properly, the enterprise version is solid. The administrators should start reading the user guide, or seeking McAfee support. McAfee Enterprise Edition protects hundreds of thousands of government systems from where I'm from. No virus has taken down the network here.
     
  12. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    No antimalware will provide you 100% security. However, I agree with Cogito when he says VSE 8.7i is a solid product if tweaked properly. But one thing I would like to mention is that on big networks it is difficult to control all the machines.

    I've seen several machines with old signatures or the VSE disabled as well! Most people who use those machines don't know what is good or what is bad in terms of IT Security. And I am talking about one of the largest banks, it's a humongous network.

    You can't always blame the system administrator. Sometimes the end users are so dumb that you can't help it.
     
  13. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    No, just a happy customer. :D
     
    Last edited: Sep 23, 2009
  14. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    Please do not worry about malware disabling your VM. VSE 8.7 can protect it for you by enabling such features like:

    Virtual Machine Protection:
    • Prevent Termination of VMWare Processes
    • Prevent modification of VMWare Workstation files and settings
    • Prevent modification of VMWare Server files and settings
    • Prevent modification of VMWare virtual machine files
     
  15. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    Guys

    You all have to understand that VSE 8.7 is built upon prevention; as a matter of fact the keywords are prevent and protect. As some would say: Prevention is better than the cure. ;)
     
  16. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    And that is why a good network admin must have strong password protected policies (from a client side perspective) to protect the users from himself or herself.
     
    Last edited: Sep 23, 2009
  17. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    Why would someone, using a client computer, have the need to install software? Only people with admin privileges can do that. Consequently, I'm not worried about software installation. Anyway the only thing an admin would do is temporarily pause access protection during installation and enable it thereafter.

    Also the admin (should) know the installer involved as well as the processes and installation files and accordingly have access protection policies exception in place. The number of rules chosen or created will have no impact upon the speed of any client computer, at least with respect to VSE 8.7 (patch 1 or 2)

    By the way, I would like to advise anyone please do not push patch 1 to any x64 client, since it will disable self-protection in VSE 8.7. This is actually a dumb move by McAfee, why would any company provide a patch that creates more problems than it solves? Also forget about patch 2, because patch 2 requires patch 1 before installation.
     
    Last edited: Sep 23, 2009