McAfee strikes with heuristics

http://img169.echo.cx/img169/8483/mcafeeheur8fq.png
Screen taken from VirusTotal...

Looks like McAfee heuristics aren't that bad after all. I was also surprised when VSE8.0i picked New malware.h on one sample collected from friends MSN.
The 4400 engine that is...

I wonder whats with 5000 engine. I subscribed for beta,but nothing since then and it should be in beta1 phase by now. Hope they'll improve generic and heuristic part even further with this new engine.

 

Been waiting for the 5000 beta engine myself. Can't wait to try it out.

 

I checked out a few files that were detected als Malware.h - seems McAfee simply reports every file encrypted with Morphine. Nothing bad about that, Norman does it too (W32/Morphine.Gen or so).

 

Looks like they never found any legitim file encrypted with Morphine or a minimal number,so they just exclude them by signatures or something.

 

Hm,i finally managed to login as beta tester,but 5000 engine is still not available. Status is Upcomin in May...
I just wonder which day in May...

 

There are legit files encrypted with Morphine? I don't think so. Why would any programmer encrypt his legal software with a VX tool?

 

Who knows Then whats so strange if they pick all files packed with morphine?

 

@Skeeve

"There are legit files encrypted with Morphine? I don't think so. Why would any programmer encrypt his legal software with a VX tool?"

Although I am not aware of any legit files encrypted with Morphine I know several legit applications (including security programs) which are protected and/or compressed with the help of a FREEWARE packer/crypter like UPX or TeLock. So why shouldn't a coder use open-source Morphine?

Moreover, I believe that it is generally a bad idea to rely on McAfee's !guru parameter. Does the new heuristic offer any advantage over the guru parameter?

If not: a heuristic which is solely based on the detection of an unpacking stub is clearly inferior to Kaspersky's static unpacking engine. Do you agree?

 

!guru parameter? What should this parameter do anyway?

 

!guru enables extended detection for the McAfee command line scanner. What I find strange is that McAfee resorts to such kind of "tricks" - don't they have propper unpacking to handle Morphine?

Of course, real unpacking is better. Though it really slows down the virus scanners lately with all those multi-packed malware around.

Morphine might be open source, but it still from a person who sells Rootkits, undetectable service etc. - I don't think that any legal programmer wants to be associated with that.

 

My McAfee VSE 8.0i detected file as New Malware.h On-Access,so it has nothing to do with !guru for cmd.

 

" but it still from a person who sells Rootkits, undetectable service etc. - I don't think that any legal programmer wants to be associated with that."

Personally, I don't care. I also use certain AV/AT software although I know that, for example, the lead coder has virus writing experience and/or the respective developer has employed well-known malware coders etc. I also do not shy away from using AV/AT software developed by persons who I personally dislike.

Such personal stuff does not matter to me.

As regards Morphine: maybe hf is a criminal. But this has nothing to do with the quality of the source code.

 

"so it has nothing to do with !guru for cmd."

Why do you think it's different?

 

Nautilus

 

oops

 

Adema! ;-)

 

MY only problem with V8.0i is the forcefuly installed / use of firewall/ or what ever sandbox control on the system.

I would rather they left it as a seperate module. ( Which they did for Antispyware ) And improve 5000 engine so it will take less resources.

 

The what?
McAfee seems to have heuristic false positives when you enable all the riskware detections. At least for me, on some files, like a java file from NetBeans (or was it Eclipse?).

 

? McAfee doesn't have Sandbox. And firewall for VSE8.0i is optional.
Also all other modules like Lotus and Outlook scanning.

 

They have a a part where "rules" are used for connection and System. Such as Which port is locked.... OE not allow to do this.. etc.

Anyway for me i am still waiting for F Prot
( For now NOD does a good job )

 

Actually I don't think that really does anything without the McAfee Desktop Firewall software....

 

Apparently there are some vulnerabilities in Mcafee...

 

Your finding is for McAfee Internet Security Suite 2005, not VSE8.0i.

 

correct Mike, I just thought it was a heads up around Mcafee...

 

Intrusion rules in VSE 8.0i rock! I set that SCR files can only be executed or read,but they can't modify or delete any other files. PIF files are completely blocked. COM and VBS are also very restricted. So it's quiet bullet proof.
IRC ports are also blocked,same with SMTP port.
This way you can prevent even things that can slip by scan engine.
It's also nearly zero false positive setup so it doesn't restrict while you work.
Really great combination of powerful scan engine and generic blocking like Prevx.
VSE 8.0i also offers Buffer Overflow protection. I'm very impressed.