McAfee cant stop koobface, lol

Discussion in 'other anti-virus software' started by trjam, Sep 22, 2009.

Thread Status:
Not open for further replies.
  1. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    The local government uses McAfee for all of its thousand plus computers. Today my boss lost his internet connection and the Citys IT department came out. Found out it was from Facebook and it was this virus that did it. Evidently it starting spreading and now they have issued a block for Facebook till they get it under control.
     
  2. SIR****TMG

    SIR****TMG Registered Member

    Joined:
    May 31, 2004
    Posts:
    757
    Thats a hot one...........:thumbd:
     
  3. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    I presume that local government uses the enterprise product. If so there is no way any virus or koobface could infect a computer protected by VirsusScan Enterprise with Artemis and all access protection option enabled such as block all read and write access to all shares (in the Anti-Virus control section). One could also opt to

    Prevent svchost executing non-Windows executables,

    Protect cached files from password and email address stealers,

    Prevent alteration of all file extension registrations,

    Prevent installation of Browser Helper Objects and Shell Extensions,

    Prevent execution of scripts from the Temp folder,

    Prevent remote creation/modification of executable and configuration files,

    Prevent common programs from running files from the Temp folder,

    etc...


    A good network administrator would be able to tweak these options to infinity. If koobface could get through, it is only because of bad configurations. That local government should hire a new IT personnel with greater competence.

    There is no way a virus could get through or spread inside a system protected by McAfee VirusScan Enterprise 8.7 (patch 1 and 2) when it is configured properly, period.
     
    Last edited: Sep 22, 2009
  4. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    well it did.

    What: Blocking access to Facebook



    When: Tuesday, September 22nd, 2009 starting at 3:00pm



    Who: Anyone attempting to access Facebook while on the City network



    More Info: There is a highly active worm in the wild called koobface. The worm is downloaded to PCs while the user is accessing Facebook. The worm causes multiple other worms and viruses to be downloaded to the PCs rendering some PCs useless. The worm has been detected on several City PCs which are being addressed at this time.



    If you have a City owned laptop, you should not connect to Facebook while off the City network. The worm can be installed on the laptop and then infect other City computers when it is connected to the City network.
     
  5. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    You seemed to miss my point here. There is no way any virus let alone koobface can infect or spread inside a computer protected by McAfee VirusScan Enterprise when it is configured properly. VirusScan Enterprise will not prevent you going into any website, what it will do is to prevent the virus from getting into your computer.

    Again when VirusScan Enterprise is configured properly, no infection or spread of infection is possible and I'm telling you all this by first hand experience.
     
  6. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,948
    Location:
    USA
    I am not saying this in any disrespectful way, but I do not believe any AntiVirus is full proff. Thats a pretty bold statement. I run some very serious Security Hardware, and software on my network. I always rely on a layered approach. I always run in a virtual environment, and keep frequent backups of my data. Even Virtual environments have been proven to be defeated by certain methods such as kill disk malware. I could go on, but i'm sure you get my point.
     
  7. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    You seem to miss my point here. There is no way any virus let alone koobface can infect or spread inside a computer protected by McAfee VirusScan Enterprise when it is configured properly. VirusScan Enterprise will not prevent you from going into any website, what it will do is to prevent the virus from getting into your computer.

    Again when VirusScan Enterprise is configured properly, no infection or spread of infection is possible and I'm telling you all this by first hand experience.

    Here is a complete list of Access Protection options:

    Anti-Spyware Standard Protection:
    Protect Internet Explorer favorites and settings

    Anti-Spyware Maximum Protection:
    Prevent installation of new CLSIDs, APPIDs and TYPELIBs
    Prevent all programs from running files from the Temp folder
    Prevent execution of scripts from the Temp folder

    Anti-Virus Standard Protection:
    Prevent registry editor and Task Manager from being disabled
    Prevent user rights policies from being altered
    Prevent remote creation/modification of executable and configuration files
    Prevent remote creation of autorun files
    Prevent hijacking of .EXE and other executable extensions
    Prevent Windows Process spoofing
    Prevent mass mailing worms from sending mail
    Prevent IRC communication
    Prevent use of tftp.exe

    Anti-Virus Maximum Protection:
    Prevent svchost executing non-Windows executables
    Protect phonebook files from password and email address stealers
    Prevent alteration of all file extension registrations
    Protect cached files from password and email address stealers

    Anti-Virus Outbreak Control:
    Make all shares read-only
    Block read and write access to all shares

    Common Standard Protection:
    Prevent modification of McAfee files and settings
    Prevent modification of McAfee Common Management Agent files and settings
    Prevent modification of McAfee Scan Engine files and settings
    Protect Mozilla & FireFox files and settings
    Protect Internet Explorer settings
    Prevent installation of Browser Helper Objects and Shell Extensions
    Protect network settings
    Prevent common programs from running files from the Temp folder

    Common Maximum Protection:
    Prevent programs registering to autorun
    Prevent programs registering as a service
    Prevent creation of new executable files in the Windows folder
    Prevent creation of new executable files in the Program Files folder
    Prevent launching of files from the Downloaded Program Files folder
    Prevent FTP communication
    Prevent HTTP communication

    Virtual Machine Protection:
    Prevent Termination of VMWare Processes
    Prevent modification of VMWare Workstation files and settings
    Prevent modification of VMWare Server files and settings
    Prevent modification of VMWare virtual machine files

    User Defined Rules:
    Could be tweaked to infinity by an excellent network administrator. :D

    This is, to me bullet proof protection.

    For more information on these options please consult:

    https://kc.mcafee.com/resources/sit...00/PD20870/en_US/5345wp_tops_vse_ap_0109s.pdf

    Sometime some people do not know how to enable Artemis in VirusScan Enterprise 8.7, here is how, please view:

    https://kc.mcafee.com/content/tutorials/artemis/vse_rc_kb53732_enabling_artemis.htm

    Final note: There is no doubt in my mind that your local government IT department is incompetent because they do not know how to use an excellent product like VirusScan Enterprise 8.7, period. :D.
     
    Last edited: Sep 24, 2009
  8. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA

    Hi,

    I have to agree with you 100% on this matter. I have used McAfee VirusScan ENTERPRISE 8.7i, and when PROPERLY CONFIGURED is very reliable when it comes to stopping viruses from infecting computers.

    However, what you missed saying was the fact when you configure it that way you will need a SUPERPOWERFUL computer [QuadCore, perhaps] to run it.
    It will bring your PC to its knees if configured that way. That's the reason why many IT Administrators install it using the DEFAULT settings [a.k.a.: “Standard Protection] instead of “Maximum Protection”. Besides, with Maximum Protection enabled it's going to act like a HIPS everytime you try to run an installer for any program you want to install in may cases preventing you from installing your program.

    My sister used to have it on her laptop because she's attending college and they install it for free if you're a student but her laptop was painfully slow to a crawl so I unistalled it for her and installed something else and now, her lappy runs faster.

    Regards,

    Carlos
     
  9. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    Only 8 gig of RAM 64bit architecture on all my business computers with VSE 8.7 and peace of mind. It is a shame that McAfee home products are not that good. I use maximum protection on all my business computers and no slow down.
     
    Last edited: Sep 22, 2009
  10. Narxis

    Narxis Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    477
    Who are you? A McAfee employee or reseller?
     
  11. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    My take is, no he's not - but Cogito does know his stuff.

    I also agree McAfee if configured properly, the enterprise version is solid. The administrators should start reading the user guide, or seeking McAfee support. McAfee Enterprise Edition protects hundreds of thousands of government systems from where I'm from. No virus has taken down the network here.
     
  12. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    No antimalware will provide you 100% security. However, I agree with Cogito when he says VSE 8.7i is a solid product if tweaked properly. But one thing I would like to mention is that on big networks it is difficult to control all the machines.

    I've seen several machines with old signatures or the VSE disabled as well! Most people who use those machine don't know what is good or what is bad in terms of IT Security. And I am talking about one of the largest banks, its a humongous network.

    You can't always blame the system administrator. Sometimes the end users are so dumb that you can't help it.
     
  13. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    No, just a happy customer. :D
     
    Last edited: Sep 23, 2009
  14. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    Please do not worry about malware disabling your VM. VSE 8.7 can protect it for you by enabling such features like:

    Virtual Machine Protection:
    • Prevent Termination of VMWare Processes
    • Prevent modification of VMWare Workstation files and settings
    • Prevent modification of VMWare Server files and settings
    • Prevent modification of VMWare virtual machine files
     
  15. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    Guys

    You all have to understand that VSE 8.7 is build upon prevention as a matter of fact the keywords are prevent and protect. As some would say: Prevention is better than the cure. ;)
     
  16. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    And that is why a good network admin must have strong password protected policies (from a client side perspective) to protect the users from himself or herself.
     
    Last edited: Sep 23, 2009
  17. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    Why would someone, using a client computer, have the need to install a software? Only people with admin privileges can do that. Consequently, I'm not worry about software installation. Anyway the only thing an admin would do is temporarily pause access protection during installation and enable it thereafter.

    Also the admin (should) know the installer involved as well as the processes and installation files and accordingly have access protection policies exception in place. The number of rules chosen or created will have no impact upon the speed of any client computer, at least with respect to VSE 8.7 (patch 1 or 2)

    By the way, I would like to advise anyone please do not push patch 1 to any x64 client, since it will disable self-protection in VSE 8.7. This is actually a dumb move by McAfee, why would any company provides a patch that creates more problems than it solves? Also forget about patch 2, because patch 2 requires patch 1 before installation.
     
    Last edited: Sep 23, 2009
Loading...
Similar Threads
  1. Ibrad
    Replies:
    24
    Views:
    2,402
Thread Status:
Not open for further replies.