McAfee releases VirusScan with intrusion prevention

McAfee releases VirusScan with intrusion prevention
VirusScan Enterprise 8.0i integrates IPS and firewall with antivirus software

IDG News Service August 30, 2004

Antivirus software company McAfee Inc. said on Monday that a new version of its VirusScan Enterprise software contains so-called "intrusion prevention" features that can protect computers from attacks such as buffer overflows, which are often used by viruses, worms and malicious hackers to compromise vulnerable Microsoft Corp. Windows machines.

VirusScan Enterprise 8.0i integrates IPS (intrusion prevention services) and firewall technology with antivirus software to protect personal computers and file servers from new malicious code outbreaks automatically. The new version of VirusScan also has features to manage new malicious code outbreaks, limiting the damage they cause, McAfee said.

The announcement comes as antivirus software makers and networking equipment vendors look for ways to harden machines against possible compromise and crack down on a host of threats, from spam and spyware to bogus Web pages used in phishing scams.

The new version of VirusScan incorporates host IPS technology from McAfee's acquisition of Entercept Security Technologies Inc. in April 2003. The Entercept technology allows VirusScan to spot malicious code used to exploit vulnerabilities in the Windows operating system and Microsoft Corp. applications like Internet Explorer, Outlook and Microsoft Office, said John Bedrick, group marketing manager for systems security at McAfee.

The product requires periodic updates from McAfee, but Bedrick was reluctant to call the IPS updates "signatures," for fear of lumping them in with the frequent antivirus updates that are required when new worms and viruses appear.

For example, VirusScan 8.0i spots malicious code that tries to exploit a known vulnerability in older versions of a Windows component called the Local Security Authority Subsystem Service (or LSASS). The recent Sasser and Gaobot worms spread by compromising machines using vulnerable versions of LSASS. VirusScan 8.0i protects Windows machines from any of those threats. However, unlike antivirus software, it does not require a new "signature" for each worm that targeted LSASS, Bedrick said.

The new features are part of Protection-in-Depth, a McAfee program intended to provide many layers of defense against malicious computer activity, McAfee said.

While IPS features in VirusScan improves that product's ability to spot malicious computer code, the new features do not turn VirusScan into a full-fledged IPS product. Instead, McAfee added a small set of IPS features that will provide the maximum protection to users while creating the minimum of "noise" such as blocking valid traffic, Bedrick said.

Whereas a comprehensive IPS product like Entercept's prevent buffer overflows of any kind, VirusScan 8.0i limits buffer overflow protection to the 30 or so Windows applications and services that most McAfee customers use, he said.

"The idea was to pick the applications and services that were the most commonly exploited," he said.

In doing so, McAfee had to strike a careful balance between making VirusScan more proactive and turning it into a nuisance for users, he said.

The release of VirusScan 8.0i is part of a larger push into the IPS arena at McAfee. In June the company, formerly Network Associates Inc., announced new versions of two intrusion prevention (IPS) products, IntruShield and Entercept, that it said will make it easier to protect corporate networks from so-called "zero day" attacks, attempts to break in to networks using previously unknown vulnerabilities.

The company has more announcements planned for future releases that will enhance the ability of its products to spot malicious code before it can infect a customer network. Future features may include wizards and rules for configuring proactive security, he said.

McAfee VirusScan 8.0i is not sold as a stand-alone product, but is sold in suites, such as McAfee Total Virus Defense, with other McAfee products. The product is available for free to existing customers with valid support agreements, and to new customers through McAfee and its partners, McAfee said.

THE MUL

 

I am running It on XP Pro It ia a out standing program

 

Another happy user here

 

I am glad u like this great programme.


THE MUL

 

Mul, you will have to try and switch to a company which uses this AV

But you seem to have more than adequate cover for malware threats with your software choice.

 

Here are some screenshots of this program.

I am using this version without the ‘firewall’ or email scanner installed and it runs with 7 processes in memory for a total of 30 MB. The on-access Monitor, Mcshield.exe is taking up the majority of this with 19MB ( 16036 KB VM ). This produces no slowdown on my laptop, but as it has a 3.6GHz processor, this is not surprising. However, I have seen it running quite happily on much older computers in my Department at work. It takes up about 35MB of disc space.

I have not used the Home version of VirusScan since version 4, but this Enterprise edition is supposedly a lot leaner than the recent versions of the retail product.

Although not a retail product and therefore not as widely available as the Home version, it is worth checking if your Company/University runs this software.

My University has been running both the Norton and McAfee Corporate products, particularly on the gateway, for many years but I was reluctant to use these on my Home computers.

But do not be put off by the 'horror' stories reported by some people about the 2 big retail products and apply this to the Corporate editions. Both Norton and McAfee have excellent Business AV's, and according to my IT people, support is excellent.

McAfee has always had a good reputation for its malware engine and this AV is well worth trying out if you have the choice.

 

Port Blocking, which is a 'firewall' feature.

 

File, Share and Folder Protection.

 

A number ( 200 ) of 'unwanted programs are now detected.

 

The Monitor Settings; easy to use GUI.

 

Infection window. Quarantine is an option here.

 

Updates are incremental and very small which is very useful as I am restricted to dial-up. You can also schedule updates to include on dial-up.

Extensive options are available and these include; Daily, Weekly, Monthly, Once, at System Startup, At Logon, and Run Immediately.

 

Wow, looks like a real pro to me.

 

Indeed. It looks much much better than edition for home users.
The thing i hated most was terrible configuration level (actually non existing) and popup that showed for each detected file seperately (imagine when you detect 30 malware files and you have to click 30 times in order to clean the mess). Its funny that they don't offer such package to home users.
If not because of other things,at least because of that damn &%!*+### Security Center which is useless.

 

The Mul & Blackcat.

I help a friend installed it yesterday but I could not find the function to Scan the diskette?

I think I saw few options somewhere that I could set it to scan My Computer, All Local drive etc., what is the different between them by the way?

Cheers



P/s: any conflict with Prevx or any other software so far?

PP/s: How to uninstall older version of McAfee?

 

me too

 

Simply right-click on your Floppy disc icon in the My Computer Folder and then click on the McAfee AV icon for scan for viruses. Or more long-winded, right-click on the system tray icon>On-Demand Scan>Where>edit>Item to scan>Drive or Folder>Browse>Select Floppy. See attachment.

Chew, check in the help-file, it' s very good and does outline the differences between these.

I do not use Prevx, but I have had no conflicts so far with my combination of software but I believe there is (was!) some conflicts between the program and some software firewalls, particularly Zone Alarm Pro, if Buffer Overflow Protection is enabled.

If retail versions try here; http://ts.mcafeehelp.com/default.asp?siteID=1&resolution=1024x768&rurl=&rqs=
http://forums.mcafeehelp.com/viewtopic.php?t=554
If previous version was an Enterprise AV; http://forums.mcafeehelp.com/viewtopic.php?t=33187

 

Hai Mul!

What is the reason there are (right now) only 4400 virus definitions?

I know the McAfee heuristics are very strong, but only 4400 definitions?

Ciao,

Smokey

 

Standing in for the mul,

I may be wrong, but I think that the number of definitions does not mean viruses detected, but in fact only records. One record can stand for many viruses. Dr Web is similar to this.

The length of time the McAfee engine has been about, I would think that the numbers of malware detected is on par with KAV and F-Prot.

 

Thanks for the explanation!

Ciao,

Smokey

 

It also depends on how company counts malware. Some count only entire families (for example Win32:Beagle A-Z is counted as 1 virus in the definitions count),other count every and each variant (so you get high number just for one family of viruses). Generic and heuristic detections cannot be counted (you cannot measure this), so these numbers don't mean much at all.

Low total number of viruses detected by AV doesn't mean anything if the company counts each family as 1 virus type and uses strong heuristic/generic engine. In this case, it can easily outperform any other AV that says it can detect 100.000 viruses.

Kaspersky for example has around 80.000 unique signatures(now go figure how they count them ). But it still has the best detection level you can get in these days.

 

Thanks for the clarification, RejZoR

 

Blackcat

Thanks for the Uninstall links and the explanation.

Cheers

 

Is there a page somewhere that shows "unique signatures" # for Kaspersky? Or are you just a bit outdated

McAfee numbers their definition releases (not sure when they started this), so the DAT# will generally go up 1 iteration every week or more depending on any outbreaks.

(Kaspersky lists 102112 records, looks like McAfee has also reached over 100k at 104507.)

 

The 4400 is the DAT Version number.

You can go here to see the number of threats detected (104,507)

http://vil.nai.com/vil/DATReadme.asp