McAfee strikes with heuristics

Discussion in 'other anti-virus software' started by RejZoR, May 8, 2005.

Thread Status:
Not open for further replies.
  1. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    http://img169.echo.cx/img169/8483/mcafeeheur8fq.png
    Screen taken from VirusTotal...

    Looks like McAfee heuristics aren't that bad after all. I was also surprised when VSE8.0i picked New malware.h on one sample collected from friends MSN.
    The 4400 engine that is...

    I wonder whats with 5000 engine. I subscribed for beta,but nothing since then and it should be in beta1 phase by now. Hope they'll improve generic and heuristic part even further with this new engine.
     
  2. Ianb

    Ianb Registered Member

    Joined:
    Nov 26, 2004
    Posts:
    232
    Location:
    UK
    Been waiting for the 5000 beta engine myself. Can't wait to try it out.
     
  3. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    I checked out a few files that were detected als Malware.h - seems McAfee simply reports every file encrypted with Morphine. Nothing bad about that, Norman does it too (W32/Morphine.Gen or so).
     
  4. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Looks like they never found any legitim file encrypted with Morphine or a minimal number,so they just exclude them by signatures or something.
     
  5. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Hm,i finally managed to login as beta tester,but 5000 engine is still not available. Status is Upcomin in May...
    I just wonder which day in May...
     
  6. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    There are legit files encrypted with Morphine? I don't think so. Why would any programmer encrypt his legal software with a VX tool?
     
  7. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Who knows :p Then whats so strange if they pick all files packed with morphine?
     
  8. O--O

    O--O Guest

    @Skeeve

    "There are legit files encrypted with Morphine? I don't think so. Why would any programmer encrypt his legal software with a VX tool?"

    Although I am not aware of any legit files encrypted with Morphine I know several legit applications (including security programs) which are protected and/or compressed with the help of a FREEWARE packer/crypter like UPX or TeLock. So why shouldn't a coder use open-source Morphine?

    Moreover, I believe that it is generally a bad idea to rely on McAfee's !guru parameter. Does the new heuristic offer any advantage over the guru parameter?

    If not: a heuristic which is solely based on the detection of an unpacking stub is clearly inferior to Kaspersky's static unpacking engine. Do you agree?
     
  9. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    !guru parameter? What should this parameter do anyway?
     
  10. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    !guru enables extended detection for the McAfee command line scanner. What I find strange is that McAfee resorts to such kind of "tricks" - don't they have propper unpacking to handle Morphine?


    Of course, real unpacking is better. Though it really slows down the virus scanners lately with all those multi-packed malware around.

    Morphine might be open source, but it still from a person who sells Rootkits, undetectable service etc. - I don't think that any legal programmer wants to be associated with that.
     
  11. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    My McAfee VSE 8.0i detected file as New Malware.h On-Access,so it has nothing to do with !guru for cmd.
     
  12. O--O

    O--O Guest

    " but it still from a person who sells Rootkits, undetectable service etc. - I don't think that any legal programmer wants to be associated with that."

    Personally, I don't care. I also use certain AV/AT software although I know that, for example, the lead coder has virus writing experience and/or the respective developer has employed well-known malware coders etc. I also do not shy away from using AV/AT software developed by persons who I personally dislike.

    Such personal stuff does not matter to me.

    As regards Morphine: maybe hf is a criminal. But this has nothing to do with the quality of the source code.
     
  13. o--o

    o--o Guest

    "so it has nothing to do with !guru for cmd."

    Why do you think it's different?
     
  14. Happy Bytes

    Happy Bytes Guest

    Nautilus ;)
     
  15. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    oops :eek:
     
  16. o--o

    o--o Guest

    Adema! ;-)
     
  17. iwod

    iwod Registered Member

    Joined:
    Jun 25, 2004
    Posts:
    708
    MY only problem with V8.0i is the forcefuly installed / use of firewall/ or what ever sandbox control on the system.

    I would rather they left it as a seperate module. ( Which they did for Antispyware ) And improve 5000 engine so it will take less resources.
     
  18. VikingStorm

    VikingStorm Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    387
    The what?
    McAfee seems to have heuristic false positives when you enable all the riskware detections. At least for me, on some files, like a java file from NetBeans (or was it Eclipse?).
     
  19. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    ? McAfee doesn't have Sandbox. And firewall for VSE8.0i is optional.
    Also all other modules like Lotus and Outlook scanning.
     
  20. iwod

    iwod Registered Member

    Joined:
    Jun 25, 2004
    Posts:
    708
    They have a a part where "rules" are used for connection and System. Such as Which port is locked.... OE not allow to do this.. etc.

    Anyway for me i am still waiting for F Prot :p
    ( For now NOD does a good job )
     
  21. VikingStorm

    VikingStorm Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    387
    Actually I don't think that really does anything without the McAfee Desktop Firewall software....
     
  22. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Apparently there are some vulnerabilities in Mcafee...
     
  23. liang_mike

    liang_mike Registered Member

    Joined:
    Mar 12, 2004
    Posts:
    91
    Location:
    Canada
    Your finding is for McAfee Internet Security Suite 2005, not VSE8.0i.
     
  24. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    correct Mike, I just thought it was a heads up around Mcafee...
     
  25. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Intrusion rules in VSE 8.0i rock! I set that SCR files can only be executed or read,but they can't modify or delete any other files. PIF files are completely blocked. COM and VBS are also very restricted. So it's quiet bullet proof.
    IRC ports are also blocked,same with SMTP port.
    This way you can prevent even things that can slip by scan engine.
    It's also nearly zero false positive setup so it doesn't restrict while you work.
    Really great combination of powerful scan engine and generic blocking like Prevx.
    VSE 8.0i also offers Buffer Overflow protection. I'm very impressed.
     
Loading...
Similar Threads
  1. Ibrad
    Replies:
    24
    Views:
    2,421
Thread Status:
Not open for further replies.