McAfee strikes with heuristics

Discussion in 'other anti-virus software' started by RejZoR, May 8, 2005.

Thread Status:
Not open for further replies.
  1. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    McAfee is a highly regarded AV and one of the top 5 performers... they are doing better and better, and I bet their sigbase isn't one of the smallest around ;)
    Heuristics have been improved a lot by a lot of AVs lately, and it's always good to see nice heuristics.

    @ RejZoR: that Buffer Overflow Protection, would that be in any way comparable to the Prevx one? Such a combo would make a nice security setup anyway lol :) Kinda like SnS and BitDefender...
     
  2. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Remember, this is the enterprise version of McAfee - the home versions don't have this flexibility :(

    I do like McAfee's signature base and their generic detections - but their heuristics still do need to improve.
     
  3. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    McAfee announced that engine 5000 beta test is delayed till end of May.
    They had some problems beyond their control. June is not so far away anyway :)
     
  4. Arkypalium

    Arkypalium Registered Member

    Joined:
    May 10, 2005
    Posts:
    2
    Hi, I'm new here, sorry about my poor English.

    I'm using a trial version of VSE and I love it, it has saved me a lot of times. I'm using KAV 4.5 as a second on-demand scanner, and after a scan with McAfee VSE it hasn't found anything, so I believe that McAfee is very close to KAV... I would like to know if there is somebody who knows how to create new intrusion rules like RejZoR's rules.

    By the way, there is a new basic tutorial on rule creation, posted in the NAI forums:

    http://www.iserv.net/~shoe/VSE80i_BestPracticesGuide_EN.pdf

    maybe it helps somebody to put together a good tutorial suggesting what rules to create


    thanks
     
  5. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
  6. Arkypalium

    Arkypalium Registered Member

    Joined:
    May 10, 2005
    Posts:
    2
    Thanks for your rules RejZoR. I have created them now :D

    Some samples of rules I have seen:

    (extracted from VSE80i_BestPracticesGuide)

    "The last thing that the virus attempts to do is create files 'in folders that contain the phrase shar'. There are several filenames that the virus uses, but a broad rule can be created that prevents the creation in the '**\*shar*\**\*.exe' location by all (*) processes."

    or

    "For example, in a non-English or Localized environment, you may choose to apply the rule 'Prevent Internet Explorer from launching files from the Downloaded Programs folder (.exe).' This rule applies to the process named "iexplore.exe" and uses an English folder name: '**\Downloaded Program Files\**\*.exe.' This means any executable file attempting to launch from any location on the drive where 'Downloaded Program Files' is in the path will trigger the rule. If the localized operating system does not include the folder name 'Downloaded Program Files,' you can accomplish the same results by creating an environment variable on each client that sets, for example, 'DWNPRGFILES' to the equivalent location of the 'Downloaded Program Files' folder on the localized operating system. (This can be done in the System properties in Control Panel on Windows 2000 and above, and requires a reboot to be applied.) Once this has been completed, you can edit the Access Protection rule to use '**\%DWNPRGFILES%\**\*.exe' to accomplish the same results as the default rule."

    and.... I have 2 questions

    1. What do you think RejZoR, is it possible to block, for example, the new pcaudit DLLs' creation in "system32" with the predefined DLL rules? And is it possible to create some rules to protect applications like "explorer.exe" against global hooks?

    2. Is there any way to exclude (for example with wildcards like <> or something) applications, processes or folders in the access protection rule creation? o_O


    thanks :-*
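    The wildcard path rules quoted above from the guide can be simulated offline to check what a rule would and would not catch before deploying it. The following is an added example, not code from the thread, the guide or McAfee; it assumes `**` matches zero or more path components, `*` matches any characters within one component, `%VAR%` is expanded from an environment mapping, and matching ignores case.

```python
import os
import re

# Added illustration, not McAfee's code. Assumed semantics: '**' is zero or more
# whole path components, '*' is any run of characters inside one component,
# '%VAR%' is expanded from an environment mapping, and matching ignores case.
_ENV_REF = re.compile(r"%([A-Za-z0-9_]+)%")


def _component_regex(component):
    """Regex for one path component: '*' must not cross a backslash."""
    return "".join(r"[^\\]*" if ch == "*" else re.escape(ch) for ch in component)


def rule_to_regex(pattern, env=None):
    """Translate a VSE-style path pattern into an anchored regex string."""
    env = os.environ if env is None else env
    # An unresolved %VAR% is kept literally, so the rule simply never fires.
    expanded = _ENV_REF.sub(lambda m: env.get(m.group(1), m.group(0)), pattern)
    parts = expanded.split("\\")
    out = []
    for i, part in enumerate(parts):
        last = i == len(parts) - 1
        if part == "**":
            out.append(r".*" if last else r"(?:[^\\]+\\)*")
        else:
            out.append(_component_regex(part) + ("" if last else r"\\"))
    return "^" + "".join(out) + "$"


def rule_matches(pattern, path, env=None):
    return re.match(rule_to_regex(pattern, env), path, re.IGNORECASE) is not None


def triggered_rules(rules, process, path, env=None):
    """Names of (name, proc_pat, path_pat) rules that fire; proc_pat '*' = any process."""
    hits = []
    for name, proc_pat, path_pat in rules:
        proc_re = "^" + _component_regex(proc_pat) + "$"
        if re.match(proc_re, process, re.IGNORECASE) and rule_matches(path_pat, path, env):
            hits.append(name)
    return hits


# Constructed sample rules and a localized environment (not from the thread).
SAMPLE_RULES = [
    ("block shar folders", "*", r"**\*shar*\**\*.exe"),
    ("IE downloaded programs", "iexplore.exe", r"**\%DWNPRGFILES%\**\*.exe"),
]
SAMPLE_ENV = {"DWNPRGFILES": "Heruntergeladene Programmdateien"}
```

    Calling `triggered_rules(SAMPLE_RULES, "iexplore.exe", r"C:\WINDOWS\Heruntergeladene Programmdateien\plugin.exe", SAMPLE_ENV)` shows the localized rule firing only for that process, while the `shar` rule fires for any process.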
     
  7. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    You can do the same for *.COM files (with all actions blocked). Again, only recommended for Windows 2000/XP.

    EXE files are used way too much, so we can't use such generic blocking in any way.
     
  8. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    You need to disable the SCR rule when installing new screensavers, otherwise you won't be able to install them. Those that are already on your disk should work without any problems.
     