Tag Archives: McAfee

Ransomware updates

(1) Raj Samani, Chief Scientist at McAfee, describes an attempt to explore the motivations that drive ransomware gangs: Why ransomware? Let’s ask the bad guys

Perhaps the most useful and interesting fact to emerge from these exchanges is that ‘1 in 3 of the email addresses were fake/non-existent [implying] that almost one third of ransomware could potentially be pseudo since the promised ‘helpdesk’ does not even exist.’

(2) Bleeping Computer reports the arrest of five Romanian distributors of spam associated with the CTB-Locker and Cerber ransomware families: Five Romanians Arrested for Spreading CTB-Locker and Cerber Ransomware

David Harley

Breaking news: Intel Buys McAfee

Intel announced today that it has bought out McAfee, http://mcafee.com/us/about/intel_mcafee.html

It’s definitely a time of consolidation in the industry, and this is an interesting move on the part of a player that hasn’t so far gotten its feet wet in the software security arena (although Intel Capital has invested in other AV companies such as AVG).

What this means for consumers could be interesting, as the AV could be much more closely tied to the processor architecture.
Anyway, congratulations to all my friends at McAfee; next time we meet, the drinks are on you.

Andrew Lee CISSP
AVIEN CEO / CTO K7 Computing

Update 20/08/2010: Of course, I neglected to mention that Intel did of course have an AV product called LANDesk some years ago, that was bought by Symantec, so Intel isn’t totally new to this game.

That False Positive: the Real Positive

If you’re expecting me to try to capitalize on the misfortunes of McAfee (and more so of its customers) because I work for another vendor, boy, are you looking at the wrong blog. This is yet another case of “there but for the grace of God…”: no vendor is immune to false positives, and while we would all like to achieve the goal of 100% detection with 0% false positives, it isn’t achievable: not with antivirus, not with any of the panaceas du jour that are already being touted in some quarters, not with any other operating system that you may happen to prefer to any of Microsoft’s. That’s a technical issue, and no amount of shouting “this shouldn’t happen” and suggesting that red-hot pokers should be thrust into McAfee’s collective eyes will change it.

Any honest researcher will acknowledge that there is a constant, unavoidable trickle of false positives that mostly go unnoticed. Unfortunately, every so often a false positive will cause enough damage to cause a PR disaster. Most of us have been there, and those who haven’t surely will.

This does not mean at all that I aim to trivialize the impact of an event like this on the customers who are affected by it. But the measure of a vendor’s worth isn’t whether it generates a false positive, or whether it offers a convincing auto-da-fé before being burned at the stake on a fire fed by its own product packaging, but what positive act of remediation it responds with.

There is plenty of comment around demonstrating the impact of this FP on McAfee customers, and while I suspect that some of it will be seized on with the intention of proving that the AV industry is staffed with incompetents and worse – it isn’t (in general)! – that doesn’t mean that the community at large doesn’t have a right to know what happened.

What I’m not seeing is acknowledgement that McAfee have made strenuous attempts to offer help to people and companies affected by this issue, and pointers to those attempts. The company did what any responsible company would do: it withdrew the update as soon as it became aware of the problem, and generated an amended update as quickly as possible. I don’t see corporate spin here: I see a company concerned with limiting the damage to its customers, not just to its own reputation.

So here are a couple of pointers and some relevant extracts.

http://us.mcafee.com/en-us/landingpages/npdatupdate.asp?cid=77151 offers a quick guide to remediation for consumers.

http://siblog.mcafee.com/support/mcafee-response-on-current-false-positive-issue/ 

Corporate Customers
– These entries in our virus information library and the knowledge base provide workarounds for this issue for corporate customers
– Customers are discussing the issue in our online support community

Consumers
– This support page provides information for impacted consumers
– Consumers are also discussing the topic in the online community

http://siblog.mcafee.com/support/a-long-day-at-mcafee/ 

“If you are an enterprise/corporate account, and you have an issue these entries in our virus information library and the knowledge base provide workarounds for this issue. If you are a consumer and have an issue, this support page provides information for impacted consumers or call +1 866 622 3911. We have teams of people standing by to help. (To contact McAfee by phone in your region, go to the “Contact Us” page on our Web site and select your country for the correct number.)”

The essential steps are:

  • checking that the defective DAT is not installed
  • if it is, and the machine is stuck in the boot loop, booting into Safe Mode to remove the defective DAT and then restoring svchost.exe from quarantine or replacing it with a known-good copy

The McAfee knowledgebase article at https://kc.mcafee.com/corporate/index?page=content&id=KB68780 also refers.
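A read-only pre-check for the two steps above, added here as an example; it is not code from the original post or from McAfee. It assumes the VirusScan Enterprise 8.x AVEngine registry key and its AVDatVersion value (where VSE records the installed DAT, to be confirmed for your product and version), takes the defective DAT number as a placeholder parameter because this page does not name it, and checks that svchost.exe is present and carries a valid Microsoft signature rather than trusting its presence alone.

```powershell
# Added example, not from the original post or from McAfee. Read-only checks only:
# it reports whether the flagged DAT is installed and whether svchost.exe is intact,
# and leaves the actual remediation to the KB article.
#
# ASSUMPTIONS:
#  - $DefectiveDat is a PLACEHOLDER; the page does not give the DAT number. Take it
#    from the McAfee KB article before running.
#  - HKLM\SOFTWARE\McAfee\AVEngine\AVDatVersion is the VSE 8.x location of the
#    installed DAT number (checked in both 32- and 64-bit registry views). Other
#    McAfee products record it elsewhere.
param(
    [int]$DefectiveDat = 0   # PLACEHOLDER: DAT number named in the KB article
)

function Get-InstalledDatVersion {
    # Return the installed DAT number, or $null if no VSE AVEngine key exists.
    $keys = @(
        'HKLM:\SOFTWARE\McAfee\AVEngine',
        'HKLM:\SOFTWARE\Wow6432Node\McAfee\AVEngine'
    )
    foreach ($k in $keys) {
        $v = Get-ItemProperty -Path $k -Name AVDatVersion -ErrorAction SilentlyContinue
        if ($v) { return [int]$v.AVDatVersion }
    }
    return $null
}

function Test-SvchostIntact {
    # svchost.exe is the file the bad DAT quarantined. Confirm it exists in System32
    # and that its Authenticode signature verifies; a file that is merely present could
    # still be a damaged or wrong copy.
    $path = Join-Path $env:SystemRoot 'System32\svchost.exe'
    if (-not (Test-Path $path)) {
        return [pscustomobject]@{ Present = $false; SignatureValid = $false; Signer = $null }
    }
    $sig = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Present        = $true
        SignatureValid = ($sig.Status -eq 'Valid')
        Signer         = $sig.SignerCertificate.Subject
    }
}

# Step 1: is the defective DAT installed?
$dat = Get-InstalledDatVersion
if ($null -eq $dat) {
    Write-Output 'No VSE AVEngine key found; the DAT check does not apply to this host.'
} elseif ($DefectiveDat -gt 0 -and $dat -eq $DefectiveDat) {
    Write-Output "Installed DAT $dat is the flagged release; follow the KB remediation."
} else {
    Write-Output "Installed DAT $dat is not the flagged release (placeholder: $DefectiveDat)."
}

# Step 2: is svchost.exe present and signed?
# Caveat: on older Windows releases system binaries are signed via catalog files,
# which this cmdlet may report as NotSigned. Treat that as "verify by other means"
# (e.g. sfc /verifyonly), not as proof that the file was replaced.
$svc = Test-SvchostIntact
if (-not $svc.Present) {
    Write-Output 'svchost.exe is missing from System32: restore it from quarantine or from a known-good copy, from Safe Mode if the machine will not boot normally.'
} elseif (-not $svc.SignatureValid) {
    Write-Output "svchost.exe is present but its signature did not verify (signer: $($svc.Signer)); verify the file before trusting it."
} else {
    Write-Output "svchost.exe is present and validly signed by: $($svc.Signer)"
}
```

Run it from an elevated PowerShell prompt once the machine boots (Safe Mode is sufficient for the registry read); the DAT check is skipped with a message on hosts that do not carry the VSE key, so the same script can be pushed to a mixed fleet without false alarms.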

David Harley FBCS CITP CISSP
AVIEN Chief Operations Officer
Mac Virus
Small Blue-Green World
ESET Research Fellow & Director of Malware Intelligence

Also blogging at:
http://www.eset.com/blog
http://macvirus.com/
http://smallbluegreenblog.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/
http://dharley.wordpress.com
http://chainmailcheck.wordpress.com
http://amtso.wordpress.com