Domain: mcafee.com
Stories and comments across the archive that link to mcafee.com.
Comments · 216
-
McAfee responds - by shutting down forum
Computerworld reports that McAfee has reacted to user complaints by shutting down their support forum. The forum seems to be back up now. That was an extremely dumb move to pull after the story was already in the New York Times, Business Week, and on TV.
Many frantic users in the forum. The big losers are the enterprise users who bought into McAfee's premium services, with automatic corporate-wide updating. There's no fully automatic, reliable fix yet for systems already damaged. In some cases, it's apparently necessary to bring in a new copy of "svchost.exe"; the one in quarantine is bad.
This points up a major risk to US computer infrastructure. Any program with remote update is potentially capable of taking down vast numbers of systems. Ones like McAfee or Windows Update, which deploy updates to all targets simultaneously, can cause widespread damage quickly. Remote updating by vendors may need to be regulated, as a public policy issue.
-
Re:Good thing I auto-update on Fridays!
Go to add/remove programs and uninstall it. If that doesn't work or it leaves shit behind follow this:
https://kc.mcafee.com/corporate/index?page=content&id=kb50602
Then, you will need to get something new.
-NOD32/eset has a long history of doing extremely well in most antivirus testing that I've read about. However, it is not free.
-AVG used to be an excellent free AV, then a mediocre one, then a malicious one, then mediocre again, and now I hear it is still improving.
-Avira has an excellent free AV that I have been using regularly since AVG started to slide downhill. The downside is an ad that comes up for the pay one when it updates.
-I have also heard some good things about Avast (free), Windows Security Essentials (free, shockingly), and Trend Micro (not free).
-
McAfee botching damage control
The story just hit ABC News, via the Associated Press: "McAfee Antivirus Program Goes Berserk, Reboots PCs" There are stories on the Huffington Post and NextGov. The story just broke into mainstream news in the last hour. It just hit the New York Times.
There's nothing on McAfee's home page about this yet. No items in their "News" or "Threat Center" or "Breaking Advisory" sections. There's supposedly a McAfee Knowledge Base article, "False positive detection of w32/wecorl.a in 5958 DAT", but their knowledge base site is overloaded. When it eventually loads, there's a download link to a patch. But there's nothing like an apology. All they say is "Problem: Blue screen or DCOM error, followed by shutdown messages after updating to the 5958 DAT on April 21, 2010."
McAfee has botched their damage control. They should be out there apologizing. Meanwhile, you can watch McAfee stock drop.
-
Re:Good thing I auto-update on Fridays!
http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe
McAfee Removal tool.
-
Re:IMPOSSIBLE
Most malware nowadays comes via vulnerabilities like exploits
Most malware these days is spread via social engineering. Go to a random AV vendor's site and look at the top ten viruses for Windows. At any given time, most of them will be worm/trojan combos that spread via social engineering. Checking McAfee's site right now, it looks like three of the top ten actually spread via exploits.
-
More than just IE
If you bother to RTFA (I must be new here, right?) you'll see that it wasn't JUST an IE zero-day that was used in the attack.
"While we have identified the Internet Explorer vulnerability as one of the vectors of attack in this incident, many of these targeted attacks often involve a cocktail of zero-day vulnerabilities combined with sophisticated social engineering scenarios." - George Kurtz
So IE is partially to blame, but you can't just say that this is MS's fault.
-
More ironic
What is even MORE ironic is the whitepapers page http://mcafee.com/us/threat_center/white_paper.html that links to the article saying that Adobe Reader is going to be an upcoming threat in 2010, ALSO links to Adobe Reader!
-
Re:Mistype
And while we're at it, how about a link to the actual report? (warning: PDF)
Do people really still fear PDFs? I can't believe Acrobat Reader is still so utterly utterly broken out of the box when every single other PDF reader will open a PDF more or less instantaneously.
-
Re:Mistype
While I can believe that .cm is a mistype for .com, what about .co, .con, .om? They don't seem to be high risk websites. I also bet that .con is a more common mistype than .cm
It hardly matters. What many of the press reports (including El Reg) seem to ignore is the second most risky TLD in the world: .com.
I'll bet you dollars to donuts that, because of the size and popularity of the TLD, .com is significantly more of a threat to the average Internet user than .cm.
And while we're at it, how about a link to the actual report? (warning: PDF)
-
Re:Not new. Not Interesting.
If Linux malware is unheard of, why does McAfee sell LinuxShield?
The question isn't why they sell it, but why customers buy it, and that is most likely for "Benefit" 4:
LinuxShield protects Microsoft Windows systems by blocking Microsoft Windows viruses from passing through the Linux environment
-
Not new. Not Interesting.
If Linux malware is unheard of, why does McAfee sell LinuxShield?
Anyway, people have been releasing internet-wide UNIX malware for at least 21 years.
-
Re:From Experience
Right. A big problem is that 75% of US utilities use a protocol called DNP, which has been around since 1990 and has no security whatsoever. DNP is often transported over IP networks, ones which are hopefully not connected to the Internet. There's a secure version of DNP, with cryptographic authentication (not encryption) but it was only standardized last year and is still in test.
DNP is a master/slave system; there's a "master station" which makes all the decisions, and slave devices which report and obey. It's not really very distributed. That's a relatively simple situation to secure, and even that isn't widely implemented. Systems where there are multiple nodes making decisions don't fit the DNP security model well.
Here's a worrisome diagram. Windows machines on a LAN which can get to a power company's SCADA network, connected to the Internet through McAfee Firewall Enterprise Edition boxes.
-
Re:Privacy
Why hell yes, they do.
In my brief six month stint in working as a phone agent for one of the Devils of the Internet, they rolled out their branded copy of McAfee. End Users, having been scared into clicking NO to anything asking if they trust something, would manage to block themselves off from their high speed connection except in Safe Mode, where most of the time, McAfee would sod off long enough to let them get online to get the McAfee Removal Tool (affectionately named MCPR2.exe).
One run of this util later, their connections suddenly worked again, and they stopped screaming that their "internets are down".
It was fun times.
-
Host-Based Detection
-
Re:It's very entertaining.
McAfee has a removal tool to clean up after itself. I can't personally say it's complete but I know it does get things that a normal uninstall misses.
-
Re:I have seen these before,
I've seen this pop up before... On my roommate's computer. It appears a lot like a Windows Vista secure desktop warning by taking up the whole screen with a darkened border. The message follows a format that looks a lot like other Vista menus and messages. To the user, it doesn't look like it's a message from the website... But rather from Windows.
I could easily see how most people could click the screen (literally anywhere) where it asks to download a fix called "install.exe." Plus, if you are one of the poor users who uses the terrible AV solution, that seems to have an agreement with anyone with a large user base, you're totally screwed because this virus seems quite effective at knocking it dead out.
I'm more concerned with the fact that this is popping up in what are normally quite trustworthy sources. I was initially afraid that Yahoo had sold out, it just seems like they got the same treatment as the NYTimes. This speaks more to the vulnerabilities of the webservers that are hosting these sites to me. Does anyone know what platform they're sitting on? I'd like to know if there's a hole out there that I should concern my company with... I'm totally serious.
-
Re:My Solution
Yeah you can.. Download the dats manually and run them:
http://www.mcafee.com/apps/downloads/security_updates/dat.asp?region=uk&segment=medium
-
Re:Not in my web browser
-
Re:Not in my web browser
-
MacAfee Finds Way to Market Product as Green!
Imagine if every inbox were protected by a state-of-the-art spam filter. We could save about 75% of the spam energy used today - 25 TWh per year; that's like taking 2.3 million cars off the road.
My God! That is fantastic! If only we had the option to purchase a "state-of-the-art spam filter!" Wait, I know! McAfee, the people who sponsored and paid for this research, have SpamKiller! It's perfect.
Although I can't access the PDF (download hangs), could you please direct me to the part of the 'research' where you analyze the amount of energy used to perform complex computational functions on tokens from e-mails against a database. And prove that this is less than the energy wasted flipping through e-mails and deleting spam? I mean, the network usage is going to be the same so ... that would have to be some pretty impressive and efficient Bayesian filtering with an amazing database technology to drop below viewing and deleting e-mails.
And maybe you could factor in the cost and subscription to said state-of-the-art spam filter?
What? You didn't include that analysis in your research? It sounds like a very crucial part of convincing me to acquire a state-of-the-art spam filter. You missed that part?
You don't say.
-
Re:TrueCrypt or Wait for On Drive Upgrades
Truecrypt is not the solution you're looking for. For starters, management won't buy into it because Truecrypt does not have key escrow. Nor does it have any sort of auditing or compliance features, which will be vital in a corporate setting. (For ill or good is a matter of opinion, but the reality is reliable reporting is the key between having a stolen laptop be reported as a property loss, or having to spend thousands on investigating what data was on the laptop, and if there is any chance that PII was on the device, sending out warnings.)
Which means that you'll have to look into other products. Everything is expensive, to varying degrees of expensive. Some solutions are:
Both products work with Seagate's Momentus FDE.3 drives, and will software encrypt non FDE drives.
McAfee also offers the ability to lock out USB devices from running on computers (as does a product called Sanctuary, but if you go McAfee, just bite the bullet and use one provider)
As far as speed differences: The Seagate FDE (a SATA drive) on my laptop (a Dell D620 (1.8Ghz)) is faster, even with the WinMagic management software installed, than the (unencrypted) PATA drive on my Dell GX620 (a 3.0ghz Pentium D). In general you can expect a 10-15% performance decrease with software encryption. How much this affects the user will depend on what they do. The only real way to know is to test.
-
Re:Oh Shit
-
Big Brother gets to examine all your files
Here's McAfee's explanation of how it works:
- A user receives a file that the scan agent deems suspicious (for example, an encrypted or packed file) and for which there is no signature in the local .DAT database.
- Using McAfee Artemis Technology, the agent sends a fingerprint of the file for instant lookup to the comprehensive database at McAfee Avert® Labs.
- In less than a second, if the fingerprint is identified as known malware, an appropriate response is sent to the user to block or quarantine the file.
In other words, every time you download a binary file, McAfee HQ knows about it and logs it. Was this dreamed up by the RIAA, the NSA, or the anti-child-porno people?
-
They *don't* do online analysis
From the article:
If enough is known about how the malware is behaving to know that it is suspicious, [we will] fingerprint the file and send it in the cloud to AvertLabs so we can look at it, provide people a piece of protection and send it immediately back to them.
They only match the fingerprint (probably a set of some hashes) against an online database and, if there is a match, the "fix" for that malware is downloaded and executed.
Nothing "magic" here, it's just an online signature database.
See http://www.mcafee.com/us/enterprise/products/artemis_technology/index.html
If they actually *did* online analysis, as the article suggests, just sending the alleged malware would potentially violate copyrights/NDAs/etc.
Not to mention that automated online analysis of unknown malware is a very difficult problem.
-
Re:Richard Stallman Says...
I don't know, viruses haven't been so kind for a while now. As an example, ten years ago there was this virus from '98 that intended nothing but harm to the infected computer. It would trash the hard drive and attempt to flash the BIOS to make your computer unbootable. Nowadays the viruses seem to be more about making money than inflicting damage.
-
Re:Link to Spam diaries
Maybe. But Mcafee directs readers to this link which is redirected to the site I mentioned
-
McAfee Virus Profile
McAfee still has it "Low-profiled:" http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=142518
-
Re:I don't get it
"They have a very simple solution, then, don't they? Do their own graft, write their own damn software, and stop freeloading off the community."
Your understanding of the issues involved seems pretty close to zero. They are not "freeloading off the community", they are supporting Linux.
The problem is simply that in order to write software that interacts with Linux at the low level they need to interact, they need to use code that defines how Linux processes some things internally. There is no choice -- to support Linux, they need to use that code.
No, they are not 'supporting Linux'. Nothing in the McAfee statement says anything about Linux - the whole Linux angle is a fantasy dreamed up by trolls here on Slashdot.
McAfee do produce a 'virus scanner for Linux', but this is not 'supporting Linux', it's snake oil. Its blurb says:
McAfee LinuxShield(TM) offers continuous on-access scanning for superior protection from the growing number of viruses, worms, and other malicious code targeting Linux systems....
So how big is this 'growing number'? Null, nil, zilch, none, zero. No single Linux virus has ever been found in the wild. Which isn't surprising, given the heterogeneity of the Linux computing environment, the openness and general security of Linux kernel level code, and the practice of not allowing user-level code to run as root. So McAfee are selling a cure for a disease which does not exist. Oh - yes - the 'virus scanner for Linux' does scan for Windows viruses on Linux systems.
These people are people who make their living out of malicious software. If malicious software goes away, their business dies. So of course they're spreading FUD about open source software. You'd expect them to.
But even if all this were not so, even if McAfee's Linux products were actually useful for something, McAfee is a member of the Business Software Alliance, and have strong views on software piracy. They say, 'Software piracy is the illegal distribution and/or reproduction of software'. It is illegal to distribute GPL'd software without the full source code of what it is linked to. McAfee can't pick and choose which software the law applies to - either it applies to no software at all, or it applies to all software. If they are using GPL software without abiding by the terms of the license, then they are 'software pirates' (and on an epic scale). They cannot have it both ways.
-
Re:I don't get it
1) #include is just a way to include one file in another during compilation. Whether the result is a derived work of the header file is a complex question. There are certain cases that are quite clear and certain cases that are not so clear. One tricky case is Linux kernel modules.
I don't know what you mean by "create your own header file using part of it". When you #include a header file in a code file, the compiled code uses parts of the header file. The question is whether the compiled code is a derivative work.
2) You seem confused about how the GPL applies. The GPL applies when you distribute a derivative work of a work that is licensed under the GPL. I can't understand what you mean by "include GPL source code to create your code".
McAfee's kernel modules #include kernel header files. If they are derivative works of the Linux kernel, then they become subject to the GPL. Nobody can answer this question with certainty because there is no good case law and the laws themselves are not crystal clear.
3) McAfee most certainly does produce or sell products for Linux, otherwise there would be no issue. The issue is about the code they use to scan files as they are used on Linux boxes.
http://www.mcafee.com/us/enterprise/products/anti_virus/file_servers_desktops/linuxshield.html
The issue is about their Linux kernel modules. McAfee has been trying to get a stable kernel interface so that they don't need to include kernel header files, but for various reasons, this has not happened.
IMO, McAfee can make a strong showing that they took only what they had to take out of engineering necessity. This would mean that their work is not a derivative work. (See, for example, Lexmark v. Static Controls.)
-
Re:I don't get it
"And no, I don't believe they are using GPL code. That's not what this is about. They are afraid of their (important) customers demanding McAfee support GPL products."
So they've been faking all their posts to the Linux kernel group? And, of course, this page must be a hoax:
http://www.mcafee.com/us/enterprise/products/anti_virus/file_servers_desktops/linuxshield.html
Damn, they're good.
-
What this is about
So as far as I can tell, here's what this story is actually about:
McAfee makes a virus scanner for Linux. Presumably the "on-demand" scanning uses a closed-source kernel module. Some kernel developers (i.e. copyright holders) assert that it violates the GPL to distribute closed-source kernel modules (although NVIDIA's and ATI's lawyers presumably disagree). This has never been tested in court. If one of the kernel copyright holders decided to litigate and won, then McAfee might have to stop selling their product, or significantly alter it. Since there is a risk of this happening, they are required to disclose it to investors.
-
Re:Since when do software licenses...
Nah, I would guess it more likely has to do with the various McAfee appliances (i.e. Messaging or Web Security). They could be using GPL code (such as a modified kernel and TCP/IP stack, or portions of some other OSS package).
-
Re:How many times?
No anti-virus software whatsoever? Are you talking about simple-minded myths?
http://www.symantec.com/nav/nav_mac/
http://www.mcafee.com/us/enterprise/products/anti_virus/file_servers_desktops/virex.html
http://www.clamxav.com/
That's off the top of my head - there may be more, but that's the big three...
-
RTFR!
Argh. The report (possible sign-in required) DOES NOT say that the US is conducting cyber-espionage activities. (Note: the linked-to article in the parent points to the 2005 report) It does say that there are an "estimated 120 countries working on their cyberattack commands," which is quite different from actually being involved in espionage.
(Note that I'm not asserting that the US is not conducting electronic espionage. I would hope that we are. Heck, we did electronic espionage long before the internet; why should we stop now?)
-
Re:It's the AntiVirus companies fault
I think it's the ISP's fault, or more exactly their problem. The only way you will get Joe Sixpack to install and update an AntiVirus program is if it's free and automatic. Comcast, at least, provides security software for its subscribers. They still have to take the initiative to go download it, however...
-
Re:New Update since I submitted this yesterday
Most everyone hates botnets, but no one wants to actually do anything about it. I commend them for actually doing something about it.
Congratulations on doing the wrong thing about it. But I guess the appearance of action is better than a wise and considered inaction.
In case you didn't know, botnets don't use static IRC services for command and control any more. (http://www.mcafee.com/us/local_content/white_papers/threat_center/wp_vb2006_myers.pdf) (http://honeyblog.org/archives/32-Steganography-in-Botnet-Command-Control.html) (http://www.securityfocus.com/news/11473).
This unsanctioned action by the ISPs is simply fighting the last war with untargeted dumb weapons. The only thing they're accomplishing is collateral damage.
-
Re:Why?
Software firewalls are hardly performance hogs.
You've obviously never used Norton Internet Security 2007 or McAfee Internet Security Suite 2007.
-
Re:But will they be cheaper?
Maybe an aliened version of this.....
http://shop.mcafee.com/Products/LinuxShield.aspx?CID=6005&WT.mc_id=semd|ggl|us_SMB_Linux_en|s4A7|s
-
Re:ISPs most likely to be hit
it also helps if you design the code based on security from the beginning instead of attempting to bolt-on security like it's another feature when it definitely isn't.
Or "letting the market handle it" by allowing your company's incompetence to effectively subsidize a third-party industry possessing only marginally more competence.
-
The whole article appears to be FAKE
Because, you see, http://mcafee.com/ doesn't even mention that this has happened, either. The McAfee site search returns empty results. Besides, Google searches on `nordea mcafee` and `nordea robbery` also didn't return anything comprehensive. Did a McAfee contact whisper it secretly in the ZDNet editor's ear?
-
What you are missing is called CLUE
The vast majority of the virus scanning/blocking software is THIRD PARTY, as is much of the spyware detection software. For your reference:
http://www.symantec.com/
http://www.mcafee.com/
-
Re:In other news
Symantec said that it will release an edition of Norton Anti-Virus for OSX which detects viruses for Windows.
That is exactly what the current OS X anti-virus solutions do. Like the anti-virus software that Microsoft requested for FreeBSD (back when Hotmail was running on non-windows OSes), the primary purpose of the OS X solutions is to contain threats that might target Windows. i.e. A Mac might not be able to be infected, but it could be an accidental carrier. Having solutions like McAfee Virex available gives Technology VPs a warm and fuzzy feeling about taking proactive steps toward protecting their networks.
[...]
Strike that last sentence. It sounds too much like market-speak.
-
Maybe they'll promote George Kurtz?
George Kurtz would be a good internal CEO replacement candidate.
-
Re:McAffee: instead of complaining, support Linux!
They do:
http://www.mcafee.com/uk/enterprise/products/anti_virus/file_servers_desktops/linuxshield.html
They also can epo manage these in a corporate environment.
-
Link to the ad
-
Re:McAfee, Symantec living on borrowed time
They *aren't* stopping the need for this software, just making it harder for the competition.
Windows OneCare is not built into Windows Vista and must be bought separately. You can thank Symantec for that. The only thing that is integrated into Vista is Windows Defender, which the AV companies will probably sue MS over, and I can bet that both OneCare and Defender use the same protocol that MS is telling the AV vendors to use.
As For The Competition that MS is trying to "Screw"...
Trend Micro runs on Vista
Computer Associates runs on Vista
Avast runs on Vista
Sophos Runs on Vista
AVG Runs on Vista
Mcafee runs on vista
Symantec runs on vista
-
The ad online
You can find the ad on mcafee's homepage. http://www.mcafee.com/us/local_content/misc/vista_position.pdf