Endpoint Protection

  • 1.  McAfee Learning Experience

    Posted Apr 22, 2010 09:21 AM
    I'd like to talk about what happened to McAfee customers yesterday. As you may have read in the news, they released a bad antivirus definition that had effects similar to an Internet worm.

    http://isc.sans.org/diary.html?storyid=8671

    Given that Symantec has issued new recommendations (http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010020308592948) to increase the Bloodhound heuristics level from default to maximum, and that the timing/frequency of AV definition updates are controlled by the SEPM manager (unless you deploy a separate LiveUpdate server), what assurances do we have that running at the Symantec Security Response settings won't put entities such as ours at higher risk for this type of scenario?

    I'm already getting asked by management about this, and I feel like I've got my neck on the line because, to me, using the recommended Security Response settings puts us at further risk. So I see two arguments here: 1) multiple updates plus high heuristics could equal a higher risk of a bad definition experience or false positives; 2) multiple updates plus high heuristics means we have better protection and will get the "corrective definition that fixes the bad one" sooner rather than later.

    Thoughts?


  • 2.  RE: McAfee Learning Experience

    Posted Apr 22, 2010 09:35 AM
    For the past year I have run the heuristics on the highest settings. I've noticed two things:
    A. It doesn't really seem to detect anything more than it did
    B. I've not seen a false alert yet.

    I also run a script that downloads rapid release defs when I "see signs" of increased activity or "risk out there".
    I was running it 24/7, but decided to scale back and run it only sometimes.
    As far as the rapid release defs, I do believe they have saved a computer or two here over the last several months.

    It's risky, but so is under-protection. Computing on the Internet today is in itself a calculated risk.


  • 3.  RE: McAfee Learning Experience

    Posted Apr 22, 2010 09:39 AM
    First, I would test these settings until you can't test any more. Create a group in SEPM and move 15-20 clients into it and monitor.

    Second, I agree with both of your arguments. You'll have to figure out what works best for you by testing but I don't think there is any guarantee that something won't break. Hopefully Symantec catches something in their QA before releasing but to expect it to be tested against every product is not reasonable. We run so many different apps here, heck I consider it a miracle something hasn't happened. Also, you could choose to designate a test box to receive LUs before deploying into production.


  • 4.  RE: McAfee Learning Experience

    Posted Apr 22, 2010 09:52 AM
    What I used to do when I managed SAV at PFG:
    We downloaded new defs constantly, the newest possible. These defs went to a small pilot group in the company, and then later to the masses. There was about an hour delay between the two: pilot first, then an hour later a script would update everyone else.
    This allowed me to watch the helpdesk and other signs of trouble. No trouble, do nothing; trouble, then stop the script from updating everyone else if the pilot group had problems. A bit of work, but it ensured that some sample computers ran the new defs for a while before everyone else did.
    It did one time prevent a bigger problem. I was able to stop the push and roll back the pilot group, so the number of annoyed people was minimized.


  • 5.  RE: McAfee Learning Experience

    Posted Apr 22, 2010 10:00 AM
    ShadowPapa/Brian -

    I like both of your arguments. Risk assessment in this situation is definitely calculated. Also, testing is an interesting venture, although I'm not sure how much that would have helped unless you have a very homogeneous environment (as far as having the same OS SP level running across the network). I think that the bad definition updates had a propensity to affect XP3 machines more than XP2.
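The staged rollout described in replies 3 and 4 (a pilot group in SEPM that gets new definitions first, a soak period while you watch the helpdesk, then a script that updates everyone else unless the pilot shows trouble), combined with the point in reply 5 that the pilot only tells you something if it covers the OS/service-pack mix of the fleet, can be written down as a small controller. The code below is an added example and is not from any of the posters, Symantec or McAfee; the inventory, ticket counts and the `push_defs`/`rollback_defs` hooks are constructed stand-ins for whatever actually moves definitions in your environment (a SEPM group policy, a LiveUpdate server, a login script).

```python
"""Staged AV-definition rollout: stratified pilot, soak, promote or roll back.

Added example, not code from the thread or from any vendor. The push/rollback
hooks are hypothetical; replace them with your real distribution mechanism.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Host:
    name: str
    os: str    # e.g. "XP SP2", "XP SP3", "2003 SP2"
    role: str  # e.g. "workstation", "server"


# Constructed sample inventory (not real hosts).
INVENTORY: List[Host] = [
    Host("ws01", "XP SP2", "workstation"),
    Host("ws02", "XP SP2", "workstation"),
    Host("ws03", "XP SP3", "workstation"),
    Host("ws04", "XP SP3", "workstation"),
    Host("ws05", "XP SP3", "workstation"),
    Host("srv01", "2003 SP2", "server"),
]


@dataclass
class RolloutLog:
    """Record of what the controller did, for review after the fact."""
    events: List[Tuple] = field(default_factory=list)


def choose_pilot(hosts: List[Host], per_bucket: int = 2) -> List[Host]:
    """Pick pilot hosts so every (os, role) combination present in the fleet
    is represented. A bad definition that only bites one service-pack level
    (the XP SP3 case in the thread) is then visible in the pilot."""
    buckets: Dict[Tuple[str, str], List[Host]] = defaultdict(list)
    for h in hosts:
        buckets[(h.os, h.role)].append(h)
    pilot: List[Host] = []
    for key in sorted(buckets):
        pilot.extend(buckets[key][:per_bucket])
    return pilot


def push_defs(hosts: List[Host], version: str, log: RolloutLog) -> None:
    """Hypothetical hook: move these hosts to the group that receives `version`."""
    log.events.append(("push", version, tuple(h.name for h in hosts)))


def rollback_defs(hosts: List[Host], version: str, log: RolloutLog) -> None:
    """Hypothetical hook: put these hosts back on the previous definition set."""
    log.events.append(("rollback", version, tuple(h.name for h in hosts)))


def staged_rollout(
    hosts: List[Host],
    version: str,
    tickets_during_soak: Callable[[], int],
    baseline_tickets: int,
    max_ratio: float = 2.0,
    per_bucket: int = 2,
) -> Tuple[str, RolloutLog]:
    """Push to the pilot, soak, compare helpdesk volume against the normal
    level for that window, then either promote to the rest or roll back.

    `tickets_during_soak` stands in for a query against the helpdesk system
    after the soak period (about an hour in reply 4) has elapsed.
    """
    log = RolloutLog()
    pilot = choose_pilot(hosts, per_bucket)
    pilot_names = {h.name for h in pilot}
    rest = [h for h in hosts if h.name not in pilot_names]

    push_defs(pilot, version, log)
    observed = tickets_during_soak()
    if observed > baseline_tickets * max_ratio:
        # Trouble in the pilot: stop the wider push and undo the pilot.
        rollback_defs(pilot, version, log)
        log.events.append(("halt", version, observed, baseline_tickets))
        return "rolled_back", log

    push_defs(rest, version, log)
    log.events.append(("complete", version, observed, baseline_tickets))
    return "complete", log


if __name__ == "__main__":
    # Quiet soak window: 3 tickets against a baseline of 2 -> promote.
    state, log = staged_rollout(INVENTORY, "defs-2010-04-22", lambda: 3, 2)
    print(state, log.events)
    # Noisy soak window: 9 tickets -> halt and roll back the pilot only.
    state, log = staged_rollout(INVENTORY, "defs-2010-04-22", lambda: 9, 2)
    print(state, log.events)
```

The threshold is deliberately relative to a baseline rather than absolute: a helpdesk that normally sees two calls an hour and suddenly sees nine is the signal reply 4 was watching for, and the pilot is the only population that has been rolled back when the controller halts, which is what kept the number of annoyed users small in that story.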