Andrew Berges

Configuration Manager, Security, and other musings from a self-confessed IT geek.

July 2006 - Posts

McAfee VirusScan Enterprise 5100 Engine Released
As posted on the McAfee engine-beta mailing list:

I apologise for the delay of this message; we have experienced some issues posting the various Engine packages, which are still in the process of being resolved. However, I'm pleased to announce that the 5.1.00 AV Engine has concluded its beta cycle.
The Windows version of the 5.1.00 Engine has been released in an Engine-only SuperDAT.  In approximately 4 weeks time it will be incorporated into the normal SuperDAT and placed on the FTP site and the default McAfee MAA repositories.
The 5.1.00 Windows and Unix command line scanners are available via the main McAfee download.
The 5.1.00 version of the Netware Engine is still undergoing testing and will be released in the mid August timeframe. The main McAfee Beta site reflects this by having a hyperlink to the Release Candidate version of this Engine and the Beta forum will remain open for discussion until this Engine has been fully released.
Could you please ensure that you remove all Beta and Release Candidate versions of the engine prior to upgrading to the official release code. In order to do this please review the guidelines below.
McAfee Engine Beta Team
The following text aims to provide scenarios and highlight potential pitfalls for upgrading from the 4.4.00 or pre RTW 5.1.00 Engines.

How to deploy the 5.1.00 Engine update effectively.
Note that it is expected that the 5.1.00 Engine will be rolled into the main update site & all update packages approximately 4 weeks after the release of the Engine Only SuperDat package.
On the release of the 5.1.00 Engine only SuperDat package the following changes will also occur:
An ePO 3.x deployable 5.1.00 Engine-only package will be released. This is so that the 5.1.00 Engine can be added to the ePO 3.x repository, or to a stand-alone MAA installation.
Update Scenarios:

1. Not using ePO, Not using local MAA, Not Using CommonUpdater Site.
    Update the engine locally using the Engine-only SuperDat package.
    This will require a force (/F) option if you're running a pre RTW 5.1.00 Engine and it will also require a minimum of 4777 Anti-Virus definition (DAT) files too.

2. Not using ePO, Not using local MAA, Using the CommonUpdater Site.
    Update the engine locally using the Engine-only SuperDat package (as in 1. above).

3. Not using ePO, Using local MAA.
    Download and check-in the Engine-Only ePO package into your MAA installation and follow the product user guide as normal.

4. Using ePO 3.x
    ePO 3.x has an integrated MAA repository with additional functionality compared to stand-alone MAA.
    Download and check-in the Engine-only ePO package to roll out to your client machines.
    Note: ePO 3.x has the option of checking these packages into one of three branches - Current, Previous & Evaluation. This means there are more options for deploying the 5.1.00 Engine.
    If the Engine is checked-in to the current branch and providing the ePO agents have default "update" settings, the 5.1.00 Engine will be updated on all client machines.
    If you do not want to rollout to all client machines immediately, please check the package in to the evaluation branch and change the ePO agent "update" settings so the relevant update option (SuperDAT or Engine) is using the evaluation branch.
    Once satisfied with the 5.1.00 Engine, check the package into current and reset default agent "update" settings to current.
    Make sure you have configured an Agent Update task when changing agent settings.
Wireshark Vulnerability
As reported by SANS-ISC, Wireshark (the newly-rebranded Ethereal packet sniffer) "announced yesterday that there is a vulnerability which could cause it to crash, use up all available memory, or potentially execute arbitrary code."

Might want to upgrade.

McAfee Common Management Agent Vulnerability
For anyone administering an ePO environment that hasn't already moved to the 3.5.5 agent, here's quite a good reason to do so.

Vulnerability Details:

A security vulnerability exists in McAfee Common Management Agent. A successful exploit of the security flaw would allow an attacker to place arbitrary files on the machine running the indicated software.  These files would not be limited to a specific location on the machine, and an attacker would be able to place a file in an arbitrary location. In order to accomplish this exploit, an attacker would have to have network access to the client machine and manage to construct a message consisting of proprietary information. The attack is quite complicated and requires several steps of reverse engineering of the software as well as the communication. The flaw will allow for substitution of the update package with arbitrary files. The update mentioned does not allow improper files to be written to disk and provides validation of the packages, and individual files.
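The advisory describes two things the fixed agent now refuses: an update package whose files have been substituted, and files that land outside the intended install location. The check below is an added example of that kind of package validation (not McAfee's code or protocol); the manifest format, the HMAC stand-in for the vendor's signature, the key and the sample files are all constructed for illustration.

```python
import hashlib
import hmac
import json
import posixpath

# Assumed, illustrative signing key. A real repository signs its manifest
# with its own key and format, which this example does not reproduce.
SIGNING_KEY = b"example-repository-key"

def sign_manifest(manifest: dict) -> str:
    """Keyed MAC over the canonical manifest JSON (stands in for a vendor signature)."""
    blob = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(SIGNING_KEY, blob, hashlib.sha256).hexdigest()

def verify_package(files: dict, manifest: dict, signature: str) -> list:
    """Validate a received update package before any file is written to disk.

    files    -- {relative path: bytes} as received over the network
    manifest -- {relative path: sha256 hex} published by the repository
    Returns a list of rejection reasons; an empty list means the package is good.
    """
    problems = []
    # 1. The manifest itself must be authentic, or the attacker just ships a new one.
    if not hmac.compare_digest(sign_manifest(manifest), signature):
        return ["manifest signature mismatch"]
    # 2. Every file in the package must be listed, and every listed file present.
    for path in sorted(set(files) - set(manifest)):
        problems.append(f"unexpected file not in manifest: {path}")
    for path in sorted(set(manifest) - set(files)):
        problems.append(f"listed file missing from package: {path}")
    # 3. Each file must stay inside the install directory and match its hash.
    for path, data in files.items():
        norm = posixpath.normpath(path.replace("\\", "/"))
        if norm == ".." or norm.startswith(("../", "/")) or ":" in path:
            problems.append(f"path escapes install directory: {path}")
        if path in manifest and hashlib.sha256(data).hexdigest() != manifest[path]:
            problems.append(f"content hash mismatch: {path}")
    return problems

# Constructed sample package; the names and contents are not real product files.
GOOD_FILES = {"engine/scan.dat": b"definitions v1", "engine/engine.bin": b"engine code"}
MANIFEST = {p: hashlib.sha256(d).hexdigest() for p, d in GOOD_FILES.items()}
SIGNATURE = sign_manifest(MANIFEST)

if __name__ == "__main__":
    print(verify_package(GOOD_FILES, MANIFEST, SIGNATURE))  # []
    tampered = {**GOOD_FILES, "engine/engine.bin": b"replaced",
                "../../Windows/System32/x.dll": b"!"}
    print(verify_package(tampered, MANIFEST, SIGNATURE))
```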
McAfee PUP FYI for PsExec users...
I've been having issues with PsExec getting flagged as a Potentially Unwanted Program in my environment by VirusScan Enterprise, which has an exclusion for PsExec set via the ePolicy Orchestrator agent policy. 

I find this quite annoying, since I've got several scripts that depend on PsExec...

At any rate, the proper exclusion name used to be RemAdm-ProcLaunch, but apparently if you're using a more recent version of PsExec, you need to enter RemAdm-ProcLaunch!171.
VirusScan Enterprise 8.0i Patch 13 Released
Currently available for download from PrimeSupport

1.  ISSUE:
    Significant performance loss may be experienced by processes that frequently write data to the same file, usually an .INI or .LOG file, and usually multiple writes per second. The issue was only noticed after applying VSE80HF256301.
    RESOLUTION:
    The file system filter driver has been updated to resolve the issue.

2.  ISSUE:
    McAfee Installation Designer (MID) creates VirusScan Enterprise installation files that include a configuration change file (VSECFG.CAB). If also managed by McAfee AutoUpdate Architect (MAA), where a configuration change file is hosted in the repository, after a patch update the original configuration change file is installed and applied. Updating from the MAA repository again does not reapply the newer configuration change file.
    RESOLUTION:
    After this Patch release is installed, the most recent configuration change file (.CAB file) is applied.
    If VSECFG.CAB has been deleted, it is created and the settings applied when a Patch is installed.

3.  ISSUE:
    Access Protection rules that contain references to a drive letter may not work on Dynamic Disk volumes.
    RESOLUTION:
    The file-system filter driver has been updated to resolve this issue.

4.  ISSUE:
    Installing Patch 12 to systems where Patch 11 was installed could result in a successful patch installation, although the product still shows Patch 11 is installed.
    RESOLUTION:
    This release ensures that updating systems with Patch 11 will show that Patch 13 is installed after successful installation.

5.  ISSUE:
    Where the ScriptScan module, SCRIPTPROXY.DLL, was unregistered, or disabled after Hotfix 241572 was applied, the patch installation would reregister SCRIPTPROXY.DLL.
    RESOLUTION:
    This release does not register the ScriptScan module.

6.  ISSUE:
    Patch installations via ePolicy Orchestrator or Protection Pilot, where the Patch failed to install on the end node, would not make further attempts to install. The installation detection script would write a registry value confirming the Patch was installed before installation had completed.
    RESOLUTION:
    The installation detection script used by ePolicy Orchestrator and Protection Pilot now writes a registry value confirming the Patch is installed when the installation is completed.

7.  ISSUE:
    Detection alerts from the Cookie Scan feature can be of sufficient number to cause concern.
    RESOLUTION:
    Alerts for cookie detections can now be disabled by adding a dword "bCookieAlerts" to the registry key HKLM\Software\Network Associates\TVD\Shared Components\Alert Client\VSE, and setting the value to "0" zero. This release does not add the value.

8.  ISSUE:
    Where the Anti-Spyware Module was checked into an ePolicy Orchestrator or Protection Pilot repository, after a current Patch was installed the module would attempt to install repeatedly.
    RESOLUTION:
    This is resolved by HotFix MASE80HF273746 included with this release. See also "Known Issues" number 1.

9.  ISSUE:
    Local tasks would fail to run at the scheduled time if created after Patch 12 or later was applied. The corresponding task configuration file was being modified with incorrect data.
    RESOLUTION:
    This release ensures the task configuration files contain correct data.
    If you already have Patch 13 installed and are experiencing this issue, contact McAfee Support for HotFix 280107.

I believe this is a complete set of issues also resolved by Patch 12 (never released) and included in Patch 13, although I compiled it myself, so it could be subject to error:

42. ISSUE:
    The user interface option that allows you to password-protect the "On-Access Scanner: Detection" page mistakenly protects both the On-Access Scan "Detection" and On-Access Scan "Set Exclusions" property pages. A user could not add exclusions.
    RESOLUTION:
    Choosing to protect the "On-Access Scanner: Detection" page from the "User Interface Options" now protects only the On-Access Scan "Detection" page.

43. ISSUE:
    A delay in responsiveness of the script engine would occur when executing scripts sequentially.
    RESOLUTION:
    Scripts terminate correctly, allowing the script engine to respond to subsequent script commands.

44. ISSUE:
    An "Access denied" error appeared in an application that used the "delete-on-close" flag when working with temporary files. The file system filter driver would lose track of the "delete-on-close" flag.
    RESOLUTION:
    The updated file system filter driver resolves this issue, allowing temporary files to be utilized as expected.

45. ISSUE:
    Null entries are seen in the ePolicy Orchestrator database under the severity field due to the VirusScan Enterprise 8.0i extended NAP file.
    RESOLUTION:
    The extended NAP file has been modified to correctly handle the severity field.

46. ISSUE:
    When disabled, the ScriptScan feature will remain registered and still handles VB Script and Jscript operations, even though it is not scanning.
    RESOLUTION:
    When the ScriptScan feature is disabled, the component is unregistered, and when enabled the feature is registered.

47. ISSUE:
    The error "Access Denied" is seen when accessing a remote share. This can occur when user profile information is redirected by a Microsoft Windows group policy object, and the user tries to save a file to their "My Documents" folder.
    RESOLUTION:
    The issue has been resolved in the updated common scan components.

48. ISSUE:
    In environments using Distributed File System shares, a noticeable increase in network traffic activity may be experienced.
    RESOLUTION:
    The file system filter driver has been updated to resolve the issue.

49. ISSUE:
    During shutdown the VSTSKMGR.EXE process may crash with an error similar to "VSTSKMGR.EXE – the exception privileged instruction 0x00000096 occurred in the application at location 0x0012e80d."
    RESOLUTION:
    An update to VSTSKMGR.EXE, the McTaskManager Service, resolves the issue.

50. ISSUE:
    After applying VirusScan Enterprise 8.0i Patch 11, when a system resumes from the hibernation power saving state, the on-access scanner may be paused.
    RESOLUTION:
    The on-access scanner is now correctly enabled when the system resumes from hibernation.

51. ISSUE:
    A vulnerability exists in the Common Management Agent (CMA) where an unexpected file can be run with system privileges. Communication between the VirusScan Enterprise plug-in and CMA can be utilized as a mechanism to exploit this vulnerability.
    RESOLUTION:
    The VirusScan Enterprise plug-in, VSPLUGIN.DLL, has been updated to prevent the potential exploit.

52. ISSUE:
    When accessing some Japanese named files with a long filename, the on-access scanner service, MCSHIELD.EXE, could crash or cause the accessing application to stop responding.
    RESOLUTION:
    MCSHIELD.EXE has been updated to resolve this issue.

53. ISSUE:
    The memory scan feature of an on-demand scan did not detect potentially unwanted programs that were resident in memory.
    The memory scan feature did not use the exclusion list.
    The memory scan feature failed to record when a detection was successfully cleaned.
    RESOLUTION:
    The issue has been resolved in the updated on-demand scan components.

54. ISSUE:
    After applying VirusScan Enterprise 8.0i Patch 11 where the Anti-Spyware Enterprise module is installed, the Cookie Scan feature detects the same cookie twice.
    RESOLUTION:
    The issue has been resolved in the updated common scan components.

55. ISSUE:
    In ePolicy Orchestrator, the "Top 10" virus report shows a "_" character as the virus name.
    RESOLUTION:
    The issue has been resolved in the updated common scan components.

56. ISSUE:
    If the ePolicy Orchestrator Agent is installed, the on-access scanner could crash when resuming from the hibernation power-saving state.
    RESOLUTION:
    The issue has been resolved in the updated on-access scanner.