My.McAfee is Back!

11 05 2017
Finally! I am so thrilled to be able to use the name “McAfee” again. The recent change and spin-off from Intel is very exciting for me and the rest of the McAfee family.

It’s a fresh new start for our company, and a continuation of innovating great security products to combat cyber criminals and threats. We want to make the world safer. The key is “Together Is Power”. This speaks volumes about our approach to technology, our partnerships in the industry, and our relationships with our valued customers. We believe that no one person, product, or organization can fight cybercrime alone. It’s why we rebuilt McAfee around the idea of working together. People working together. Products working together. Organizations and industries working together. Our goal is to spread this collaborative attitude to our customers, partners, even competitors. All uniting to overcome the greatest challenge of the digital age—cybercrime—and making the connected world more secure.

With the fresh start I plan to share thoughts along the way. My commitment is to share thoughts, opinions, and tips. I won't expose customer names or specific information about anybody, but I will share common issues and topics that I discuss weekly.

The best of McAfee is on the way.  And I hope the best of me is too.

Stay tuned

/JT





integrating ePolicy Orchestrator and McAfee Vulnerability Manager

5 11 2014

Integrating ePO 5.0.1 and MVM 7.5 Rev 1.0





Integrating ePolicy Orchestrator and McAfee Web Gateway

5 11 2014

Integrating ePO 5 and MWG 7 Rev 1.0





Integrating ePolicy Orchestrator and McAfee Email Gateway

5 11 2014

Integrating ePO 4.6.6 and MEG 7 Rev 1.0





Integrating ePolicy Orchestrator and McAfee Asset Manager

5 11 2014

Integrating ePO 5.0.1 and MAM 6.6 Rev 1.0

Integrating ePO 4.6.6 and MAM 6.6 Rev 1.0





Integrating ePolicy Orchestrator and Firewall Enterprise Control Center

5 11 2014

Integrating ePO 4.6.6 and Control Center 5.3.1 Rev 1.0





Openfiler Follies

25 02 2011

Over the past couple of weeks I have been working tirelessly on building my new ESX 4.1 environment. My goal is to have multiple servers and workstations running so I can use McAfee MOVE and MOVE AV.

Due to a lack of financial backing for this project I was unable to purchase a “real” SAN. So I went with an open source option called Openfiler.

Great tool and all, but I learned very quickly. 

  1. Back up your configuration file. I rebooted my server and lost the entire configuration. Thus my entire 500 Gb volume was lost.

  2. When installing the Openfiler OS, let it delete all partitions from all hard drives. I chose to partition manually and found out that this process does not reformat the hard drives. In the end there were GPT volumes left behind that locked my drives in the RAID. The RAID appeared as 100% full and I couldn’t remove the data.

  3. When you need help, Google it. I found some great forums out there and they helped a lot:

http://www.linuxquestions.org/questions/linux-general-1/cant-get-rid-of-gpt-disk-label-729209/





EndPoint Encryption 6.0 With Agent Handlers

14 07 2010

When pushing EndPoint Encryption to a machine on a LAN everything works just fine.  When pushing to a machine in the DMZ that checks into an Agent Handler in the DMZ the Endpoint Encryption Software stops working.

From what I can see thus far, the EEPC software uses a separate data channel on port 5555 to send data to the ePO 4.5 server, and the ePO 4.5 server uses port 5556 to communicate back to the agent. I cannot figure out why ePO won't automatically redirect this traffic to the Agent Handler in the DMZ, since the ePO server is obviously out of reach from the DMZ agents.

The EEPC software itself installs, but when the policy is enabled to encrypt the drive or the boot sector (either/or), the agent log starts posting two lines: “Sending the next batch of 1 data channel items” followed by “Agent failed to communicate with the ePO Server”.

The agent is in fact running an ASCI, but it is not sending the EEPC data on the 5555 data channel. The EEPC agent only tries to resolve the ePO server by name and IP address; it is not configured to be aware of the Agent Handler IP address(es).

-J
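To see the situation described above from the DMZ side, here is an added PowerShell check; it is not code from the original post. Run on a DMZ host, it resolves the ePO server and the agent handler by name and tests a TCP connection to each: the ePO server on the 5555 data channel port the post names, and the agent handler on its agent-server communication port. The server names and the handler port are placeholders (assumptions) to replace with your own. An ePO row showing a timeout or refusal on 5555 while the agent handler row is open is the pattern the post describes: ASCI traffic reaches the handler, but the data channel, which is addressed to the ePO server itself, cannot leave the DMZ.

```powershell
# Added example, not code from the original post. Run on a host in the DMZ to show where
# EEPC's data channel traffic is actually going: the client resolves the ePO server by name
# and talks to it on TCP 5555 (per the post), while normal agent-server traffic (ASCI) goes
# to the agent handler. The three placeholder values below must be replaced with your own.
$EpoServer        = 'epo.example.internal'     # placeholder: ePO 4.5 server name the EEPC client resolves
$AgentHandler     = 'ah-dmz.example.internal'  # placeholder: agent handler the DMZ agent checks into
$AgentHandlerPort = 80                         # placeholder (assumed): the handler's agent-server communication port
$DataChannelPort  = 5555                       # EEPC -> ePO data channel port named in the post
$TimeoutMs        = 3000

function Resolve-NameOrNull {
    # Returns the IP addresses a name resolves to, or $null when resolution fails.
    param([string]$Name)
    try { return @([System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString }) }
    catch { return $null }   # a DMZ host that cannot even resolve the ePO name is already a finding
}

function Test-TcpPort {
    # Attempts a TCP connect with a timeout and reports open / timeout / refused.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'timeout (filtered?)' }
        $client.EndConnect($async)        # throws if the connection was refused
        return 'open'
    } catch {
        return 'refused/unreachable'
    } finally {
        $client.Close()
    }
}

$checks = @(
    @{ Role = 'ePO server (EEPC data channel)'; Target = $EpoServer;    Port = $DataChannelPort },
    @{ Role = 'Agent handler (ASCI)';           Target = $AgentHandler; Port = $AgentHandlerPort }
)

$results = foreach ($c in $checks) {
    $addrs = Resolve-NameOrNull $c.Target
    [pscustomobject]@{
        Role     = $c.Role
        Target   = $c.Target
        Resolves = $(if ($addrs) { $addrs -join ',' } else { 'NO' })
        Port     = $c.Port
        State    = $(if ($addrs) { Test-TcpPort -ComputerName $c.Target -Port $c.Port -TimeoutMs $TimeoutMs } else { 'n/a' })
    }
}
$results | Format-Table -AutoSize
```

The connect test uses System.Net.Sockets.TcpClient rather than Test-NetConnection so it also runs on the older PowerShell versions found on ePO 4.5 era hosts; a result of `timeout` usually means a firewall is silently dropping the traffic, while `refused/unreachable` means the host answered but nothing is listening on that port.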





How to remove Trend Micro

6 05 2010

I recently learned that McAfee made a little mistake on VirusScan 8.7 Patch 3. In this patch McAfee forgot to include the removal piece for Trend Micro products. If you need to go about removing any Trend Micro products you need to manually remove them or request a copy of VirusScan 8.7 Patch 2 from McAfee Support. The Patch 2 version has the correct configuration to stop Trend services and remove the products.

It is important to know that password protection must be turned off on the Trend products or else the removal will fail.

Trust me, the manual removal of a Trend product is lengthy and difficult. Use VirusScan 8.7 Patch 2 to do the work for you.

-J





False positive detection of w32/wecorl.a in 5958 DAT

22 04 2010
Corporate KnowledgeBase ID: KB68780
Published: April 21, 2010

Environment

For details of all supported operating systems, see KB51109

Summary

McAfee is aware of a w32/wecorl.a false positive with the 5958 DAT file that was released on April 21, 2010.

Background

For more background regarding the cause of this error, please see McAfee Response to DAT Version 5958 False Positive Error.

Problem

DCOM error, followed by shutdown messages after updating to the 5958 DAT on April 21, 2010.

Solution

The issue is resolved in the 5959 DAT file release (April 21, 2010), which is available from the McAfee Security Updates page at:

http://www.mcafee.com/apps/downloads/security_updates/dat.asp?region=us&segment=enterprise

NOTE: Posting of the 5959 DAT file is currently in progress. It may take several hours for the new DAT file to replicate out to all McAfee download servers.

IMPORTANT: If you are already affected by this issue, you must still either replace or restore svchost.exe.  McAfee is continuing to work on an automated solution to fully resolve the issue for affected customers.

Please watch for updates on this issue, which will be sent on a timely basis through Support Notification Service (SNS) and Platinum Proactive notifications.

To subscribe to SNS, visit http://my.mcafee.com/content/SNS_Subscription_Center.

This article will be updated as additional information becomes available.

Recommended Manual Recovery Procedure using the Extra DAT where DAT 5958 is currently installed

  1. Locate the extra.dat from here and unzip it.
  2. Boot in safe mode with “Network Option” enabled.
  3. Copy the Extra DAT into c:\program files\common files\mcafee\engine.
  4. If svchost.exe exists in c:\windows\system32 and is not a “0” byte file, skip to step 5.
  5. If svchost.exe has been deleted, pull up the VSE console and open “Quarantine manager”. Click on the detection and select “Restore”.

     1) If the VSE console does not come up, run:

        C:\program files\mcafee\virusscan enterprise\mcconsol.exe /standalone

        This will pull up the VSE console. Click on the detection and select “Restore”.

     2) If steps 4 and 4.1 do not work OR if svchost.exe is “0” bytes:

        a. When possible, copy svchost.exe from the local C:\windows\ServicePackFiles\i386\svchost.exe or, if that is not present, from c:\windows\system32\dllcache\svchost.exe.
        b. Copy svchost.exe from an unaffected system (same OS) to the c:\windows\system32 directory from external media (USB, CD etc.).

        If “paste” is grayed out, use the following commands:

        Start -> Run -> cmd

        Run the following command: copy <from> [destinationfolder]

        Example: copy x:\svchost.exe c:\windows\system32

  6. Reboot in normal mode.
  7. Use the product update to update to 5959.
  8. Delete the Extra DAT file in c:\program files\common files\mcafee\engine.

Alternate Manual Recovery Procedure using DAT 5959 where DAT 5958 is currently installed

  1. Boot in safe mode with “Network Option” enabled.
  2. If svchost.exe is not deleted (look in c:\windows\system32\svchost.exe) and is not 0 bytes, then a network connection should be possible – skip to step 5.
  3. If svchost.exe is deleted or is “0” bytes, then a network connection may not be possible.
  4. If svchost.exe is deleted, pull up the VSE console and open “Quarantine manager”. Click on the detection and select Restore.

     1) If the VSE console does not come up, run:

        C:\program files\mcafee\virusscan enterprise\mcconsol.exe /standalone

        This will pull up the VSE console.

     2) If steps 4 and 4.1 do not work OR svchost.exe is “0” bytes:

        a. When possible, copy svchost.exe from the local C:\windows\ServicePackFiles\i386\svchost.exe or, if that is not present, from c:\windows\system32\dllcache\svchost.exe.
        b. Copy svchost.exe from an unaffected system (same OS) to the c:\windows\system32 directory from external media (USB, CD etc.).

        If “paste” is grayed out, use the following commands:

        Start -> Run -> cmd

        Run the following command: copy <from> [destinationfolder]

        Example: copy x:\svchost.exe c:\windows\system32

  5. Download the 5959 SuperDAT from here.
  6. Run the SuperDAT program.
  7. Reboot in normal mode.
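The svchost.exe check and the local fallback copies that both procedures above rely on can be scripted so the state of the file is not judged by eye. The following PowerShell is an added example and not part of KB68780: it reports whether system32\svchost.exe is missing, zero bytes or intact, and when it is not intact copies it from ServicePackFiles\i386, then system32\dllcache, then an optional file on external media given with -ExternalCopy (a parameter of this example, not of the article). Paths are built from $env:SystemRoot where the article writes c:\windows. Run it from an elevated prompt in Safe Mode as the article describes; -WhatIf shows the copy without performing it.

```powershell
# Added example, not part of KB68780. Implements the svchost.exe checks from the recovery
# procedures: report its state, and if it is missing or zero bytes restore it from the local
# copies the article names, or from external media passed in -ExternalCopy (this parameter
# is the example's own). $env:SystemRoot is used where the article writes c:\windows.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SystemRoot   = $env:SystemRoot,   # e.g. C:\windows
    [string]$ExternalCopy = ''                 # optional, e.g. x:\svchost.exe from a USB stick or CD
)

function Get-SvchostState {
    # Returns 'missing', 'zero-byte' or 'ok' for <SystemRoot>\system32\svchost.exe (steps 4/5 of the article).
    param([string]$SystemRoot)
    $target = Join-Path $SystemRoot 'system32\svchost.exe'
    if (-not (Test-Path -LiteralPath $target)) { return 'missing' }
    if ((Get-Item -LiteralPath $target).Length -eq 0) { return 'zero-byte' }
    return 'ok'
}

function Find-SvchostSource {
    # Picks the first non-empty candidate copy, in the order the article gives them.
    param([string]$SystemRoot, [string]$ExternalCopy)
    $candidates = @(
        (Join-Path $SystemRoot 'ServicePackFiles\i386\svchost.exe'),   # step a, first choice
        (Join-Path $SystemRoot 'system32\dllcache\svchost.exe')        # step a, if the first is not present
    )
    if ($ExternalCopy) { $candidates += $ExternalCopy }                 # step b, copy from an unaffected system
    foreach ($c in $candidates) {
        if ((Test-Path -LiteralPath $c) -and ((Get-Item -LiteralPath $c).Length -gt 0)) { return $c }
    }
    return $null
}

$state = Get-SvchostState -SystemRoot $SystemRoot
Write-Host "svchost.exe state: $state"
if ($state -eq 'ok') {
    Write-Host 'svchost.exe is present and non-empty; continue with the Quarantine Manager restore and the DAT update.'
    return
}

$source = Find-SvchostSource -SystemRoot $SystemRoot -ExternalCopy $ExternalCopy
if (-not $source) {
    Write-Warning 'No usable local copy found. Copy svchost.exe from an unaffected system running the same OS to external media and re-run with -ExternalCopy <path>.'
    return
}

$dest = Join-Path $SystemRoot 'system32\svchost.exe'
if ($PSCmdlet.ShouldProcess($dest, "Copy svchost.exe from $source")) {
    Copy-Item -LiteralPath $source -Destination $dest -Force
    $restored = Get-Item -LiteralPath $dest
    # The version stamp lets you confirm the copy matches the machine's service pack level.
    Write-Host "Restored $($restored.FullName): $($restored.Length) bytes, file version $($restored.VersionInfo.FileVersion)"
    Write-Host "State after copy: $(Get-SvchostState -SystemRoot $SystemRoot)"
    Write-Host 'Now reboot in normal mode and update to DAT 5959.'
}
```

The candidate order deliberately matches the article (service pack files first, dllcache second, external media last), and a zero-byte candidate is rejected so that a damaged dllcache copy is never used to overwrite an equally damaged system32 copy.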

Related Information

Threat Center (McAfee Avert Labs) http://www.mcafee.com/us/threat_center/
Search the Threat Library http://vil.nai.com/
Submit a virus sample https://www.webimmune.net/default.asp
Security updates and DAT files http://www.mcafee.com/apps/downloads/security_updates/dat.asp?region=us&segment=enterprise

For additional information about EXTRA.DAT files, see KB68759.

To deploy the EXTRA.DAT via ePO 4.0 (KB52977)

Step 1 – Check in the EXTRA.DAT

NOTES:

  • You cannot check in packages while any pull or replication tasks are in progress.
  • If your environment requires testing new packages before deploying them, McAfee recommends using the Evaluation branch. After you finish testing the packages, you can move them to the Current branch on the Software, Master Repository tab.
  1. Log on to the ePO 4.0 console. To open a remote console through Internet Explorer, type one of the URLs below in your browser:
     https://<servername>:8443
     https://<ipaddress_of_server>:8443
  2. Click the Software, Master Repository tabs.
  3. Click Check In Package.
  4. Select extra.DAT.
  5. Click Browse and locate the downloaded extra.DAT, then click Open.
  6. Click Next. Information is displayed about the Extra.DAT you are about to add to the repository.
  7. Click Next.
  8. Select the branch where you want to add the extra.DAT. The default branch is Current.
  9. Click Save. The Extra.DAT will now be listed under Packages in the Master Repository list on the Master Repository page.
  10. Run a Repository Replication task to distribute the Extra.DAT file out to all distributed or remote repositories.

Step 2 – Deploy the EXTRA.DAT

  1. Create a new ePolicy Orchestrator Agent Update task, and set the schedule to Run Immediately.
  2. Perform an Agent Wakeup call to send the new Update task to your clients and apply the extra.DAT.

NOTE: If you prefer, you can reschedule an existing ePO Agent update task to deploy the extra.DAT.

To deploy the EXTRA.DAT via ePO 4.5 (KB67602)

Step 1 – Check in the EXTRA.DAT

NOTES:

  • You cannot check in packages while any pull or replication tasks are running.
  • If your environment requires testing new packages before deploying them, McAfee recommends using the Evaluation branch. After you finish testing the packages, move them to the Current branch on the Software, Master Repository tab.
  1. Log on to the ePO 4.5 console. To open a remote console through Internet Explorer, type one of the URLs below in your browser:
     https://<servername>:8443
     https://<ipaddress_of_server>:8443
  2. Click Menu, Software, Master Repository.
  3. Click Actions and select Check In Package.
  4. Select extra.DAT.
  5. Click Browse and locate the EXTRA.DAT, then click Open.
  6. Click Next. Information is displayed about the extra.DAT you are about to add to the repository.
  7. Click Next.
  8. Select the branch where you want to add the extra.DAT. The default branch is Current.
  9. Click Save. The extra.DAT will now be listed under Packages in the Master Repository list on the Master Repository page.
  10. If you have distributed repositories, run a Repository Replication task to distribute the extra.DAT to all Distributed or Remote repositories.

Step 2 – Deploy the extra.DAT

  1. Create a new ePolicy Orchestrator Agent Update task, and set the schedule to Run Immediately.
  2. Perform an Agent Wakeup call to send the new Update task to your clients and apply the extra.DAT.

NOTE: If you prefer, you can reschedule an existing ePO Agent update task to deploy the extra.DAT.