Intel sells anti-virus business, waits 12 years, buys anti-virus business

August 20, 2010 by admin  
Filed under Security News

The big news in the IT security industry today is the announcement that Intel plans to acquire McAfee for a jaw-dropping $7.68 billion.

 

Yes, that’s “billion”. Oh to have such pocket money.

 

Of course, those of us with long memories will know that Intel is no stranger to the computer security industry.

 

Indeed they used to have their own anti-virus product (Intel LanDesk Virus Protect) which they sold to Symantec in 1998.

 


 

Now, Intel is purchasing Symantec’s arch-enemy McAfee and re-entering the business.

 


 

 

McAfee Antivirus Plus Free For 6 Months

May 11, 2010 by admin  
Filed under Protection Tools

 

 

This McAfee Antivirus Plus offer is provided by EMC-IOMEGA. No product key is needed; you only have to download the software client and run the installer.

Go to this web page and click the ‘Download’ icon, then enter your name, email and password and click ‘I Agree’.

A print receipt is set up for you; click ‘Download’. Then go to your email inbox, open the email sent by McAfee and click the activation link.

After the link has been activated successfully, click the ‘Download’ icon and follow the instructions to get McAfee Antivirus Plus for six months.

 

Source : techgravy.net


Scareware hackers exploit McAfee false positive problem

April 23, 2010 by admin  
Filed under Security News

Hackers are exploiting a problem with McAfee’s anti-virus product that has caused hundreds of thousands of computers around the world to repeatedly reboot themselves.

 

The New York Times (and many other news outlets) have reported on the problems businesses suffered after a detection update issued by McAfee yesterday caused its anti-virus product to mistakenly detect a harmless Windows file, svchost.exe, as “W32/Wecorl.a” and caused computers to become inoperable.

 

To its credit, McAfee is discussing the problem on its online community forum, has apologised, withdrawn the buggy update, and advised customers on how to manually fix the affected computers.

 

But what might be making McAfee’s job of getting reliable information about the false positive problem out to the masses that much harder is that malicious hackers are exploiting the situation.

 

By using blackhat SEO techniques, cybercriminals have managed to get poisoned webpages high in the search rankings if you hunt for information on the McAfee false positive.

If you click on a dangerous link like this then you risk your computer being hit by a fake anti-virus attack (also known as scareware) which may attempt to con you out of your credit card details or trick you into installing malicious code onto your computer.

 

Sophos detects the malware proactively as Mal/FakeAV-BW.

 

That’s the last thing you want to happen if you’re searching for advice on how to fix a problem with the other computers in your company.

 

And it’s not just McAfee’s false alarm problem that these hackers are exploiting. Looking a little deeper at the poisoned domains allows us to view a cache of hundreds of other pages that this gang have created around a wide range of topics.

Be careful out there, folks.

 

 

* Image source: peasap’s Flickr photostream (Creative Commons)

By Graham Cluley, Sophos

 


McAfee signature update kills Windows systems

April 23, 2010 by admin  
Filed under Security News

 

A flawed signature update (DAT 5958) from McAfee yesterday (Wednesday) caused the system file svchost.exe to be identified and quarantined as the virus W32/Wecorl.a under Windows XP SP3. This resulted in affected systems rebooting (30 second countdown) and then entering an endless boot loop, repeatedly restarting.

 

According to McAfee’s user forum, large numbers of businesses are affected. To resolve the problem, the vendor is advising users to download an updated signature (DAT 5959) on an unaffected computer, copy it to a USB drive, restart the affected computer in safe mode with network support (press F8 while booting) and connect the USB drive. Double-clicking on the file 5959xdat.exe will then install the new signature. In most cases, users will then need to restore the svchost.exe file. McAfee has provided instructions for doing so.

 

Alternatively, the file extra.dat (direct download) can be used to prevent the flawed signature from disabling the system. Users should copy this file onto a USB drive, copy it from there into the c:\Program Files\Common Files\McAfee\Engine folder on the affected system (in safe mode) and restart the computer. Here again, svchost.exe will need to be manually restored or retrieved from quarantine.

 

These fixes involve a fair bit of work for administrators, as it is not possible to resolve the problem from a central management console. On large networks this is likely to result in a few late nights. McAfee has also released an automated solution in the form of an executable file (direct download).

 

McAfee has a function for intercepting false positives, but this only works for files on the hard drive – the problem here, according to McAfee, is that the false positive is triggered by the memory scan, which can’t be intercepted.

 

As an interesting side note, McAfee’s bug added an extra dose of realism to a disaster exercise being held by one Iowa community, when the emergency centre computers and communications systems failed. The teams were forced to fall back on old radio systems.

 

As past stories from The H show, McAfee is not alone among anti-virus vendors in causing disruption through issuing a flawed update.

 

 

Source : www.h-online.com


Tests Show Problems With AV Detections

February 7, 2010 by admin  
Filed under Security News

Dateline: Moscow.

 

Here at a security press conference held by Kaspersky Lab, the company demonstrated how some malware detections are easily triggered by innocuous programs.

 

The problem arises when one vendor detects a threat. Samples are often passed on to other vendors, through multi-scanning services like VirusTotal. The fact that another vendor, particularly a respected one like Kaspersky, detects a threat is enough of a reason to take a serious look at the sample.

 

After suspecting such problems, Kaspersky created a test which demonstrated the phenomenon. They wrote a series of simple and innocuous programs, compiled them, created false detections for them in their engine, and then submitted the files to VirusTotal. Only Kaspersky detected the files at this point.

 

But standard procedure with VirusTotal is that if at least one of the products detects a submitted sample, it is submitted to the others who didn’t detect it. The idea is that they can then analyze the file and create their own detection.

 

Instead, what they found was that other companies were creating detections for the false submissions from Kaspersky. The programs create some variables and perform simple mathematical operations on them. They don’t even touch the file system. Kaspersky provided me with the programs and the source code.

 


 

But it turns out that the fact that Kaspersky was detecting the threats was not the only reason the others were. The real problems were the aggressive heuristics in the products and the fact that only a static scan was performed.

 

And there is something suspicious about a program that appears to do nothing and then exits. Other vendors I communicated with on the matter said that the behavior was not surprising and that a live on-access detection on a system with their product installed would not be the same. For instance, F-Secure said that “[o]n the end users Windows box, these alerts would show up as a prompt, asking the user whether he really trusts the program. In addition, we have massive whitelist databases in our back-ends, so such prompts would only appear from new, unknown applications.”

 

I suspected that the compiler used to generate the samples might itself be an issue, so I asked Kaspersky about it. They used the mingw cross-compiler, a gcc version for Linux that generates Win32 binaries. It’s possible that the same source code compiled with Microsoft Visual Studio would have generated a different reaction in the anti-malware products, not that it should make a difference. But Kaspersky then created a “hello world” program with the same compiler and settings and uploaded it to VirusTotal; hours later, even though there were no Kaspersky detections, 2 other products called the sample “suspicious”.

 

This problem is not entirely new; Hispasec Sistemas Lab of Spain, the company that operates VirusTotal, wrote about it a few months ago (original Spanish, Google translation to English). As they point out, the volume of samples coming into company labs is so enormous that the vast majority has to be handled by automated analysis processes, and perhaps they are designed to be a little more paranoid than humans.

 

Kaspersky Lab has written an Analyst’s Diary entry on the issue as well.

 

By Larry Seltzer from PCMag.com

 

 

(McAfee) Operation Aurora Overview (Video)

January 19, 2010 by admin  
Filed under Security Channel

 

Find out what Operation Aurora is, what’s at risk, and how to protect your organization.

 

How To Remove Win32/Mabezat, Win32/Mabezat.A, Win32/Mabezat.B, Worm.Win32.Mabezat.b

July 5, 2009 by admin  
Filed under Removal Tips,Tools and Videos

Overview

This description is for a worm that is capable of spreading through removable devices and network shares.

The characteristics of this worm with regard to file names, folders created, etc. will differ from one version to another. Hence, this is a general description.