Wednesday 5 October 2016

LDAP Authentication issues in USM and OSSIM v5.3.2

If you are using LDAP authentication for your OSSIM or USM installation you may want to hold off the v5.3.2 upgrade.

In a recent message from AlienVault, an issue has been detected in the password reset process that runs after the upgrade. The password reset process was introduced to improve the security of password storage within OSSIM and USM; however, it does not work correctly for LDAP authentication.

Friday 30 September 2016

Collecting McAfee ePO threat data using AlienVault OSSIM

If you are using AlienVault OSSIM you can collect ePO Threat Data and add it to your SIEM Security Events.

AlienVault have already developed a database plugin that connects to the ePO database and collects and parses the data into the OSSIM database, but I have struggled to get this to work with our MS-SQL database cluster, resulting in 'ParserDatabase [INFO]: Can't connect to MS-SQL database' errors.

The steps for enabling the plugin and collecting the data are:

  • Enabling the Plugin
  • Creating a local configuration file
  • Configuring the database connection
  • Troubleshooting connection errors

Tuesday 30 August 2016

VirusScan 8.8 P8 release - Windows 10 Anniversary Edition

After some issues with VSE 8.8 not being compatible with the Windows 10 Anniversary edition, Intel Security have now released Patch 8, which adds compatibility for the current build of Windows 10.

Patch 8 (build 8.8.0.1588) has been released to the update site, and if you are running ePO 5.1.1 or later the Software Manager will be able to pull this update into your Master Repository.

Full details for this release can be found in the release notes, PD26631; the supported platforms, environments and operating systems are listed in KB51111.

Friday 26 August 2016

ePolicy Orchestrator update fixes multiple Oracle Java vulnerabilities - July 2016

ePO is vulnerable to the following CVEs reported in Oracle's July 2016 Java SE update.

Collectively, these vulnerabilities affect integrity and availability of the server.

AFFECTED SOFTWARE
ePO 5.1.3 and earlier
ePO 5.3.2 and earlier

REMEDIATED/PATCHED VERSIONS

Oracle Java 7.0 officially reached End of Life (EOL) status in April of 2015. The Java version currently supported in ePO 5.1.x and 5.3.x has been upgraded to Java 8.0. This issue is remediated with ePO 5.x Hotfix 1151890. These fixes will be included in the next ePO patch when scheduled.

ePO 5.1.3 + Hotfix 1151890 (EPO5xHF1151890.zip)
ePO 5.3.1 + Hotfix 1151890 (EPO5xHF1151890.zip)
ePO 5.3.2 + Hotfix 1151890 (EPO5xHF1151890.zip)

McAfee recommends that all customers verify that they have applied the latest updates. Impacted users should install the relevant patches or hotfixes. For full instructions and information, see McAfee Knowledge Base article SB10166.

Thursday 16 June 2016

ePolicy Orchestrator update fixes multiple Oracle Java vulnerabilities - May 2016

ePO is vulnerable to multiple CVEs reported in Oracle's April 2016 Java SE update. Collectively, these vulnerabilities affect confidentiality, integrity, and availability of the server.

Monday 13 June 2016

(ISC)2 SecureLondon 2016


This conference explores the impact of the rise of the virtual organisation on security practice; the solutions that are emerging to tackle this environment; and the lessons being learned within professional practice. Acknowledging the need to step away from the technology–driven approach that often dominates traditional systems security management, delegates will explore the foundational concepts that drive security and still apply in a world that is designed to be much less defined than in the past.
(ISC)2 Members: Free
(ISC)2 Chapter Members: 50% discount
ISF Members: 15% discount
ISSA/ISACA Members: 10% discount
Registration available here

Friday 10 June 2016

PSRemoting Domain Controllers - Least Privilege access

Remoting into Domain Controllers can speed up SysAdmin operations and lets SysAdmins schedule automation tasks; let's be honest, that's why we like PowerShell so much. Being able to remote into a domain controller requires elevated permissions, and based on the principle of least privilege we don't want to configure scheduled tasks using Domain Admin credentials.

Thursday 9 June 2016

Becoming an Associate of (ISC)2


With the shortfall in the cybersecurity workforce projected to be 1.5 million globally in five years*, businesses are pressed to find qualified candidates to protect their organisation against cyber threats. The need for candidates to prove their capability is more important than ever.
The Associate of (ISC)² allows those just starting out in the information security workforce to demonstrate their competence in the field. Associates have passed a rigorous (ISC)² certification exam, proving their cybersecurity knowledge, and maintaining their continuing professional education (CPE) requirements while working toward completing the experience requirements to become fully certified as a CISSP, SSCP, CCSP, HCISPP, CCFP, CAP or CSSLP.

*2015 Global Information Security Workforce Study

Tuesday 24 May 2016

Inside the Verizon Data Breach Investigations Reports Webcast

Verizon’s 2016 Data Breach Investigations Report (DBIR) provides a comprehensive analysis of data breach patterns seen in 2015. As a contributor, Intel Security provided anonymized breach data and co-authored a section focusing on post-breach fraud and what happens to data once it has been stolen from the breached entity.

Earn one CPE credit for attending the live webcast.

Wednesday, June 8, 2016 11:00AM PT | 1:00PM CT | 2:00PM ET
REGISTER: https://events.demand.intelsecurity.com/ISecWebcast-6-08-16?s=DFMSNS

Thursday 12 May 2016

McAfee to Intel Security Migration



On May 12, 2016, the SNS Internet domain migrated from snssecure.mcafee.com to sns.secure.intelsecurity.com.

Thursday 7 April 2016

Update Lync LineURI with Active Directory Phone Number

In this series of blog posts I will explain how we can use the Lync PowerShell modules to help automate some bulk Lync user tasks. While most of these tasks can be completed using PowerShell Remoting through the OCSPowershell provider endpoint provided by the Lync server, some of the error forwarding through the proxy doesn't work as expected. In this case we can use the Lync Management Shell locally on our administration console.

Mass-enabling enterprise-wide options in Lync can be laborious using the Control Panel; bulk changes are best achieved using the Lync Management Shell. The Management Shell is a PowerShell session with the Lync modules imported at runtime.

This is the second post in this series, detailing some tooling to help bulk-enable an organisation's Lync users.

Wednesday 6 April 2016

Installing Lync Modules on Administrative Consoles

In this series of blog posts I will explain how we can use the Lync PowerShell modules to help automate some bulk Lync user tasks. While most of these tasks can be completed using PowerShell Remoting through the OCSPowershell provider endpoint provided by the Lync server, some of the error forwarding through the proxy doesn't work as expected. In this case we can use the Lync Management Shell locally on our administration console.

Monday 4 April 2016

Installing Parallels Desktop 10 Tools for Windows 10

I came across an issue when running a Windows 10 Enterprise guest in Parallels Desktop 10 where the "Install Parallels Tools" option was missing from the Actions menu. It should have looked something like this, but it wasn't there.

Thursday 17 March 2016

Migrating existing MBSA Security Scan Results between Servers

Microsoft Baseline Security Analyzer (MBSA) checks for available updates to the operating system, Microsoft Data Access Components (MDAC), MSXML (Microsoft XML Parser), .NET Framework, and SQL Server. MBSA also scans a computer for insecure configuration settings. When MBSA checks for Windows service packs and patches, it includes in its scan Windows components, such as Internet Information Services (IIS) and COM+.

If you ever need to move MBSA from one server to another, you may notice, once you have installed MBSA on your destination server, that your existing security scan reports are no longer available and the option is greyed out:

Tuesday 8 March 2016

KeRanger - OSX Ransomware

On March 4th, Palo Alto Networks Research Center detected the first known fully functional ransomware on OSX.

Ransomware is a type of malware that restricts access to the affected computer system in some way, typically by encrypting the user's files using an asymmetric encryption algorithm where the private key required to decrypt the files is not stored on the infected machine. To obtain the private key, the infected party is required to pay the 'ransom' to unlock their files. The transactions are normally conducted using a digital currency such as Bitcoin.

Thursday 3 March 2016

Rogue System Detection 5.0.3 Now Available

McAfee Rogue System Detection sensors use passive and active network discovery techniques to detect systems connected to the network. When a sensor detects a system on the network, it sends a message to McAfee ePO software, which checks to see whether the detected system has an active McAfee agent installed. If the detected system is unknown to the server, McAfee Rogue System Detection provides information to McAfee ePO software to allow you to take remediation steps, which include alerting administrators and automatically deploying a McAfee agent to the system.

Rogue System Detection 5.0.3 is now available, rated Recommended.

Monday 29 February 2016

Troubleshooting On-Demand Scan Performance with VSE 8.8 Patch 5 and 6

After upgrading an endpoint to VSE 8.8 (Patch 5 or 6), the system becomes slow or unresponsive during On-Demand Scans. System performance can be improved by changing the System Utilisation settings to reduce resource use.

Sunday 28 February 2016

McAfee Labs has released an updated Threat Advisory for W97M/Downloader and X97M/Downloader.

W97M/Downloader and X97M/Downloader are Microsoft Office files that contain a malicious macro. The only difference between them is that W97M detections are related to Word files and X97M detections are related to Excel files. The macro downloads and executes other malware on the infected machine. The malicious Office file usually arrives on a machine as an attachment as part of spam or phish emails. The file can be a Word document (.doc file and .docx file) or an Excel workbook (.xls file and .xlsx file).

Saturday 27 February 2016

McAfee Labs Threat Advisory for Ransomware-Locky

Ransomware-Locky is a ransomware that upon execution encrypts certain file types present in the user’s system.
The compromised user has to pay the attacker to get the files decrypted.

Friday 26 February 2016

End of Life for McAfee 5700 Anti-Malware Engine


The End of Life (EOL) and End of Support (EOS) date for the McAfee 5700 Anti-Malware Engine is February 29, 2016. Intel Security requests that all customers update to the McAfee 5800 Anti-Malware Engine as soon as possible.

For a product that uses the McAfee Anti-Malware Engine to be fully supported, a supported product version and a supported engine must both be deployed. If either the product version or the engine is not supported, then the total product configuration is not supported.

You can download the 5800 Engine from the Security Updates page

McAfee Agent 5.0.2 Hotfix 1110392 is now available

Multiple McAfee endpoint products include a private mechanism to access settings and files protected by self-protection rules. This mechanism is not sufficiently secure and may be misused to access registry keys and files that should be protected from tampering.
When VirusScan Enterprise (VSE) is present on the device, processes that attempt to use this private mechanism are scanned on access, but if they are not detected as malware they could gain access to McAfee products' protected resources.
This trusted access bypass vulnerability allows access to resources normally protected by the vulnerable products.
Although McAfee Agent 5.0.x ships the vulnerable technology, it has already transitioned to a new self-protection mechanism that doesn't rely on it. However, an update is required to fully disable the vulnerable technology.
This release includes:

  • Fixes as described in PD26386 - McAfee Agent 5.0.2 Hotfix 1110392 Release Notes
  • Hotfix 1110392 is rated mandatory due to a security fix as described in the release notes.

To download McAfee Agent 5.0.2 Hotfix 1110392 (MA502HF1110392WIN.zip), go to the product downloads site. Refer to Security Bulletin SB10151 for additional details.

VirusScan Enterprise 8.8 Patch 7 Now Available

VirusScan Enterprise 8.8 Patch 7 is now available.

This update has been scored 'mandatory' by Intel Security. This score is based on the security vulnerability that was previously identified and has since been patched in this release.

Multiple McAfee endpoint products include a private mechanism to access settings and files protected by self-protection rules. This mechanism is not sufficiently secure and may be misused to access registry keys and files that should be protected from tampering.

This release includes new features, fixes, and enhancements including:
  • A vulnerability is addressed in this release. See SB10151 for details.
  • This release is rated “Mandatory”.
  • See release notes for MA 5.x version restrictions. 
  • TIE customers are advised to use 1.0.140 or later.
  • Adds Windows 10 TH2 Support, including the Secure/UEFI feature.
  • Adds 5800 engine (for new installations)
  • Please review your Windows service dependencies practices. See KB85374.


For a full list of changes, see the Release Notes in PD26382.
For a list of known issues, see KB70393.

Wednesday 17 February 2016

McAfee Customer Submission Tool 2.4 Now Available

This tool integrates into Microsoft Outlook. It allows users to quickly and easily submit missed spam samples and samples that were wrongly categorized as spam to McAfee Labs. McAfee Customer Submission Tool version 2.4 can also be used with McAfee Quarantine Manager to black or white list email addresses when submitting the samples.

McAfee Customer Submission Tool (MCST) 2.4 is now available. This release includes new features, fixes, and enhancements including:

  • Support for Outlook 2013
  • Support for Exchange 2013
  • Bug fixes

To download MCST 2.4, go to the Product Downloads site.

For a full list of changes, see the Release Notes in PD26356.

Tuesday 16 February 2016

SiteAdvisor Enterprise now supports Firefox 44

SiteAdvisor Enterprise 3.5 Patch 4 HF1076106 is now available.

This hotfix includes a signed SAE extension for use in Firefox with Firefox 44 support.

To download SiteAdvisor Enterprise 3.5 Patch 4 HF1076106, go to the Product Downloads site.

Tuesday 9 February 2016

McAfee DAT Reputation 1.0.4 Mandatory Upgrade AutoUpdate Schedule

A new version of McAfee DAT Reputation for Enterprise, v1.0.4, will be available from the CommonUpdater3 download sites with DAT Reputation ON and Safety Pulse OFF.

This release is a mandatory upgrade for all customers running DAT Reputation and will include reported issues listed in the following Knowledge Base articles:


It will also include a new certificate required because of an upcoming expiry date.

An updated DAT Reputation ePO Extension (v1.0.2) will also be posted for DAT Reputation 1.0.4. This new extension is an optional update for existing DAT Reputation users and provides Windows 10 OS endpoint support.

Customers can test this release in a representative subset of their production environment by configuring the systems in this group to update from the CommonUpdater3 locations. For details on how to configure AutoUpdate to use a different update location, see KB86251.

This update will be phased as follows:

CommonUpdater3 - Planned for February 9, 2016:

  • ftp://ftp.nai.com/commonupdater3
  • http://update.nai.com/products/commonupdater3

CommonUpdater - Planned for February 16, 2016:

  • http://update.nai.com/products/commonupdater
  • ftp://ftp.mcafee.com/commonupdater

CommonUpdater2 - Posting of DAT Reputation to CommonUpdater2 locations remains postponed:

  • ftp://ftp.nai.com/commonupdater2
  • http://update.nai.com/products/commonupdater2

McAfee Labs has released an updated Threat Advisory for W32/Pinkslipbot.

The W32/Pinkslipbot worm is capable of spreading over network shares, downloading files, and updating its software. Additionally, it is capable of receiving backdoor commands from its IRC command and control server. It attempts to steal user information and upload it to FTP sites.

Monday 8 February 2016

ePolicy Orchestrator update fixes multiple Oracle Java vulnerabilities


ePO is vulnerable to multiple CVEs reported in Oracle's January 2016 Java SE update. Collectively, these vulnerabilities affect confidentiality, integrity, and availability of the server.

AFFECTED SOFTWARE

  • ePO 5.1.3 and earlier
  • ePO 5.3.1 and earlier


REMEDIATED/PATCHED VERSIONS
The vulnerability is remediated in these versions:

  • ePO 5.1.3 + Hotfix 1117371 (EPO5xHF1117371.zip)
  • ePO 5.3.1 + Hotfix 1117371 (EPO5xHF1117371.zip) 


McAfee recommends that all customers verify that they have applied the latest updates. Impacted users should install the relevant patches or hotfixes. For full instructions and information, see McAfee Knowledge Base article SB10148.

Tuesday 26 January 2016

Intel Security - SNS Product Digest Jan 2016

This month's Product Digest from Intel is out; this issue covers:
  • Threat Projections for 2016 Webcast
  • Endpoint Security 10.1 FAQ's
  • New fileless Malware true to name
  • Technical Product Updates
To read the online version please visit the January 2016 SNS Journal.


Monday 25 January 2016

McAfee Firewall Product - Technical Support to Transition to Forcepoint

It should be no surprise that McAfee Next Generation Firewall (NGFW) and McAfee Firewall Enterprise products are now part of Forcepoint(TM), formerly known as Raytheon|Websense. 

Technical Support contacts for these products will remain the same until customers are notified that the transition to Forcepoint is complete.

Divestiture details and a FAQ link can be found in Knowledge Base (KB) article KB86390.

Saturday 23 January 2016

McAfee Labs Threat Advisory for NanoLocker

NanoLocker is ransomware that encrypts certain files on infected machines with public key cryptography. The compromised user has to pay a ransom to the attacker to receive the secret key needed to decrypt the files.

McAfee detects this threat under the following detection name:
  • Ransomware-FCO!partialMD5
Detailed information about the threat, its propagation, characteristics and mitigation can be viewed in the Threat Advisory.

This notification was initially communicated through the McAfee SNS service. To receive Threat Advisories directly from Intel Security, visit the SNS Centre and sign up to "Malware and Threat Reports".

Monday 18 January 2016

McAfee ePolicy Orchestrator Vulnerability patched


ePolicy Orchestrator (ePO) is packaged with Apache Commons Collections library version 3.2.1 (commons-collections-3.2.1.jar), which is vulnerable to insecure deserialization of data and may result in arbitrary code execution.

CERT/CC Vulnerability Note VU#576313
The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC, or contain ACC in their classpath, may be vulnerable to arbitrary code execution.

Remediation

This issue is remediated with ePO 5.x Hotfix 1106041. These fixes will be included in the next ePO patch release.

  • Users of ePO 4.6.x are recommended to upgrade to ePO 5.1.3 or 5.3.1 and then apply hotfix EPO5xHF1106041.zip.
  • Users of ePO 5.0.x and 5.1.x should upgrade to ePO 5.1.3 or 5.3.1 and then apply hotfix EPO5xHF1106041.zip.
  • Users of ePO 5.3.0 should upgrade to ePO 5.3.1 and then apply hotfix EPO5xHF1106041.zip.

Product     Type     File Name            Release Date
ePO 5.3.1   Hotfix   ePO5xHF1106041.zip   December 30, 2015
ePO 5.1.4   Patch    TBD                  Q2 2016
ePO 5.1.3   Hotfix   ePO5xHF1106041.zip   December 30, 2015


Recommendation

Intel Security recommends that all customers verify that they have applied the latest updates. Impacted users should install the relevant patches or hotfixes. For full instructions and information, see the Knowledge Base article SB10144.

See the ePolicy Orchestrator 5.x Hotfix 1106041 Release Notes for further details at:

Friday 15 January 2016

McAfee Labs Threat Advisory for JS/Nemucod

JS/Nemucod is a JavaScript downloader trojan that targets users through malware spam campaigns. JS/Nemucod downloads additional malware and executes it without the user’s consent. JS/Nemucod usually arrives through malicious spam emails with .zip extensions. When a user opens the .zip file and double clicks the JavaScript, the default web browser opens and executes the script.

Thursday 14 January 2016

Intel Security 5800 Engine Auto Update scheduled for January 20, 2016

On January 20, 2016, VirusScan Enterprise and other Intel Security Enterprise products that use the Anti-Malware Engine will automatically update to the 5800 Engine as part of the daily DAT update. The DAT update on this day will include an additional ~3.5MB of data due to the 5800 Engine binary being included.

Intel Security first releases the Anti-Malware Engine updates for elective download. This allows you to download Engine packages for manual installation over a period of three months. After the three-month period, the Engine is put on an AutoUpdate posting. This means that your point product will automatically update to the new release. The old Engine reaches end of life six months after elective downloads begin.

The 5800 Anti-Malware Engine succeeds the current 5700 Engine and includes the following improvements:
  • Enhancements to Portable Document Format (PDF) format to improve exploit detection capabilities
  • Improved handling of Windows Executable format
  • Improved unpacking of .NET, Shockwave Flash, Visual Basic for Applications and generic unpacking improvements to detect more threats
  • Enhancements to live memory scanning in Windows for detecting and removing malicious processes, threads and files
  • Performance optimizations around initialization and scanning
  • New supported platforms: Windows 10, FreeBSD 10.x, Solaris 11 for SPARC
NOTE: Windows 10 support is dependent upon the product using the scan engine. For example, both the 5700 and 5800 scan engines support Windows 10 with VirusScan Enterprise 8.8, provided patch 6 is also installed.

IMPORTANT: VSE 8.7i endpoints must be running VSE 8.7i Patch 5 + Hotfix 1038699 or later to install the 5800 Anti-Malware Engine.

Release Schedule for the 5800 Engine
  • RTW (Elective download) September 3, 2015
  • Auto-update January 20, 2016
Deployment

5800 Engine ePO packages are available for Linux (32-bit and 64-bit), Mac OSX and Windows (32-bit and 64-bit).

You can download the 5800 Engine from the Security Updates page.

For more information about deploying or delaying the 5800 Engine update, please refer to KB66741.

This information was initially available via the Intel Security SNS Service on January 12th. For more information regarding the Intel SNS, please visit the SNS Community.

Wednesday 6 January 2016

McAfee ePolicy Orchestrator Precheck Tool 1.0.0 now available

Before you install or upgrade McAfee ePO, run the Installation and Upgrade Precheck tool to reduce or prevent installation or upgrade issues.
The Installation and Upgrade Precheck tool performs these checks:

  • Confirms that your server meets the McAfee ePO and SQL Server hardware requirements.
  • Confirms that you have the necessary SQL Server access and permissions.
  • Verifies that the services that must be stopped, can be, and that no third-party software can cause the services to start unexpectedly.
  • Identifies the SQL Server browser status.
  • Determines whether database encryption is enabled.
  • Determines whether the SQL Server auto-close feature is enabled.
  • Identifies the database recovery model.
  • Checks for Microsoft Windows scheduled tasks and automatic updates.
  • Determines whether Microsoft Windows 8.3 naming is enabled.
  • Checks for pending file rename operations in this registry key: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations.
  • Checks for OS permissions.
  • Identifies the versions of McAfee ePO that the server OS and version support.

For upgrades, the Installation and Upgrade Precheck tool performs these added checks:

  • Verifies that no file handles are open in the McAfee ePO directory.
  • Provides a list of running McAfee ePO server tasks and warns you to disable them.

To download Installation and Upgrade Precheck Tool 1.0.0 for ePolicy Orchestrator, go to the product downloads site.

For a full list of changes, see the Release Notes in PD26166.

For a list of known issues, see KB85819.

Tuesday 5 January 2016

Intel Security announces EOL for MOVE AV 3.5

Intel Security have recently announced the End of Life date for MOVE AV 3.5.x Agentless and MOVE AV Multi-Platform 3.5.x.

The MOVE AV Agentless/Multi-Platform 3.5.x releases have been removed from the Product Downloads site, leaving only MOVE AV Agentless/Multi-Platform 3.6 or later available for download for existing customers that have MOVE AV Agentless/Multi-Platform 3.5.x installed.

If you are a MOVE AV Multi-Platform user, upgrade instructions are available on page 29 of the Product Guide.

If you are a MOVE AV Agentless user, upgrade instructions are available on page 71 of the Product Guide.

To read the full announcement, please read KB86348.

McAfee Endpoint Security 10.1.0 Released

McAfee's latest Endpoint Protection Suite was released on 14th December 2015.

This latest version is the first full endpoint suite released since Intel acquired McAfee in early 2011. The new architecture adopts the Common Service Bus model, where elements common to the whole endpoint stack are moved out of each product into a shared bus. These common components include, but are not limited to:

  • Logging
  • Package Management
  • Threat Event Management
  • Global Threat Intelligence
  • Scheduling
The new architecture model can be seen below.

Support

McAfee have created a new Product Sub Place within the online Community forums, which can be used for peer-to-peer self-service discussions and can be found here, and a new Expert Centre has been created containing links to Knowledge Base content, Getting Started guides, additional resources and trials. Take a look here.