Tuesday 26 January 2016

Intel Security - SNS Product Digest Jan 2016

This month's Product Digest from Intel Security is out; this issue covers:
  • Threat Projections for 2016 Webcast
  • Endpoint Security 10.1 FAQs
  • New fileless Malware true to name
  • Technical Product Updates
To read the online version please visit the January 2016 SNS Journal.


Monday 25 January 2016

McAfee Firewall Product - Technical Support to Transition to Forcepoint

It should be no surprise that McAfee Next Generation Firewall (NGFW) and McAfee Firewall Enterprise products are now part of Forcepoint(TM), formerly known as Raytheon|Websense. 

Technical Support contacts for these products will remain the same until customers are notified that the transition to Forcepoint is complete.

Divestiture details and an FAQ link can be found in Knowledge Base (KB) article KB86390.

Saturday 23 January 2016

McAfee Labs Threat Advisory for NanoLocker

NanoLocker is ransomware that encrypts certain files on infected machines with public key cryptography. The compromised user has to pay a ransom to the attacker to receive the secret key that allows the files to be decrypted.

McAfee detects this threat under the following detection name:
  • Ransomware-FCO!partialMD5
Detailed information about the threat, its propagation, characteristics and mitigation can be viewed in the Threat Advisory.

This notification was initially communicated through the McAfee SNS service. To receive Threat Advisories directly from Intel Security, please visit the SNS Centre and sign up to "Malware and Threat Reports".

Monday 18 January 2016

McAfee ePolicy Orchestrator Vulnerability patched

ePolicy Orchestrator (ePO) is packaged with Apache Commons Collections library version 3.2.1 (commons-collections-3.2.1.jar), which is vulnerable to insecure deserialization of data that may result in arbitrary code execution.

CERT/CC Vulnerability Note VU#576313
The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC, or contain ACC in their classpath, may be vulnerable to arbitrary code execution.
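Because the exposure comes from any ACC build on the classpath, a defender's first step is an inventory of the jars actually deployed. The following is an added example, not McAfee or Intel Security code: it walks a directory tree, reads each jar's META-INF/MANIFEST.MF (falling back to a commons-collections-<version>.jar file name) and flags builds older than 3.2.2 and 4.1, the ACC releases that disabled deserialization of the unsafe functor classes. The sample jars in demo() are constructed stand-ins for an ePO installation directory.

```python
# Added example (not McAfee/Intel Security code): flag pre-fix Apache Commons
# Collections jars under a directory tree (fixed releases: 3.2.2 and 4.1).
import os, re, tempfile, zipfile

FIXED = {3: (3, 2, 2), 4: (4, 1, 0)}  # first fixed release per major line
NAME_RE = re.compile(r"^commons-collections4?-(\d+(?:\.\d+)*)\.jar$", re.I)

def parse_version(text):
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]  # '3.2.1' -> [3, 2, 1]
    return tuple(parts + [0] * (3 - len(parts)))  # pad '3.2' to (3, 2, 0)

def jar_version(path):
    """ACC version from the manifest, else from the file name; None if not ACC."""
    with zipfile.ZipFile(path) as zf:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace") \
            if "META-INF/MANIFEST.MF" in zf.namelist() else ""
    fields = dict(re.findall(r"^([\w-]+):\s*(.*?)\s*$", text, re.M))
    title = fields.get("Bundle-SymbolicName", "") + fields.get("Implementation-Title", "")
    ver = fields.get("Bundle-Version") or fields.get("Implementation-Version")
    if ver and re.search(r"commons[ .-]collections", title, re.I):
        return ver
    m = NAME_RE.match(os.path.basename(path))  # e.g. commons-collections-3.2.1.jar
    return m.group(1) if m else None

def is_vulnerable(version):
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    return fixed is not None and v < fixed

def scan(root):
    """Sorted [(file name, version)] for every pre-fix ACC jar under root."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            ver = jar_version(os.path.join(dirpath, name)) if name.lower().endswith(".jar") else None
            if ver and is_vulnerable(ver):
                hits.append((name, ver))
    return sorted(hits)

def demo():
    """Scan a constructed jar tree that stands in for an ePO server directory."""
    root = tempfile.mkdtemp()
    samples = {  # file name -> manifest text (constructed sample data)
        "commons-collections-3.2.1.jar": "Bundle-SymbolicName: org.apache.commons.collections\nBundle-Version: 3.2.1\n",
        "commons-collections-3.2.2.jar": "Bundle-SymbolicName: org.apache.commons.collections\nBundle-Version: 3.2.2\n",
        "acc4.jar": "Implementation-Title: Apache Commons Collections\nImplementation-Version: 4.0\n",
        "other-3.2.1.jar": "Bundle-SymbolicName: org.example.other\nBundle-Version: 3.2.1\n",
    }
    for name, manifest in samples.items():
        with zipfile.ZipFile(os.path.join(root, name), "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", manifest)
    return scan(root)
```

Point scan() at the real server directory to produce the list; a 3.2.1 hit after the hotfix has been applied means a second copy of the library is still on the classpath.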

Remediation

This issue is remediated with ePO 5.x Hotfix 1106041. These fixes will be included in the next ePO patch release.

  • Users of ePO 4.6.x should upgrade to ePO 5.1.3 or 5.3.1 and then apply hotfix EPO5xHF1106041.zip.
  • Users of ePO 5.0.x and 5.1.x should upgrade to ePO 5.1.3 or 5.3.1 and then apply hotfix EPO5xHF1106041.zip.
  • Users of ePO 5.3.0 should upgrade to ePO 5.3.1 and then apply hotfix EPO5xHF1106041.zip.

Product     Type     File Name            Release Date
ePO 5.3.1   Hotfix   ePO5xHF1106041.zip   December 30, 2015
ePO 5.1.4   Patch    TBD                  Q2 2016
ePO 5.1.3   Hotfix   ePO5xHF1106041.zip   December 30, 2015

Recommendation

Intel Security recommends that all customers verify that they have applied the latest updates. Impacted users should install the relevant patches or hotfixes. For full instructions and information, see the Knowledge Base article SB10144.

See the ePolicy Orchestrator 5.x Hotfix 1106041 Release Notes for further details at:

Friday 15 January 2016

McAfee Labs Threat Advisory for JS/Nemucod

JS/Nemucod is a JavaScript downloader trojan that targets users through malware spam campaigns. JS/Nemucod downloads additional malware and executes it without the user's consent. JS/Nemucod usually arrives through malicious spam emails carrying .zip attachments. When a user opens the .zip file and double-clicks the JavaScript file, the default script host opens and executes the script.

Thursday 14 January 2016

Intel Security 5800 Engine Auto Update scheduled for January 20, 2016

On January 20, 2016, VirusScan Enterprise and other Intel Security Enterprise products that use the Anti-Malware Engine will automatically update to the 5800 Engine as part of the daily DAT update. The DAT update on this day will include an additional ~3.5MB of data due to the 5800 Engine binary being included.

Intel Security first releases the Anti-Malware Engine updates for elective download. This allows you to download Engine packages for manual installation over a period of three months. After the three-month period, the Engine is put on an AutoUpdate posting. This means that your point product will automatically update to the new release. The old Engine reaches end of life six months after elective downloads begin.

The 5800 Anti-Malware Engine succeeds the current 5700 Engine and includes the following improvements:
  • Enhancements to Portable Document Format (PDF) format to improve exploit detection capabilities
  • Improved handling of Windows Executable format
  • Improved unpacking of .NET, Shockwave Flash, Visual Basic for Applications and generic unpacking improvements to detect more threats
  • Enhancements to live memory scanning in Windows for detecting and removing malicious processes, threads and files
  • Performance optimizations around initialization and scanning
  • New supported platforms: Windows 10, FreeBSD 10.x, Solaris 11 for SPARC
NOTE: Windows 10 support is dependent upon the product using the scan engine. For example, both the 5700 and 5800 scan engines support Windows 10 with VirusScan Enterprise 8.8, provided patch 6 is also installed.

IMPORTANT: VSE 8.7i endpoints must be using VSE 8.7i Patch 5 + Hotfix 1038699 or later to install the 5800 Anti-Malware Engine.

Release Schedule for the 5800 Engine
  • RTW (Elective download) September 3, 2015
  • Auto-update January 20, 2016

Deployment

5800 Engine ePO packages are available for Linux (32-bit and 64-bit), Mac OS X and Windows (32-bit and 64-bit).

You can download the 5800 Engine from the Security Updates page.

For more information about deploying or delaying the 5800 Engine update, please refer to KB66741.

This information was initially available via the Intel Security SNS Service on January 12th. For more information regarding the Intel SNS, please visit the SNS Community.

Wednesday 6 January 2016

McAfee ePolicy Orchestrator Precheck Tool 1.0.0 now available

Before you install or upgrade McAfee ePO, run the Installation and Upgrade Precheck tool to reduce or prevent installation or upgrade issues.
The Installation and Upgrade Precheck tool performs these checks:

  • Confirms that your server meets the McAfee ePO and SQL Server hardware requirements.
  • Confirms that you have the necessary SQL Server access and permissions.
  • Verifies that the services that must be stopped can be stopped, and that no third-party software can cause them to start unexpectedly.
  • Identifies the SQL Server browser status.
  • Determines whether database encryption is enabled.
  • Determines whether the SQL Server auto-close feature is enabled.
  • Identifies the database recovery model.
  • Checks for Microsoft Windows scheduled tasks and automatic updates.
  • Determines whether Microsoft Windows 8.3 naming is enabled.
  • Checks for pending file rename operations in the registry key HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations.
  • Checks for OS permissions.
  • Identifies the versions of McAfee ePO that the server OS and version support.

For upgrades, the Installation and Upgrade Precheck tool performs these added checks:

  • Verifies that no file handles are open in the McAfee ePO directory.
  • Provides a list of running McAfee ePO server tasks and warns you to disable them.

To download Installation and Upgrade Precheck Tool 1.0.0 for ePolicy Orchestrator, go to the product downloads site.

For a full list of changes, see the Release Notes in PD26166.

For a list of known issues, see KB85819.

Tuesday 5 January 2016

Intel Security announces EOL for MOVE AV 3.5

Intel Security have recently announced the End of Life date for MOVE AV 3.5.x Agentless and MOVE AV Multi-Platform 3.5.x.

The MOVE AV Agentless/Multi-Platform 3.5.x releases have been removed from the Product Downloads site; only MOVE AV Agentless/Multi-Platform 3.6 or later remains available for download to existing customers who have MOVE AV Agentless/Multi-Platform 3.5.x installed.

If you are a MOVE AV Multi-Platform user, upgrade instructions are available on page 29 of the Product Guide.

If you are a MOVE AV Agentless user, upgrade instructions are available on page 71 of the Product Guide.

To read the full announcement, please read KB86348.

McAfee Endpoint Security 10.1.0 Released

McAfee's latest Endpoint Protection Suite was released on 14th December 2015.

This latest version is the first full endpoint suite released since Intel acquired McAfee in early 2011. The new architecture adopts the Common Service Bus model, in which elements common to the whole endpoint stack are moved out of each individual product into a shared bus. These common components include, but are not limited to:

  • Logging
  • Package Management
  • Threat Event Management
  • Global Threat Intelligence
  • Scheduling
The new architecture model can be seen below.

Support

McAfee have created a new Product Sub Place within the online Community forums, which can be used for peer-to-peer self-service discussions and can be found here. A new Expert Centre has also been created containing links to Knowledge Base content, Getting Started guides, additional resources and trials. Take a look here.