Category Archives: Data Loss Prevention

Android Click-Fraud Apps Briefly Return to Google Play

Tags : , Install McAfee , McAfee Internet Security , McAfee Total Protection , McAfee Antivirus , McAfee Smart Phone Security and McAfee Identity Protection.

Click-fraud apps frequently appear on Google Play and third-party markets. They are sometimes hard to identify because the malicious behavior that simulates clicks is similar to the behavior of many legitimate applications (using common API calls and permissions). Further, part of the malicious code does not reside in the original malware and comes from a control server. Using special methods to perform the clicking allows the attackers to decide when and how to pursue their fraud.

The McAfee Mobile Malware Research Team recently found on Google Play a group of Android/Clickers published by the developer “TubeMate 2.2.9 SnapTube YouTube Downloader J.” Five apps were updated on Google Play on August 4 and were removed a few days later, along with the developer profile.

By checking “” on Google Play we saw something suspicious in this application: a nonsense name, no description, and poor reviews. Of course, those traits do not guarantee an app is malicious, but this lineup should serve as a warning for Android users looking for new apps.


Analyzing and reverse engineering this sample shows us a DeviceAdminReceiver class that connects to a hardcoded URL to obtain parameters that indicate how and where to perform click-fraud activities:

This function is part of a service initiated by a receiver related to DeviceAdmin.

Once the URL is requested, the control server returns an HTML page with the parameters in an uncommon way—inside the title tag, as we see in the following:

All the parameters are in one line, but the malware interprets them using the string “eindoejy” to separate them, obtaining the target URL, JavaScript functions to perform clicks, HTTP headers used in the fraudulent HTTP request, and another Google Play package to monetize the clicks in the abused ad network. We thought the string “eindoejy” could be an anagram of “I enjoyed” or “die enjoy,” but we found other variants in which the word used to split the parameters is different.
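As an added example (neither McAfee's code nor the malware's), here is a small analyst helper that decodes a captured control-server reply of the kind described above: it extracts the title text, splits it on the delimiter, and returns the fields for triage plus the hosts worth watching on the network. The field order, the delimiter list and the sample reply are assumptions, and every host and package name in it is a constructed placeholder.

```python
"""Decode the delimited <title> configuration an Android/Clicker sample fetches.

Added example, not McAfee's code. Field order (target URL, click JavaScript,
HTTP headers, Google Play package) is assumed from the article's description;
the sample reply and every host and package name below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Delimiters seen so far; the article notes variants use other strings.
KNOWN_DELIMITERS = ("eindoejy",)


class _TitleExtractor(HTMLParser):
    """Collect the text inside the first <title> element."""

    def __init__(self):
        super().__init__()
        self._in_title = False
        self._parts = []

    def handle_starttag(self, tag, attrs):
        if tag == "title" and not self._parts:
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self._parts.append(data)


def extract_title(html_text):
    parser = _TitleExtractor()
    parser.feed(html_text)
    parser.close()
    return "".join(parser._parts)


def parse_headers(block):
    """Turn 'Name: value' lines into a dict; lines without a colon are skipped."""
    headers = {}
    for line in block.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip():
            headers[name.strip()] = value.strip()
    return headers


def parse_clicker_config(html_text, delimiters=KNOWN_DELIMITERS):
    """Return the decoded config, or None if no delimiter yields 4+ fields led by a URL."""
    title = extract_title(html_text)
    for delim in delimiters:
        fields = title.split(delim)
        if len(fields) < 4:
            continue
        target_url, click_js, header_block, package = fields[:4]
        if not urlparse(target_url.strip()).netloc:
            continue  # a real config starts with the page to load
        return {
            "delimiter": delim,
            "target_url": target_url.strip(),
            "click_js": click_js,
            "headers": parse_headers(header_block),
            "package": package.strip(),
            "extra_fields": fields[4:],
        }
    return None


def network_indicators(config):
    """Hosts from a decoded config, for egress monitoring or blocklisting."""
    hosts = {urlparse(config["target_url"]).netloc}
    referer = config["headers"].get("Referer")
    if referer:
        hosts.add(urlparse(referer).netloc)
    return sorted(h for h in hosts if h)


# Constructed reply in the format the article describes (placeholders only).
SAMPLE_RESPONSE = (
    "<html><head><title>"
    "http://ads.example.invalid/landing?id=42eindoejy"
    "function f(){/* click routine elided */}eindoejy"
    "User-Agent: Mozilla/5.0 (Linux; Android 6.0)\nReferer: http://pub.example.invalid/eindoejy"
    "com.example.placeholder.app"
    "</title></head><body></body></html>"
)
```

Pass `delimiters=` with any newly observed separator string to handle the variants the article mentions.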

Once installed, Android/Clicker.BN adds an icon to the main menu that is not related to the downloaded app from Google Play. The new icon appears to be a system utility. Some examples of the icons loaded by the malware:

When Android/Clicker.BN executes, it requests device administration privileges:

Some of the apps can access YouTube inside a WebView and list trending channels, others lock and blacken the screen, and others crash the UI while in the background running click fraud—which not only harms advertisers and publishers, but also generates malicious traffic on infected devices, impacts battery and overall usage performance, and opens the door to new malicious payloads.

McAfee Mobile Security detects this threat as Android/Clicker.BN!Gen and prevents its execution. To further protect yourself against malicious apps, use only legitimate app stores, and pay attention to suspicious traits such as nonsense names, missing descriptions, and poor reviews. Also verify that the app’s requests for permissions are related to its functionality. Be wary when apps request device administration API access, which is usually requested only by security apps, antimalware, mobile device management, or corporate email clients. Most apps and games will never ask for device admin rights.

Source : : Blog

Intel Security Launches ‘Threat Landscape Dashboard’


Every week, we read in the news of another breach or targeted campaign, as more patches are released to protect against the next strain of sophisticated malware. For the administrators responsible for safeguarding a company’s systems, networks, and digital information, keeping up is an overwhelming task, made doubly difficult because it is often hard to determine the most significant threats.

To serve those admins, Intel Security began work nine months ago to design a new dashboard that identifies the most significant threats and illustrates the relationships between them.

We want to assist security practitioners when they make decisions about which vulnerabilities should be patched first, based on the prevalence of attacks that exploit those vulnerabilities.

Using vulnerabilities as the pivot point, the Threat Landscape Dashboard illustrates the relationships among exploit kits, campaigns, and ransomware. For example, the RIG exploit kit takes advantage of vulnerabilities that are used to spread certain ransomware families. Further, some of these vulnerabilities are also seen in targeted campaigns. Consequently, we can show links between exploit kits and targeted campaigns through vulnerability correlation. We also calculate a “risk score” for each threat and campaign, and recently added a “media score,” too. Monitoring and processing information from social media feeds, we calculate a score for the press attention received by the specific threat or campaign.

On each threat’s details page, we provide reference links to more information about the threat, including the source, blogs, and whitepapers. The dashboard also supports RSS feeds.

This is just the beginning for the Threat Landscape Dashboard; we are eager for your feedback. In the near future we plan to expand the dashboard with detailed threat descriptions and more contextual data. That information will be available through the RSS feed so users can import the feed and, based on keywords, filter the incoming stream.

To view the Threat Landscape Dashboard, visit It is also accessible through the Threat Center at


Patches Resolve ePO 5.1.3 Vulnerability



A vulnerability in ePO 5.1.3 has been discovered and resolved.



The vulnerability is remediated in these versions:
• ePolicy Orchestrator 5.1.3 Hotfix 1110787.
• Fix will be included in 5.1.4 (when available).
• Issue never impacted ePO 5.3.0 or higher

• CVE-2017-3902 (CVSS: 4.0; Severity: Medium)
A cross-site scripting (XSS) vulnerability in the Web user interface (UI) in ePO 5.1.3, 5.1.2, 5.1.1, and 5.1.0 allows authenticated users to inject malicious JavaScript by bypassing input validation.

Intel Security recommends that all customers verify that they have applied the latest updates. Impacted users should install the relevant patches or hotfixes. For full instructions and information, see Knowledge Base article SB10184 – Intel Security – Security Bulletin: ePolicy Orchestrator update fixes cross-site scripting vulnerability (CVE-2017-3902).

For more information on the hotfix see the ePO 5.1.3 Hotfix 1110787 Release Notes:
PD26861 –

Source : mcafee-antivirus-setup : Blog

Cloud Network Security for Amazon Web Services



Security giant McAfee has announced the launch of a new virtual security platform for Amazon Web Services (AWS), intended to give advanced protection to businesses operating in the public cloud.

The new product, named the Virtual Network Security Platform (vNSP), is designed to secure workloads on AWS against advanced malware that can reach a business through various channels, including cross-site scripting, SQL injection attacks and botnets.

The risk in these cases also grows if one virtual server is compromised, as malware can be transferred to other vulnerable machines in the same customer environment.

According to a McAfee release, instead of monitoring the whole network segment, the new vNSP works at the individual workload level. The company argues this ensures visibility of inter-segment traffic, removes single-point-of-failure risk and uses security resources more efficiently than traditional approaches.


‘AWS covers a great deal, such as security of the cloud, but customers are still responsible for their security in the cloud — including securing their operating systems, applications and data traffic,’ commented Shishir Singh, VP and general manager of the Network Security business unit at McAfee.

‘While firewall configurations are important, security teams and cloud architects need to address exploit prevention, malware protection and gain visibility into the lateral movement of threats. With McAfee Network Security Platform, customers can move beyond the basics to more sophisticated protection of their cloud network,’ he added.

The security vendor is now offering free early previews of the technology in 72-hour ‘test drive’ trials. Customers will be able to run tests that simulate real-world cyber attacks, configure policy and review the reporting dashboards.


Intel Security to become McAfee in 2017



Intel Security is set to become McAfee in April 2017, according to Chris Young, Intel Security general manager and future CEO of the new company, in which Intel will retain a 49% stake.

“When we become an independent company, we will be one of the largest pure-play cyber security companies in the world,” he told Intel Security’s annual Focus conference in Las Vegas.

“Not only will we be one of the largest, but we won’t rest until we achieve our goal of being the best,” said Young.

This is the first Focus event since Intel announced plans to spin off its security business as an independent company in partnership with investment firm TPG, five years after acquiring McAfee.

Young focused on his vision for the new company, its roadmap for achieving that, the need for rapid innovation and the importance of cross-industry collaboration.

“One of the things I love about this conference is that we all come together to find ways to win, to work together,” he said.

First, Young highlighted the publication of the book The Second Economy – the race for trust, treasure and time in the cyber security war.

The main objective of the book is to help chief information security officers (CISOs) communicate the battles facing everyone to others in the c-suite.

“So that we can recruit them into our fight. We need to enlist others on our journey if we are to be successful,” he said.

Challenging assumptions

The book is also aimed at encouraging information security professionals to challenge their own assumptions.

“I plan to send two copies of this book to the winner of the US presidential election, because cyber security is going to be one of the most important topics they could possibly face,” said Young.

“The book is about giving more people a view of the dynamism of what we face in cyber security, which is why we have to challenge our assumptions continually,” he said. “That is why we challenge our assumptions in the book as well as our assumptions about what we do every day.”

Young said Intel Security had been asking thousands of customers to challenge the company’s assumptions over the past 18 months so it can improve.

“This week, we are going to bring a lot of that feedback to life in the delivery of a tremendous amount of innovation across our entire portfolio,” he said.

Young then used a video to underline the message that the McAfee brand is built on the belief that there is power in working together, and that no one person, product or organisation can provide total security.

By enabling protection, detection and correction to work together, the company believes it can react to cyber threats faster.

By linking products from different providers to work together, the company believes the security of networks becomes better. By bringing companies together to share threat intelligence, better ways can be found to protect each other.

The company said cyber crime is the greatest challenge of the digital age, and this can only be overcome by working together. It revealed a new tagline: “Together is power”.

The video also revealed the new independent company’s logo, which Young called a symbol of its new beginning and a visual representation of what is core to the company’s strategy.

“The shield means defence, and the two interlocking components are a symbol of the togetherness we are about in the industry,” he said. “The red colour is a callback to our legacy in the industry.”

Three main reasons for independence

According to Young, there are three main reasons behind the decision to become an independent company.

First, is to be completely focused on cyber security at a company level, solving customers’ cyber security problems and dealing with customers’ cyber security challenges.

Second is innovation. “Because we are committed and dedicated to cyber security alone at company level, our innovation is centred around it,” said Young.

Third is growth. “Our industry is moving faster than any other sub-segment of IT. We have to grow as quickly, if not more quickly than everything that is happening in our space,” he said.

The new company will have 7,500 employees and more than $2bn in revenue with a growing profit base.

“The challenges in our industry have moved on and so must we,” said Young. “We are looking forward, and will accelerate what we are doing as a new organisation so we can be better at solving security challenges in the future.”

He added that in the past year, the company has invested more than $500m in research and development.

Record numbers

According to Young, the company also has 21% more engineers than at the start of 2016, as well as 25% more product managers and 19% more professional services staff, with another 11% to come in the next few months.

“This week, we are announcing 18 new product and partner innovations – a release across every single part of our product portfolio, in addition to the integration of new partners. It is a record number of solutions and innovations for any year in this company’s history,” he said.

He detailed some of these innovations, before announcing the company’s decision to make the McAfee data exchange layer (DXL) available to everyone in the industry for real-time threat intelligence sharing between different point products in their infrastructure.

“We are doing this because it is the right thing for our industry in order to move forward,” he said, calling on attendees to challenge every supplier they do business with to integrate with DXL.

“There are no more excuses. In the past, suppliers said they could not integrate with DXL because they first had to become members of the Intel Security Innovation Alliance. But there is no excuse now. It is open. Everybody can use it,” said Young.


New Server Security Release Makes Borderless Cloud Security a Reality



Cloud Workload Discovery, initially announced in July 2016, covered Amazon Web Services (AWS) and Microsoft Azure. Cloud Workload Discovery for hybrid cloud, available on December 15, 2016, extends coverage to VMware and OpenStack private clouds.

As the hybrid data center expands, finding the blind spots keeps getting harder. Organizations struggle to assess their end-to-end security posture for workloads and platforms, monitor and protect workloads across all clouds and maintain regulatory compliance.

Cloud Workload Discovery for hybrid clouds gives end-to-end visibility into all workloads and their underlying platforms to make borderless cloud security a reality. With deep visibility, assessment and remediation for compute, storage and network, as shown in the chart below, organizations can assess their end-to-end security posture (workloads and platforms), monitor and protect workloads across all private and public clouds and maintain regulatory compliance.

How Cloud Workload Discovery Works

Cloud Workload Discovery for hybrid cloud provides three main capabilities:

  • Discovery of weak security controls for VMware, OpenStack, AWS and Microsoft Azure
  • Platform security audit, including firewall and encryption settings, for AWS and Microsoft Azure
  • Traffic and network threat visibility for AWS.

These insights lead to faster detection, while McAfee® ePolicy Orchestrator® (McAfee ePO™) or DevOps tools such as Chef, Puppet, and OpsWorks enable quick remediation.

Cloud Workload Discovery’s integration with McAfee ePO, a single management platform with simplified workflows, gives organizations effective control to help implement security solutions across physical, virtual and cloud environments. Since Cloud Workload Discovery is agentless and powered by API integration with cloud providers, security administrators just enter their cloud account credentials in McAfee ePO to instantly discover workloads, address threat alerts and enforce policies. Quick time to value and a low learning curve mean that you can significantly improve your cloud workload security with minimal involvement from your IT Security team.


Release Schedule Change – 5900 Anti-Malware Engine Beta Refresh


The McAfee Anti-Malware Engine, a core component of the McAfee Endpoint and Gateway products, uses patented technology to analyze potentially malicious code to detect and block Trojans, viruses, worms, adware, spyware, and other threats.

The 5900 Anti-Malware Engine Beta Refresh and VirusScan Command Line 6.1.0 Beta release schedule has changed to take an opportunity to further improve the engine performance in relation to new JavaScript versions, based on work done during the previous Beta cycle.

New planned schedule:
  • 5900 Engine Beta 3 – January 17, 2017
  • VirusScan Command Line 6.1.0 products Beta 3 – by January 21, 2017
  • Release Candidate (RC) packages of 5900 Engine and VirusScan Command Line 6.1.0 products – mid-February 2017
  • 5900 Engine (Elective download) general availability (GA) and VirusScan Command Line 6.1.0 products GA – late February 2017
  • 5900 Engine (AutoUpdate) GA – late April 2017

New features in the 5900 Anti-Malware Engine

The 5900 Anti-Malware Engine is a yearly Engine release that will succeed the current 5800 Engine and includes the following improvements:

Detection and Performance Enhancements:
  • Enhanced support of JavaScript to detect more threats.
  • Improved support for the Microsoft Office (OLE) file format.
  • Improved unpacking of Dotfuscator and MPRESS packed files.
  • Enhancements to DAT content to improve predictability of content processing.

Platform Enhancements (new platform support):
  • Windows 10 Anniversary Update
  • Windows Server 2016

Where are the Beta/RC Packages available?
They are available from the Engines area of the McAfee Enterprise Beta site:

For complete information about the 5900 Anti-Malware Engine, see KB66741:


McAfee Launches Free Tool That Removes Pinkslipbot Leftovers That Use Your PC as Proxy



McAfee has launched AmlPinkC2, a free Windows command-line tool. It deletes the leftover files from Pinkslipbot infections that allow the malware to keep using previously infected computers as proxy relays, even after the original malware binary has been cleaned up and removed from the infected hosts.

typical Pinkslipbot control server

System requirements:

To use this tool, you must have:

  • A computer running Windows XP or higher
  • An active network connection

What is the Pinkslipbot?


Pinkslipbot is a banking trojan that first appeared in 2007 and is also tracked under three other names: Qakbot, Qbot, and PinkSlip.

This banking trojan isn’t always active; it keeps coming back in waves as part of very well-planned campaigns. In past years, numerous cyber-security companies have tracked its attacks and broken down its different versions [1, 2, 3, 4, 5, 6, 7, 8, 9, 10].

The most recent campaign was spotted by IBM security researchers, who noticed Pinkslipbot versions that caused Active Directory lockouts on infected computers.

McAfee finds new wrinkle in Pinkslipbot infections

One of the companies that have historically tracked Pinkslipbot campaigns is McAfee. Its researchers presented an analysis of the trojan’s C&C server infrastructure and its method of C&C communication at last year’s Virus Bulletin security conference.

Last week, while looking over past and present Pinkslipbot campaigns, researchers found a new wrinkle in the trojan’s mode of operation.

Researchers say the Pinkslipbot authors are much cleverer than initially thought. According to McAfee, besides stealing the user’s data, the banking trojan also uses infected hosts as proxy servers to relay information from the central C&C server to other infected hosts, in a mesh-like network.

New McAfee tool removes last remnants of Pinkslipbot infections

According to McAfee, most security tools remove only the malware’s main binaries, crippling the trojan’s ability to collect passwords from infected hosts.

These Pinkslipbot removal procedures leave intact the code that creates these proxy servers, which run via the Windows UPnP (Universal Plug and Play) service.

McAfee’s new tool will remove these remaining files and prevent Pinkslipbot from using users’ PCs to relay C&C commands or to hide the exfiltration of stolen data through a mesh of proxies.


Dangerous hole found in McAfee ePO antivirus central management suite


Intel Security’s McAfee has released a patch for a critical SQL injection flaw in ePolicy Orchestrator or ePO, its admin console used to centrally manage software and antivirus on tens of millions of enterprise devices worldwide.

Cisco’s Talos security team disclosed details of the issue today, warning that anyone on the web can send a specially crafted HTTP POST in an SQL query that causes an ePO database to spill enough information to profile users or monitor IT infrastructure.

“An attacker can use any HTTP client to trigger this vulnerability,” Talos researchers said.

ePO is used by 30,000 enterprise customers worldwide, and is responsible for keeping 60 million devices secure, according to McAfee.

McAfee has given the bug the highest CVSS v3 Base score of 10.0, noting that the bug is not complex to exploit and doesn’t require user privileges or interaction.

Affected products include ePO 5.1.3 and earlier and ePO 5.3.2 and earlier. The company has released hotfix files to address the issue.

Security admins use the ePO console to centrally manage antivirus and software policies via software agents that are installed on endpoint devices. Talos researchers discovered that the bug can also be used to impersonate these agents and cause information disclosure.


Given ePO’s role in managing endpoint antivirus, the software is likely to be an attractive target to attackers. It serves as yet another reminder that flaws in security software can widen a user’s attack surface, as a former Mozilla engineer highlighted recently.

“Vulnerabilities like this can allow deep insight into the organization without an attacker requiring any privileged access to centralized platforms such as Active Directory, with this access an attacker can profile users and the infrastructure passively,” said Talos.

Talos says the vulnerability lies within the application server for ePO’s Apache Tomcat-based administrator management console. The server is reachable via the console directly, or by way of a custom protocol, known as SPIPE, that hands off communication between agents and the console.

Talos’ detailed writeup is available here, where it explains that to mitigate this attack ePO customers can shut off direct access to the console and limit it to SPIPE.

“To ensure that an attacker does not have direct access to the vulnerability and instead has to use just SPIPE as an agent, verify that port 8443 that the McAfee ePolicy Orchestrator Console is bound to is inaccessible by ePolicy Orchestrator’s agents and can only by accessed by Administrators,” wrote Talos.


McAfee Total Protection for Data Loss Prevention: Product overview


Intel Security’s McAfee Total Protection for Data Loss Prevention is a complex suite consisting of four distinct data loss prevention (DLP) tools that can be deployed on hardware and virtual appliances. The DLP suite includes McAfee DLP Monitor, McAfee DLP Discover, McAfee DLP Endpoint and McAfee DLP Manager. Endpoint agents for McAfee Total Protection for Data Loss Prevention are deployed and managed through the McAfee ePolicy Orchestrator, while the McAfee DLP Manager appliance acts as the central control hub for the full suite.

McAfee DLP Monitor

McAfee DLP Monitor is a network appliance-based tool for monitoring and controlling sensitive information that can be deployed using either Switched Port Analyzer ports or network taps.

This DLP product, which can track and report on sensitive data in motion in real time, is a network appliance capable of detecting over 300 content types transiting over any TCP-based port and protocol. It can classify content at up to 200 Mbps.

The appliance is available as either the hardware-based McAfee DLP 5500 appliance or as a VMware virtual machine.


McAfee DLP Discover

McAfee DLP Discover is a data at rest discovery tool capable of scanning and detecting over 300 content types in many different kinds of file repositories. Supported file types include Microsoft Office documents, multimedia files, source code, design files, archive files and encrypted files.

It is capable of scanning common file repositories, including Common Internet File System, Network File System, FTP/FTP Secure, HTTP/HTTPS, Microsoft SharePoint and EMC Documentum. It’s also capable of scanning Microsoft SQL, Oracle, DB2 and MySQL databases for sensitive information.

This appliance-based tool is available as either the hardware-based McAfee DLP 5500 appliance or as a VMware virtual machine.

McAfee DLP Endpoint

McAfee DLP Endpoint is a data in use monitoring and control data loss prevention tool supporting Windows 7 SP1 and 8.x and Mac OS X 10.8.5 to 10.10 endpoints.

This product is deployed and managed using McAfee ePolicy Orchestrator (ePO). It can be purchased separately from the McAfee DLP suite, thereby allowing smaller organizations already using McAfee ePO to field endpoint-only data loss prevention.

McAfee DLP Endpoint has a variety of rules and policies to help protect sensitive data in use. Cloud-aware cloud protection rules block sensitive files from being synced to cloud services, such as Box, Dropbox, Google Drive, Syncplicity and OneDrive. Application file access protection rules block access to sensitive files, through means such as Skype file transfer, Nero burning and iTunes syncs. Web protection rules now offer Google Chrome support, in addition to Mozilla Firefox and Internet Explorer (enhanced protected mode) support.


McAfee DLP Manager

The McAfee DLP Manager appliance is the central controller for the complete McAfee Total Protection for Data Loss Prevention suite, and it is the integration point for the McAfee ePolicy Orchestrator server.

While it can be used to manage select McAfee DLP tools, McAfee DLP Manager must be used with McAfee ePO to manage McAfee DLP Endpoint.

The DLP Manager allows organizations to manage up to 39 McAfee DLP components and to view all incidents generated by McAfee DLP components. Searches and reports for all McAfee DLP components can be generated through the DLP Manager. It also comes with a number of preconfigured policies to help manage McAfee DLP components.


McAfee Total Protection for Data Loss Prevention is designed to cover the data protection needs of a variety of enterprises; those needs include controls and policies for corporate data standards, regulatory compliance and protection against both insider threats and external attackers.

The software suite is designed to scale easily from midsized organizations to large enterprises. It covers endpoint data in use, network data in transit and data at rest for several file types and databases. While McAfee Total Protection for Data Loss Prevention covers data generated and used by third-party cloud services, it does not cover mobile devices, like smartphones.

Organizations interested in the McAfee DLP suite should contact the vendor or an authorized reseller for more information on pricing and licensing.
