McAfee releases VirusScan with intrusion prevention

The latest version of McAfee's VirusScan Enterprise software contains so-called "intrusion prevention" features which can protect computers from attacks such as buffer overflows, which are often used by viruses, worms and malicious hackers to compromise vulnerable Microsoft Windows machines.

VirusScan Enterprise 8.0i integrates IPS (intrusion prevention services) and firewall technology with anti-virus software to protect personal computers and file servers from new malicious code outbreaks automatically.

The latest version of VirusScan also has features to manage new malicious code outbreaks, limiting the damage they cause, the anti-virus software company McAfee said.

The announcement comes as anti-virus software makers and networking equipment suppliers look for ways to harden machines against possible compromise and crack down on a host of threats, from spam and spyware to bogus web pages used in phishing scams.

The latest version of VirusScan incorporates host IPS technology from McAfee's acquisition of Entercept Security Technologies in April 2003.

The Entercept technology allows VirusScan to spot malicious code used to exploit vulnerabilities in the Windows operating system and Microsoft applications such as Internet Explorer, Outlook and Microsoft Office, said John Bedrick, group marketing manager for systems security at McAfee.

The product requires periodic updates from McAfee, but Bedrick was reluctant to call the IPS updates "signatures", for fear of lumping them in with the frequent anti-virus updates that are required when new worms and viruses appear.

For example, VirusScan 8.0i spots malicious code that tries to exploit a known vulnerability in older versions of a Windows component called the Local Security Authority Subsystem Service (or LSASS).

The recent Sasser and Gaobot worms spread by compromising machines using vulnerable versions of LSASS.

VirusScan 8.0i protects Windows machines from any of those threats. However, unlike anti-virus software, it does not require a new "signature" for each worm that targeted LSASS, Bedrick said.

The new features are part of Protection-in-Depth, a McAfee program intended to provide many layers of defence against malicious computer activity.

McAfee has also added a small set of IPS features that will provide the maximum protection to users while creating the minimum of "noise" such as blocking valid traffic, Bedrick said.

Whereas a comprehensive IPS product like Entercept's prevents buffer overflows of any kind, VirusScan 8.0i limits buffer overflow protection to the 30 or so Windows applications and services that most McAfee customers use.

"The idea was to pick the applications and services that were the most commonly exploited," he said.

In doing so, McAfee had to strike a careful balance between making VirusScan more proactive and turning it into a nuisance for users, he said.

The release of VirusScan 8.0i is part of a larger push into the IPS arena at McAfee. In June the company, formerly Network Associates, announced new versions of two intrusion prevention (IPS) products, IntruShield and Entercept, that it said will make it easier to protect corporate networks from so-called "zero day" attacks: attempts to break into networks using previously unknown vulnerabilities.

The company also plans future releases that will enhance the ability of its products to spot malicious code before it can infect a customer network. Future features may include wizards and rules for configuring proactive security, he said.

McAfee VirusScan 8.0i is not sold as a standalone product, but is sold in suites, such as McAfee Total Virus Defense, with other McAfee products.

The product is available for free to existing customers with valid support agreements, and to new customers through McAfee and its partners.

Paul Roberts writes for IDG News Service
