
McAfee releases VirusScan with intrusion prevention

Aug 30, 2004 | 3 mins
Intrusion Detection Software, McAfee, Network Security

Anti-virus software company McAfee said Monday that a new version of its VirusScan Enterprise software contains so-called “intrusion prevention” features that can protect computers from attacks such as buffer overflows, which are often used by viruses, worms and malicious hackers to compromise vulnerable Microsoft Windows machines.

VirusScan Enterprise 8.0i integrates intrusion prevention services and firewall technology with anti-virus software to protect personal computers and file servers from malicious code outbreaks automatically.

The announcement comes as anti-virus software makers and networking equipment vendors look for ways to harden machines against possible compromise and crack down on a host of threats, from spam and spyware to bogus Web pages used in phishing scams.

The new version of VirusScan incorporates host IPS technology from McAfee’s acquisition of Entercept Security Technologies in April 2003. The Entercept technology allows VirusScan to spot malicious code used to exploit vulnerabilities in the Windows operating system and Microsoft applications like Internet Explorer, Outlook and Microsoft Office, said John Bedrick, group marketing manager for systems security at McAfee.

The product requires periodic updates from McAfee, but Bedrick was reluctant to call the IPS updates “signatures,” for fear of lumping them in with the frequent anti-virus updates that are required when new worms and viruses appear.

For example, VirusScan 8.0i spots malicious code that tries to exploit a known vulnerability in older versions of a Windows component called the Local Security Authority Subsystem Service (or LSASS). The recent Sasser and Gaobot worms spread by compromising machines using vulnerable versions of LSASS. VirusScan 8.0i protects Windows machines from any of those threats. However, unlike anti-virus software, it does not require a new “signature” for each worm that targeted LSASS, Bedrick said.

The new features are part of Protection-in-Depth, a McAfee program intended to provide many layers of defense against malicious computer activity, McAfee said.

While IPS features in VirusScan improve that product’s ability to spot malicious computer code, the new features do not turn VirusScan into a full-fledged IPS product. Instead, McAfee added a small set of IPS features that will provide the maximum protection to users while creating the minimum of “noise” such as blocking valid traffic, Bedrick said.

Whereas a comprehensive IPS product like Entercept’s prevents buffer overflows of any kind, VirusScan 8.0i limits buffer overflow protection to the 30 or so Windows applications and services that most McAfee customers use, he said.

“The idea was to pick the applications and services that were the most commonly exploited,” he said.

In doing so, McAfee had to strike a careful balance between making VirusScan more proactive and turning it into a nuisance for users, he said.

The release of VirusScan 8.0i is part of a larger push into the IPS arena at McAfee. In June the company, formerly Network Associates, announced new versions of two intrusion prevention products, IntruShield and Entercept, that it said will make it easier to protect corporate networks from so-called “zero day” attacks, attempts to break into networks using previously unknown vulnerabilities.

The company has more announcements planned for future releases that will enhance the ability of its products to spot malicious code before it can infect a customer network. Future features may include wizards and rules for configuring proactive security, he said.

McAfee VirusScan 8.0i is not sold as a stand-alone product, but is sold in suites, such as McAfee Total Virus Defense, with other McAfee products. The product is available for free to existing customers with valid support agreements, and to new customers through McAfee and its partners, McAfee said.