Frequently Asked Questions
Do you have a question for McAfee® Avert® Labs? Find answers to some of the most commonly asked questions.
- When should I contact McAfee Avert Labs?
- I believe my system has a threat in it, but your software hasn't detected anything. What should I do?
- If I call you and describe unusual behavior or potentially infected files on my computer, can you analyze it and tell me exactly what might be happening?
- Can McAfee Avert Labs assist me with product issues?
- What happens if McAfee VirusScan® detects a threat that it cannot clean?
- Can JPG, GIF, and other data files be infected?
- Does McAfee VirusScan detect all security exploits?
- Why do I need to update my engine as well as my DATs?
- What kinds of attacks are usually targeted at enterprise networks and network servers?
- What's the best defense against phishing scams?
- How can I prevent my PC from becoming a zombie PC?
1. When should I contact McAfee Avert Labs?
If you think your computer, server, or network may be infected with a virus or Trojan or may have a new potentially unwanted program (PUP), you can submit a sample to us for analysis. If you would like to get information on a threat that is not listed in the Threat Information Library, you may send an e-mail inquiry to McAfee Avert Labs including a sample for analysis. If you think a harmless file has been detected as a virus, you can send a sample to our labs to determine whether it is a false positive or a virus. We will send you an automated reply stating that the sample is already detected; you will need to reply to this message to tell us that you believe it to be an incorrect identification.
2. I believe my system has a virus, but your software hasn't detected one. What should I do in that case?
If McAfee VirusScan fails to detect or clean a known virus, it probably means that your scan engine or DAT files are out of date. McAfee releases a new version of the scan engine every three months or so. We highly recommend that you update the scan engine as soon as the new versions become available, so that you have the best possible coverage. New DAT file updates are released every business day (Monday through Friday) at approximately 6:00 P.M., GMT. We suggest that you update your DAT files daily. Our technical support team can help you determine your current versions and can help you with updates.
3. If I call you and describe unusual behavior or potentially infected files on my computer, can you provide an analysis and tell me exactly what might be occurring?
In most cases, it's difficult to tell you exactly which threat you might have from just a verbal description. For best results, we advise that you download and install the most recent scan engine and DAT files, which will very likely detect any threat that may be active in your system. If you find no malware and you still believe you may have one, submit a sample to McAfee Avert Labs for analysis.
4. Can McAfee Avert Labs assist me with product issues?
McAfee Avert Labs is a threat research organization that helps detect, describe, and provide remediation for viruses, Trojans, and Potentially Unwanted Programs. Our research labs do not work with product-related issues. If you are a business user and need assistance with a McAfee product, please visit Technical Support. If you are a home or home office user, please visit McAfee Help.
5. What happens if McAfee VirusScan detects a file that it cannot clean?
When a virus infects a file, McAfee VirusScan cleans the virus and repairs the file. Trojans and worms behave differently. Trojans and worms are self-contained, and do not need to be part of another program or file to spread. The best way to eliminate these kinds of threats is to delete them. If McAfee VirusScan has detected a threat and is unable to delete it, the best thing to do is to run another scan to see if the file is still there. At times, even though McAfee VirusScan has deleted the malicious file, you may get a message that cleaning has failed.
For best results, make sure that you have downloaded and installed the latest scan engine and DAT files. If you are running Microsoft® Windows® ME or Microsoft Windows XP, disable System Restore and scan again. Potentially unwanted programs (PUPs) may include multiple files that may plug into the operating system in such a way that simply deleting them can stop your system from working properly.
We invite you to submit samples of PUPs that you cannot clean to Avert so that we may add proper removal code to the DAT files. And finally, check the Threat Information Library for details on the Trojan or worm that you detected. Some malicious codes require special removal instructions. Before you delete any files, make sure you note the names of the files you detected. To move, copy, or delete detected files, you may need to temporarily disable your anti-virus software. Remove any associated files from the registry and INI files. Or you may choose to restore your registry or INI files from a clean backup.
6. Can JPG, GIF, and other image files be infected?
Yes. Some software programs have vulnerabilities that contaminate JPG image files with malicious code. Contaminated JPG files can carry or launch a virus, worm, or Trojan on unpatched systems.
7. Does McAfee VirusScan detect all security exploits?
VirusScan detects viruses, worms, and Trojans. However, if we discover a specific virus, worm, or Trojan that exploits a popular vulnerability, we will incorporate detection for the exploit whenever possible. We also recommend that you keep all your software as up to date as possible. Visit your vendors' Web sites regularly to see what patches are available for your applications. If you need protection from other types of security threats, McAfee offers a wide range of products to address those. Contact your sales or support representative for assistance.
8. Why do I need to update my engine as well as my DATs?
When you update your scan engine, you'll have the most robust detection and cleaning available. McAfee continually refines detection and repair techniques so you have the most up-to-date, efficient protection. We often improve the scanning engine to support new file formats and new infection methods.
9. What kinds of attacks are usually targeted at enterprise networks and network servers?
Large-scale network attacks generally fall in three major categories:
- Reconnaissance—These include host sweeps, TCP or UDP port scans, e-mail recons, and indexing public Web servers to find cgi holes.
- Exploits—Attackers take advantage of hidden features or bugs to gain access to the system. The attacks may be in either encrypted or unencrypted data. Nuisance programs like spyware can be in this group.
- Distributed Denial of Service (DDoS) Attacks—In a DDoS attack, the attacker attempts to crash a service (or the machine), overload network links, overload the CPU, or fill up the disk. The attacker does not always try to gain information. Sometimes it is strictly an act of vandalism to prevent you from using your computer.
McAfee offers intrusion prevention solutions so you can detect known attacks (using custom signatures), new/zero-day attacks (using anomaly techniques), encrypted attacks (using advanced SSL decryption), and DDoS attacks (using hybrid algorithms employing statistical and heuristic methods). The combination of these techniques significantly increases the capability and accuracy of the system, reducing false positives and false negatives.
10. What's the best defense against phishing scams?
Phishing is an Internet scam where attackers try to trick consumers into divulging sensitive personal information. Usually, this involves sending messages with fraudulent e-mail and Web sites that look like they are being issued by legitimate companies (for example, order confirmations, requests for account and personal information updates, and password requests).
We consider these fraudulent e-mails to be spam. If you fall prey to a phishing scam, you are vulnerable to identity fraud and potential financial losses through fraudulent transactions. The best defense against phishing is to stay on top of your anti-spam protection and to be wary of any e-mail messages that look suspicious. Make sure your spam-blocking software performs the following functions:
- Automatically blocks malicious or fraudulent e-mail
- Automatically detects and deletes malicious software
- Automatically blocks outgoing delivery of sensitive information to malicious parties
Above all, never ever click on a link or respond to an e-mail if you have any doubts about it. If you want to determine whether the e-mail is legitimate, call or write to the sender.
Spear phishing is similar to phishing. As in phishing, the e-mail appears to come from a legitimate source, such as a bank, internal IT department, internal employee, or a company your employer does business with. While phishing e-mails are sent to a large distribution list of potential victims, spear phishing e-mails are sent to a small number of people and target specific recipients. The e-mail sender information may be spoofed, so the e-mail appears to come from a trusted source. For example, you may get e-mails that appear to be from a stockbroker you already have a relationship with through your company's investment plan. The spear phishers obtain this information from public accounts and stock records of listed executives. When you suspect that you might be the target of a spear phishing scam, follow the same common-sense precautions mentioned above.
11. How can I prevent my PC from becoming a zombie PC?
Your computer becomes a "zombie" when virus or Trojan software is installed that allows an unauthorized person to access your PC remotely via the Internet and issue commands to it. A collection of compromised PCs is called a "botnet" (short for a robot network). A botnet can have tens or even hundreds of thousands of zombie computers. Extensive botnets give hackers huge amounts of bandwidth, which they use for various illegal activities, such as sending large volumes of spam messages, installing adware, or committing DDoS (distributed denial of service) attacks against companies or organizations. A single PC in a botnet can be used to send thousands of spam messages per day. Botnets are a frequently traded commodity among spammers and attackers.
How do you know if your PC has become a zombie? If your PC has Trojan software installed, you may notice that it runs slower than usual, the Internet connection is slower than normal, and the machine behaves erratically. If your PC is being used to send spam or perform distributed denial of service (DDoS) attacks, you may notice some unusual Internet activity. If you have an external modem or broadband router, the data light may be on for long periods of time, even when you are not using the Internet. If you have a desktop firewall installed, you may receive notification messages informing you that programs are trying to access the Internet.
You can protect your computer from becoming a zombie by installing proven anti-virus and firewall software, and by making sure your anti-virus software is always up to date. New viruses are discovered every day, so out-of-date antivirus software can be ineffective. Any PC connected to the Internet via a broadband or an always-on connection is particularly at risk of infection. Because the PC is connected to the Internet all the time, there is a greater likelihood that the PC will be port-scanned and then hacked. (Port scanning is scanning for IP addresses on the Internet.) To determine whether you have a virus or Trojan installed on your PC, scan your computer for free from this Web site: http://us.mcafee.com/root/mfs/default.asp?cid=9913.
