We run McAfee as our corporate antivirus software. It’s fairly nice to manage via ePolicy Orchestrator, and I haven’t really had any issues with it, apart from corrupt Framework agent files now and then etc. Until I rolled out VirusScan 8.5 + AntiSpyware.
We use several remote admin tools on our network, one of them being TightVNC. So, because of this, in the Unwanted Programs Policy, I disable the category to detect remote admin tools, thinking that our remote tools would be safe.
I roll out 8.5 to a few machines here and there for testing purposes. It’s been running on my entire department’s machines since the 21st December, and it has been running on about 7 additional test workstations scattered throughout the environment for the past two weeks with no issues.
So today is the big rollout day where we deploy 8.5 to the rest of the company.
The next thing, I notice that our monitoring workstation has a virus alert on the screen. I go take a look – and discover that McAfee has gleefully deleted Tight VNC – detecting it as RemAdm-TightVNC. Hmmm… RemAdm… Remote Admin perhaps? That category that was UNSELECTED for detection? Yep.
Since our monitoring workstation is set up in a really inconvenient place to work on it (hence the desire for VNC), I decided to try remotely execute a few commands in an attempt to solve the situation.
Oooh. Guess what – psexec is detected as RemAdm-PSKill.
What I find hilariously funny is that I have PSTools installed on my workstation – in my Windows directory for that matter, and I have been running McAfee VirusScan 8.5 for the past month with EXACTLY the same policy that is installed on our monitoring station, yet it has NOT picked it up. It also fails to pick up UltraVNC which I have installed on this workstation. Gotta love the selective detections.
So I add all those detections as specific exclusions in the Unwanted Programs Policy. Then I get to thinking, “What else is this fucking software going to detect and delete?”
To the knowledgebase, Batman!
I find an article referencing Antivirus 8.0i, explaining how to get a list of PuPs (Potentially Unwanted Programs) from a command line tool called csscan.exe. The article says to run csscan.exe /TARGET APPLIST >c:\applist.txt
I run it and view the resulting applist.txt.
CommonShell Command Line Scanner (VSCORE.13.3.1.100)
Engine Version : 5100.0194 AV DAT Version : 4947.0000 223716 detections Built Tuesday, January 23, 2007 Extra DAT : 0 detections
Summary :- FilesFound : 0 FilesScanned : 0 FilesNotScanned : 0
ObjectsFound : 0 ObjectsInfected : 0 ObjectsCleaned : 0 ObjectsDeleted : 0
FilesInfected : 0 FilesCleaned : 0 FilesMoved : 0 FilesDeleted : 0
Wow, quite a list. Well, I figure that since the article was applicable to 8.0i and not 8.5, they might have changed the command line a bit.
Indeed they had. Now there was a nifty parameter called PupList.
Please wait … retrieving list of names from the Anti-PUP DAT Detection name list retrieval failed
Fun fun. So I try all the other *List parameters, and discover that the only one that works is VirList, which helpfully lists most detections in the DAT files.
I also discovered that csscan.exe can be used to restore the backups that are made before files are deleted.
csscan.exe /BackupDir C:\Quarantine /RestoreBackup RemAdm-TightVNC
There’s quite a lot of nifty things that can be done with that csscan.exe. Pity it’s not documented somewhere useful. :p