I Haven't A Clue.
Friday, 23 October 1998
Updated Saturday, 5 December 1998

In a recent press release, McAfee's VirusScan 4.0 is touted on the Network Associates website as dealing with Back Orifice and NetBus.

They say: "VirusScan 4.0 combines desktop detection of over 22,000 viruses, Active X and Java hostile applets, Internet and corporate e-mail infection and security threats like Back Orifice and Net Bus, into a single easy-to-use package."

There's no question about this. It says the product detects Back Orifice.

IT DOES NOT DO SO.

I have updated, just days ago to version 4.0. I have made four attempts to communicate with them over three days, all without success. They have no live humans of the right sort who answer their phones, so I am forced each time to wait out their customer service queue at my expense on a long-distance call. Each time I called, I explained to the service person or to a voicemail machine that I hoped to explain to my website's 2000-daily visitors what was going on and what NAI does or will offer. I asked the same questions each time, or at least attempted to do so.

• Why, if their press release says what it says, doesn't VirusScan perform?
• Why, in view of their competition's fast responses to Back Orifice and other trojans, hasn't their McAfee product been updated to protect its users?
• Do they have some product that does work? (I know they've bought Dr. Solomon but can't confirm it ever dealt with BO.)
• And finally... why aren't they answering my questions?

The McAfee product, of all the major virus-scanning packages, appears to have been the least responsive to the rash of remote-admin trojans. They've taken the longest even to comment on the subject.

I had hoped to make positive statements about Network Associates' offerings and/or progress in this respect, but they have made that quite impossible.

I use their product; have used it for many years. But I no longer recommend it.

I am in process of building a page which describes the many countermeasures against BO and the other similar trojans. It's a large task of information-gathering and web-page construction, and will require some days. Stay tuned! Maybe by the time I post that page NAI will have spoken.

Meanwhile, be warned... where BO and NetBus are concerned, I have positively determined that McAfee VirusScan 4.0, as of this date, does not deliver as promised. Don't rely on it. Take other measures, such as AVP and/or BODetect.

Update Saturday, 5 December 1998:

Several people have written to inform me that McAfee does detect Back Orifice. In fact, this was the case by the end of October, however I found at the time that McAfee did not detect BO or its components entirely reliably. I apologize to one and all for the slow update of this page.

Today, after upgrading to McAfee's very latest this very morning; I have found no significant change. This morning's test determined that McAfee's VirusScan:

• Does usually find Back Orifice clients and servers on a file scan
• Never sees it in memory
• Cannot terminate or delete a running Back Orifice
• Sometimes misses BO servers for no reason
• Sometimes fails to see the keylog .dll BO creates (usually named windll.dll but it can be renamed)
• Fails utterly to spot a BO server I have here which is unaltered and uncompressed, but encapsulated (with other data at beginning and end of the file).

Therefore my recommendation still stands. Do not rely on McAfee for protection against BO.

I have an assortment of trojans in my archives, and I set McAfee to work scanning those files. It successfully spotted a number of them. Although I have not checked it for consistency, it found:

• Sockets de Troie, version 2.3 and the prior one (2.0?)
• Genvirus, a utility used to create a virus which executes Sockets de Troie
• NetBus, client and server, versions 1.53 and 1.60
• Master's Paradise server
• All of Netnija's Back Orifice plugins

It did NOT find:

• NetBus version 1.70
• phAse zero, a trojan comparable to NetBus
• BackDoor, another trojan, also much like NetBus
• DeepThroat, yet another remote-admin trojan
• Girlfriend, a Russian trojan which I believe is gaining popularity
• NetSpy, a slick-looking trojan that masquerades as a "protector."

I've used McAfee and been happy with it for a very long time. But partial solutions to things like viruses and trojans can be worse than none at all, because of the false confidence factor.

McAfee was approximately the slowest of the major/popular Win95 antivirus tools to incorporate any protection at all for Back Orifice, and it is woefully inadequate. Its inattention appears to extend to the other trojans, and I am concerned therefore that viruses, too, may get poor coverage from McAfee.

I've read elsewhere that McAfee's customer service is poor, with speculation that it's suffering from acquisition-itis. Apparently the disease extends to the product's quality and maintenance as well.

I'm sorry to see the McAfee folks go this way, because I've always liked them. I'm sorry too, that they chose to snub my efforts to communicate. C'est la vie.

If the news gets better from McAfee, I'll post it here.