McAfee product coverage and mitigations for malware or indicators associated with the recent attacks (a.k.a. Dragonfly, Energetic Bear, Havex/SYSMain) on industrial control systems (ICSs) are listed below.
The Havex remote access tool is common across these associated attacks or campaigns, including Dragonfly. We have seen Havex in ICS-specific targeted campaigns. It can detect and affect ICS- and SCADA-specific services, such as OPCServer (OLE for Process Control).
McAfee Product Coverage and Mitigation
- McAfee VirusScan (AV): Known, associated malware samples are covered by the current DAT set (7486). Updated coverage will be included in the July 2 DAT set.
- McAfee Web Gateway (AV): Same as VirusScan coverage.
- McAfee Application Control: Provides coverage via whitelisting. Nonconforming executables will not run.
- McAfee Next Generation Firewall: Partial coverage (for malware artifacts) is available via built-in McAfee AV inspection of mail, web, and file transfers.
Please check back often for updated technical details and product coverage.