KeyLemon adds an extra layer of security to your computer log-in process by making your Webcam do all the heavy lifting. Instead of typing your password, KeyLemon 2.2 associates your face with your profile, and then regularly checks to make sure that the person sitting in front of the computer matches the image attached to that profile. If it doesn't think they match, the computer takes a photo via the Webcam and then automatically goes to hibernate.
The latest version of KeyLemon introduces a Firefox plug-in called LemonFox that lets users log in to three social-networking services using their Webcam.
Once installed, the program's Wizard will walk you through creating a profile of your face, and link it to your computer's log-in. By default, KeyLemon will check the Webcam every 10 seconds to make sure you're you, although that can be changed in the Control Center's LemonScreen tab. Also, KeyLemon conveniently includes a text bypass for your log-in. This is important because, occasionally, KeyLemon won't be able to recognize you.
The problem is rare, but I found it occurs in two situations. In bright-light settings where the details of your face get washed out, KeyLemon struggles and often fails to recognize your face. There was also occasional failure on laptops resuming from a closed-lid hibernation. One big bug was on laptops jumping from a dock to an undocked state, where the program would freeze the entire operating system and require a reboot. Generally, though, KeyLemon worked more than 90 percent of the time over several days of testing.
KeyLemon's setup wizard. (Credit: Screenshot by Seth Rosenblatt/CNET)
In the Control Center under the LemonScreen and LemonLogin tabs, you'll find a decent array of settings to tweak. These include being able to toggle on and off the log-in feature, configuring the program to run at start-up, program logging, reshooting your profile pic, and creating your own skins.
The Firefox plug-in LemonFox can be used to log you in to your Facebook, LinkedIn, or Twitter accounts. Just like the main program, LemonFox opens to a tutorial to get you started, and it uses the Webcam to prevent unauthorized access--at least on the computer with KeyLemon installed. It's a good idea to start with the social-networking services, but what I'd really like to see is integration with the Firefox password manager and support in other browsers.
Overall, though, it seems like a solid software tool for adding an extra layer of security to your computer for a reasonable price. The trial limits you to 30 uses, but has no major feature restrictions. A one-year license retails for $19.95, and it's compatible with XP, Vista, and Windows 7.
McAfee spent three years researching and developing a new vertical interface for its consumer security suites, and has made them far better in the process. The improved detection engine includes enhanced download scanning, faster scan and start-up times, and a stronger firewall.
Check out this First Look video for a tour of McAfee AntiVirus Plus. If you're interested in McAfee Internet Security 2010 or McAfee Total Protection 2010, note that those upgrades have more features tacked onto the same security engine, but they lack trials.
Microsoft fixed 26 vulnerabilities in 13 security bulletins as part of its Patch Tuesday, including critical ones for Windows that could be exploited to take control of a computer and one that has resided in the 32-bit Windows kernel since its release 17 years ago.
The top priorities for deployment are bulletins plugging holes in the SMB (Server Message Block) Protocol, Windows Shell Handler, ActiveX via Internet Explorer, DirectShow, and the 32-bit version of Windows, Jerry Bryant, a lead senior security communications manager at Microsoft, wrote in a blog post.
The DirectShow bulletin should be at the top of the list, according to Bryant. It is critical for all supported versions of Windows except Itanium-based server products. To exploit the hole, an attacker could host a malicious AVI (Audio Video Interleave) file on a Web site, and lure a user to visit the site or send the file via e-mail so the user could open it.
In the SMB bulletin, critical for all versions of Windows except Vista and Server 2008, an attacker would need to host a malicious server and convince a client system to connect to it, or an attacker could try to perform a man-in-the-middle attack by responding to SMB requests from clients, Bryant said.
In the critical Windows Shell Handler vulnerability, which affects Windows 2000, XP, and Server 2003, an attack could come via a specially crafted link that appears to be valid to the ShellExecute API (application programming interface).
The cumulative update for ActiveX Killbits is critical, but a Killbit does not address the underlying vulnerability. It is a registry setting that keeps the vulnerable ActiveX control from running in IE.
The vulnerability affecting the 32-bit Windows kernel, which Microsoft announced last month, after Google engineer Tavis Ormandy disclosed it on a security e-mail list, could allow an attacker to elevate privileges to full system access, once the attacker is already in the system.
Microsoft's Adrian Stone and Jerry Bryant explain the security bulletins in a video on the Microsoft Security Response Center blog. (Credit: Microsoft)
Much has been made of the fact that the hole is 17 years old, but Ormandy said he informed Microsoft about it in June 2009. "You can criticize them for taking a long time to fix a bug," but not if they didn't know about it, said Pedram Amini, who runs the Zero Day Initiative.
Microsoft is aware of publicly available proof-of-concept code for that issue, but is not aware of any active attacks at this time, Bryant wrote.
The most important bug for IT security teams is the one affecting DirectShow, said Andrew Storm, director of security compliance at security firm nCircle. "The nature of the exploit lends itself to drive-by attacks that leave unsuspecting victims infected," he said. "Since media is what excites people most on the Internet today, an exploit of this bug would make it extremely easy to entice users to watch videos that are actually gateways to malware."
Meanwhile, the Shell Handler vulnerability has the potential for an unlimited amount of damage, which should make potential attackers take notice, he said.
This month's "sleeper update" is probably a hole in Windows TCP/IP (Transmission Control Protocol-Internet Protocol) that could allow remote code execution if specially crafted packets were sent to a computer with IPv6 enabled, said HD Moore, chief security officer of Rapid7. "While it has an exploitability rating of 2 based on the requirement for an attacker to be on-link to the target host, Wi-Fi access points provide link level connectivity to target systems," he said. "Customers should not confuse the exploitability index with exposure severity--the priority of this patch should be raised where mobile users are prevalent."
Two bulletins, both rated "important," affect older versions of Microsoft Office and could allow an attacker to remotely execute code on the computer via a hole in PowerPoint or via a specially crafted Office file.
The bulletins affect Windows 2000, XP, Vista, and Windows 7, as well as Server 2003 and 2008, Office XP, Office 2003, and Office 2004 for Mac, according to the advisory.
Microsoft also issued a security advisory to provide a work-around for a publicly known hole in the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.
And Microsoft updated its Malicious Software Removal Tool to include Win32/Pushbot, a worm that spreads via MSN Messenger and AIM, and opens a backdoor so an attacker can take complete control of the machine.
Microsoft is still working on patches for a hole disclosed last week in Internet Explorer that could lead to data leakage and an SMB hole that was disclosed in November.
"The [SMB] issue cannot be used to allow an attacker to take control of a system remotely, but instead can result in a system becoming unresponsive due to resource consumption," Microsoft said in a statement. "At this time, Microsoft is not aware of any attacks using this vulnerability."
Updated 12:33 p.m. PST with nCircle and Rapid7 comment.
"Bomb Blast." "Jackson is still alive: proof." "Obama cursed by Pope." These are just a few of the subjects used by cybercriminals last year to trick people into opening malware-infected e-mails.
Spam that uses the latest news headlines was just one of the hot trends last year in the world of cybercrime, according to McAfee's "Q4 Threats Report" (PDF), released Tuesday. The latest threat assessment also noted a rise in "hacktivism," or politically motivated cyberattacks.
Though spam levels in the fourth quarter actually dropped by 24 percent from the third quarter, the daily volume of junk mail around the world still averaged 135.5 billion per day. To reach that level, spammers relied heavily on news stories, especially tragedies.
(Credit: McAfee)
The crash of an Air France plane and the death of Michael Jackson in June continued to be top themes for spammers to exploit throughout 2009, notes McAfee. The swine flu also triggered a slew of e-mails claiming to be from the Centers for Disease Control but which actually carried viruses in the form of Zeus Trojans. The surge in unemployment led to a rise in spam touting get-rich-quick schemes. And as always, terrorism and unrest around the world contributed to subject lines designed to scare people into opening malware in their in-box.
(Credit: McAfee)
Hacktivism also rose as a form of cybercrime in 2009. In October, Polish government systems were reportedly attacked from somewhere in Russia. In December, a group calling itself the Iranian Cyber Army launched an attack against Twitter by using credentials stolen from a Twitter employee. Also in December, e-mails from the Climatic Research Unit at the University of East Anglia in the U.K. were hacked about two weeks prior to the Copenhagen Climate Conference. Some believe the attack was the work of Russian freelance hackers hired by people looking to disprove global warming.
Across the world, the U.S. held the title as the top spam producer, followed by Brazil and India. China took the top spot away from the U.S. as the leading purveyor of botnet zombies, which infect computers to send out spam.
"In Q4, we saw spam activity drop, but identified some interesting trends developing in terms of the geographic distribution of cyber threats and the types of threats executed," said Mike Gallagher, senior vice president and chief technology officer at McAfee Labs, in a statement. "China emerged as the worldwide leader in both zombie production and the execution of SQL-injection attacks, while Internet-based attacks played a bigger role and will continue to do so as cybercriminals target the most popular social destinations in 2010."
To entice security researchers to look for holes in the Chrome browser, Google has announced it will pay $500 for bugs found in the code. But several experts say that's not enough money to motivate skilled vulnerability researchers.
"I think it's ridiculous," Charlie Miller, a senior security researcher at Independent Security Evaluators, said when asked Monday for his opinion of Google's new bug bounty program. "It's insulting. It's so low."
Under Google's new "experimental" incentive program, announced last week, people will get paid $500 for select interesting and original security vulnerabilities discovered in Chrome, or $1,337 for particularly severe or clever bugs. That figure refers to the geek term for elite, or "leet," which can be spelled out using the numbers.
Mozilla pays $500 to researchers who find valid security bugs in the Firefox browser, the Thunderbird e-mail client, or the Mozilla suite.
Jeremiah Grossman, chief technology officer and co-founder of WhiteHat Security, said Google's plan could be the start of an interesting trend.
"If a researcher is purely interested in the dollar reward, then by all means he should go where the dollar is highest. But if you happen to find one because it's fun and interesting to you, then you'll get paid too," he said. "I've been suggesting Microsoft should do this for a long time but they have a moral issue with it."
Microsoft is sticking with its no-bounty stance.
"Microsoft does not offer compensation for information regarding security vulnerabilities. We do not believe that offering compensation for vulnerability information is the best way we can help protect our customers," said Dave Forstrom, group manager of Microsoft Trustworthy Computing. "We also do not think it fosters the growth of a healthy ecosystem."
You would think Google would be roundly praised for offering to pay researchers for work they often do for free. But not everyone is impressed.
"It's probably better to pay professional QA [quality assurance] people and pen [penetration] testers than to expect the public to do your testing for you on the cheap," said Gary McGraw, chief technology officer at Cigital and a specialist in secure code writing processes. "No excellent professional tester I know would be attracted by a bounty like that--perhaps adolescents would do it for beer money (or rather Red Bull and vodka money)."
Miller's criticism might be particularly stinging, given that he announced a campaign called "No More Free Bugs," about a year ago. He argued that vendors should pay when outside researchers discover vulnerabilities in their commercial software instead of freeloading on the efforts of volunteer bug hunters whose work ends up making the products safer.
"In some senses this is my dream come true," Miller said. "I've been begging vendors for this. And then when it happens I'm bitter and critical," because it's so much lower than what researchers can make from bounty programs at VeriSign iDefense's Vulnerability Contributor Program and the Zero Day Initiative run by 3Com's TippingPoint.
"If I did find a bug in Chrome, I could sell it to the Zero Day Initiative and make $2,000 and it still gets reported to Google eventually, so why would I give it to Google for $500? It doesn't make sense," he said.
Pedram Amini, who runs the Zero Day Initiative, wouldn't say exactly how much the program pays for bugs, but did allow that "on average it's over 10 times what Google's offering."
"Google is the first huge company to create a bug bounty. I'm happy they're doing it. It's a step in the right direction," he said. "But pricing-wise, they're not going to be able to compete with other bug bounty programs."
On the bright side
Granted, it might be easier to find bugs in beta software than in products that have been released to the public, which the Zero Day Initiative focuses on, according to Amini. And it's wise for Google to do something to attract the attention of researchers to its browser, which is much newer and has fewer users than the other major browsers, he said.
"I think there is going to be a subset of people who will use the Google program," he said. "One thing that is certain--vulnerabilities do have value."
Google's pay scheme is at the low end of what iDefense pays, according to Rick Howard, director of iDefense Intelligence.
"Google has always shown that it is willing to take on large and complex projects for which it has no past experience and make a success of it. I see no reason why they should not succeed in this one," Howard said.
And Google doesn't always go cheap. Last July, it paid more than $8,000 to a team of researchers that won a Native Client Security Contest.
Asked to comment on complaints that $500 is too little compensation for bug hunters, Chris Evans of the Google Security Team wrote in an e-mail: "We took care to design the program to allow for a wide variety of bugs to qualify for payment and to make it easier for researchers to participate--for example, we don't necessarily need a working exploit (which is often much more difficult than finding a bug) and we're interested in bugs even if they manifest within the Chromium sandbox."
Chromium is the open-source project for Google's Chrome browser and unreleased Chrome operating system. Evans said it was too early to say whether Chrome OS would be included in the bounty program after it launches.
"Chromium has already benefited from collaboration with security researchers, and we expect they will continue to scrutinize the Chromium code and help us improve it regardless of any action we take," he said. "To them, this reward can be seen as a token of appreciation. To others, we hope the addition of a reward may encourage new people to participate beyond how they might have otherwise."
Verizon temporarily blocked traffic from some Web sites affiliated with the 4chan online forum on Monday after finding that some affiliate sites were apparently launching network attacks.
"Our network security system found traffic from some 4Chan Web sites that had strong potential to disrupt the Verizon Wireless network, affecting our customers' use of their services," Verizon spokesman Jeffrey Nelson wrote in an e-mail to CNET. "With continuing investigation, and ensuring no current risk of harm, we are giving the green-light to all 4Chan traffic. We will continue to monitor for any possibility of network harm."
He also posted an explanation on Twitter: "Never a block on 4Chan but some of its other sites were launching network attacks."
It was unclear which sites were affected and exactly what the trouble was. The sites appear to have been "explicitly blocked" for as long as three days, according to the 4chan status page.
In July, AT&T blocked a 4chan server after another site launched a denial-of-service type of attack called a SYN Flood attack on the site. 4chan users, notorious for their Internet pranks, responded angrily by posting a fake story on CNN's iReport citizen journalism site alleging that AT&T CEO Randall Stephenson had died.
Update 1:51 p.m. PST: Verizon posted this statement on the company's policy blog:
"Recently, Verizon Wireless security and external experts detected attacks from an IP address associated with the 4Chan family of web sites that was disruptive to our customers and our network. To protect both, we eliminated connectivity to the IP address. At no time was 4Chan itself blocked. Ongoing network security team monitoring has now determined there is no longer an immediate threat. Connectivity to those sites is being restored later today.
"Typically, these attacks involve someone sending hundreds of thousands of messages to wireless devices to round up active customer addresses for follow-up activity including hacker attacks. These 'sweeps' can jam our network and deliver unwanted electronic messages that also can drain customer devices' battery life and slow their operation.
"We take being the nation's most reliable wireless network seriously. Seriously enough to protect our customers and our network from malicious attacks, even if we get dinged in the blogosphere. It's easy to complain about 'blocking' when your wireless data connection is stable, fast and reliable. But try connecting to the web from your Droid or Blackberry when attacks slow - and potentially block - use of our network all together.
"We monitor against attacks and potential attacks to ensure the integrity of the Verizon Wireless network. Our customers expect nothing less."
Some 4chan affiliate sites were temporarily blocked by Verizon over the weekend.
(Credit: 4chan)
One of the strengths of Vitamin D Video, which exited beta on Monday, is its ability to pick out humans in surveillance video, allowing easier scanning of hours of security camera footage. (Credit: Vitamin D)
Vitamin D, the start-up founded by three former Palm executives, said on Monday that it is ready with the final Version 1.0 of its software for Windows and Mac, which enables people to use a standard Webcam as a security system.
The company, which caught some interesting things on tape during beta testing, said that the single camera version of its software will continue to be free, as it was during beta testing. A version of Vitamin D Video that works with two cameras will cost $49, while a high-end edition that supports an unlimited number of cameras running off a single computer will cost $199.
The software works on both Macs and PCs and has as its biggest selling point the fact that it can pick out humans as opposed to just motion, allowing users to more easily pore over hours upon hours of surveillance footage.
The company uses artificial intelligence technology licensed from Numenta, a company started by Palm Pilot creator Jeff Hawkins.
"Vitamin D Video is an effective and inexpensive video monitoring tool that is easy to install and use. With this product available, there is no reason for any home, small business or school to be without video surveillance that really works," CEO Celeste Baranski said in a statement. "The enthusiastic response of our beta customers has already proven that Vitamin D Video works well in security applications, and is proving valuable for uses beyond traditional security."
Chinese authorities have broken a hacking-tool dissemination ring, according to state media.
Police in the central Hubei province arrested three people suspected of running the Black Hawk Safety Net, state news agency Xinhua reported Monday.
The Black Hawk Safety Net disseminated hacking tools and Trojans to its members, said Xinhua. The group had collected 7 million yuan ($1 million) in membership fees from 12,000 subscribers by the time it was shut down. The group had an additional 170,000 members who had joined for free, said Xinhua.
Read more of "China breaks up Black Hawk hacking ring" at ZDNet UK.
Bob Russo, general manager of the PCI Security Standards Council. (Credit: PCI Security Standards Council)
If you own a bank account or use credit cards, chances are you've heard the term "PCI compliant." But you probably don't know what it means.
The term is heard more and more frequently these days as data breaches at merchants like TJX, parent of TJMaxx, and payment processors Heartland Payment Systems and RBS WorldPay land millions of card records in the hands of hackers. Criminals are using the data to make purchases and withdraw money from accounts of unsuspecting victims who did nothing wrong; they just owned a card.
It's a huge and growing problem. More than 80 percent of data stolen in breaches is payment card data, according to the 2009 Verizon Business Data Breach Report.
CNET asked Bob Russo, general manager of the PCI Security Standards Council, to explain what is being done to keep criminals from accessing consumer payment card data.
Q: So, what does the PCI Security Standards Council do?
Russo: The council was formed in September 2006 by the five major credit card brands, Visa, MasterCard, American Express, Discover, and JCB [Japanese Credit Bureau]. It was formed because each one of the brands has their own compliance programs and they still do, but they all use this standard as the foundation for their programs. There was a time when you could pick up the phone and call one brand and ask a security question and get one answer and call another brand and ask the same question and get a different answer. They all now use these standards that we manage as the foundation for those compliance questions.
What is the standard exactly?
Russo: It's the PCI, which stands for Payment Card Industry, data security standard. It's a set of 12 specific requirements that cover six different goals. It's very prescriptive. It says not only that you need to be secure but it tells you how to become secure. It's more about security than compliance. The goals are things like build and maintain a secure network, protect card holder data and regularly monitor and test the networks. That's the main standard. We manage three different standards. The first one covers everything from the physical security to logical security.
The second standard is PADSS, Payment Application Data Security Standard. These are for payment applications a merchant would buy off the shelf. For example, if you went to a restaurant and you ordered your meal and the waiter used a touch-screen terminal, that puts the order in the kitchen and it's tied to an ordering database. The application also takes the credit card at the end of the meal. We make sure these applications aren't storing prohibitive data, such as data on the magnetic strip on the card. If they stored that data and someone got a hold of it then they would be able to clone credit cards. There are literally thousands of applications out there and when it's compliant with the standard it gets listed on our Web site.
The last piece we manage is called PTS, PIN Transaction System. Anytime you enter a PIN number, for example, this standard would take effect. It looks at those PIN entry devices so when you go to a large department store and you buy something and you use a debit card they'll hand you a PIN pad and you key in your number. We certify those devices as well as unattended payment terminals, such as those used at gas station [islands], ticket kiosks, and transit systems, like the Boston underground.
There have been a number of big data breaches lately. Were the companies PCI compliant or not in those cases?
Russo: It's been our experience that none of the breaches that occurred have been compliant at the time of the breach. Becoming compliant with the standard is pretty much a snapshot in time. An assessment company would come in and go through all those requirements and check that this stuff is in place. If everything is in place they issue a report on compliance. It is then your responsibility as a merchant to maintain that compliance. If there are new patches to come out for the operating system you have to install those. One piece we ask for is that you turn the logging on. Forensics find all the information in the logs so we insist you turn the logging on. Except, if nobody ever looks at these logs and they're sending out alerts, what good is it? It's up to the merchant to make sure they stay in compliance and that they are secure. For each of those [big public] breaches credit card companies looked at the logs [and found] that none of them was compliant at the time of the breach.
But I thought Heartland executives said they were compliant.
Russo: They had that piece of paper that said they were compliant but they weren't. What happened at Heartland was a SQL injection attack [in which an attacker injects commands to a back end database using input fields on a Web site]. That's an old exploit and there are myriad ways to prevent that outlined in the standards. As it turns out they were not compliant at the time of the breach. [Heartland CEO Robert Carr eventually disclosed that the assessors had incorrectly informed the company that it was PCI compliant.]
But even if the merchant is PCI compliant that doesn't necessarily mean the shop is secure, right?
Russo: Exactly. That's why we say it's about security not compliance.
If that's the case, shouldn't the standard be improved so it is more effective?
Russo: That wasn't the case here. We have seen no evidence that if someone were compliant that they would have been breached. The standard is working. You only read about the one or two or four big breaches that happen. You don't hear about the thousands of merchants who aren't getting breached because they are compliant.
If a merchant is found to be not PCI compliant, what are the consequences?
Russo: Ninety percent of consumers don't understand the difference between credit card fraud and identity theft. If they hear that their credit card has been stolen, like at Heartland or TJX, many of them believe their identity is at risk. If that's the case many of your customers won't shop with you anymore because they are afraid you are not protecting their data and someone is going to steal their identity. That's the worst thing that can happen. The biggest problem would be if your customers walk away. There are reputational damages they have to deal with, which nine times out of 10 cannot be measured in terms of dollars.
There are also fines levied by card brands. There are lawsuits coming out of the woodwork when something like this happens, like shareholder lawsuits and class action customer lawsuits. They are paying to issuing banks for reissuing cards. And the government might now get involved. They're looking to find if stolen credit card information is being used to finance terrorism. You've got myriad people on your back if you suffer a breach. You may have FTC involved, and they require 20 years of audits. Every other year you would have to go through a complete audit. It's very expensive to suffer a breach. It's much better to be compliant and secure and not have to worry about this.
How much are the fines?
Russo: The brands set those; we're not responsible for the fines. We just set the standards and they are enforced by the brands and the federal agencies.
What part of the standard is mandatory and what is voluntary?
Russo: It's all mandatory. Nothing is voluntary. The rule is if you store, process, or transmit credit card data you must be compliant with the PCI standards. And that's a global rule.
What can consumers do to protect themselves?
Russo: Consumers need to take a little bit of responsibility now. You can watch your credit card activity online. I can watch all my credit cards online to see what I'm spending, and what my wife and my kids are spending. You really should be monitoring your credit card statements. If you have to, do it when the statement comes in the mail. If you do it online you can do it more often and set up alerts via email. Consumers by and large don't have a lot of liability when it comes to credit cards. A lot of credit cards are zero-liability. You just call the company and say this was not my charge and they won't hold you responsible for it.
Debit cards are treated differently than credit cards, right?
Russo: Debit cards are somewhat different. With a debit card you're actually using your own money coming out of your own checking account. The liability will vary depending on the card and the bank.
What are the biggest challenges for the industry?
Russo: Education is a big issue. Some of the smaller merchants that just come into the business don't really know what their responsibilities are with regard to handling credit cards.
Why do entire databases continue to get stolen?
Russo: All the information is contained in the logs so alerts are being set off to let you know something is going on, and if you're not looking at the logs on a regular basis somebody could be in there for weeks or even months stealing this data and you're not aware of it. There was a big merchant that got breached but they caught it immediately in their logs and they only lost four or five credit cards. So they did suffer a breach, but it was contained to only a few cards.
Is that the biggest problem? Ignoring the logs?
Russo: That's one of the things they're doing. In one case mentioned earlier if they were compliant there would have been no way for somebody to get in and get that data.
So it's a matter of failing to follow standard security policies?
Russo: Yes. They're not following basic security practices.
With the rise of credit card attacks being harvested via browsers, will PCI ever get into the business of certifying that the browser is secure? If you can certify what it takes to secure a Web site, why not the browser?
Russo: We're concerned about where credit card data is being collected and stored, not so much how you can get to see it. My browser does not need to be secure; the server holding the data does [for PCI compliance purposes].
If someone suspects a vendor is violating PCI requirements, how can that be reported?
Russo: Consumers can call the toll-free number on the back of their credit card.
What is your ultimate take-away message for readers?
Russo: Ultimately they need to make sure the merchants they're dealing with are PCI compliant. And if you're a merchant you really have to be careful because consumers are getting smarter and smarter and if they find out you are not protecting their data, credit card data or personal data, they're going to walk away. And that's going to be the downfall of your business.
Security suite vendor McAfee debuts its 2010 product line today, introducing an overhauled interface and new features in a bid to remain competitive. The change to its interface is as dramatic a shift as the one that Avast introduced in its 2010 suites, although McAfee's look is drastically different from any major security program currently on the market. Most of the features in McAfee AntiVirus Plus, McAfee Internet Security, and McAfee Total Protection are not new, but the presentation is so radical that the improvements are likely to be glossed over. Users of older McAfee should note that VirusScan Plus has been renamed AntiVirus Plus.
The biggest feature update comes to McAfee's real-time defense engine, called Artemis. Such engines are now a commonplace feature in the better antivirus programs. First introduced in late 2008, Artemis is McAfee's blend of blacklists, whitelists, and cloud analysis. In the 2010 versions, said Brian Trombley, McAfee's director of consumer product management, Artemis works in conjunction with McAfee SiteAdvisor to scan downloads as they occur. The scans use real-time URL, IP address, and domain name data to evaluate downloads for threats before they land on your hard drive.
The revamped engine allows McAfee to change its threat ratings on the fly, although the procedure has an escape hatch built in, so if it falsely flags a site as malicious, users can override the rating and push through. There is no user override for malicious files. By using McAfee's labs, malware research, e-mail research, and Web research, Trombley said that "the goal is to tie together actors and sites."
The new main interface for McAfee's home consumer programs.
(Credit: Screenshot by Seth Rosenblatt/CNET)
The firewall has changed, too, as McAfee has upgraded its home consumer firewall to match the one the company markets to businesses.
McAfee's new interface refocuses its features in a top-down format, which stands out from the typical left-nav and tabs design. At the top of the vertical window sits a notification bar, as many other security suites have. McAfee's stands out for not only color-coding what your status is, but also adding in what that means. So the "Your computer is secure" message is bolstered by a secondary one, "No action required." This may seem like a redundant statement, but Trombley said that three years of researching the new interface and testing the improved features concluded that the change was essential for cutting down on user confusion.
Just below the status bar are supplementary status notifications, color-coded as well for ease of use. Real-time scanning, Updates, Firewall, and Subscription status sit on the left of the interface, while the time of your next scheduled scan and a link to change it reside on the right. Click on any of the four categories and the right pane changes to reveal links to drill deeper into your security status. The Real-time scanning link, for example, offers additional links to scan, change your scan settings, or adjust real-time settings. This aspect of the interface is most similar to its competitors, although the big font and simplified terminology are appreciated for streamlining tasks.
Below all the status notifications are the guts of the program. Separated into four categories are Virus and Spyware Protection, Web and E-mail Protection, and Parental Controls (on McAfee Internet Security and Total Protection). Each one opens a small group of links that open further information about your scan settings, firewall and anti-spam controls, network protections, and parental control options.
Available at any time, the security report presents all essential security data in an easy-to-read, printable format.
(Credit: Screenshot by Seth Rosenblatt/CNET)
One thing that's notable about McAfee's updates is that none of the lesser products has its security features hamstrung in an effort to get more people to upgrade. What's available in McAfee Total Protection, the high-end version, is nearly identical to what's in the basic consumer McAfee AntiVirus Plus. What McAfee hopes users will find worth upgrading for is its included Mozy Online Backup, with McAfee Internet Security users getting 1GB of free storage and McAfee Total Protection users getting 2GB free; and parental controls.
The Home Network Defense feature is only available in McAfee Total Protection. It lets you see the network settings of your computer and other computers on your network, and lets you mark a computer on your home network as an intruder, which prevents it from accessing other computers on the network.
McAfee has discontinued several features from its previous versions. SystemGuards has been fully replaced by Artemis, and local backup has been replaced by Mozy. The Personal Information Protection feature, in which a user could enter personal data such as social security numbers or credit card information and expect to have its unintended dissemination over the Internet prevented, was discontinued for not being effective. The PasswordVault for securing passwords on the Web has been replaced by browser-provided password protection, and the EasyNetwork system for local file sharing has been replaced by Windows 7's file-sharing system. This anticipates just-released data showing that, in the few months that Windows 7 has been available to the public, it has taken more than 10 percent of the operating system market share.
Intuitively, links on the right change as you click categories on the left.
(Credit: Screenshot by Seth Rosenblatt/CNET)
You should note that if you are switching to McAfee from another security vendor, it doesn't play nicely with other already-installed security apps and it will demand that you remove them before completing its own installation. Somewhat politely, it provides you with links to information on how to uninstall them.
As with most program overhauls, McAfee promises faster install times, faster scan times, more effective scans and a small memory footprint. CNET Labs hasn't finished testing the performance benchmarks against McAfee's competitors, and there's no third-party efficacy data yet available on McAfee 2010, but in empirical testing, the first fast scan finished in less than 10 minutes. Because of file marking, subsequent fast scans finished in less than one minute. Its first full scan took nearly 85 minutes.
According to McAfee, the first full scan will be 55 minutes faster on the 2010 version compared with the 2009 version. Subsequent full scans should be an astounding 120 minutes faster, from 135 minutes to 15 minutes. Also, according to McAfee, computers running the 2010 version should start up 300 percent faster than with the 2009 version, and computer shutdowns with the new version should be 30 percent faster.
Mouse over a sub-category to reveal its status.
(Credit: Screenshot by Seth Rosenblatt/CNET)
The most likely reason for the massive improvement in start-up time is that, like a few other security vendors, McAfee doesn't fully load all of its processes by the time that you can start using programs on your desktop. Trombley said that this doesn't affect the security of the computer, only that the McAfee interface isn't fully accessible until about 90 seconds after the system tray icons appear.
Overall, though, McAfee's 2010 products felt light and didn't interfere with heavy computer use over a half-day of testing.
A one-computer license for McAfee AntiVirus Plus 2010 costs $39.99, while a three-computer license for McAfee Internet Security 2010 retails for $69.99, but it is currently available on McAfee's Web site for $20 off. McAfee Total Protection 2010 costs $79.99 for a three-computer license, but is also discounted currently by $20 on its Web site.





