> I believe that no one will run malware offline

However, running malware online carries the risk of C&C connection, data theft, and encryption.
> It is by hash, ti! detections are hash based.

Ok, now I understand more about how the file comes from the internet with the MOTW mark, because it didn't block it, as you can see in the screenshot below. And it also doesn't remove the file when it is extracted from the compressed file, only if you do a scan. It seems that it doesn't detect it dynamically, as happens with most antivirus programs. It seems to me that it's about execution. A static file, even if it is malicious, does not pose a risk. The risks occur after it is executed.
> However, running malware online carries the risk of C&C connection, data theft, and encryption.

There's that, too lol.
> Ok, now I understand more about how the file comes from the internet with the MOTW mark, because it didn't block it, as you can see in the screenshot below. And it also doesn't remove the file when it is extracted from the compressed file, only if you do a scan. It seems that it doesn't detect it dynamically, as happens with most antivirus programs. It seems to me that it's about execution. A static file, even if it is malicious, does not pose a risk. The risks occur after it is executed.

Windows uses a bunch of minifilters which are arranged in an order, based on their altitude.
> I’m sorry I will be providing camera shots, I am extremely lazy today and not in a mood for screenshots.

Don't worry, it's even better this way, it's more realistic. It looks great, the photos are very clear.
> Note: This is a dedicated device for malware testing.

Yes, I know that. I remember you saying a few years ago that you had a dedicated machine for testing. You are experienced and know what you are doing.
> Windows uses a bunch of minifilters which are arranged in an order, based on their altitude.

MD, and less frequently K, have previously detected password-protected files from MB on download; I do not know how they managed to do it.
McAfee Minifilter is one of them.
McAfee for performance has for a while scanned local files (not downloads) only on-access. At least 4-5 years now.
The file, until it’s analysed, is blocked by the McAfee Mini Filter, and no app or program can access it.
When a detection occurs after opening the file, McAfee removes the file. Windows very briefly displays a “File Not Found” alert, which McAfee uses patented computer vision to “click” ok on, and immediately close.
There is no risk of exfiltration or any sort of malicious activity, because the file code never entered the memory and CPU space.
Downloads are scanned immediately, but on MalwareBazaar, all files are in password-protected archives. In the event that a user downloads this file not in a password-protected archive, Download Advisor will immediately remove the file.
> MD, and less frequently K, have previously detected password-protected files from MB on download; I do not know how they managed to do it.

Check Point does it too; they first use a password list, so "infected" is on the list.
> I’m sorry I will be providing camera shots, I am extremely lazy today and not in a mood for screenshots.

Oh boy... my first dedicated device in the labs as Test Machine is a Core 2 Duo with a slow hard disk and low RAM. My production machine is the old, slow but reliable Lenovo X61. Makes me feel old nowadays.
So, I took this file, went into a hex editor and appended bytes. From FF onwards, everything was randomly added by me, literally by tapping every key on the keyboard. These are random bytes.
I then downloaded the executable, which was immediately picked up by Download Advisor.
The detection details:
Note: This is a dedicated device for malware testing.
| Detection Name | File | Date |
|---|---|---|
| Trojan:Script/STRRAT.DA | ...\\1c8071c09a7f4b7bce1339b71d2522547aae5b41ed8d80a821a990a2f2b991fc.js | 2025-07-08 |
| ti!9CE142439E55 | ...\\9ce142439e553f047639d272975b85c41da29191e532348f00653723e7f00299.bat | 2025-07-08 |
| ti!B97CD404CEAB | ...\\b97cd404ceab09bdd92003599566d946cead1d5d5dba528327821fe4f18108ec.msi | 2025-07-08 |
| ti!63D2E9F885C7 | ...\\63d2e9f885c7b2df3fc23658a5c13d3df968fbe205d9c973f4f42c775bd787af.exe | 2025-07-08 |
| ti!2F0F2CDC865F | ...\\2f0f2cdc865f7769b831943e2edb2a3090c3de28e45cb583a695257a6b771f3a.msi | 2025-07-08 |
| ti!CA9D03DF1842 | ...\\ca9d03df1842fbec86ce1be7fd74318cefaa44e61047c9667b3cc60667f0f9d9.exe | 2025-07-08 |
| Cache!257a6b771f3a | ...\\2f0f2cdc865f7769b831943e2edb2a3090c3de28e45cb583a695257a6b771f3a.msi | 2025-07-08 |
| ti!AE4E172D659C | ...\\ae4e172d659cdd1fb298a4bb02f361ac8db869e78cdfe5f4e21741337b088845.exe | 2025-07-08 |
| ti!6D7BD0F24261 | ...\\6d7bd0f24261739722d0d052000ea27767c6b73446aa5d0dd8d2b9b39a105563.vbe | 2025-07-08 |
| ti!D82BD404AE9E | ...\\d82bd404ae9e2a0e63509e6d4114cd139f029f6c27b30d5cde0713fe54f543eb.exe | 2025-07-08 |
| ti!19B6C6F8DA4D | ...\\19b6c6f8da4dd0a883cc647f0c5eaedd01a0bc1758beba1c8f9f97f4335b1f58.zip | 2025-07-08 |
| ti!C4C2A82A7D45 | ...\\c4c2a82a7d454bb85fa22f12d2571639c1640ba4a6790d708f4a229f91a7a99b.exe | 2025-07-08 |
| ti!DDD77057AED6 | ...\\ddd77057aed66ecef36d3b3997694acca1c72d4d23c32c684b9dff50e385b880.exe | 2025-07-10 |
| Real Protect-LS!c16f81a15b2a | ...\\Работен плот\\ddd77057aed66ecef36d3b3997694acca1c72d4d23c32c684b9dff50e385b880.exe | 2025-07-10 |
| ti!7FC0BCC654D5 | ...\\7fc0bcc654d5369fa6a18661eddfd91f058db076559f4517f0dd21f674d2fa3c.js | 2025-07-10 |
| Trojan:Script/Downloadagent.I | ...\\7fc0bcc654d5369fa6a18661eddfd91f058db076559f4517f0dd21f674d2fa3c.js | 2025-07-10 |
| Trojan:Script/ObfuBAT.EOFF | ...\\6caa23ad0e1f8b3cbfc3ec44de9bebfc53660a58df76f4756539edd5fdafee76.vbs | 2025-07-10 |
| ti!AB0105EC57D8 | ...\\ab0105ec57d87547362920516f6374f729f046f1a722eef189a1ef2d813ba00a.exe | 2025-07-10 |
| Trojan:Win/suspiciousLnk.C | ...\\fecd05a391d8dc00fc236e0808f8191bbcaee0f1b41b55d40f4c725f71f04848.zip | 2025-07-12 |
| hti!1dddaaaa | ...\\ab0105ec57d87547362920516f6374f729f046f1a722eef189a1ef2d813ba00a.exe | 2025-07-12 |
| ti!70A92CDCD65B | ...\\70a92cdcd65bad4c5ed38adf340d5123944acde22d94c44df7ee8178f778d761.cmd | 2025-07-12 |
| Trojan:Script/SuspiciousBat.A!2 | ...\\70a92cdcd65bad4c5ed38adf340d5123944acde22d94c44df7ee8178f778d761.cmd | 2025-07-12 |
| ti!AD5039A88038 | C:\\Windows\\System32\\wscript.exe | 2025-07-12 |
| ti!C5BE4A627FE0 | ...\\c5be4a627fe03ecc5c3768b579c77fc12b1a52738dfb7c0a5a2ee0fa122c28ac.exe | 2025-07-12 |
| ti!4BDF1C5B280B | ...\\Работен плот\\c5be4a627fe03ecc5c3768b579c77fc12b1a52738dfb7c0a5a2ee0fa122c28ac.exe | 2025-07-12 |
| hti!1dae93a9 | ...\\c5be4a627fe03ecc5c3768b579c77fc12b1a52738dfb7c0a5a2ee0fa122c28ac.exe | 2025-07-12 |
| ti!DEAC7649D369 | ...\\Работен плот\\6981d8702172dc39f302bdeb4917c0eb49f7c37b2a90bee41f64ccecc7e9497d.exe | 2025-07-14 |
> When a detection occurs after opening the file, McAfee removes the file. Windows very briefly displays a “File Not Found” alert, which McAfee uses patented computer vision to “click” ok on, and immediately close.

That's exactly what happened. When I ran the sample executable file, it was so fast that I ended up double-clicking without seeing it, lol, but I didn't click on the dialog box. I thought I had disabled the .exe block through group policy, which was kind of funny. Even so, McAfee reacted before WDAC blocked it. Yes, I ran the test again with the sample, and McAfee removed the malware almost instantly. I liked McAfee; they got the redesign right. I hope they keep it up.
> That's exactly what happened. When I ran the sample executable file, it was so fast that I ended up double-clicking without seeing it, lol, but I didn't click on the dialog box. I thought I had disabled the .exe block through group policy, which was kind of funny. Even so, McAfee reacted before WDAC blocked it. Yes, I ran the test again with the sample, and McAfee removed the malware almost instantly. I liked McAfee; they got the redesign right. I hope they keep it up.

There is a McAfee detection log as well in ProgramData/McAfee/wps. You will find all detection details there. The above table was from the log; I just used AI to format the JSON data into a nice table.
> That's exactly what happened. When I ran the sample executable file, it was so fast that I ended up double-clicking without seeing it, lol, but I didn't click on the dialog box. I thought I had disabled the .exe block through group policy, which was kind of funny. Even so, McAfee reacted before WDAC blocked it. Yes, I ran the test again with the sample, and McAfee removed the malware almost instantly. I liked McAfee; they got the redesign right. I hope they keep it up.

Btw notice that in the beginning, this file was detected as ti<part of MD5>. Now, it was identified as hti!<random ID> (heuristic threat intelligence). McAfee created some sort of heuristic for the file.
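The ti to hti progression described in this post can be pulled out of the detection table mechanically. The following Python script is an added example, not code from the thread or from McAfee; it assumes the pipe-separated table posted above as input (the real log is JSON, whose schema is not shown here), groups rows by file and lists every file whose detections moved from ti! to hti!.

```python
"""Group rows of a McAfee-style detection table by file and report files whose
detection source escalated from ti! (reputation/hash) to hti! (heuristic).
Added example, not code from the thread or from McAfee; the input is assumed to
be the pipe-separated table posted above, not McAfee's actual JSON log schema."""
from collections import defaultdict
import ntpath
# Constructed sample: six rows copied from the table in the thread.
SAMPLE_ROWS = """
| ti!AB0105EC57D8 | ...\\ab0105ec57d87547362920516f6374f729f046f1a722eef189a1ef2d813ba00a.exe | 2025-07-10 |
| hti!1dddaaaa | ...\\ab0105ec57d87547362920516f6374f729f046f1a722eef189a1ef2d813ba00a.exe | 2025-07-12 |
| ti!C5BE4A627FE0 | ...\\c5be4a627fe03ecc5c3768b579c77fc12b1a52738dfb7c0a5a2ee0fa122c28ac.exe | 2025-07-12 |
| ti!4BDF1C5B280B | ...\\Работен плот\\c5be4a627fe03ecc5c3768b579c77fc12b1a52738dfb7c0a5a2ee0fa122c28ac.exe | 2025-07-12 |
| hti!1dae93a9 | ...\\c5be4a627fe03ecc5c3768b579c77fc12b1a52738dfb7c0a5a2ee0fa122c28ac.exe | 2025-07-12 |
| Trojan:Script/STRRAT.DA | ...\\1c8071c09a7f4b7bce1339b71d2522547aae5b41ed8d80a821a990a2f2b991fc.js | 2025-07-08 |
"""

def parse_rows(text):
    """Return (detection name, file basename, date) tuples from the table."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 3 or cells[0].lower() == "detection name" or cells[0].startswith("-"):
            continue  # skip blanks, the header row and the separator row
        name, path, date = cells
        rows.append((name, ntpath.basename(path), date))  # ntpath: Windows separators on any host
    return rows

def source_of(name):
    """The text before '!' (ti, hti, Cache, ...) is the detection source; a name
    without '!' such as Trojan:Script/... is treated as a named signature."""
    return name.split("!", 1)[0] if "!" in name else "signature"

def history(rows):
    """Per file basename: detection sources in date order (stable for same-day rows)."""
    by_file = defaultdict(list)
    for name, base, date in sorted(rows, key=lambda r: r[2]):
        by_file[base].append(source_of(name))
    return dict(by_file)

def escalations(rows):
    """Files that were first caught by ti! and later (or the same day) by hti!."""
    out = {}
    for base, sources in history(rows).items():
        if "hti" in sources and "ti" in sources[: sources.index("hti")]:
            out[base] = sources
    return out

if __name__ == "__main__":
    for base, sources in escalations(parse_rows(SAMPLE_ROWS)).items():
        print(base, "->", " -> ".join(sources))
```

Run against the full table, the same functions also surface files that only ever got a named signature or a Cache! hit, which is what `history()` returns for every file.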
> There is a McAfee detection log as well in ProgramData/McAfee/wps. You will find all detection details there. The above table was from the log; I just used AI to format the JSON data into a nice table.

You're awesome, @Trident: you kill the snake and show your stick, literally speaking, of course. You never get it wrong, man. All the information you gave me over the years, I would check and verify what you said, and you were always right. There's even a log file. I always liked talking to you because of that. You speak directly and straightforwardly, without beating around the bush.
I also like these alerts which don’t really make a big deal out of things.
> You're awesome, @Trident: you kill the snake and show your stick, literally speaking, of course. You never get it wrong, man. All the information you gave me over the years, I would check and verify what you said, and you were always right. There's even a log file. I always liked talking to you because of that. You speak directly and straightforwardly, without beating around the bush.

Final detection source hti (that’s the ex Artemis) means the heuristics considered several factors (including reputation) and determined that the file is malware.
> Btw notice that in the beginning, this file was detected as ti<part of MD5>. Now, it was identified as hti!<random ID> (heuristic threat intelligence). McAfee created some sort of heuristic for the file.

Yes, I noticed that, just as you said. Look at the screenshot of the quarantine: the same files, but one with ti and the other with hti. Amazing. Everything you say checks out.
> Final detection source hti (that’s the ex Artemis) means the heuristics considered several factors (including reputation) and determined that the file is malware.

That is precisely the verdict, ex Artemis.
> Final detection source hti (that’s the ex Artemis) means the heuristics considered several factors (including reputation) and determined that the file is malware.

And do you think TM would have the same offline reaction as McAfee with this ex Artemis malware? Would it detect it without a web connection?
> And do you think TM would have the same offline reaction as McAfee with this ex Artemis malware? Would it detect it without a web connection?

Tbh I don’t think it will detect it. This is probably some 0-day that at the moment is being detected by reputation only. If anyone’s got TM installed they can test it maybe…?
> Tbh I don’t think it will detect it. This is probably some 0-day that at the moment is being detected by reputation only. If anyone’s got TM installed they can test it maybe…?

What's the hash of the file? Or, if you got the link to the sample, share it. Else upload it to VT and post it here. From the naming convention, we can have an idea.
> Tbh I don’t think it will detect it. This is probably some 0-day that at the moment is being detected by reputation only. If anyone’s got TM installed they can test it maybe…?

Ok, I understand. So TM works similarly to McAfee? @TuxTalk has been using TM for years, but I think he's offline.