Update McAfee LiveSafe 16.0 R28

sona

Level 5
Verified
Nov 14, 2013
242
> And now if you sign up to their auto-renewal, you get free VPN for 5 devices. Don't forget that too.
McAfee Auto Renewal! :ROFLMAO: I have purchased from Amazon so that McAfee does not get my card details. I use KeepSolid and the free 50 GB Windscribe. The good thing is that they sell the product as Internet Security for 1 device and I got unlimited devices!


> You’ll find it to be much lighter than F-Secure. At least in my experience, it is.
I have not found any difference. But it is as light as FS and a full suite. I don't want to hurt anyone, but I found that FS still needs to improve. That's why I am going to leave FS.
 

McMcbrad

Level 20
Oct 16, 2020
964
> McAfee only scans on file execution. One of the reasons why it's light. Though some users said that it chooses this based on system configuration, so on a high-end PC it scans on file creation as well, but I haven't seen this in action so can't verify.
Yes, that’s correct. I have noticed before that on my high-end PC it automatically removes malware as soon as I download it. On some low-end machines it waits for you to run it. Then Windows actually gives you an error that the file is not found, but McAfee is configured to terminate the window. But it’s not always that it detects malware instantly, even on a high-end machine. It seems to depend on other factors as well... I have also noticed that in the McAfee definitions folder there are 3 engines called perf, min, med... depending on your total RAM and other factors it chooses which engine to load in memory. It definitely has some smart logic behind it.
This is totally different from the Endpoint protection, where you have control over everything, and my guess is that due to the 100% virus protection pledge, where they refund you the money if they fail, they have chosen to manage the settings instead of you. Just to avoid users getting infected due to messed-up settings and then bragging for a refund.

Another thing that you need to know about McAfee, and I’ve observed it in SEP vs Norton and Trend Micro home vs business, is that Endpoint Protection detects more malware. ENS seems to use an early warning service or something and it flags files as Artemis!, whilst home products still don’t detect anything at that point. Only after execution might Real Protect Cloud kick in.
 
Last edited:

SeriousHoax

Level 34
Verified
Mar 16, 2019
2,344
> Yes, that’s correct. I have noticed before that on my high-end PC it automatically removes malware as soon as I download it. On some low-end machines it waits for you to run it. Then Windows actually gives you an error that the file is not found, but McAfee is configured to terminate the window. But it’s not always that it detects malware instantly, even on a high-end machine. It seems to depend on other factors as well... I have also noticed that in the McAfee definitions folder there are 3 engines called perf, min, med... depending on your total RAM and other factors it chooses which engine to load in memory. It definitely has some smart logic behind it.
> This is totally different from the Endpoint protection, where you have control over everything, and my guess is that due to the 100% virus protection pledge, where they refund you the money if they fail, they have chosen to manage the settings instead of you. Just to avoid users getting infected due to messed-up settings and then bragging for a refund.
>
> Another thing that you need to know about McAfee, and I’ve observed it in SEP vs Norton and Trend Micro home vs business, is that Endpoint Protection detects more malware. ENS seems to use an early warning service or something and it flags files as Artemis!, whilst home products still don’t detect anything at that point. Only after execution might Real Protect Cloud kick in.
Oh, I see. Someone in the forum who was also kind of a McAfee expert wrote that McAfee has three engines and its detection varies depending on which engine it's using on your system. The way they do this seems clever but can be a bit hit and miss.
 

McMcbrad

Level 20
Oct 16, 2020
964
> Oh, I see. Someone in the forum who was also kind of a McAfee expert wrote that McAfee has three engines and its detection varies depending on which engine it's using on your system. The way they do this seems clever but can be a bit hit and miss.
Its detection doesn’t vary based on your configuration; it varies on whether you use home products or not and also whether it’s got access to the cloud. McAfee is highly reliant on the cloud, and even their behavioural blocker is enhanced by the cloud. This can be observed in this video:

They have just configured ENS to be deny-by-default, focusing on high security in a business environment, knowing that you have an admin to deal with false positives, whereas home products are allow-by-default, focusing on FP reduction.
 

SeriousHoax

Level 34
Verified
Mar 16, 2019
2,344
> Its detection doesn’t vary based on your configuration; it varies on whether you use home products or not and also whether it’s got access to the cloud. McAfee is highly reliant on the cloud, and even their behavioural blocker is enhanced by the cloud. This can be observed in this video:
>
> They have just configured ENS to be deny-by-default, focusing on high security in a business environment, knowing that you have an admin to deal with false positives, whereas home products are allow-by-default, focusing on FP reduction.
What about McAfee GW edition? What is that? I often see it detecting threats on VirusTotal that the standard version missed.
 

McMcbrad

Level 20
Oct 16, 2020
964
> What about McAfee GW edition? What is that? I often see it detecting threats on VirusTotal that the standard version missed.
McAfee Web Gateway, formerly known as McAfee GateWay Edition or Webwasher, is an appliance typically deployed in large organisations, such as banks.
You can view it as a business version of those secure routers, such as the former Norton Core.

The appliance blocks malware and attacks before they ever reach any system. McAfee ENS and GW are synchronised, whilst home products are not connected to the GW database.
The thing about home McAfee products is that they will only detect malware once there is some obvious confirmation that the file is malicious, whilst all business products act immediately in a default-deny kind of way.
Edit: to answer more accurately why GW detects malware when home products don’t: this is due to the lower threshold of maliciousness set. McAfee calculates a probability or likelihood that a file is a threat, ranging from 50 (unknown) to 100 (known malicious). Home products are somewhere at the 80 threshold (my guess), whilst business products can go down to 50 (clean all unknown files by default). Whitelisted files will logically score 0 (there is a 0% chance that this is malware).
 
Last edited:

sepik

Level 11
Aug 21, 2018
513
Hi,
Installed the 60-day trial version of McAfee LiveSafe on my secondary PC a couple of days ago. Downloaded some fresh and not-so-fresh malware samples. No alert while downloading them. I was like... wtf. Then installed their browser add-on and re-downloaded some of the malware samples. Now it detects them almost instantly when downloading (at "browser level"). Seems that it makes some kind of cloud lookup before writing it to the disk.
It should detect the samples when reading/writing without the browser add-on.

I really hate that when opening the GUI, there's no way to disable all kinds of security reports etc. Then, automatic updates. When I go to the automatic updates tab, it says that automatic updates are disabled. I enabled it. Then back to the home screen and then back to the automatic updates tab. It still says that automatic updates are disabled. But in settings, it says that updates are enabled... sigh. The firewall said that it blocked some "suspicious" connections. I did an IP lookup check of those and they seem to be Microsoft "Azure" servers, maybe some telemetry things?

But after all, it is a solid product: good detection rates, resource friendly, and the web filter is good. Not bad compared to what McAfee used to be years ago.

Kind regards,
-sepik
 

McMcbrad

Level 20
Oct 16, 2020
964
> Hi,
> Installed the 60-day trial version of McAfee LiveSafe on my secondary PC a couple of days ago. Downloaded some fresh and not-so-fresh malware samples. No alert while downloading them. I was like... wtf. Then installed their browser add-on and re-downloaded some of the malware samples. Now it detects them almost instantly when downloading (at "browser level"). Seems that it makes some kind of cloud lookup before writing it to the disk.
> It should detect the samples when reading/writing without the browser add-on.
>
> I really hate that when opening the GUI, there's no way to disable all kinds of security reports etc. Then, automatic updates. When I go to the automatic updates tab, it says that automatic updates are disabled. I enabled it. Then back to the home screen and then back to the automatic updates tab. It still says that automatic updates are disabled. But in settings, it says that updates are enabled... sigh. The firewall said that it blocked some "suspicious" connections. I did an IP lookup check of those and they seem to be Microsoft "Azure" servers, maybe some telemetry things?
>
> But after all, it is a solid product: good detection rates, resource friendly, and the web filter is good. Not bad compared to what McAfee used to be years ago.
>
> Kind regards,
> -sepik
The McAfee firewall incorrectly labels “discarded packets” as suspicious connections. Every incoming connection is subject to firewall rules and the firewall might reject traffic, just like any other vendor does. However, McAfee then goes ahead and labels it a “suspicious connection”, which is more of a “look how much we did for you” tactic rather than protection.

As for Web Advisor vs the standard antivirus, McAfee has very comprehensive reputation calculations. I don't know how it works, because they don't release this information to the public; however, different products and components kick in at different scores. The standard antivirus only deletes known malicious files already blacklisted/described in definitions, or performs data mining and sends this to the cloud. If the file matches any of the machine learning models it will be labelled JTI/Suspect.<modelNumber>!<partialFileHash>. Sometimes it might simply be labelled "Suspect.<partialFileHash>", meaning it looks malicious but can't be related to anything seen before. This is usually the case with brand-new malware families.

Web Advisor (due to most risks coming from the web) & ENS go a step further and delete suspicious files. These have either been executed by "patient 0" and Real Protect has reported malicious behaviour, or McAfee's sandbox reported something. McAfee is already aware of the risk and the file is in the queue for analysis: after some time it will be blacklisted and in a few days a definition will be released. The file has not matched any machine learning model. This is usually the case with evasive malware that was discovered some hours ago, as the data mining technique will extract "noise" from the file.
Suspicious files will be removed by Real Protect post-execution.

McAfee ENS, GW and others can be configured to go even further and delete unknown files.
I am not a fan of this, to be frank; that's why I prefer ENS myself.
 
Last edited:
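The two mechanisms McMcbrad describes, the detection-name conventions (Artemis!, JTI/Suspect.<model>!<hash>, Suspect.<hash>) and the 50..100 reputation score with different per-product thresholds, are easy to turn into a small triage helper for anyone reading McAfee alerts in a SOC. The following is an added example, not code from the thread or from McAfee: the regexes only encode the naming patterns as stated in the posts, the threshold values (home 80, business 50, whitelisted 0) are the poster's own guesses, and every hash and signature name below is a constructed placeholder.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Detection-name patterns as described in the thread (assumed, not McAfee docs).
ARTEMIS_RE = re.compile(r"^Artemis!(?P<hash>[0-9A-Fa-f]+)$")
JTI_RE = re.compile(r"^JTI/Suspect\.(?P<model>\d+)!(?P<hash>[0-9A-Fa-f]+)$")
SUSPECT_RE = re.compile(r"^Suspect\.(?P<hash>[0-9A-Fa-f]+)$")


@dataclass(frozen=True)
class Detection:
    name: str
    kind: str                    # which detection layer the name points to
    model: Optional[str]         # ML model number, only for JTI names
    partial_hash: Optional[str]  # partial file hash carried in the name


def parse_detection(name: str) -> Detection:
    """Classify a detection name by the conventions the thread describes."""
    m = ARTEMIS_RE.match(name)
    if m:
        # Artemis! = cloud reputation flagged the file before a definition exists
        return Detection(name, "cloud-reputation", None, m.group("hash"))
    m = JTI_RE.match(name)
    if m:
        # JTI/Suspect.<model>!<hash> = file matched a machine-learning model
        return Detection(name, "ml-model", m.group("model"), m.group("hash"))
    m = SUSPECT_RE.match(name)
    if m:
        # Suspect.<hash> = looks malicious but matches nothing seen before
        return Detection(name, "generic-suspect", None, m.group("hash"))
    # Anything else is treated as a named signature from the definitions.
    return Detection(name, "signature", None, None)


# Thresholds as the poster guesses them (assumed values, not vendor numbers).
PROFILE_THRESHOLD = {"home": 80, "business": 50}


def verdict(score: int, profile: str) -> str:
    """Map a score (0 = whitelisted, 50 = unknown, 100 = known bad) to an action."""
    if not 0 <= score <= 100:
        raise ValueError("score must be between 0 and 100")
    if score == 0:
        return "allow"  # whitelisted: zero chance of malware by definition
    if score >= PROFILE_THRESHOLD[profile]:
        return "block"
    return "allow"


def triage(name: str, score: int, profile: str) -> dict:
    """Combine name parsing and threshold into what an analyst wants in a ticket."""
    d = parse_detection(name)
    notes = {
        "cloud-reputation": "cloud-flagged; a definition usually follows later",
        "ml-model": f"matched ML model {d.model}; check hash on other hosts",
        "generic-suspect": "no known family; escalate for sandbox analysis",
        "signature": "known signature; standard cleanup",
    }
    return {"kind": d.kind, "partial_hash": d.partial_hash,
            "action": verdict(score, profile), "note": notes[d.kind]}


if __name__ == "__main__":
    # Constructed sample alerts: names and scores are placeholders.
    for n, s in [("Artemis!A1B2C3D4", 90), ("JTI/Suspect.190003!0BADF00D", 70),
                 ("Suspect.DEADBEEF", 60), ("ConstructedSignatureName", 100)]:
        print(n, "home:", triage(n, s, "home")["action"],
              "business:", triage(n, s, "business")["action"])
```

Running it shows the point of the thread: the same score of 60 or 70 is allowed under the home profile and blocked under the business one, which is why a file can sit undetected on LiveSafe while ENS or the gateway already removes it.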

sepik

Level 11
Aug 21, 2018
513
@McMcbrad
Thanks for the reply.

"Discarded packets"
- maybe it blocks all the outgoing connections during the boot-up stage? It does not care whether it's made by Microsoft or some other program(s). This can be good in some situations, where malware can connect to a server during the boot-up stage.
- Actually, my Symantec SEP blocks all outgoing connections during the boot-up stage. That's why I always get a yellow exclamation mark on my programs; they will not get access to the internet before SEP is fully loaded.

"McAfee Internet Security/LiveSafe"
- Do these consumer products use the same "GTI" as McAfee Endpoint does? And if so, at "High" level or?
- How about intrusion prevention, do they share the same IPS signatures?

Kind regards,
-sepik
 

McMcbrad

Level 20
Oct 16, 2020
964
> @McMcbrad
> Thanks for the reply.
>
> "Discarded packets"
> - maybe it blocks all the outgoing connections during the boot-up stage? It does not care whether it's made by Microsoft or some other program(s). This can be good in some situations, where malware can connect to a server during the boot-up stage.
> - Actually, my Symantec SEP blocks all outgoing connections during the boot-up stage. That's why I always get a yellow exclamation mark on my programs; they will not get access to the internet before SEP is fully loaded.
>
> "McAfee Internet Security/LiveSafe"
> - Do these consumer products use the same "GTI" as McAfee Endpoint does? And if so, at "High" level or?
> - How about intrusion prevention, do they share the same IPS signatures?
>
> Kind regards,
> -sepik
I suggest you review the firewall rules to find out when McAfee might discard packets. Normally, sudden and uninitiated attempts by a remote device to connect are blocked. It doesn't matter if it's Microsoft or even mcafee.com.

I believe there is a setting in the firewall to block all traffic during boot-up, but I might be wrong. I suggest you take a look at the firewall settings, or consult the McAfee documentation, as I do not have the product installed currently.

McAfee GTI is one consolidated network for all products; however, the decisions products take based on the data are different. Please see the post above for more information. McAfee LiveSafe and Total Protection are configured to "Low" and this can't be changed. Web Advisor is configured on "Medium".
Real Protect Cloud and Client are configured to "Medium", meaning they use a smaller subset of classifiers, as compared to ENS configured on "Aggressive".

Intrusion Prevention signatures are the same, but McAfee LiveSafe/TP will only block what's labelled as "High Risk", even if you set Intrusion Detection to "Aggressive". This means the product will detect only known and confirmed exploits. Net Guard is also present, set to "High Risk Only", meaning the product will block connections to known C&C servers, but will not be as proactive as ENS, where you can choose even "unverified".
 
Last edited:
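sepik's way of checking the "suspicious connection" alerts (look up each remote IP and see whether it belongs to a cloud provider) and McMcbrad's explanation (unsolicited inbound attempts are simply discarded by the firewall rules, which is normal for any vendor) combine into a small offline triage routine. The code below is an added example, not McAfee's export format or anyone's code from the thread: the log line format is assumed, the sample lines are constructed, and the cloud prefix is a documentation range standing in for a provider's real published list.

```python
import ipaddress
import re

# Constructed firewall log lines (assumed format, not McAfee's real export):
# timestamp, verdict, direction, source -> destination, protocol.
SAMPLE_LOG = """\
2020-11-05 08:12:01 BLOCKED inbound 203.0.113.25:443 -> 192.168.1.10:61234 TCP
2020-11-05 08:12:07 BLOCKED inbound 198.51.100.7:23 -> 192.168.1.10:23 TCP
2020-11-05 08:13:40 BLOCKED outbound 192.168.1.10:50211 -> 198.51.100.9:4444 TCP
2020-11-05 08:14:02 ALLOWED outbound 192.168.1.10:50212 -> 203.0.113.40:443 TCP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<verdict>BLOCKED|ALLOWED) (?P<dir>inbound|outbound) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

# Stand-in for a cloud provider's published address ranges. Constructed: a real
# deployment would load the provider's official prefix list instead.
CLOUD_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def parse_log(text):
    """Parse the assumed log format into a list of field dicts, skipping junk lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def remote_ip(ev):
    """The non-local side of the connection: source for inbound, destination for outbound."""
    return ev["src"] if ev["dir"] == "inbound" else ev["dst"]


def in_cloud_range(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUD_RANGES)


def classify(ev):
    """Triage label for one event.

    A dropped unsolicited inbound packet is ordinary discarded traffic, not an
    indicator, whatever the product's alert text calls it. A blocked outbound
    connection is the case worth a look, because a process on this host started it.
    """
    if ev["verdict"] == "ALLOWED":
        return "allowed"
    if ev["dir"] == "inbound":
        if in_cloud_range(remote_ip(ev)):
            return "discarded-inbound (cloud range)"
        return "discarded-inbound"
    return "investigate-outbound"


def triage(text):
    """Return (remote IP, label) for every parsable line, in log order."""
    return [(remote_ip(ev), classify(ev)) for ev in parse_log(text)]


if __name__ == "__main__":
    for ip, label in triage(SAMPLE_LOG):
        print(f"{ip:16} {label}")
```

Only the third sample line (an outbound attempt to an odd port that the firewall stopped) ends up labelled for investigation; the two inbound blocks are the "discarded packets" McMcbrad refers to, one of them from the cloud range sepik would have recognised in his IP lookup.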

amico81

Level 20
Verified
Jan 10, 2017
980
I had some packet loss during my trial with McAfee Antivirus Plus a few months ago.
Tested with ping and tracert.
The lightness was amazing... fast app start and overall system performance. But terrible GUI with a lot of
recurring notifications. Maybe I will give it a new try with version 16R28.
 

McMcbrad

Level 20
Oct 16, 2020
964
> I had some packet loss during my trial with McAfee Antivirus Plus a few months ago.
> Tested with ping and tracert.
> The lightness was amazing... fast app start and overall system performance. But terrible GUI with a lot of
> recurring notifications. Maybe I will give it a new try with version 16R28.
The UI is still not something to wow about. However, it's a bit easier to navigate.
 

sepik

Level 11
Aug 21, 2018
513
@amico81
Packet loss with McAfee Antivirus Plus? How's that possible, because it does not contain any firewall at the network level?
Kind of surprised how Netwalker 3 kicked some serious asses in the recent Hub test. GData's DeepRay/BEAST combo did "well" but the damage was already done. It's too late. Something like Comodo containment might be the only one that survives Netwalker 3...
Kind regards,
-sepik
 
Reactions: KonradPL

McMcbrad

Level 20
Oct 16, 2020
964
> @amico81
> Packet loss with McAfee Antivirus Plus? How's that possible, because it does not contain any firewall at the network level?
> Kind of surprised how Netwalker 3 kicked some serious asses in the recent Hub test. GData's DeepRay/BEAST combo did "well" but the damage was already done. It's too late. Something like Comodo containment might be the only one that survives Netwalker 3...
> Kind regards,
> -sepik
McAfee Endpoint Security offers containment as well.
 
Reactions: KonradPL

amico81

Level 20
Verified
Jan 10, 2017
980
@sepik I don't know. I had a lot of "blocked suspicious connections" and maybe there is a correlation.

Tested with the cmd commands ping and tracert. Re-tested with Windows Defender and everything is fine.
 
Reactions: KonradPL