McAfee LiveSafe 16.0 R28

[sona]

And now if you sign up to their auto-renewal, you get free VPN for 5 devices. Don't forget that too.

McAfee Auto Renewal! I have purchased from Amazon so that McAfee does not get my card details. I use keepsolid and free 50GB free Winscribe. Good thing is that they sell the product as Internet Security 1device and I got unlimited device !

You’ll find it to be much lighter than f-secure. At least in my experience, it is.

I have not found any difference. But it is as light as FS and a full suite. I don't want to hurt anyone but I found that FS still needs to improve. That's why I am going to leave FS.

 

[SeriousHoax]

McAfee only scans on file execution. One of the reason why it's light. Though some users said that it chooses this based on system configuration. So on a high end PC it scans on file creation as well but I haven't seen this in action so can't verify.

 

[ForgottenSeer 89360]

McAfee only scans on file execution. One of the reason why it's light. Though some users said that it chooses this based on system configuration. So on a high end PC it scans on file creation as well but I haven't seen this in action so can't verify.

Yes, that’s correct. I have noticed before that on my high end PC it automatically removes malware as soon as I download it. On some low-end machines it waits for you to run it. Then Windows actually gives you an error that file is not found, but McAfee is configured to terminate the window. But it’s not always that it detects malware instantly even on a high-end machine. It seems to depend on other factors as well... I have also noticed that in the McAfee definitions folder, there are 3 engines called perf, min, med... depending on your total RAM and other factors it chooses which engine to load in memory. It definitely has some smart logics behind.
This is totally different from the Endpoint protection where you have control over everything and my guess is that due to the 100% virus protection pledge, where they refund you the money if they fail, they have chosen to manage the settings instead of you. Just to avoid users getting infected, due to messed up settings and then bragging for a refund.

Another thing that you need to know about McAfee and I’ve observed it in SEP vs Norton and Trend Micro home vs business is that, Endpoint Protection detects more malware. ENS seems to use early warning service or something and it flags files as Artemis!, whilst home products still don’t detect anything at that point. Only after execution Real Protect Cloud might kick in.

 

[SeriousHoax]

Yes, that’s correct. I have noticed before that on my high end PC it automatically removes malware as soon as I download it. On some low-end machines it waits for you to run it. Then Windows actually gives you an error that file is not found, but McAfee is configured to terminate the window. But it’s not always that it detects malware instantly even on a high-end machine. It seems to depend on other factors as well... I have also noticed that in the McAfee definitions folder, there are 3 engines called perf, min, med... depending on your total RAM and other factors it chooses which engine to load in memory. It definitely has some smart logics behind.
This is totally different from the Endpoint protection where you have control over everything and my guess is that due to the 100% virus protection pledge, where they refund you the money if they fail, they have chosen to manage the settings instead of you. Just to avoid users getting infected, due to messed up settings and then bragging for a refund.

Another thing that you need to know about McAfee and I’ve observed it in SEP vs Norton and Trend Micro home vs business is that, Endpoint Protection detects more malware. ENS seems to use early warning service or something and it flags files as Artemis!, whilst home products still don’t detect anything at that point. Only after execution Real Protect Cloud might kick in.

Ow I see. Someone in the forum who also was kind of a McAfee expert wrote that McAfee have three engines and it's detection varies depending on which engine it's using on your system. The way they do this seems clever but can be a bit of hit and miss.

 

[ForgottenSeer 89360]

Ow I see. Someone in the forum who also was kind of a McAfee expert wrote that McAfee have three engines and it's detection varies depending on which engine it's using on your system. The way they do this seems clever but can be a bit of hit and miss.

Its detection doesn’t vary based on your configuration, it varies on whether you use home products or not and also, whether it’s got access to the cloud. McAfee is highly reliant on the cloud and even their behavioural blocker is enhanced by the cloud. This can be observed in this video:


They have just configured ENS to be deny-by-default, focusing on high security in business environment, knowing that you have an admin to deal with false positives, whereas home products are allow-by-default, focusing on fp reduction.

 

[SeriousHoax]

Its detection doesn’t vary based on your configuration, it varies on whether you use home products or not and also, whether it’s got access to the cloud. McAfee is highly reliant on the cloud and even their behavioural blocker is enhanced by the cloud. This can be observed in this video:


They have just configured ENS to be deny-by-default, focusing on high security in business environment, knowing that you have an admin to deal with false positives, whereas home products are allow-by-default, focusing on fp reduction.

What about McAfee GW edition? What is that? I often see it detecting threats on Virustotal that the standard version missed.

 

[ForgottenSeer 89360]

What about McAfee GW edition? What is that? I often see it detecting threats on Virustotal that the standard version missed.

McAfee Web Gateway, formerly known as McAfee GateWay Edition or Web Washer is an appliance, typically deployed in large organisations, such as banks.

https://www.mcafee.com/enterprise/en-us/assets/data-sheets/ds-web-gateway.pdf

You can view it as a business version of those secure routers, such as the ex Norton Core.

The Appliance blocks malware and attacks before they ever reach any system. McAfee END and GW are synchronised, whilst home products are not connected to the GW database.
The thing about home McAfee products is that they will only detect malware, once there is some obvious confirmation file is malicious. Whilst all business products act immediately in a default-deny kind of way.
Edit: to answer more accurately why GW detects malware when home products don’t, this is due to the lower threshold of maliciousness set. McAfee calculates a probability or likelihood that file is a threat, starting from 50 (unknown) to 100 (known malicious). Home products are somewhere at the 80 threshold (my guess) whilst business products can go down to 50 (clean all unknown files by default). Whitelisted files will logically score 0 (there is 0% chance that this is malware).

 

[sepik]

Hi,
Installed 60 day trial version of McAfee LiveSafe on my secondary PC couple of days ago. Downloaded some fresh and not so fresh malware samples. No alert while downloading them. I was like...wtf. Then installed their browser add-on and re-downloaded some of the malware samples. Now it detects them almost instantly when downloading (in "browser-level"). Seems that it makes some kind of cloud lookup, before writing it to the disk.
It should detect the samples when reading/writing without the browser add-on.

I really hate when opening the GUI, there's no way to disable all kind of security reports etc etc. Then, automatic updates. When i go to automatic updates tab, it says, that automatic updates are disabled. I enabled it. Then back to the home screen and then back to automatic updates tab. I still says that automatic updates are disabled. But in settings, it says that updates are enabled....sigh. The firewall said, that it blocked some "suspicious" connections. I did an IP lookup check of those and they seems to be Microsoft "Azure" servers, maybe some telemetry things?

But after all, it is a solid product, good detection rates, resource friendly and the web filter is good. Not bad what McAfee used to be years ago.

Kind regards,
-sepik

 

[ForgottenSeer 89360]

Hi,
Installed 60 day trial version of McAfee LiveSafe on my secondary PC couple of days ago. Downloaded some fresh and not so fresh malware samples. No alert while downloading them. I was like...wtf. Then installed their browser add-on and re-downloaded some of the malware samples. Now it detects them almost instantly when downloading (in "browser-level"). Seems that it makes some kind of cloud lookup, before writing it to the disk.
It should detect the samples when reading/writing without the browser add-on.

I really hate when opening the GUI, there's no way to disable all kind of security reports etc etc. Then, automatic updates. When i go to automatic updates tab, it says, that automatic updates are disabled. I enabled it. Then back to the home screen and then back to automatic updates tab. I still says that automatic updates are disabled. But in settings, it says that updates are enabled....sigh. The firewall said, that it blocked some "suspicious" connections. I did an IP lookup check of those and they seems to be Microsoft "Azure" servers, maybe some telemetry things?

But after all, it is a solid product, good detection rates, resource friendly and the web filter is good. Not bad what McAfee used to be years ago.

Kind regards,
-sepik

The McAfee firewall incorrectly labels “discarded packets” as suspicious connections. Every incoming connection is subject to firewall rules and firewall might reject traffic, just like any other vendor does. However, McAfee then goes ahead and labels it “suspicious connection” which is more of “look how much we did for you” tactic, rather then protection.

As for the Web Advisor vs standard antivirus, McAfee has a very comprehensive reputation calculations. I don't know how it works, because they don't release this information to the public, however different products and components kick in at different score. Standard antivirus only deletes known malicious files already blacklisted/ described in definitions or performs data mining and sends this to the cloud. If file matches any of the machine learning models it will be labelled JTI/Suspect.<modelNumber>!<partialFileHash>. Sometimes it might simply be labelled "Suspect.<partialFileHash> meaning it looks malicious, but it can't be related to anything seen before. This is usually the case with brand new malware families.

Web Advisor (due to most risks coming from the web) & ENS go a step further and delete suspicious files. They have either been executed by "patient 0" and Real Protect has reported malicious behaviour, or McAfee's sandbox reported something. McAfee is already aware of the risk and file is on the queue for analysis: after some time it will be blacklisted and in few days definition will be released. File has not matched any machine learning model. This is usually the case with evasive malware, that was discovered some hours ago, as the data mining technique will extract "noise" from the file.
Suspicious files will be removed by Real Protect post-execution.

McAfee ENS, GW and others can be configured to go even further and delete unknown files.
I am not a fan of this to be frank, that's why I prefer ENS myself.

 

[sepik]

@McMcbrad
Thanks for the reply.

"Discarded packets"
- maybe it blocks all the outgoing connections during the boot up stage? It does not care whether its made by Microsoft or some other program(s). This can be good in some situations, where malware can connect to a server during the boot up stage.
- Actually, my Symantec SEP blocks all outgoing connection during the boot up stage. That's why i always get yellow reclamation mark on my programs, they will not get an access to the internet before SEP is fully loaded.

"McAfee Internet Security/LiveSafe"
- Do these consumer products use the same "GTI" like McAfee Endpoint does? And if so, in "High" level or?
- How about intrusion prevention, do they share the same IPS signatures?

Kind regards,
-sepik

 

[ForgottenSeer 89360]

@McMcbrad
Thanks for the reply.

"Discarded packets"
- maybe it blocks all the outgoing connections during the boot up stage? It does not care whether its made by Microsoft or some other program(s). This can be good in some situations, where malware can connect to a server during the boot up stage.
- Actually, my Symantec SEP blocks all outgoing connection during the boot up stage. That's why i always get yellow reclamation mark on my programs, they will not get an access to the internet before SEP is fully loaded.

"McAfee Internet Security/LiveSafe"
- Do these consumer products use the same "GTI" like McAfee Endpoint does? And if so, in "High" level or?
- How about intrusion prevention, do they share the same IPS signatures?

Kind regards,
-sepik

I suggest you review the firewall rules to find out when McAfee might discard packets. Normally, sudden and uninitiated attempts for a remote device to connect are blocked. It doesn't matter if it's Microsoft or even mcafee.com.

I believe there is a setting in firewall to block all traffic during bootup, but I might be wrong. I suggest you take a look at the firewall settings, or consult McAfee documentation as I do not have the product installed currently.

McAfee GTI is one consolidated network for all products, however the decision products take based on the data is different. Please see the post above for more information. McAfee LiveSafe and Total Protection are configured to "Low" and this can't be changed. Web Advisor is configured on "Medium".
Real Protect Cloud and Client are configured to "Medium" meaning they use a smaller subset of classifiers, as compared to ENS configured on "Aggressive".

Intrusion Prevention signatures are same, but McAfee LiveSafe/TP will only block what's labelled as "High Risk", even if you set Intrusion Detection to "Aggressive". This means product will detect only known and confirmed exploits. Net Guard is also present, set to "High Risk Only", meaning product will block connection to known C&C servers, but will not be as proactive as ENS, where you can choose even "unverified".

 

[sepik]

@McMcbrad
Thanks for the comprehensive reply, appreciated.

Kind regards,
-sepik

 

[ForgottenSeer 89360]

These are more novelties, it's not only the UI that has changed.

McAfee unveils latest security offering, with a boosted VPN

Refreshed 2021 McAfee security suite includes updated VPN

www.techradar.com

 

[sepik]

Techradar...oh well

 

[ForgottenSeer 89360]

Techradar...oh well

The VPN addition is true as I am already using it, rest I am not sure about.

 

[amico81]

i had some packet loss during my trial with mcafee antivirus plus a few months ago.
tested with ping and tracert.
the lightness was amazing....fast app start and overall system performance. but terrible GUI with a lot of
recurring notifications. maybe i will give it a new try with version 16R28.

 

[ForgottenSeer 89360]

i had some packet loss during my trial with mcafee antivirus plus a few months ago.
tested with ping and tracert.
the lightness was amazing....fast app start and overall system performance. but terrible GUI with a lot of
recurring notifications. maybe i will give it a new try with version 16R28.

The UI is still not something to wow about. However, it's a bit easier to navigate.

 

[sepik]

@amico81
Packet loss with McAfee antivirus Plus? Hows that possible, because it does not contain any firewall in the network level?
Kinda surprised how Netwalker 3 kicked some serious asses in recent Hub test. GData's Deepray/Beast combo did "well" but the damage was already done. It's too late. Somethin like Comodo containment might be the only one that survive Netwalker 3...
Kind regards,
-sepik

 

[ForgottenSeer 89360]

@amico81
Packet loss with McAfee antivirus Plus? Hows that possible, because it does not contain any firewall in the network level?
Kinda surprised how Netwalker 3 kicked some serious asses in recent Hub test. GData's Deepray/Beast combo did "well" but the damage was already done. It's too late. Somethin like Comodo containment might be the only one that survive Netwalker 3...
Kind regards,
-sepik

McAfee Endpoint Security offers containment as well.

 

[amico81]

@sepik i dont know. i had a lot of "blocked suspicious connections" and maybe is there a correlation.

tested with cmd commands ping and tracert. re-test with windows defender and everything is fine