Hello guys and welcome to this McAfee review.
Before we get to the McAfee details (which will be discussed in great depth), I would like to discuss the upgrade to my practices across this forum.
This forum is not for promotion of favouritism, it is designed mainly as a technical and objective forum.
In the light of all that, I have created Trident Review Framework (TRF) 1.0 with several key highlights:
- Software is reviewed objectively based on capabilities and performance.
- Wherever threat detection levels are measured (or tested), I focus on realistic scenarios and broad coverage.
- Committed to transparency: wherever threat detection tests are performed, hashes of the malware are provided (as much as possible), so users can test the same software or other software, as long as they know how to do it safely and securely.
- Malware is pre-checked, hunted fresh (as much as possible) and guaranteed to be malicious. Malware of different types is tested.
- Wherever the security software offers more aggressive downloads scanning (which is many solutions nowadays), malware is downloaded in realistic scenarios, giving the solution a chance to react.
- When additional components such as email protection are offered, these are welcome. Malware (and all trouble really) comes mainly through the web and email. These are tested too.
- When it comes to privacy, I have already created another thread here: Serious Discussion - Data Collection Core Principles (Security Software)
- Generative AI (namely Gemini 2.5 Pro which I also use in programming) is heavily used in my research, as well as in various other tasks, such as converting antivirus logs to tables, researching patents and so on. This allows me to do more work in a shorter time.
You can expect reviews from me every now and then, mainly when misinformation has to be combatted.
CHAPTER 1: The theory
McAfee around 2022 upgraded the products to a new cloud-based architecture. They rewrote the whole product and there were several support articles. Thread was created by me here: New Update - The new cloud-based McAfee
Since then the support articles have been deleted by McAfee.
Nevertheless, the new architecture has several key highlights:
- Less reliant on own kernel drivers, uses Windows native components as much as possible: McAfee uses the Defender Firewall for static rules and adds on top domain/web reputation. It also uses the Windows Filtering Platform to facilitate the malicious traffic interception.
- No "signatures" as in no malware fragments. McAfee uses highly efficient heuristic/generic detections, as well as local trust and machine learning models and YARA rules to detect malware offline. It's important to note that if you are testing McAfee with fresh malware from several websites we've all come to know, you can't expect offline detection. The offline detection will be only on old and well-known malware. Such software that is light, efficient, disconnected from the cloud and yet detects everything simply doesn't exist.
- Upgraded cloud, this was reflected in my McAfee deep research here: Serious Discussion - Deep Research: McAfee GTI, JTI, Artemis and Other Technologies Explained
- The new architecture creates a very lightweight product, see the performance section for details.
- McAfee offers many features that extend the protection, such as email scanning and deep fake detection. These features solve real problems for real users, beyond detecting malware which Microsoft Defender can do too.
- Heavily focused on machine learning and AI. Recent patents tell us more about McAfee's focus:
| Patent Title | Publication Number | Date (YYYY-MM-DD) | Brief Description |
|---|---|---|---|
| Systems and Methods for Providing User Experiences on AR/VR Systems | US-20240060933-A1 | 2024-02-22 | Manages security and privacy within augmented or virtual reality environments. |
| Methods and Apparatus for Comprehensive User-Centric Protection | US-20240034800-A1 | 2024-02-01 | Creates a personalized security posture based on a user's digital assets and risk profile across devices. |
| Systems and methods for detecting deepfake artifacts | US-20240012586-A1 | 2024-01-11 | Analyzes media files for subtle inconsistencies and artifacts to identify AI-generated deepfakes. |
| Visual Detection of Phishing Websites via Headless Browser | US-20230396013-A1 | 2023-12-07 | Uses a non-graphical browser to analyze the visual components of a webpage to determine if it's a phishing site. |
| Systems and Methods for Performing Multi-Faceted Security Scanning | US-20230349887-A1 | 2023-11-02 | Implements a multi-layered scanning approach to detect diverse and complex security threats. |
| Device Reputation Score Based on Device Vitals | US-20230282672-A1 | 2023-09-07 | Calculates a real-time trust score for a device based on its security health, software, and behavior. |
| In-Place Cloud Instance Restore | US-20230205562-A1 | 2023-06-29 | Provides a method to restore a compromised cloud computing instance directly, minimizing downtime. |
| Dynamic Process Criticality Scoring | US-20230185984-A1 | 2023-06-15 | Assigns a real-time risk score to running processes to prioritize security actions. |
| Visual Identification of Malware | US-20230089868-A1 | 2023-03-23 | Converts malware code into a visual representation (an image) to use image analysis for faster detection. |
| Methods and systems for cloud native threat detection | US-20230070151-A1 | 2023-03-02 | Provides threat detection specifically designed for the architecture of cloud-native applications (containers, etc.). |
| Icon Based Phishing Detection | US-20230047306-A1 | 2023-02-16 | Detects phishing attempts by analyzing the favicon or other icons associated with a website. |
| Method and Apparatus for Hardware Based File/Document Expiry Timer | US-20220399433-A1 | 2022-12-15 | Enforces document access expiry dates using hardware-level security, making it harder to bypass. |
| Systems and Methods for Utilizing Hardware Assisted Protection | US-20220366299-A1 | 2022-11-17 | Leverages specialized hardware security features (like Intel SGX) to protect applications and data. |
| Threat Hunting Using Natural Language Processing | US-11451613-B2 | 2022-09-20 | Enables security analysts to search for threats in datasets using plain English queries instead of complex code. |
| Multi-Dimensional Malware Analysis | US-20220261685-A1 | 2022-08-18 | Utilizes machine learning to analyze malware across multiple dimensions (code, behavior, network) for classification. |
| Systems and methods for mitigating against malicious scripts | US-11394801-B2 | 2022-07-19 | Detects and neutralizes malicious scripts (e.g., Magecart) designed to steal payment info from web forms. |
| Detecting Grammatical Artifacts of Machine-Translated Phishing Websites | US-20220191398-A1 | 2022-06-16 | Identifies phishing sites by spotting grammatical errors characteristic of automated translation tools. |
| Systems and Methods for Monitoring IoT Device Baseline | US-11356453-B2 | 2022-06-07 | Establishes a normal behavior baseline for IoT devices and flags anomalous activity as a potential threat. |
| Methods and Systems for Detecting Ransomware | US-20220078235-A1 | 2022-03-10 | Employs behavioral analysis to detect and block ransomware activity before significant encryption occurs. |
- Local Intelligence Explained:
- AV Trust: whitelist for the Neo engine, 6.49 KB in size.
- Neo Core: the main engine, includes true file type detection, unpacking and the Neo host (12.7 MB total size).
- Neo rules: these are heuristic rules for the Neo engine, compressed from 20.9 MB into a cab file that is 3.5 MB. Whilst some heuristics could be run on the code, the majority of AV heuristics are usually run on behaviour, which means the Neo engine is responsible for file emulation as well.
- Neo trust: these are exceptions from the heuristic rules, 9.99 MB compressed to 2.4 MB.
- Real Protect Core: these are the core behavioural monitoring machine learning models, just over 13 MB.
- Real Protect Non-PE: these are machine learning models, mainly for DLL modules, 2.7 MB.
- Real Protect Script - these are machine learning models involved in the detection of scripts (during runtime), probably focusing on suspicious, long encoded commands and so on.
- Real Protect Static - machine learning models facilitating Pre-Execution (static analysis) on scripts, modules and portable executables, 11.7 MB.
- TPX (according to McAfee these are the main AV generic detections), 35.7 MB -> these are updated often, if not daily
- TPX-1, these are the YARA rules (according to the configuration file), compressed from 20 MB to 3.2 MB -> these are updated often if not daily
- TRS, that's another part of the AV engine, 10.3 MB -> this seems to be updated every few days
- OpenVino-based DeepFake detection models, optimised for various CPUs (McAfee just recently launched that and is still working to increase availability), just over 50 MB
- McAfee also offers ransomware remediation/restoration
TLSH is better than other methods such as SSDEEP, mainly because SSDEEP struggles with small files. McAfee also uses server-side machine learning.
Several of the new patents explain the McAfee multi-faceted approach in depth: McAfee combines online and offline reputation, is heavily focused on multiple different types of machine learning, and also takes the file origin into account when making a decision.
CHAPTER 2: Antivirus Test
McAfee was tested over the course of a few days. To make the test more interesting, executables were tested twice: once in their original form and once modified. Scripts were modified to include custom functions/subs.
| File Name | Detection Name | Final Detection Source | TLSH | Date |
|---|---|---|---|---|
| 1c8071c09a7f4b7bce1339b71d2522547aae5b41ed8d80a821a990a2f2b991fc.js | Trojan:Script/STRRAT.DA | neo | N/A | 2025-07-08 |
| 9ce142439e553f047639d272975b85c41da29191e532348f00653723e7f00299.bat | ti!9CE142439E55 | hti | N/A | 2025-07-08 |
| b97cd404ceab09bdd92003599566d946cead1d5d5dba528327821fe4f18108ec.msi | ti!B97CD404CEAB | hti | N/A | 2025-07-08 |
| 63d2e9f885c7b2df3fc23658a5c13d3df968fbe205d9c973f4f42c775bd787af.exe | ti!63D2E9F885C7 | hti | T13C55...1463E7A3 | 2025-07-08 |
| 2f0f2cdc865f7769b831943e2edb2a3090c3de28e45cb583a695257a6b771f3a.msi | ti!2F0F2CDC865F | hti | N/A | 2025-07-08 |
| 2f0f2cdc865f7769b831943e2edb2a3090c3de28e45cb583a695257a6b771f3a.msi | ti!2F0F2CDC865F | hti | N/A | 2025-07-08 |
| ca9d03df1842fbec86ce1be7fd74318cefaa44e61047c9667b3cc60667f0f9d9.exe | ti!CA9D03DF1842 | hti | T1AFB4...05A823AF | 2025-07-08 |
| 2f0f2cdc865f7769b831943e2edb2a3090c3de28e45cb583a695257a6b771f3a.msi | Cache!257a6b771f3a | cache | N/A | 2025-07-08 |
| ae4e172d659cdd1fb298a4bb02f361ac8db869e78cdfe5f4e21741337b088845.exe | ti!AE4E172D659C | hti | N/A | 2025-07-08 |
| 6d7bd0f24261739722d0d052000ea27767c6b73446aa5d0dd8d2b9b39a105563.vbe | ti!6D7BD0F24261 | hti | N/A | 2025-07-08 |
| 6d7bd0f24261739722d0d052000ea27767c6b73446aa5d0dd8d2b9b39a105563.vbe | ti!6D7BD0F24261 | hti | N/A | 2025-07-08 |
| 6d7bd0f24261739722d0d052000ea27767c6b73446aa5d0dd8d2b9b39a105563.vbe | ti!6D7BD0F24261 | hti | N/A | 2025-07-08 |
| d82bd404ae9e2a0e63509e6d4114cd139f029f6c27b30d5cde0713fe54f543eb.exe | ti!D82BD404AE9E | hti | T185E4...39F141E2 | 2025-07-08 |
| 19b6c6f8da4dd0a883cc647f0c5eaedd01a0bc1758beba1c8f9f97f4335b1f58.zip | ti!19B6C6F8DA4D | hti | N/A | 2025-07-08 |
| c4c2a82a7d454bb85fa22f12d2571639c1640ba4a6790d708f4a229f91a7a99b.exe | ti!C4C2A82A7D45 | hti | N/A | 2025-07-08 |
| ddd77057aed66ecef36d3b3997694acca1c72d4d23c32c684b9dff50e385b880.exe | ti!DDD77057AED6 | hti | N/A | 2025-07-10 |
| ddd77057aed66ecef36d3b3997694acca1c72d4d23c32c684b9dff50e385b880.exe | Real Protect-LS!c16f81a15b2a | rp-s | N/A | 2025-07-10 |
| 7fc0bcc654d5369fa6a18661eddfd91f058db076559f4517f0dd21f674d2fa3c.js | ti!7FC0BCC654D5 | hti | N/A | 2025-07-10 |
| 7fc0bcc654d5369fa6a18661eddfd91f058db076559f4517f0dd21f674d2fa3c.js | Trojan:Script/Downloadagent.I | neo | N/A | 2025-07-10 |
| 6caa23ad0e1f8b3cbfc3ec44de9bebfc53660a58df76f4756539edd5fdafee76.vbs | Trojan:Script/ObfuBAT.EOFF | neo | N/A | 2025-07-10 |
| 6caa23ad0e1f8b3cbfc3ec44de9bebfc53660a58df76f4756539edd5fdafee76.vbs | Trojan:Script/ObfuBAT.EOFF | neo | N/A | 2025-07-10 |
| ab0105ec57d87547362920516f6374f729f046f1a722eef189a1ef2d813ba00a.exe | ti!AB0105EC57D8 | hti | T1C725...2525EA73 | 2025-07-10 |
| fecd05a391d8dc00fc236e0808f8191bbcaee0f1b41b55d40f4c725f71f04848.zip | Trojan:Win/suspiciousLnk.C | neo | N/A | 2025-07-12 |
| ab0105ec57d87547362920516f6374f729f046f1a722eef189a1ef2d813ba00a.exe | hti!1dddaaaa | hti | T1C725...2525EA73 | 2025-07-12 |
| 70a92cdcd65bad4c5ed38adf340d5123944acde22d94c44df7ee8178f778d761.cmd | ti!70A92CDCD65B | hti | N/A | 2025-07-12 |
| 70a92cdcd65bad4c5ed38adf340d5123944acde22d94c44df7ee8178f778d761.cmd | Trojan:Script/SuspiciousBat.A!2 | neo | N/A | 2025-07-12 |
| wscript.exe | ti!AD5039A88038 | rp-d | N/A | 2025-07-12 |
| c5be4a627fe03ecc5c3768b579c77fc12b1a52738dfb7c0a5a2ee0fa122c28ac.exe | ti!C5BE4A627FE0 | hti | T101C5...29F1E332 | 2025-07-12 |
| c5be4a627fe03ecc5c3768b579c77fc12b1a52738dfb7c0a5a2ee0fa122c28ac.exe | ti!4BDF1C5B280B | rp-s | T1C8C5...29F1E332 | 2025-07-12 |
| c5be4a627fe03ecc5c3768b579c77fc12b1a52738dfb7c0a5a2ee0fa122c28ac.exe | ti!4BDF1C5B280B | rp-s | T1C8C5...29F1E332 | 2025-07-12 |
| c5be4a627fe03ecc5c3768b579c77fc12b1a52738dfb7c0a5a2ee0fa122c28ac.exe | hti!1dae93a9 | hti | T101C5...29F1E332 | 2025-07-12 |
| 6981d8702172dc39f302bdeb4917c0eb49f7c37b2a90bee41f64ccecc7e9497d.exe | ti!DEAC7649D369 | rp-s | T11155...2521E673 | 2025-07-14 |
| 6981d8702172dc39f302bdeb4917c0eb49f7c37b2a90bee41f64ccecc7e9497d.exe | ti!DEAC7649D369 | rp-s | T11155...2521E673 | 2025-07-14 |
| r189722c5-ba5c-4822-ab5d-7359af018697r.js | Trojan:Script/GenericYJ.BBC | neo | N/A | 2025-07-15 |
| 6981d8702172dc39f302bdeb4917c0eb49f7c37b2a90bee41f64ccecc7e9497d.exe | ti!6981D8702172 | hti | T19C55...2521E673 | 2025-07-15 |
| 9b757a3dbb96ff7cbea3853bdea20cbf954add2f6a2f6cebb2d0d5f0c137c0d8.exe | ti!9B757A3DBB96 | rp-s | T16715...016CF08F | 2025-07-15 |
| 968396ee196be287ac6de30d897f7e84570eb5a297642a32d7300826241349bb.exe | ti!968396EE196B | hti | N/A | 2025-07-15 |
| 968396ee196be287ac6de30d897f7e84570eb5a297642a32d7300826241349bb.exe | ti!0CBCDA1CFD01 | rp-s | N/A | 2025-07-15 |
| x.exe | ti!8C874AE8B5B3 | rp-s | T18E75...06A29763 | 2025-07-15 |
| x.exe | ti!8C874AE8B5B3 | rp-s | T18E75...06A29763 | 2025-07-15 |
| x.exe | ti!8C874AE8B5B3 | rp-s | T18E75...06A29763 | 2025-07-15 |
| 404f55e7aa854f7df700f2b93b4a31d0f13dde464e74985ca9bc98ba6224cc93.exe | ti!404F55E7AA85 | hti | N/A | 2025-07-15 |
| tier0.dll | ti!95829D5ACF78 | hti | N/A | 2025-07-15 |
| 968396ee196be287ac6de30d897f7e84570eb5a297642a32d7300826241349bb.exe | hti!968cc448 | hti | N/A | 2025-07-15 |
| b501e17e249221d34a618e288e0e9a75933cea9894ec11fdcd45c0663d95eeb6.vbs | VBS/Generic.c | av | N/A | 2025-07-15 |
McAfee detects all malware early, pre-execution (just 2-3 detections were post-execution) and leaves a clean system, as confirmed by Norton Power Eraser and Malwarebytes.
The tests are ongoing, but it's clear that the new architecture offers efficient security.
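The TRF principles above mention converting antivirus logs into tables. As an added example (not code from the post or from McAfee), here is a small Python script that reads rows in the table format used above and reports, per sample, which detection layers fired and whether anything was caught only after execution. The rows in LOG are copied from the table; the SOURCE_LAYER mapping of the source codes (neo, hti, rp-s, rp-d, av, cache) to components and to pre-/post-execution is this example's own assumption, inferred from the Chapter 1 component list, not something McAfee documents.

```python
"""Summarise detection-log rows in the table format used above.

Added example (not from the post or from McAfee). The rows in LOG are copied
from the post's table; the SOURCE_LAYER mapping is this example's own
assumption, inferred from the Chapter 1 component list, and may not match
McAfee's internal meaning of the codes.
"""
import re
from collections import Counter, defaultdict

# Rows copied from the detection table in the post (subset).
LOG = """\
| File Name | Detection Name | Final Detection Source | TLSH | Date |
| 1c8071c09a7f4b7bce1339b71d2522547aae5b41ed8d80a821a990a2f2b991fc.js | Trojan:Script/STRRAT.DA | neo | N/A | 2025-07-08 |
| 2f0f2cdc865f7769b831943e2edb2a3090c3de28e45cb583a695257a6b771f3a.msi | ti!2F0F2CDC865F | hti | N/A | 2025-07-08 |
| 2f0f2cdc865f7769b831943e2edb2a3090c3de28e45cb583a695257a6b771f3a.msi | ti!2F0F2CDC865F | hti | N/A | 2025-07-08 |
| 2f0f2cdc865f7769b831943e2edb2a3090c3de28e45cb583a695257a6b771f3a.msi | Cache!257a6b771f3a | cache | N/A | 2025-07-08 |
| ddd77057aed66ecef36d3b3997694acca1c72d4d23c32c684b9dff50e385b880.exe | ti!DDD77057AED6 | hti | N/A | 2025-07-10 |
| ddd77057aed66ecef36d3b3997694acca1c72d4d23c32c684b9dff50e385b880.exe | Real Protect-LS!c16f81a15b2a | rp-s | N/A | 2025-07-10 |
| wscript.exe | ti!AD5039A88038 | rp-d | N/A | 2025-07-12 |
| c5be4a627fe03ecc5c3768b579c77fc12b1a52738dfb7c0a5a2ee0fa122c28ac.exe | ti!C5BE4A627FE0 | hti | T101C5...29F1E332 | 2025-07-12 |
| c5be4a627fe03ecc5c3768b579c77fc12b1a52738dfb7c0a5a2ee0fa122c28ac.exe | ti!4BDF1C5B280B | rp-s | T1C8C5...29F1E332 | 2025-07-12 |
| b501e17e249221d34a618e288e0e9a75933cea9894ec11fdcd45c0663d95eeb6.vbs | VBS/Generic.c | av | N/A | 2025-07-15 |
"""

# ASSUMED mapping of source codes to engine layer and execution stage.
SOURCE_LAYER = {
    "neo":   ("Neo engine: heuristic / YARA rules", "pre-execution"),
    "hti":   ("cloud hash / threat-intelligence lookup", "pre-execution"),
    "rp-s":  ("Real Protect Static: ML on the file", "pre-execution"),
    "rp-d":  ("Real Protect Dynamic: behavioural, at runtime", "post-execution"),
    "av":    ("classic generic AV detection", "pre-execution"),
    "cache": ("cached verdict for an already-seen file", "pre-execution"),
}
HEX64 = re.compile(r"^[0-9a-f]{64}$")


def parse_rows(text):
    """Parse pipe-delimited rows; the header and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 5 or cells[0] == "File Name":
            continue
        name, detection, source, tlsh, date = cells
        rows.append({"file": name, "detection": detection, "source": source,
                     "tlsh": None if tlsh == "N/A" else tlsh, "date": date})
    return rows


def sha256_of(name):
    """Return the SHA-256 when the file is named by its hash, else None."""
    stem = name.rsplit(".", 1)[0]
    return stem if HEX64.match(stem) else None


def stage_of(source):
    """Execution stage for a source code, 'unknown' if not in the mapping."""
    return SOURCE_LAYER[source][1] if source in SOURCE_LAYER else "unknown"


def summarise(rows):
    """Collapse repeated log events and report per-sample layering."""
    verdicts = {(r["file"], r["detection"], r["source"]) for r in rows}
    sources_per_sample = defaultdict(set)
    for f, _, s in verdicts:
        sources_per_sample[f].add(s)
    stage_counts = Counter(stage_of(s) for _, _, s in verdicts)
    # Samples whose only detections came after execution: the weak spot a
    # defender wants listed explicitly rather than hidden in an aggregate.
    post_only = sorted(f for f, srcs in sources_per_sample.items()
                       if all(stage_of(s) == "post-execution" for s in srcs))
    return {
        "events": len(rows),
        "unique_verdicts": len(verdicts),
        "samples": len(sources_per_sample),
        "layers_per_sample": {f: sorted(s) for f, s in sources_per_sample.items()},
        "stage_counts": dict(stage_counts),
        "post_only": post_only,
        # Process names (wscript.exe) rather than hash-named files usually mean
        # a runtime detection on the interpreter, not on the dropped sample.
        "not_named_by_hash": sorted(f for f in sources_per_sample if sha256_of(f) is None),
    }


if __name__ == "__main__":
    for key, value in summarise(parse_rows(LOG)).items():
        print(f"{key}: {value}")
```

On the rows above this reports 10 events but 9 unique verdicts (the .msi was logged twice by the same source), six samples, one of which (wscript.exe) was caught only at runtime, and shows the layering the author describes: the c5be… executable was hit both by the cloud lookup and by the Real Protect Static model.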
rare instance of post-execution fileless malware block
*It's important to note that in a real-world scenario, McAfee would never allow someone to download a large amount of malware. From the quick web test, I wasn't able to download any.
Phishing Detection Test Coming Soon on the same thread.

Scam/SPAM email test:
In addition to handling files and web well, McAfee provides email protection for Outlook, Yahoo and Gmail. The protection does not scan emails that are already marked as spam. It only scans emails that pass the initial filtration. I composed several realistic scenarios, including Taylor Swift being in love with me and getting "a massive pay rise" with an infostealer attached as a contract. McAfee blocked the scams. It's important to note that marketing emails containing language like "hurry up, offer expires" are not McAfee Anti-Scam's favourite and are also being flagged.
Removing emails of this sort aids malware detection and overall protection, including for unsuspecting users' finances.
DeepFake detection: I don't really know where I can find deep fakes, so I turned to YouTube. Unfortunately, there are not that many and they are quite short, but they were identified based on audio patterns.
Now let's get to perhaps the most important part.
CHAPTER 3: Performance impact
Loading the interface CPU Usage: 6-7% for a few seconds
Scan with fast scanning enabled: 75% CPU usage
Scan with fast scan disabled: 20-30% CPU usage
Quick Scan duration: less than a minute
Full scan duration: <10 minutes
Observed Maximum memory usage: 270 MB (right after a scan)
Observed minimum memory usage: 160 MB (idle)
Observed CPU usage in idle: <1%
Observed CPU usage whilst opening popular and unpopular apps: <5%
System feels responsive and boots fast: yes
Additional features that may be useful:
Breach monitoring, VPN, data shredder.
Cyber-theft insurance on more expensive plans available.
Cons: the Mac protection is not migrated to the new architecture.
Final verdict: TRF approved and recommended for all types of users.