Serious Discussion McAfee Uses Default-Deny on Executables

Trident

This is a straightforward one: after experimenting with compilation, I've discovered that McAfee uses default-deny on executables, in addition to all other modules.

In the log, File Reputation returns 1 (very low reputation: unsigned, never seen before) and Heuristic Threat Intelligence in turn returns 50 (very high probability that it is malicious).

Field                         | Value
Timestamp                     | 2025-09-14T23:48:47.388Z
Target File                   | \\\\?\\C:\\Users\\user\\OneDrive\\Desktop\\OrionTool.exe
Initiator Process             | \\\\?\\C:\\Windows\\explorer.exe
Detection Name                | ti!3D3850892C55
Final Result                  | infection quarantined
File Reputation Score         | 1
Heuristic Threat Intelligence | 50
Sensor                        | section execute

This further strengthens McAfee protections without the need for sandboxing.
 
We cannot be sure if there is a kind of default-deny in the example from the OP. This can depend on the priority level between "File Reputation" and "Heuristic Threat Intelligence".

For example, if the file is considered safe when "Heuristic Threat Intelligence" + "File Reputation" > 99%, then this will not be default-deny.

On the contrary, if the safety criterion is "Heuristic Threat Intelligence" + "File Reputation" > 99% and "File Reputation" > 90%, then this could be a smart-default-deny.

I think that McAfee has a good mix of "Heuristic Threat Intelligence" + "File Reputation", as you noticed in your last post. :)
 
The log provides every engine's verdict, though; everything else returned 0. McAfee also takes into account the origin of the file. For files that originate from untested/suspicious/malicious websites, one of the engines returns between 55 and 85 as a verdict. Maybe I will compile a very simple exe, but HTI heuristics on executables are very straightforward; the emulation heuristics and verdict go under "Neo".

Files with low reputation requiring deletion is a heuristic on its own: there is no set-in-stone definition of what low reputation is, and it's not a universal rule, so it stems from McAfee's experience, hence it is a heuristic.

The HTI is the ex-JTI (which is the evolved Artemis). It relies on rules (like "suspicious executable in user space", which was 196612). It's their form of ASR and I guess it is kinda smart.
 
This is the whole log; I did a lot of manual testing of certutil abuse, suspicious PowerShell arguments, AMSI bypass and so on. The [memory] detections are me manually executing code in PowerShell. "Signature" denotes a YARA rule; the generic detection is listed as "AV". Emulation is "Neo". "Trust-dat" is the local trust repository. "RP-s" is static analysis. "Cache" is the behavioural/actions database. "RP-fileless" is the runtime analysis of LOLBins and so on. "Final source" is what led to pulling the trigger.

Timestamp (UTC) | Detection Name | Target Name / Type | Target Hash (SHA256) | Initiator Process | Final Result | Sensor | Final Source | All Engine Detections (engine: {file_rep, hti_rep, url_rep, cert_rep})
2025-09-11 05:20:23 | ti!0B3D7BD94996 | ...\\Downloads\\...c11c.exe | 0b3d7b...c11c | explorer.exe | Quarantined | section execute | hti | hti:{2,2,0,[]},cache:{0,0,0,[]},uwp:{0,0,0,[]},signature:{0,50,0,[]},trust-dat:{2,2,0,[]},hti:{2,2,0,[]},rp-s:{0,1,0,[]},av:{0,50,0,[]},neo:{0,50,0,[]}
2025-09-11 15:57:39 | Trojan:Script/SuspiciousPowershell.D | [memory] app: powershell.exe | N/A | powershell.exe | Infected | IAntiMalware | neo | neo:{0,1,0,[]},cache:{0,0,0,[]},signature:{0,0,0,[]},rp-fileless:{45,45,0,[]},av:{0,50,0,[]},neo:{0,1,0,[]}
2025-09-11 15:57:41 | Trojan:Script/SuspiciousPowershell.D | [memory] app: powershell.exe | N/A | powershell.exe | Infected | IAntiMalware | cache | cache:{0,1,0,[]},cache:{0,1,0,[]}
2025-09-11 15:59:03 | ti!9006CC5EB7A7 | ...\\Downloads\\...7434.js | 9006cc...7434 | N/A (ods) | Quarantined | ods | hti | hti:{2,2,0,[]},cache:{0,0,0,[]},uwp:{0,0,0,[]},signature:{0,50,0,[]},hti:{2,2,0,[]},rp-s:{0,0,0,[]},av:{0,50,0,[]},neo:{0,50,0,[]}
2025-09-11 15:59:13 | ti!D38FEE12D409 | ...\\Temp\\...\\dEgFCsv.exe | d38fee...b33e | wscript.exe | Quarantined | section execute | hti | hti:{2,2,0,[]},cache:{0,0,0,[]},uwp:{0,0,0,[]},signature:{0,50,0,[]},trust-dat:{2,2,0,[]},hti:{2,2,0,[]},rp-s:{0,1,0,[]},av:{0,50,0,[]},neo:{0,50,0,[]}
2025-09-11 15:59:36 | hti!9189fbd1 | ...\\Temp\\...\\XW6KHnp.exe | d38fee...b33e | wscript.exe | Quarantined | section execute | hti | hti:{2,2,0,[]},cache:{0,0,0,[]},uwp:{0,0,0,[]},signature:{0,50,0,[]},trust-dat:{2,2,0,[]},hti:{2,2,0,[]},rp-s:{0,1,0,[]},av:{0,50,0,[]},neo:{0,50,0,[]}
2025-09-11 16:42:36 | Trojan:Script/Asyncrat.B!1 | ...\\Downloads\\...4430.vbs | 12c3d3...4430 | VBScript | Quarantined | IAntiMalware | neo | neo:{0,1,0,[]},cache:{0,0,0,[]},signature:{0,50,0,[]},rp-fileless:{0,50,0,[]},av:{0,50,0,[]},neo:{0,1,0,[]}
2025-09-11 16:45:58 | Trojan:Script/SuspiciousPowershell.D | [memory] app: powershell.exe | N/A | powershell.exe | Infected | IAntiMalware | neo | neo:{0,1,0,[]},cache:{0,0,0,[]},signature:{0,0,0,[]},rp-fileless:{45,45,0,[]},av:{0,50,0,[]},neo:{0,1,0,[]}
2025-09-11 16:46:00 | Trojan:Script/SuspiciousPowershell.D | [memory] app: powershell.exe | N/A | powershell.exe | Infected | IAntiMalware | cache | cache:{0,1,0,[]},cache:{0,1,0,[]}
2025-09-13 00:20:47 | ti!0B3D7BD94996 | ...\\Downloads\\...c11c.exe | 0b3d7b...c11c | N/A (ods) | Quarantined | ods | hti | hti:{2,2,0,[]},cache:{0,0,0,[]},uwp:{0,0,0,[]},signature:{0,50,0,[]},trust-dat:{2,2,0,[]},hti:{2,2,0,[]},rp-s:{0,1,0,[]},av:{0,50,0,[]},neo:{0,50,0,[]}
2025-09-13 00:22:50 | ti!3811770F5C23 | ...\\Temp\\gjzunw.exe | 381177...755c | powershell.exe | Quarantined | section execute | rp-s | rp-s:{1,1,0,[45]},cache:{0,0,0,[]},uwp:{0,0,0,[]},signature:{0,50,0,[]},trust-dat:{50,50,0,[45]},hti:{50,50,0,[45]},rp-s:{1,1,0,[45]},av:{0,50,0,[]},neo:{0,50,0,[]}
2025-09-13 00:24:28 | AMSI-FZI!E97D61EAFE44 | [memory] app: powershell.exe | N/A | powershell.exe | Infected | IAntiMalware | av | av:{0,1,0,[]},cache:{0,0,0,[]},signature:{0,0,0,[]},rp-fileless:{45,45,0,[]},av:{0,1,0,[]},neo:{0,1,0,[]}
2025-09-13 00:25:06 | ti!3811770F5C23 | ...\\Temp\\jqmpvn.exe | 381177...755c | powershell.exe | Quarantined | section execute | rp-s | rp-s:{1,1,0,[45]},cache:{0,0,0,[]},uwp:{0,0,0,[]},signature:{0,50,0,[]},trust-dat:{50,50,0,[45]},hti:{50,50,0,[45]},rp-s:{1,1,0,[45]},av:{0,50,0,[]},neo:{0,50,0,[]}
2025-09-13 00:25:59 | Trojan:Script/Remcos.VDN | ...\\Downloads\\...2b45.vbs | e867d9...2b45 | VBScript | Quarantined | IAntiMalware | neo | neo:{0,1,0,[]},cache:{0,0,0,[]},signature:{0,50,0,[]},rp-fileless:{0,50,0,[]},av:{0,50,0,[]},neo:{0,1,0,[]}
2025-09-13 00:52:38 | ti!1B3C1BF3BFE8 | ...\\Downloads\\...d278.bat | 1b3c1b...d278 | explorer.exe | Quarantined | section execute | hti | hti:{2,2,0,[]},cache:{0,0,0,[]},uwp:{0,0,0,[]},signature:{0,50,0,[]},trust-dat:{0,50,0,[]},hti:{2,2,0,[]},rp-s:{0,0,0,[]},av:{0,50,0,[]},neo:{0,50,0,[]}
2025-09-13 01:05:23 | ti!EAD0485D49C8 | ...\\Downloads\\...524c.exe | ead048...524c | explorer.exe | Quarantined | section execute | hti | hti:{2,2,0,[]},cache:{0,0,0,[]},uwp:{0,0,0,[]},signature:{0,50,0,[]},trust-dat:{2,2,0,[]},hti:{2,2,0,[]},rp-s:{2,2,0,[]},av:{0,50,0,[]},neo:{0,50,0,[]}
2025-09-13 01:07:58 | ti!DF847F7AF404 | ...\\Desktop\\...524c.exe | df847f...2dd5 | msedge.exe | Quarantined | IOfficeAntivirus | rp-s | rp-s:{1,1,70,[]},cache:{0,0,0,[]},signature:{0,50,0,[]},trust-dat:{50,50,70,[]},hti:{50,50,70,[]},rp-s:{1,1,70,[]},av:{0,50,0,[]},neo:{0,50,0,[]}
2025-09-13 01:09:07 | ti!276058E69F94 | ...\\Desktop\\...524c.exe | 276058...d963 | msedge.exe | Quarantined | IOfficeAntivirus | rp-s | rp-s:{1,1,70,[]},cache:{0,0,0,[]},signature:{0,50,0,[]},trust-dat:{50,50,70,[]},hti:{50,50,70,[]},rp-s:{1,1,70,[]},av:{0,50,0,[]},neo:{0,50,0,[]}
2025-09-13 01:09:37 | ti!276058E69F94 | ...\\Downloads\\...524c.exe | 276058...d963 | msedge.exe | Quarantined | IOfficeAntivirus | rp-s | rp-s:{1,1,70,[]},cache:{0,0,0,[]},signature:{0,50,0,[]},trust-dat:{50,50,70,[]},hti:{50,50,70,[]},rp-s:{1,1,70,[]},av:{0,50,0,[]},neo:{0,50,0,[]}
The array indexes for every component:
0 - looks like the offline detection
1 - looks like the detection double-checked with the cloud (HTI)
2 - URL reputation (in some cases being 70)
[] - certificate(s) reputation, an array within the array (all these files are unsigned, so nothing is returned there; it returns higher numbers on signed malware).

2025-09-13 00:22:50 | ti!3811770F5C23 | ...\\Temp\\gjzunw.exe | 381177...755c | powershell.exe | Quarantined | section execute | rp-s | rp-s:{1,1,0,[45]},cache:{0,0,0,[]},uwp:{0,0,0,[]},signature:{0,50,0,[]},trust-dat:{50,50,0,[45]},hti:{50,50,0,[45]},rp-s:{1,1,0,[45]},av:{0,50,0,[]},neo:{0,50,0,[]}
This malware is signed, and some components considered the signature, returning [45].

I think not all these numbers represent confidence levels; for example, in some cases AV or Real Protect Static returned just 1, but they were still the final source, like above. In other cases AV returns as high as 50, but it's still not the final source.

Then, for the final detection source, it seems to prefer not weak classifiers but engines that are a definitive source of truth:
2025-09-13 00:24:28 | AMSI-FZI!E97D61EAFE44 | [memory] app: powershell.exe | N/A | powershell.exe | Infected | IAntiMalware | av | av:{0,1,0,[]},cache:{0,0,0,[]},signature:{0,0,0,[]},rp-fileless:{45,45,0,[]},av:{0,1,0,[]},neo:{0,1,0,[]}
AV returned just 1 and RP-fileless returned 45, yet AV was the source, because it probably applies some weighting to all of that.

Very complicated decision matrix overall 😵‍💫:D

But that's why I like it.
 
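An added example, not McAfee's code or the poster's: a small parser for the "All Engine Detections" column using the index meanings listed in the post above. It assumes the column's leading entry repeats the engine named in "Final Source", which holds for every row of the quoted log, and it only uses rows already on the page as sample input.

```python
import re
from dataclasses import dataclass

# Sample input copied from two rows quoted in the thread (engine column only);
# the dict keys are the detection names from those rows.
SAMPLE_ROWS = {
    "ti!3811770F5C23": ("rp-s:{1,1,0,[45]},cache:{0,0,0,[]},uwp:{0,0,0,[]},"
                        "signature:{0,50,0,[]},trust-dat:{50,50,0,[45]},"
                        "hti:{50,50,0,[45]},rp-s:{1,1,0,[45]},av:{0,50,0,[]},"
                        "neo:{0,50,0,[]}"),
    "AMSI-FZI!E97D61EAFE44": ("av:{0,1,0,[]},cache:{0,0,0,[]},signature:{0,0,0,[]},"
                              "rp-fileless:{45,45,0,[]},av:{0,1,0,[]},neo:{0,1,0,[]}"),
}

# One engine entry: name:{file_rep,hti_rep,url_rep,[cert_rep,...]}
ENGINE_RE = re.compile(r"([\w-]+):\{(\d+),(\d+),(\d+),\[([\d,]*)\]\}")


@dataclass
class Verdict:
    file_rep: int        # index 0: offline verdict
    hti_rep: int         # index 1: verdict double-checked with the cloud (HTI)
    url_rep: int         # index 2: URL reputation of the file's origin
    cert_rep: list[int]  # index 3: per-certificate reputation, empty when unsigned


def final_source(detections: str) -> str:
    """Assumption: the leading entry repeats the Final Source engine."""
    return ENGINE_RE.match(detections).group(1)


def parse_detections(detections: str) -> dict[str, Verdict]:
    """Parse the column into {engine: Verdict}; the repeated leading entry collapses."""
    out: dict[str, Verdict] = {}
    for name, f, h, u, certs in ENGINE_RE.findall(detections):
        out[name] = Verdict(int(f), int(h), int(u), [int(c) for c in certs.split(",") if c])
    return out


def is_signed(verdicts: dict[str, Verdict]) -> bool:
    """A non-empty cert_rep array means some engine evaluated a certificate."""
    return any(v.cert_rep for v in verdicts.values())


def highest_scoring_engine(verdicts: dict[str, Verdict]) -> str:
    """Engine with the largest file/HTI score (first one wins on ties)."""
    return max(verdicts, key=lambda n: max(verdicts[n].file_rep, verdicts[n].hti_rep))


if __name__ == "__main__":
    for name, column in SAMPLE_ROWS.items():
        v = parse_detections(column)
        print(name, "final:", final_source(column), "top:", highest_scoring_engine(v),
              "signed:", is_signed(v))
```

Running it on the AMSI row shows the point made above: the top-scoring engine (rp-fileless, 45) is not the final source (av, 1).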