Serious Discussion Quick Play with McAfee

Which shows how fickle this forum can be as it wasn't that long ago when almost everyone here hated it.
I decided on McAfee myself. After 21 years of using Kaspersky, I got tired of the Russian knife. It's still cumbersome on the system. And from what I can see, the company isn't going to change that.
 
changing frequently, especially as regards one's loyalties, interests, or affection.
“Strength is irrelevant. Resistance is futile. We wish to improve ourselves. We will add your biological and technological distinctiveness to our own. Your culture will adapt to service us.”

(might have got away with those two comments as no mods around) :cool:
 
I have thought for some time that as many now have fast fibre internet (not all) the need for info to be on a user's system & updated constantly with large downloads that are kept on the user's system shouldn't be needed - I often felt that Webroot & Panda could have done far, far better than they ever did & exploited that, I was a bit of a fan of Panda a few years ago - Webroot never got it right, they bragged about their installer fitting on an old floppy but never mentioned the extremely ginormous WRDATA monitoring files that appeared on the system if you were to use anything out of the ordinary, with them it was a case of frequently whitelisting your own files & uploading the results to support, and I always thought that was the job of the AV company.

McAfee seems to have got it right, slower full scans may be an issue for some, 'maybe' because of uploading data? but it does seem that things are changing as regards the so called cloud, I don't know the full science of how McAfee compares to Bitdefender etc (Trident does) for example but the days of old systems seem to be changing & probably the cat is now out of the bag, I do notice that images I make with McAfee installed stay the same size but with others grow week by week, not a problem at all but shows how it is different.

Change is for me the only constant there actually is, this applies to absolutely everything?
 
The analysis and play with McAfee continues. Today's work reveals that McAfee is using memory content scan: it is capable of scanning the underlying process code, as opposed to just getting the image path and scanning it on disk.

Some of these threats were taken from real attacks and copy-pasted in PowerShell. Others have extremely low VT detection.


Timestamp(s): 7:05 PM, 7:14 PM, 7:15 PM
Action Taken: ❗ Infected (Detected in Memory)
Target: [memory] PowerShell.exe
SHA256 Hash: N/A (Memory Scan)
TLSH: N/A
Key Engines: rp-fileless (50, 50, 45), neo (50, 50, 1)


Timestamp: 2025-07-28 at 7:11:45 PM BST
Action Taken: ❗ Infected (Behavior Blocked)
Target: C:\...\aspnet_compiler.exe
SHA256 Hash: 923c541ce782bf45a3d338487e6f411cd11ab0b98eb9775a2d2065dff39a4f37
TLSH: Not Provided
Engines: rp-d (1), cache (99)


Timestamp: 2025-07-28 at 7:18:02 PM BST
Action Taken: ❗ Infected (Behavior Blocked)
Target: C:\...\certutil.exe
SHA256 Hash: 0693b1964ce3e578d61cbe1d7dec28737cad29147d89fe6fe537dd591a0a68bb
TLSH: Not Provided
Engines: rp-d (1), cache (99)


Timestamp: 2025-07-28 at 7:18:05 PM BST
Action Taken: ✅ Infection Quarantined
Target: C:\Users\user\AppData\Local\Temp\pipe\XORLoader.ps1
SHA256 Hash: b9b34908dd298d8a43b2306f81370bf9af0c9e49a8c33110b021f2739c0b58b2
TLSH: Not Provided
Engines: signature (50), av (50), neo (50)
Where can I find logs like yours?
 
I don't know the full science of how McAfee compares to Bitdefender
At the end of the day, they are both doing the same job. If someone wants to beat around the bush, test them in unrealistic scenarios with malware packs and so on, both McAfee and Bitdefender will fail. Bitdefender is not the king of AVs.

McAfee does what Bitdefender does without the hourly updates and the massive database.

In terms of technology behind them, they have similar offerings.
 
I am still working out the McAfee detections and logs, the log contains something like this (from another thread).

Detection Source   File Reputation   HTI Reputation   Comment
hti                4                 4                online reputation reports the file as malicious
cache              0                 0                nothing in cache, as detections are cached only once they occur, not before that
uwp                0                 0                not a UWP app
signature          0                 50               picked up by a Yara rule
trust-dat          4                 4                file is untrusted
rp-s               4                 4                minor tweaks to the final score; RealProtect static analysis deems the file suspicious
av                 0                 1                these verdicts are minor tweaks to the final score
neo                0                 1                minor tweaks to the final score

The “Cache” appears to come into play when behavioural-based detections occur. McAfee likely refers to the behavioural blocking database (the one where actions are recorded) as “Cache”.

Detections from the “Cache” are named “Cache!<part of SHA256>”
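Added example, not McAfee's code and not posted by anyone in this thread: a small Python triage helper that reads detection records in the Field/Value layout shown in the earlier post into structured entries, separates memory-scan hits (which carry no file hash, so there is nothing to look up on VirusTotal) from file hits, and resolves a "Cache!<part of SHA256>" detection name back to the full hash recorded for an earlier file detection. The record layout, the helper names (`parse_records`, `resolve_cache_name`, `triage`) and the prefix-matching rule are my assumptions; the sample SHA256 values are the ones posted above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in a "Key: Value" layout mirroring the detections posted above.
# The hashes are the ones from this thread; the layout itself is an assumption.
SAMPLE_RECORDS = """\
Timestamp: 2025-07-28 at 7:18:02 PM BST
Action Taken: Infected (Behavior Blocked)
Target: C:\\...\\certutil.exe
SHA256 Hash: 0693b1964ce3e578d61cbe1d7dec28737cad29147d89fe6fe537dd591a0a68bb
TLSH: Not Provided
Engines: rp-d (1), cache (99)

Timestamp: 2025-07-28 at 7:18:05 PM BST
Action Taken: Infection Quarantined
Target: C:\\Users\\user\\AppData\\Local\\Temp\\pipe\\XORLoader.ps1
SHA256 Hash: b9b34908dd298d8a43b2306f81370bf9af0c9e49a8c33110b021f2739c0b58b2
TLSH: Not Provided
Engines: signature (50), av (50), neo (50)

Timestamp: 7:05 PM, 7:14 PM, 7:15 PM
Action Taken: Infected (Detected in Memory)
Target: [memory] PowerShell.exe
SHA256 Hash: N/A (Memory Scan)
TLSH: N/A
Engines: rp-fileless (50, 50, 45), neo (50, 50, 1)
"""

ENGINE_RE = re.compile(r"([A-Za-z0-9\-]+)\s*\(([^)]*)\)")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)


@dataclass
class Detection:
    timestamp: str
    action: str
    target: str
    sha256: Optional[str]                 # None when the hit is a memory scan (no file hash)
    engines: Dict[str, Tuple[int, ...]]   # engine name -> the numbers in its parentheses


def parse_engines(text: str) -> Dict[str, Tuple[int, ...]]:
    """'rp-d (1), cache (99)' -> {'rp-d': (1,), 'cache': (99,)}."""
    engines: Dict[str, Tuple[int, ...]] = {}
    for name, numbers in ENGINE_RE.findall(text):
        engines[name] = tuple(int(n) for n in numbers.split(",") if n.strip())
    return engines


def parse_records(text: str) -> List[Detection]:
    """Split blank-line separated 'Key: Value' blocks into Detection entries."""
    records: List[Detection] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")   # split on the first colon only
            fields[key.strip().lower()] = value.strip()
        raw_hash = fields.get("sha256 hash", "")
        records.append(Detection(
            timestamp=fields.get("timestamp", fields.get("timestamp(s)", "")),
            action=fields.get("action taken", ""),
            target=fields.get("target", ""),
            sha256=raw_hash.lower() if SHA256_RE.match(raw_hash) else None,
            engines=parse_engines(fields.get("engines", "")),
        ))
    return records


def is_memory_detection(d: Detection) -> bool:
    """Memory-scan hits have no file on disk to hash, so hash lookups do not apply."""
    return d.sha256 is None or d.target.lower().startswith("[memory]")


def resolve_cache_name(name: str, known_hashes) -> List[str]:
    """Map a 'Cache!<part of SHA256>' detection name to the full hashes it could refer to.

    Returns every known hash sharing the prefix (a short prefix may be ambiguous),
    or an empty list when the name is not a Cache detection or nothing matches.
    """
    if not name.lower().startswith("cache!"):
        return []
    prefix = name.split("!", 1)[1].strip().lower()
    if not prefix:
        return []
    return sorted(h for h in known_hashes if h.startswith(prefix))


def triage(records: List[Detection]) -> List[Tuple[str, str, str]]:
    """Return (target, kind, pivot) rows: file hits pivot on the hash, memory hits on the process."""
    rows = []
    for d in records:
        if is_memory_detection(d):
            rows.append((d.target, "memory", "no file hash; pivot on process name and command line"))
        else:
            rows.append((d.target, "file", d.sha256))
    return rows


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for row in triage(recs):
        print(row)
    hashes = {r.sha256 for r in recs if r.sha256}
    print(resolve_cache_name("Cache!0693b196", hashes))
```

The point of keeping memory hits separate is that a "[memory] PowerShell.exe" entry names the host process, not the script or payload that was injected into it, so the useful pivots are the process tree and command line rather than a hash; the Cache prefix resolution is deliberately returning a list because a short prefix can match more than one known hash.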
 
I tested this file from the following link:
VirusTotal

When I tested it, it wasn't yet detected by McAfee on VirusTotal. However, McAfee immediately quarantined the file on my system. Around 20 minutes later, VirusTotal also started recognizing it.

 
I used to really like it. I was always sad that it closed. :)
I’m guessing this one has similar architecture, though quite a lot of patents, like the multi-modal malware analysis through bucketizing or rendering pages in a headless “invisible” browser for visual analysis, are recent. This technology couldn’t have been in Gamers Security. But performance-wise it is probably the same. This version has no games optimiser though.
 
This version has no games optimiser though.
Kerish Doctor is doing a good job with this right now, so I can live without this feature in my antivirus. :) Maybe I'll try McAfee in the future. I need to look for some good discounts. By the way, if I'm not mistaken, they used to have a pretty advanced IP filter based on a huge database, which other home products didn't offer. Am I wrong or not? Do they still have it?
 
Kerish Doctor is doing a good job with this right now, so I can live without this feature in my antivirus. :) Maybe I'll try McAfee in the future. I need to look for some good discounts. By the way, if I'm not mistaken, they used to have a pretty advanced IP filter based on a huge database, which other home products didn't offer. Am I wrong or not? Do they still have it?
I found this cheap license:

McAfee now has rewritten firewall that feels a lot like the Trend Micro Firewall Booster.
Rules and inbound monitoring are handled by Windows Firewall, whilst outbound connections are monitored through the McAfee firewall, which uses this massive database (part of GTI) to block connections to malicious domains and IP addresses.

On Chinese forums they call it Anti-RAT.
 
I tested this file from the following link:
VirusTotal

When I tested it, it wasn't yet detected by McAfee on VirusTotal. However, McAfee immediately quarantined the file on my system. Around 20 minutes later, VirusTotal also started recognizing it.

The suspicious file on your link has been seen in VT since July 13 and AV vendors already got a copy of that exact file.

Likely this is a FP due to the file being UNSIGNED. If this is a TP, this will be flagged by MOST AV vendors by now in their Labs and will not be flagged by heuristics.
 
The suspicious file on your link has been seen in VT since July 13 and AV vendors already got a copy of that exact file.

Likely this is a FP due to the file being UNSIGNED. If this is a TP, this will be flagged by MOST AV vendors by now in their Labs and will not be flagged by heuristics.
It’s detected due to suspicious modifications that have been made after the file was compiled, like manually modifying the file version and so on. That plus the lack of digital signature are highly suspicious.

The file was probably not malicious on its own but was used as part of DLL side loading (probably came in an archive with a DLL).
 
File matches rule skip20_sqllang_hook from ruleset skip20_sqllang_hook at GitHub - eset/malware-ioc: Indicators of Compromises (IOC) of our various investigations
The rule name skip20_sqllang_hook suggests that it’s related to malware that hooks into SQL Server or similar database-related processes. Malware might use this kind of technique to:
  • Intercept or alter SQL commands
  • Execute code via SQL Server
  • Steal credentials or data from within the system
 
File matches rule skip20_sqllang_hook from ruleset skip20_sqllang_hook at GitHub - eset/malware-ioc: Indicators of Compromises (IOC) of our various investigations
The rule name skip20_sqllang_hook suggests that it’s related to malware that hooks into SQL Server or similar database-related processes. Malware might use this kind of technique to:
  • Intercept or alter SQL commands
  • Execute code via SQL Server
  • Steal credentials or data from within the system
Are you referring to Yara Rules or Snort Rules?
If you can post the exact link that would be better. Rules from those are mostly noisy with higher chance of False Positive. Requires more fine tuning I would say.