Serious Discussion Quick Play with McAfee

Trident

The analysis and play with McAfee continues. Today's work reveals that McAfee is using memory content scan: it is capable of scanning the underlying process code, as opposed to just getting the image path and scanning it on disk.

Some of these threats were taken from real attacks and copy-pasted in PowerShell. Others have extremely low VT detection.


Timestamp(s): 7:05 PM, 7:14 PM, 7:15 PM
Action Taken: ❗ Infected (Detected in Memory)
Target: [memory] PowerShell.exe
SHA256 Hash: N/A (Memory Scan)
TLSH: N/A
Key Engines: rp-fileless (50, 50, 45), neo (50, 50, 1)


Timestamp: 2025-07-28 at 7:11:45 PM BST
Action Taken: ❗ Infected (Behavior Blocked)
Target: C:\...\aspnet_compiler.exe
SHA256 Hash: 923c541ce782bf45a3d338487e6f411cd11ab0b98eb9775a2d2065dff39a4f37
TLSH: Not Provided
Engines: rp-d (1), cache (99)


Timestamp: 2025-07-28 at 7:18:02 PM BST
Action Taken: ❗ Infected (Behavior Blocked)
Target: C:\...\certutil.exe
SHA256 Hash: 0693b1964ce3e578d61cbe1d7dec28737cad29147d89fe6fe537dd591a0a68bb
TLSH: Not Provided
Engines: rp-d (1), cache (99)


Timestamp: 2025-07-28 at 7:18:05 PM BST
Action Taken: ✅ Infection Quarantined
Target: C:\Users\user\AppData\Local\Temp\pipe\XORLoader.ps1
SHA256 Hash: b9b34908dd298d8a43b2306f81370bf9af0c9e49a8c33110b021f2739c0b58b2
TLSH: Not Provided
Engines: signature (50), av (50), neo (50)
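The records above show the difference that matters to a responder: the in-memory PowerShell detections carry no file hash at all, the behavior blocks name a clean system binary (its hash only identifies the binary, not the threat), and only the quarantined script gives a hash worth searching elsewhere. The following is an added example (not from this post and not McAfee's own tooling) that parses records in a "Field: Value" layout constructed from the tables above, extracts the per-engine scores, and classifies each record by what can be pivoted on:

```python
import re
# Constructed sample: three detection records from the tables above, transcribed
# into a "Field: Value" layout (hashes and engine scores are the ones shown there).
RAW_RECORDS = """Timestamp(s): 7:05 PM, 7:14 PM, 7:15 PM
Action Taken: Infected (Detected in Memory)
Target: [memory] PowerShell.exe
SHA256 Hash: N/A (Memory Scan)
Key Engines: rp-fileless (50, 50, 45), neo (50, 50, 1)

Timestamp: 2025-07-28 at 7:18:02 PM BST
Action Taken: Infected (Behavior Blocked)
Target: C:\\...\\certutil.exe
SHA256 Hash: 0693b1964ce3e578d61cbe1d7dec28737cad29147d89fe6fe537dd591a0a68bb
Engines: rp-d (1), cache (99)

Timestamp: 2025-07-28 at 7:18:05 PM BST
Action Taken: Infection Quarantined
Target: C:\\Users\\user\\AppData\\Local\\Temp\\pipe\\XORLoader.ps1
SHA256 Hash: b9b34908dd298d8a43b2306f81370bf9af0c9e49a8c33110b021f2739c0b58b2
Engines: signature (50), av (50), neo (50)
"""
SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)
ENGINE_RE = re.compile(r"([\w-]+) \(([\d, ]+)\)")  # e.g. "neo (50, 50, 1)"

def parse_records(text):
    records = []
    for chunk in text.strip().split("\n\n"):  # records are blank-line separated
        rec = {}
        for line in chunk.splitlines():
            field, _, value = line.partition(":")  # first colon only, so that
            rec[field.strip()] = value.strip()     # "C:\..." paths stay intact
        records.append(rec)
    return records

def engine_scores(rec):
    """Turn 'rp-fileless (50, 50, 45), neo (50, 50, 1)' into {name: [scores]}."""
    field = rec.get("Engines") or rec.get("Key Engines", "")
    return {n: [int(s) for s in sc.split(",")] for n, sc in ENGINE_RE.findall(field)}

def triage(rec):
    sha = rec.get("SHA256 Hash", "")
    if rec.get("Target", "").startswith("[memory]"):
        kind = "memory"    # no disk artefact and no hash: look at the live process and script-block logs
    elif "Quarantined" in rec.get("Action Taken", ""):
        kind = "file"      # a quarantined file whose hash can be searched elsewhere
    else:
        kind = "behavior"  # a system binary blocked for what it did; its hash only names the clean binary
    pivot = sha.lower() if SHA256_RE.match(sha) else None
    return {"kind": kind, "pivot_hash": pivot, "engines": engine_scores(rec)}
```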
 
Thank you for sharing your detailed analysis on McAfee's memory content scan. It's interesting to see how it's capable of detecting threats in real-time, even in the underlying process code. The fact that it can handle threats from real attacks and those with low VT detection is impressive. The tables you provided give a clear picture of the actions taken, targets, and engines involved. This will be helpful for others in understanding McAfee's capabilities.
 
Thanks for sharing this, bro! Now I'm even happier that I invested in McAfee at the end of the week. It was a good decision. I'm satisfied, even though I was a Kaspersky user for 21 years.
 
Which shows how fickle this forum can be as it wasn't that long ago when almost everyone here hated it.
I'm not sure about the word fickle, but maybe with the changes McAfee has made, the reviews, the feedback from the members, along with this thread, it's being done more out of insight?

But yes, it had a hard reputation to overcome, and maybe still does with some. And I admit it, when I got my Dell notebook (even with the HP notebook) that was the first thing I uninstalled, whatever version of McAfee it was.
 
Thank you for sharing your detailed analysis @Trident . I'll try McAfee. I'm currently using ESET, and Kaspersky and K7 are my all-time favourites.
 
Everyone makes jokes about McAfee, but they have been making huge moves in the background. :ROFLMAO: I remember when they tested their cloud-only protection back when McAfee Gamer Security came out. Took a while to get here, but I am super happy we went from 15 processes down to 4 (at most). I just wish they would make a dark mode theme because that bright white theme blinds me at night.
 
15 processes previously, that's BD territory. Will it go into dark mode if you change the Windows 11 theme to Dark? But yes, it's always nice to have that option within the app itself.
 
If you are talking about BD, then dark mode follows the system default, or you can change it in the BD GUI. But McAfee does not have dark mode; the GUI is all white, and that doesn't bother me because the GUI is simple and intuitive, and you don't interact with it much of the time. McAfee comes with a default gold configuration, so you don't need to do any configuration. You install the product and forget about it; you just configure it to enable the VPN on unsecured Wi-Fi networks, that's it, McAfee has zero settings. I liked that; users with a certain level of advanced knowledge may not like it. But for me, the most important thing is the efficiency in detecting and neutralising malware, and McAfee protecting me from these pests and keeping my machine clean is great. ;)
 
changing frequently, especially as regards one's loyalties, interests, or affection.
This is what I had in mind in my post, that they weren't changing as in the definition below, but out of new knowledge and insight. But, we all can get a little giddy here at times and play the AV roulette wheel 😅 😅

Likely to change your opinion or your feelings suddenly and without a good reason.
 
I guess it's fine to swap antiviruses as often as you like and favour the one doing ''best''.

McAfee got a new cloud version and improved a lot in a short time,
meanwhile F-Secure downgraded to an Avira clone in the same time.
I mean that these things happen in a short period: someone can totally surprise with success and others can just flop badly. But there are some products, like Kaspersky, that have done well over a long period and probably are rated high because of that (they have gained trust by being good long term), meanwhile McAfee has been the worst for years and probably has the worst reputation, so no one thinks it's a good choice or that it could change, but it seems they can improve, and by a lot.

It's good we have @Trident and many other members that try out these not-so-often-used antiviruses; it would get boring to just test and promote the same top 3 antiviruses constantly.
 
I'm not sure about the word fickle
Fickle (formal)... You're sophisticated beyond our comprehension; we're just not refined enough to appreciate your ever-changing preferences! :)

Fickle (informal)... is like ordering a salad and then stealing fries! 😊
 
McAfee has zero settings
McAfee actually has a lot of settings, just not settings for the antivirus module.

When you go on protection.mcafee.com, there is quite a lot to setup.

Locally in the app, there are some settings here and there.

For example, on the scanner window there is scan speed selection, telemetry control and the option to shut down the machine.
In the Web Advisor settings there are exceptions, search result indicators on/off, and social network protection.

In the console, there are antivirus exceptions, firewall exceptions, and VPN settings (like location, split tunnel and so on).

So there are still some personalisation and setup options; it's just that the typical heuristic aggression levels and so on have been omitted.