Solved

McAfee is a keystroke logger

Posted on 2004-07-30
8
2,663 Views
Last Modified: 2013-12-04
So, I am demoing the Cisco Security Agent and Cisco works software.  I installed it on my desktop and laptop which also has McAfee Anti-Virus software.  The security agent activly monitors your computer checking for all kinds of viruses, port scans, keystroke loggers, etc..  The first thing that the Agent detected on both systems was the the c:\programfiles\network associates\common framework\frameworkservice.exe captures all of your keystrokes.  (frameworkservice.exe is a process associated with McAfee)

Any one else know about this?  Is this part of the On-Access Scan feature?  Is this a threat?  Where are all the keystrokes logged?

I am just wondering, I search the Internet and found nothing about it.
0
Comment
Question by:ngravatt
  • 4
  • 2
  • 2
8 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
Comment Utility
This must be incorrect... or somesort of a False positive... McAfee detects Keyloggers, and therefor must contain a certain amount of the keyloggers code, in order to match it to the actual kloggers, it does the same thing with viri, they put in little bits of code that are unique to the viri, and AV's match that code to programs and they are detected as a virus. However, the DAT's are encoded(encrypted if you will) in such a way that they are obufacated, so that they aren't detected as the viri... from other AV solutions.... I've had CSA installed for some time, and I run McAfee 7.1- it's never reported this behaviour to me. What version of McAfee are you running? Also the version of CSA your running
http://www.cisco.com/en/US/products/sw/secursw/ps5057/prod_release_note09186a008019b760.html#67958 (known issues)
You should perhaps report this to mcafee and cisco... perhaps they have an answer/workaround...

http://www.cisco.com/en/US/products/sw/secursw/ps5057/products_qanda_item09186a00801f8e5a.shtml
Q. What other software can be loaded in an IP Communications server that is running the Cisco Security Agent headless agent?
A. The policies provide support for several Cisco approved, third-party monitoring tools and co-resident applications. For Cisco CallManager, Cisco Emergency Responder, Cisco Conference Connection, Cisco IP-IVR, Cisco IP Queue Manager and Cisco IPCC Express; the following software can be running on the same server on which the headless or managed agent is installed:

    * McAfee VirusScan 7.0
    * Symantec AntiVirus Corporate Edition 8.0
    * HP OpenView Performance Manager v. 3.3
    * HP OpenView Operations Agent 7.1
    * Micromuse Netcool VoIP Manager 1.0
    * NetIQ Vivinet Manager 2.1
    * Concord eHealth Monitor 5.6.5
    * Integrated Research Prognosis 7.07
    * Trend Micro ServerProtect 5
    * Windows Terminal Services
    * Real VNC

-rich

0
 
LVL 10

Author Comment

by:ngravatt
Comment Utility
I am running McAfee Virus Scan 7.1.  The CSA is version 4.0-1 build 540.
I wish i could post a picture of the screenshot when the agent detects it.  No one else I know has ever seen this.
It says exactly:  c:\...\FrameworkService.exe is trying to capture all keystrokes. THis is characteristic of remote control software or a trojan. Allow or disable.
The same thing happend on two different machines.
I am sure it must be some type of false postive, but it concerns me that McAfee captures all keystrokes.

What agent kit or rules do you have running in you CSA?
0
 
LVL 2

Expert Comment

by:billyea
Comment Utility
It is a false positive.
Perhaps a virus snuck into the computer, replaced framework.exe with a REAL keystroke logger. Then naming itself as MCAffee.

Heres a few pointers:

When you are asked 'Allow' or 'Disable'.
Choose Disable and see what happens to McAffee (test it).
If nothing happens, something has replaced the REAL frameworkservice.exe with a keystroke logger.
0
 
LVL 2

Expert Comment

by:billyea
Comment Utility
If thid doesn't work, ignore it.
I BET YOU 10000000000000000000000 dollars that it is a false alarm.
0
Free camera licenses with purchase of My Cloud NAS

Milestone Arcus software is compatible with thousands of industry-leading cameras for added flexibility. Upon installation on your My Cloud NAS, you will receive two (2) camera licenses already enabled in the software. And for a limited time, get additional camera licenses FREE.

 
LVL 38

Accepted Solution

by:
Rich Rumble earned 200 total points
Comment Utility
Using this hasher my "FrameworkService.exe's" have the following hash's
http://ntsecurity.nu/toolbox/filehasher/
C:\..\>filehasher.exe FrameworkService.exe -md5
FileHasher 1.1  - (c) 2002, Arne Vidstrom, arne.vidstrom@ntsecurity.nu
MD5 hash: f7bcb6ce d5f42ebf b8975a88 dee773d4
SHA hash: 6820e377 4ed9cd84 df983222 4b787f88 f732aa74

The file (frameworkservice.exe) has these properties:
filesize 106,586 bytes
BuildDate 9/10/2003
BuildNumber 184
FileVersion 3.1.1.184
===Running===
mcafee 7.1.0
Virus Desfinitions 4383
Created Aug 4th 2004
Scan Engine 4.3.20
---
I'd write cisco (tac@cisco.com) if this were my issue, and see if they've encoutered this prior... again, I am unable to duplicate- I've changed my settings for just about everything mcafee does... no alarms. Also, I can find no viri that replace or rename themselves as framework... I think's its a FP- because mcafee has klogger detection definitions (find joke and potentially unwanted programs) you may try to toggle that on and off to see if that is setting it off- it didn't for me, but who knows.
http://vil.nai.com/images/VSE7-ODS-PROGRAM.gif

-rich



0
 
LVL 10

Author Comment

by:ngravatt
Comment Utility
good point.  

All this was done on a test machine that COULD NOT have been infected with a virus.  I installed the OS, got the updates, then installed Mcafee and then CSA.

billyea-
I selected disable and it seemed as if Mcafee was still working fine.

rich-
i am betting that is a false positve.  I wanted to ask and see if anyone else had seen this though
for mine
md5 hash- f7bcb6ce d5f42ebf b8975a88 dee773d4
SHA hash- 6820e377 4ed9cd84 df983222 4b787f88 f732aa74


thanks for the feedback
0
 
LVL 2

Expert Comment

by:billyea
Comment Utility
Get your keystroke logging detector to scan the McAffee CD. If it finds anything, report here.
0
 
LVL 2

Expert Comment

by:billyea
Comment Utility
If it finds nothing, it probably is the virus detection files that contain malicious code (but only for scanning purposes), in that case, you're fine. :)
0

Featured Post

Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Join & Write a Comment

This is a guide to the following problem (not exclusive but here) on Windows: Users need our support and we supporters often use global administrative accounts to do this. Using these accounts safely is a real challenge. Any admin who takes se…
In a recent article here at Experts Exchange (http://www.experts-exchange.com/articles/18880/PaperPort-14-in-Windows-10-A-First-Look.html), I discussed my nine-month sandbox testing of the Windows 10 Technical Preview, specifically with respect to r…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now