• Status: Solved
  • Priority: Medium
  • Security: Public

McAfee is a keystroke logger

So, I am demoing the Cisco Security Agent and Cisco works software.  I installed it on my desktop and laptop which also has McAfee Anti-Virus software.  The security agent actively monitors your computer checking for all kinds of viruses, port scans, keystroke loggers, etc.  The first thing that the Agent detected on both systems was that the c:\programfiles\network associates\common framework\frameworkservice.exe captures all of your keystrokes.  (frameworkservice.exe is a process associated with McAfee)

Anyone else know about this?  Is this part of the On-Access Scan feature?  Is this a threat?  Where are all the keystrokes logged?

I am just wondering, I searched the Internet and found nothing about it.
Rich Rumble (Security Samurai) Commented:
This must be incorrect... or some sort of a false positive... McAfee detects keyloggers, and therefore must contain a certain amount of the keyloggers' code, in order to match it to the actual kloggers. It does the same thing with viri: they put in little bits of code that are unique to the viri, and AVs match that code to programs and they are detected as a virus. However, the DATs are encoded (encrypted if you will) in such a way that they are obfuscated, so that they aren't detected as the viri... from other AV solutions.... I've had CSA installed for some time, and I run McAfee 7.1; it's never reported this behaviour to me. What version of McAfee are you running? Also the version of CSA you're running?
http://www.cisco.com/en/US/products/sw/secursw/ps5057/prod_release_note09186a008019b760.html#67958 (known issues)
You should perhaps report this to mcafee and cisco... perhaps they have an answer/workaround...

Q. What other software can be loaded in an IP Communications server that is running the Cisco Security Agent headless agent?
A. The policies provide support for several Cisco approved, third-party monitoring tools and co-resident applications. For Cisco CallManager, Cisco Emergency Responder, Cisco Conference Connection, Cisco IP-IVR, Cisco IP Queue Manager and Cisco IPCC Express; the following software can be running on the same server on which the headless or managed agent is installed:

    * McAfee VirusScan 7.0
    * Symantec AntiVirus Corporate Edition 8.0
    * HP OpenView Performance Manager v. 3.3
    * HP OpenView Operations Agent 7.1
    * Micromuse Netcool VoIP Manager 1.0
    * NetIQ Vivinet Manager 2.1
    * Concord eHealth Monitor 5.6.5
    * Integrated Research Prognosis 7.07
    * Trend Micro ServerProtect 5
    * Windows Terminal Services
    * Real VNC


ngravatt (Author) Commented:
I am running McAfee Virus Scan 7.1.  The CSA is version 4.0-1 build 540.
I wish I could post a picture of the screenshot when the agent detects it.  No one else I know has ever seen this.
It says exactly:  c:\...\FrameworkService.exe is trying to capture all keystrokes. This is characteristic of remote control software or a trojan. Allow or disable.
The same thing happened on two different machines.
I am sure it must be some type of false positive, but it concerns me that McAfee captures all keystrokes.

What agent kit or rules do you have running in your CSA?
It is a false positive.
Perhaps a virus snuck into the computer, replaced framework.exe with a REAL keystroke logger. Then naming itself as McAfee.

Here's a few pointers:

When you are asked 'Allow' or 'Disable'.
Choose Disable and see what happens to McAfee (test it).
If nothing happens, something has replaced the REAL frameworkservice.exe with a keystroke logger.
If this doesn't work, ignore it.
I BET YOU 10000000000000000000000 dollars that it is a false alarm.
Rich Rumble (Security Samurai) Commented:
Using this hasher my "FrameworkService.exe's" have the following hashes
C:\..\>filehasher.exe FrameworkService.exe -md5
FileHasher 1.1  - (c) 2002, Arne Vidstrom, arne.vidstrom@ntsecurity.nu
MD5 hash: f7bcb6ce d5f42ebf b8975a88 dee773d4
SHA hash: 6820e377 4ed9cd84 df983222 4b787f88 f732aa74

The file (frameworkservice.exe) has these properties:
filesize 106,586 bytes
BuildDate 9/10/2003
BuildNumber 184
mcafee 7.1.0
Virus Definitions 4383
Created Aug 4th 2004
Scan Engine 4.3.20
I'd write Cisco (tac@cisco.com) if this were my issue, and see if they've encountered this prior... again, I am unable to duplicate. I've changed my settings for just about everything McAfee does... no alarms. Also, I can find no viri that replace or rename themselves as framework... I think it's a FP, because McAfee has klogger detection definitions (find joke and potentially unwanted programs). You may try to toggle that on and off to see if that is setting it off; it didn't for me, but who knows.


ngravatt (Author) Commented:
Good point.

All this was done on a test machine that COULD NOT have been infected with a virus.  I installed the OS, got the updates, then installed McAfee and then CSA.

I selected disable and it seemed as if McAfee was still working fine.

I am betting that it is a false positive.  I wanted to ask and see if anyone else had seen this though.
for mine
md5 hash- f7bcb6ce d5f42ebf b8975a88 dee773d4
SHA hash- 6820e377 4ed9cd84 df983222 4b787f88 f732aa74

thanks for the feedback
Get your keystroke logging detector to scan the McAfee CD. If it finds anything, report here.
If it finds nothing, it probably is the virus detection files that contain malicious code (but only for scanning purposes), in that case, you're fine. :)
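
The hash comparison the posters do by eye in this thread, as an added example that is not part of the original posts: it parses FileHasher-style digest lines (values copied from the posts above) and checks a local file against them. The function names are hypothetical, and a match only shows that two copies are the same file.

```python
import hashlib
import hmac
import re

# Digest lines copied from the FileHasher 1.1 output posted in the thread:
# hex is printed in space-separated groups of 8 characters.
THREAD_OUTPUT = """\
MD5 hash: f7bcb6ce d5f42ebf b8975a88 dee773d4
SHA hash: 6820e377 4ed9cd84 df983222 4b787f88 f732aa74
"""

# FileHasher label -> (hashlib name, expected hex length)
ALGORITHMS = {"MD5": ("md5", 32), "SHA": ("sha1", 40)}
# Accepts both "MD5 hash: ..." and the "md5 hash- ..." form used in a reply.
LINE_RE = re.compile(r"^\s*(MD5|SHA)\s+hash\s*[:\-]\s*([0-9a-f ]+?)\s*$", re.M | re.I)

def parse_reference(text):
    """Return {'md5': hex, 'sha1': hex} from FileHasher-style lines."""
    found = {}
    for label, digits in LINE_RE.findall(text):
        algo, length = ALGORITHMS[label.upper()]
        digest = digits.replace(" ", "").lower()
        if len(digest) != length:  # truncated or mis-pasted digest
            raise ValueError(f"{label}: {len(digest)} hex chars, expected {length}")
        found[algo] = digest
    return found

def hash_file(path, algos=("md5", "sha1"), chunk=1 << 16):
    """Read the file once and feed every requested algorithm."""
    hashers = {name: hashlib.new(name) for name in algos}
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def compare(path, reference_text):
    """Return {algo: matched?} for every digest present in the reference."""
    reference = parse_reference(reference_text)
    if not reference:
        raise ValueError("no digests found in reference text")
    actual = hash_file(path, tuple(reference))
    return {a: hmac.compare_digest(actual[a], reference[a]) for a in reference}

def same_binary(path, reference_text):
    # Every listed digest must match. MD5 and SHA-1 are what the thread's
    # tool prints; a match means identical copies, not a vetted binary.
    return all(compare(path, reference_text).values())
```
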
Question has a verified solution.