Solved

McAfee is a keystroke logger

Posted on 2004-07-30
Last Modified: 2013-12-04
So, I am demoing the Cisco Security Agent and CiscoWorks software.  I installed it on my desktop and laptop, which also have McAfee Anti-Virus software.  The security agent actively monitors your computer, checking for all kinds of viruses, port scans, keystroke loggers, etc.  The first thing that the Agent detected on both systems was that c:\programfiles\network associates\common framework\frameworkservice.exe captures all of your keystrokes.  (frameworkservice.exe is a process associated with McAfee.)

Anyone else know about this?  Is this part of the On-Access Scan feature?  Is this a threat?  Where are all the keystrokes logged?

I am just wondering; I searched the Internet and found nothing about it.
Question by:ngravatt

8 Comments
LVL 38

Expert Comment

by:Rich Rumble
ID: 11687581
This must be incorrect... or some sort of a false positive... McAfee detects keyloggers, and therefore must contain a certain amount of the keyloggers' code in order to match it to the actual kloggers; it does the same thing with viri: they put in little bits of code that are unique to the viri, and AVs match that code to programs and they are detected as a virus. However, the DATs are encoded (encrypted if you will) in such a way that they are obfuscated, so that they aren't detected as the viri... from other AV solutions.... I've had CSA installed for some time, and I run McAfee 7.1; it's never reported this behaviour to me. What version of McAfee are you running? Also the version of CSA you're running
http://www.cisco.com/en/US/products/sw/secursw/ps5057/prod_release_note09186a008019b760.html#67958 (known issues)
You should perhaps report this to McAfee and Cisco... perhaps they have an answer/workaround...

http://www.cisco.com/en/US/products/sw/secursw/ps5057/products_qanda_item09186a00801f8e5a.shtml
Q. What other software can be loaded in an IP Communications server that is running the Cisco Security Agent headless agent?
A. The policies provide support for several Cisco approved, third-party monitoring tools and co-resident applications. For Cisco CallManager, Cisco Emergency Responder, Cisco Conference Connection, Cisco IP-IVR, Cisco IP Queue Manager and Cisco IPCC Express; the following software can be running on the same server on which the headless or managed agent is installed:

    * McAfee VirusScan 7.0
    * Symantec AntiVirus Corporate Edition 8.0
    * HP OpenView Performance Manager v. 3.3
    * HP OpenView Operations Agent 7.1
    * Micromuse Netcool VoIP Manager 1.0
    * NetIQ Vivinet Manager 2.1
    * Concord eHealth Monitor 5.6.5
    * Integrated Research Prognosis 7.07
    * Trend Micro ServerProtect 5
    * Windows Terminal Services
    * Real VNC

-rich

0
 
LVL 10

Author Comment

by:ngravatt
ID: 11695957
I am running McAfee VirusScan 7.1.  The CSA is version 4.0-1 build 540.
I wish I could post a picture of the screenshot when the agent detects it.  No one else I know has ever seen this.
It says exactly:  c:\...\FrameworkService.exe is trying to capture all keystrokes. This is characteristic of remote control software or a trojan. Allow or disable.
The same thing happened on two different machines.
I am sure it must be some type of false positive, but it concerns me that McAfee captures all keystrokes.

What agent kit or rules do you have running in your CSA?
0
 
LVL 2

Expert Comment

by:billyea
ID: 11739824
It is a false positive.
Perhaps a virus snuck into the computer and replaced framework.exe with a REAL keystroke logger, then named itself as McAfee.

Here's a few pointers:

When you are asked 'Allow' or 'Disable',
choose Disable and see what happens to McAfee (test it).
If nothing happens, something has replaced the REAL frameworkservice.exe with a keystroke logger.
0
 
LVL 2

Expert Comment

by:billyea
ID: 11739850
If this doesn't work, ignore it.
I BET YOU 10000000000000000000000 dollars that it is a false alarm.
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 800 total points
ID: 11741309
Using this hasher, my "FrameworkService.exe"s have the following hashes
http://ntsecurity.nu/toolbox/filehasher/
C:\..\>filehasher.exe FrameworkService.exe -md5
FileHasher 1.1  - (c) 2002, Arne Vidstrom, arne.vidstrom@ntsecurity.nu
MD5 hash: f7bcb6ce d5f42ebf b8975a88 dee773d4
SHA hash: 6820e377 4ed9cd84 df983222 4b787f88 f732aa74

The file (frameworkservice.exe) has these properties:
filesize 106,586 bytes
BuildDate 9/10/2003
BuildNumber 184
FileVersion 3.1.1.184
===Running===
McAfee 7.1.0
Virus Definitions 4383
Created Aug 4th 2004
Scan Engine 4.3.20
---
I'd write Cisco (tac@cisco.com) if this were my issue, and see if they've encountered this prior... again, I am unable to duplicate; I've changed my settings for just about everything McAfee does... no alarms. Also, I can find no viri that replace or rename themselves as framework... I think it's a FP, because McAfee has klogger detection definitions (find joke and potentially unwanted programs); you may try to toggle that on and off to see if that is setting it off. It didn't for me, but who knows.
http://vil.nai.com/images/VSE7-ODS-PROGRAM.gif

-rich



0
 
LVL 10

Author Comment

by:ngravatt
ID: 11755257
Good point.

All this was done on a test machine that COULD NOT have been infected with a virus.  I installed the OS, got the updates, then installed McAfee and then CSA.

billyea-
I selected disable and it seemed as if McAfee was still working fine.

rich-
I am betting that it is a false positive.  I wanted to ask and see if anyone else had seen this though.
For mine:
md5 hash- f7bcb6ce d5f42ebf b8975a88 dee773d4
SHA hash- 6820e377 4ed9cd84 df983222 4b787f88 f732aa74


Thanks for the feedback
0
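The check that the accepted solution and the author's reply carry out by hand (hash the on-disk FrameworkService.exe, then compare the printed MD5 and SHA-1 digests against a known-good copy to rule out a swapped binary), written out as an added Python example. This is not code from the thread, from McAfee or from Cisco. The reference hashes are the ones posted above for FileVersion 3.1.1.184; the bytes hashed in `demo()` are a constructed stand-in, not the real file, so its verdict is expected to be False. The 8-hex-digit grouping only mimics FileHasher's printout so the two can be compared by eye, and the comparison ignores grouping and case:

```python
import hashlib
import tempfile
from pathlib import Path

# Hashes of FrameworkService.exe (FileVersion 3.1.1.184) exactly as posted in the thread,
# in FileHasher's 8-hex-digit grouped format. A different build will have different hashes.
KNOWN_GOOD = {
    "md5": "f7bcb6ce d5f42ebf b8975a88 dee773d4",
    "sha1": "6820e377 4ed9cd84 df983222 4b787f88 f732aa74",
}


def normalize(digest: str) -> str:
    """Drop grouping whitespace and case so differently formatted printouts compare equal."""
    return "".join(digest.split()).lower()


def group8(hexdigest: str) -> str:
    """Render a hex digest in FileHasher's 'xxxxxxxx xxxxxxxx ...' style."""
    return " ".join(hexdigest[i:i + 8] for i in range(0, len(hexdigest), 8))


def hash_bytes(data: bytes) -> dict:
    """MD5 and SHA-1 of an in-memory blob, as plain lowercase hex."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def hash_file(path) -> dict:
    """Hash a file on disk in chunks so large binaries do not have to fit in memory."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def check_against(computed: dict, reference: dict) -> dict:
    """Per-algorithm verdict: True when the computed digest matches the reference."""
    return {alg: normalize(computed[alg]) == normalize(ref) for alg, ref in reference.items()}


def demo() -> dict:
    """Hash a constructed stand-in file and compare it with the posted reference hashes.

    The stand-in is the bytes b'abc' (a constructed sample, not the McAfee binary),
    so the verdict is expected to be False for both algorithms.
    """
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "FrameworkService.exe"  # constructed stand-in, not the real file
        sample.write_bytes(b"abc")
        digests = hash_file(sample)
    for alg, hexdigest in digests.items():
        print(f"{alg.upper()} hash: {group8(hexdigest)}")
    return check_against(digests, KNOWN_GOOD)


if __name__ == "__main__":
    print(demo())
```

Point `hash_file()` at the installed binary and `check_against()` at hashes taken from a trusted copy of the same build. Both algorithms matching rules out the "replaced with a real keylogger" theory raised earlier in the thread; it says nothing about what the genuine binary does, which is the separate question the thread settles as a false positive. MD5 and SHA-1 are what FileHasher produced in 2004; `check_against()` compares whatever algorithms the reference dictionary lists, so a SHA-256 entry can be added alongside them.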
 
LVL 2

Expert Comment

by:billyea
ID: 11756205
Get your keystroke logging detector to scan the McAfee CD. If it finds anything, report here.
0
 
LVL 2

Expert Comment

by:billyea
ID: 11756226
If it finds nothing, it probably is the virus detection files that contain malicious code (but only for scanning purposes), in that case, you're fine. :)
0