Solved

McAfee is a keystroke logger

Posted on 2004-07-30 | 8 comments | 2,673 views | Last Modified: 2013-12-04
So, I am demoing the Cisco Security Agent and CiscoWorks software.  I installed it on my desktop and laptop, which also have McAfee Anti-Virus software.  The security agent actively monitors your computer, checking for all kinds of viruses, port scans, keystroke loggers, etc.  The first thing that the Agent detected on both systems was that c:\programfiles\network associates\common framework\frameworkservice.exe captures all of your keystrokes.  (frameworkservice.exe is a process associated with McAfee)

Anyone else know about this?  Is this part of the On-Access Scan feature?  Is this a threat?  Where are all the keystrokes logged?

I am just wondering; I searched the Internet and found nothing about it.
Question by:ngravatt
8 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 11687581
This must be incorrect... or some sort of a false positive... McAfee detects keyloggers, and therefore must contain a certain amount of the keyloggers' code, in order to match it to the actual kloggers; it does the same thing with viruses, they put in little bits of code that are unique to the virus, and AVs match that code to programs and they are detected as a virus. However, the DATs are encoded (encrypted if you will) in such a way that they are obfuscated, so that they aren't detected as the viruses... from other AV solutions.... I've had CSA installed for some time, and I run McAfee 7.1- it's never reported this behaviour to me. What version of McAfee are you running? Also the version of CSA you're running
http://www.cisco.com/en/US/products/sw/secursw/ps5057/prod_release_note09186a008019b760.html#67958 (known issues)
You should perhaps report this to mcafee and cisco... perhaps they have an answer/workaround...

http://www.cisco.com/en/US/products/sw/secursw/ps5057/products_qanda_item09186a00801f8e5a.shtml
Q. What other software can be loaded in an IP Communications server that is running the Cisco Security Agent headless agent?
A. The policies provide support for several Cisco approved, third-party monitoring tools and co-resident applications. For Cisco CallManager, Cisco Emergency Responder, Cisco Conference Connection, Cisco IP-IVR, Cisco IP Queue Manager and Cisco IPCC Express; the following software can be running on the same server on which the headless or managed agent is installed:

    * McAfee VirusScan 7.0
    * Symantec AntiVirus Corporate Edition 8.0
    * HP OpenView Performance Manager v. 3.3
    * HP OpenView Operations Agent 7.1
    * Micromuse Netcool VoIP Manager 1.0
    * NetIQ Vivinet Manager 2.1
    * Concord eHealth Monitor 5.6.5
    * Integrated Research Prognosis 7.07
    * Trend Micro ServerProtect 5
    * Windows Terminal Services
    * Real VNC

-rich

 
LVL 10

Author Comment

by:ngravatt
ID: 11695957
I am running McAfee Virus Scan 7.1.  The CSA is version 4.0-1 build 540.
I wish i could post a picture of the screenshot when the agent detects it.  No one else I know has ever seen this.
It says exactly:  c:\...\FrameworkService.exe is trying to capture all keystrokes. This is characteristic of remote control software or a trojan. Allow or disable.
The same thing happened on two different machines.
I am sure it must be some type of false positive, but it concerns me that McAfee captures all keystrokes.

What agent kit or rules do you have running in your CSA?
 
LVL 2

Expert Comment

by:billyea
ID: 11739824
It is a false positive.
Perhaps a virus snuck into the computer, replaced framework.exe with a REAL keystroke logger, then named itself as McAfee.

Here's a few pointers:

When you are asked 'Allow' or 'Disable':
Choose Disable and see what happens to McAfee (test it).
If nothing happens, something has replaced the REAL frameworkservice.exe with a keystroke logger.
 
LVL 2

Expert Comment

by:billyea
ID: 11739850
If this doesn't work, ignore it.
I BET YOU 10000000000000000000000 dollars that it is a false alarm.
 
LVL 38

Accepted Solution

by: Rich Rumble (earned 200 total points)
ID: 11741309
Using this hasher, my "FrameworkService.exe"s have the following hashes:
http://ntsecurity.nu/toolbox/filehasher/
C:\..\>filehasher.exe FrameworkService.exe -md5
FileHasher 1.1  - (c) 2002, Arne Vidstrom, arne.vidstrom@ntsecurity.nu
MD5 hash: f7bcb6ce d5f42ebf b8975a88 dee773d4
SHA hash: 6820e377 4ed9cd84 df983222 4b787f88 f732aa74

The file (frameworkservice.exe) has these properties:
filesize 106,586 bytes
BuildDate 9/10/2003
BuildNumber 184
FileVersion 3.1.1.184
===Running===
mcafee 7.1.0
Virus Definitions 4383
Created Aug 4th 2004
Scan Engine 4.3.20
---
I'd write Cisco (tac@cisco.com) if this were my issue, and see if they've encountered this prior... again, I am unable to duplicate- I've changed my settings for just about everything McAfee does... no alarms. Also, I can find no viruses that replace or rename themselves as framework... I think it's a FP- because McAfee has klogger detection definitions (find joke and potentially unwanted programs); you may try to toggle that on and off to see if that is setting it off- it didn't for me, but who knows.
http://vil.nai.com/images/VSE7-ODS-PROGRAM.gif

-rich



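The check Rich did above (hash the suspect binary and compare it with the digest of a copy you trust) is easy to script so it can be repeated on many machines. The following is an added example and is not code from this thread or from any of the participants; it does not use filehasher, it uses Python's standard hashlib instead. It prints digests in the same space-separated 8-character groups that filehasher shows, so values pasted from a post like the one above can be compared directly, and it accepts expected digests in any spacing or case. MD5 and SHA-1 are kept because they are what the thread exchanged; SHA-256 is added because the two older algorithms are no longer collision resistant. The file name and expected values in the `__main__` section are placeholders you supply, not values taken from the page.

```python
"""Hash a binary and compare it with known-good digests (added example)."""
import hashlib
import re
import sys
from typing import Dict

# md5 and sha1 match what filehasher prints; sha256 is added because the
# older two are no longer collision resistant and should not be relied on alone.
ALGORITHMS = ("md5", "sha1", "sha256")
CHUNK = 1 << 20  # read 1 MiB at a time so large binaries are not loaded whole


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Return lowercase hex digests of an in-memory byte string, per algorithm."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def hash_file(path: str) -> Dict[str, str]:
    """Return lowercase hex digests of the file at `path`, per algorithm."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def grouped(hexdigest: str, width: int = 8) -> str:
    """Format a hex digest as space-separated groups, filehasher style."""
    return " ".join(hexdigest[i:i + width] for i in range(0, len(hexdigest), width))


def normalize(digest: str) -> str:
    """Drop spaces, colons and case so output pasted from any tool compares equal."""
    return re.sub(r"[^0-9a-f]", "", digest.lower())


def verify_digests(actual: Dict[str, str], expected: Dict[str, str]) -> Dict[str, bool]:
    """Compare computed digests with expected ones (algorithm -> digest as pasted).

    Returns a per-algorithm match map; algorithms absent from `expected` are
    skipped, and an unknown algorithm name in `expected` yields False.
    """
    return {alg: alg in actual and normalize(actual[alg]) == normalize(exp)
            for alg, exp in expected.items()}


def all_match(actual: Dict[str, str], expected: Dict[str, str]) -> bool:
    """True only if at least one algorithm was checked and every one matched."""
    results = verify_digests(actual, expected)
    return bool(results) and all(results.values())


def verify_file(path: str, expected: Dict[str, str]) -> bool:
    """Hash the file at `path` and report whether it matches `expected`."""
    return all_match(hash_file(path), expected)


if __name__ == "__main__":
    # Usage: python hashcheck.py FrameworkService.exe [alg=digest ...]
    # e.g.   python hashcheck.py FrameworkService.exe "md5=f7bcb6ce d5f42ebf ..."
    target = sys.argv[1]
    expected_args = dict(arg.split("=", 1) for arg in sys.argv[2:])
    digests = hash_file(target)
    for name in ALGORITHMS:
        print(f"{name.upper():7s} {grouped(digests[name])}")
    if expected_args:
        for alg, ok in verify_digests(digests, expected_args).items():
            print(f"{alg}: {'MATCH' if ok else 'MISMATCH'}")
        sys.exit(0 if all_match(digests, expected_args) else 1)
```

Two caveats a practitioner should keep in mind when reading the result. A match between two machines that were installed from the same media only proves the two copies are identical, not that the file is clean; the authoritative comparison is against a digest published by the vendor or the file's digital signature, where one exists. And a mismatch is not by itself proof of tampering either, since a different build number or DAT update legitimately changes the binary, which is why the thread compares version and build date alongside the hash.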
 
LVL 10

Author Comment

by:ngravatt
ID: 11755257
good point.  

All this was done on a test machine that COULD NOT have been infected with a virus.  I installed the OS, got the updates, then installed Mcafee and then CSA.

billyea-
I selected disable and it seemed as if Mcafee was still working fine.

rich-
I am betting that it is a false positive.  I wanted to ask and see if anyone else had seen this though.
for mine
md5 hash- f7bcb6ce d5f42ebf b8975a88 dee773d4
SHA hash- 6820e377 4ed9cd84 df983222 4b787f88 f732aa74


thanks for the feedback
 
LVL 2

Expert Comment

by:billyea
ID: 11756205
Get your keystroke logging detector to scan the McAfee CD. If it finds anything, report here.
 
LVL 2

Expert Comment

by:billyea
ID: 11756226
If it finds nothing, it probably is the virus detection files that contain malicious code (but only for scanning purposes), in that case, you're fine. :)