
McAfee is a keystroke logger

Posted on 2004-07-30
Last Modified: 2013-12-04
So, I am demoing the Cisco Security Agent and Cisco works software.  I installed it on my desktop and laptop which also has McAfee Anti-Virus software.  The security agent actively monitors your computer checking for all kinds of viruses, port scans, keystroke loggers, etc.  The first thing that the Agent detected on both systems was that c:\programfiles\network associates\common framework\frameworkservice.exe captures all of your keystrokes.  (frameworkservice.exe is a process associated with McAfee)

Anyone else know about this?  Is this part of the On-Access Scan feature?  Is this a threat?  Where are all the keystrokes logged?

I am just wondering, I searched the Internet and found nothing about it.
0
Question by:ngravatt
8 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 11687581
This must be incorrect... or some sort of a false positive... McAfee detects keyloggers, and therefore must contain a certain amount of the keyloggers' code, in order to match it to the actual kloggers. It does the same thing with viri: they put in little bits of code that are unique to the viri, and AVs match that code to programs and they are detected as a virus. However, the DATs are encoded (encrypted if you will) in such a way that they are obfuscated, so that they aren't detected as the viri... from other AV solutions.... I've had CSA installed for some time, and I run McAfee 7.1 - it's never reported this behaviour to me. What version of McAfee are you running? Also the version of CSA you're running?
http://www.cisco.com/en/US/products/sw/secursw/ps5057/prod_release_note09186a008019b760.html#67958 (known issues)
You should perhaps report this to mcafee and cisco... perhaps they have an answer/workaround...

http://www.cisco.com/en/US/products/sw/secursw/ps5057/products_qanda_item09186a00801f8e5a.shtml
Q. What other software can be loaded in an IP Communications server that is running the Cisco Security Agent headless agent?
A. The policies provide support for several Cisco approved, third-party monitoring tools and co-resident applications. For Cisco CallManager, Cisco Emergency Responder, Cisco Conference Connection, Cisco IP-IVR, Cisco IP Queue Manager and Cisco IPCC Express; the following software can be running on the same server on which the headless or managed agent is installed:

    * McAfee VirusScan 7.0
    * Symantec AntiVirus Corporate Edition 8.0
    * HP OpenView Performance Manager v. 3.3
    * HP OpenView Operations Agent 7.1
    * Micromuse Netcool VoIP Manager 1.0
    * NetIQ Vivinet Manager 2.1
    * Concord eHealth Monitor 5.6.5
    * Integrated Research Prognosis 7.07
    * Trend Micro ServerProtect 5
    * Windows Terminal Services
    * Real VNC

-rich

0
 
LVL 10

Author Comment

by:ngravatt
ID: 11695957
I am running McAfee Virus Scan 7.1.  The CSA is version 4.0-1 build 540.
I wish I could post a picture of the screenshot when the agent detects it.  No one else I know has ever seen this.
It says exactly:  c:\...\FrameworkService.exe is trying to capture all keystrokes. This is characteristic of remote control software or a trojan. Allow or disable.
The same thing happened on two different machines.
I am sure it must be some type of false positive, but it concerns me that McAfee captures all keystrokes.

What agent kit or rules do you have running in your CSA?
0
 
LVL 2

Expert Comment

by:billyea
ID: 11739824
It is a false positive.
Perhaps a virus snuck into the computer, replaced framework.exe with a REAL keystroke logger, then named itself as McAfee.

Here's a few pointers:

When you are asked 'Allow' or 'Disable'.
Choose Disable and see what happens to McAfee (test it).
If nothing happens, something has replaced the REAL frameworkservice.exe with a keystroke logger.
0

 
LVL 2

Expert Comment

by:billyea
ID: 11739850
If this doesn't work, ignore it.
I BET YOU 10000000000000000000000 dollars that it is a false alarm.
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 800 total points
ID: 11741309
Using this hasher my "FrameworkService.exe's" have the following hashes
http://ntsecurity.nu/toolbox/filehasher/
C:\..\>filehasher.exe FrameworkService.exe -md5
FileHasher 1.1  - (c) 2002, Arne Vidstrom, arne.vidstrom@ntsecurity.nu
MD5 hash: f7bcb6ce d5f42ebf b8975a88 dee773d4
SHA hash: 6820e377 4ed9cd84 df983222 4b787f88 f732aa74

The file (frameworkservice.exe) has these properties:
filesize 106,586 bytes
BuildDate 9/10/2003
BuildNumber 184
FileVersion 3.1.1.184
===Running===
mcafee 7.1.0
Virus Definitions 4383
Created Aug 4th 2004
Scan Engine 4.3.20
---
I'd write Cisco (tac@cisco.com) if this were my issue, and see if they've encountered this prior... again, I am unable to duplicate - I've changed my settings for just about everything McAfee does... no alarms. Also, I can find no viri that replace or rename themselves as framework... I think it's a FP, because McAfee has klogger detection definitions (find joke and potentially unwanted programs); you may try to toggle that on and off to see if that is setting it off. It didn't for me, but who knows.
http://vil.nai.com/images/VSE7-ODS-PROGRAM.gif

-rich



0
 
LVL 10

Author Comment

by:ngravatt
ID: 11755257
good point.  

All this was done on a test machine that COULD NOT have been infected with a virus.  I installed the OS, got the updates, then installed McAfee and then CSA.

billyea-
I selected disable and it seemed as if McAfee was still working fine.

rich-
I am betting that is a false positive.  I wanted to ask and see if anyone else had seen this though
for mine
md5 hash- f7bcb6ce d5f42ebf b8975a88 dee773d4
SHA hash- 6820e377 4ed9cd84 df983222 4b787f88 f732aa74


thanks for the feedback
0
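The hash comparison carried out across the two posts above, as an added example that is not part of the original thread: it parses FileHasher-style output in both posted spellings ("hash:" and "hash-"), rejects truncated digests, and checks a local file against the reference. The function names are hypothetical and the file to check is passed on the command line. A match shows the two machines hold the same build of the file, not where that build came from.

```python
import hashlib
import re
import sys

# Reference values as posted in the accepted answer (FileHasher 1.1 layout).
REFERENCE_OUTPUT = """MD5 hash: f7bcb6ce d5f42ebf b8975a88 dee773d4
SHA hash: 6820e377 4ed9cd84 df983222 4b787f88 f732aa74"""

# The asker's values, typed with "-" instead of ":".
ASKER_OUTPUT = """md5 hash- f7bcb6ce d5f42ebf b8975a88 dee773d4
SHA hash- 6820e377 4ed9cd84 df983222 4b787f88 f732aa74"""

LINE = re.compile(r"^(md5|sha)\s+hash\s*[:\-]\s*([0-9a-f ]+)$", re.I)
HEX_LEN = {"md5": 32, "sha1": 40}

def parse_hashes(text):
    """Return {'md5': hex, 'sha1': hex} from FileHasher-style lines."""
    found = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # banner lines, prompts, blank lines
        algo = "md5" if m.group(1).lower() == "md5" else "sha1"
        value = m.group(2).replace(" ", "").lower()
        if len(value) != HEX_LEN[algo]:
            raise ValueError(f"truncated or malformed {algo} digest: {line!r}")
        found[algo] = value
    return found

def hash_file(path, chunk_size=65536):
    """Compute both digests in one streaming pass over the file."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def mismatches(reference, actual):
    """Algorithms whose digests differ; an empty reference is an error, not a match."""
    if not reference:
        raise ValueError("no reference digests parsed")
    return sorted(a for a in reference if actual.get(a) != reference[a])

if __name__ == "__main__":
    ref = parse_hashes(REFERENCE_OUTPUT)
    print("posts agree:", parse_hashes(ASKER_OUTPUT) == ref)
    bad = mismatches(ref, hash_file(sys.argv[1]))
    print("MATCH" if not bad else "MISMATCH: " + ", ".join(bad))
```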
 
LVL 2

Expert Comment

by:billyea
ID: 11756205
Get your keystroke logging detector to scan the McAfee CD. If it finds anything, report here.
0
 
LVL 2

Expert Comment

by:billyea
ID: 11756226
If it finds nothing, it probably is the virus detection files that contain malicious code (but only for scanning purposes), in that case, you're fine. :)
0
