McAfee VirusScan

Publisher page: McAfee
Category: Secure Content and Threat Management
Release: TKU 2023-Jan-1

Product Description

McAfee has branched its VirusScan product into different products, each relating to a specific computing environment: home, small business, or enterprise. We have focused our attention on McAfee VirusScan Enterprise, which targets enterprise businesses and combines virus detection and elimination, intrusion prevention and firewall technology in a single solution for PCs and file servers.

This documentation refers to the model for the Windows version. The Linux version is documented separately.

Software Pattern Summary

| Product Component | OS Type | Versioning | Pattern Depth |
| --- | --- | --- | --- |
| McAfee VirusScan | Windows | Package | Instance-based |

Platforms Supported by the Pattern

The pattern identifies instances of McAfee VirusScan on the Windows platform.

Identification

Software Instance Triggers

| Product Component | OS Type | Trigger Node | Attribute | Condition | Argument |
| --- | --- | --- | --- | --- | --- |
| McAfee VirusScan | Windows | DiscoveredProcess | cmd | matches | regex '(?i)\bvstskmgr\.exe$' or regex '(?i)\bVirusScan[^\\]*\\scan32\.exe$' or regex '(?i)\bmcshield\.exe$' |

Simple Identification Mappings

The pattern identifies the following processes at two levels: the processes listed below are identified through Simple Identifiers and, in addition, are modeled within a full Software Instance for McAfee VirusScan (see Application Model Produced by Software Pattern for more details about the approach taken to model this product).

There are Simple Identifiers for the following processes:

| Component Name | OS Type | Command |
| --- | --- | --- |
| Alert Manager | Windows | (?i)\bamgrsrvc\.exe$ |
| VirusScan Framework Service | Windows | (?i)\bframeworkservice\.exe$ |
| VirusScan On-demand Virus Scanner process | Windows | (?i)\bVirusScan[^\\]*\\scan32\.exe$ |
| VirusScan Shield (Internet Security On-Access scanner) | Windows | (?i)\bmcshield\.exe$ |
| VirusScan Updater UI | Windows | (?i)\bUpdaterUI\.exe$ |
| VirusScan Enterprise Console | Windows | (?i)\bmcconsol\.exe$ |
| VirusScan Shstat | Windows | (?i)\bshstat\.exe$ |
| VirusScan Task Manager | Windows | (?i)\bvstskmgr\.exe$ |
| Error Reporting Service | Windows | (?i)\btbmon\.exe$ |
| Common Framework Script Engine | Windows | (?i)\bmcscript_inuse\.exe$ |
| ePolicy Orchestrator Product Manager | Windows | (?i)\bnaprdmgr\.exe$ |
| ePolicy Orchestrator System Compliance Profiler Microsoft Patch Scan | Windows | (?i)\bptchscan\.exe$ |

Versioning

Registry Versioning

The pattern searches for a registry key that has the following path and the following value:

  • Path: HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Application Plugins\<product code>\Product Name

  • Value has subword "McAfee VirusScan"

Once this key has been found the pattern knows the value of <product code>. It uses this knowledge to obtain version and DAT version from the following two registry keys:

  • Version: HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Application Plugins\<product code>\Version

  • DAT Version: HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Application Plugins\<product code>\DATVersion
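
The two-step lookup above, written out as an added example for checking a host by hand (this is not the pattern's own code). The substring test standing in for "has subword", the function names, and the sample product codes and versions are assumptions made for illustration.

```python
BASE = r'SOFTWARE\Network Associates\ePolicy Orchestrator\Application Plugins'

def load_plugins():
    """Read every <product code> subkey into a dict (runs on Windows only)."""
    import winreg  # standard library, present on Windows
    plugins = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, BASE) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):  # [0] = number of subkeys
            code = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, code) as sub:
                values = {}
                for name in ('Product Name', 'Version', 'DATVersion'):
                    try:
                        values[name] = winreg.QueryValueEx(sub, name)[0]
                    except FileNotFoundError:
                        pass  # value absent under this product code
                plugins[code] = values
    return plugins

def virusscan_versions(plugins):
    """Step 1: find the product code by Product Name. Step 2: read its versions."""
    for code, values in plugins.items():
        # Assumption: "has subword" is approximated by a case-insensitive substring test.
        if 'mcafee virusscan' in str(values.get('Product Name', '')).lower():
            return {'product_code': code,
                    'version': values.get('Version'),
                    'dat_version': values.get('DATVersion')}
    return None  # no plugin entry names McAfee VirusScan

# Constructed registry contents; product codes and versions are placeholders.
SAMPLE_PLUGINS = {
    'EXAMPLE_AGENT_CODE': {'Product Name': 'McAfee Agent', 'Version': '5.6.1.308'},
    'EXAMPLE_VSE_CODE': {'Product Name': 'McAfee VirusScan Enterprise',
                         'Version': '8.8.0.1804', 'DATVersion': '9876.0000'},
}
```

On a Windows host, `virusscan_versions(load_plugins())` performs the same lookup against the live registry.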

Package Versioning

Atrium Discovery executes a search for the installed packages and tries to match them against the following regular expressions:

  • (?i)^McAfee\s*Virus\s*Scan\s*(Enterprise)?$
  • (?i)McAfee\s+Endpoint\s+Security

When it finds a match, it extracts the version for McAfee VirusScan from the package information. Should it match on more than one package, the version information is extracted from the package with the highest version.

An attempt is also made to avoid cross-matching on the McAfee Endpoint Security Storage Protection product.
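
The package selection described above, as an added example (not the pattern's own code). The page does not say how Storage Protection is excluded or how versions are compared, so the name filter and the numeric comparison are assumptions; the package list is constructed.

```python
import re

# Package-name expressions from the Package Versioning section.
PACKAGE_RES = [
    r'(?i)^McAfee\s*Virus\s*Scan\s*(Enterprise)?$',
    r'(?i)McAfee\s+Endpoint\s+Security',
]
# Assumption: the page does not say how Storage Protection is excluded;
# this name filter is a stand-in for that check.
EXCLUDE_RE = r'(?i)Storage\s+Protection'

def version_key(version):
    """Compare dotted versions numerically, so 8.8.0.1804 > 8.8.0.975."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split('.'))

def package_version(packages):
    """Return the highest version among matching packages, or None."""
    hits = [
        ver for name, ver in packages
        if any(re.search(r, name) for r in PACKAGE_RES)
        and not re.search(EXCLUDE_RE, name)
    ]
    return max(hits, key=version_key) if hits else None

# Constructed package inventory (names and versions are illustrative).
SAMPLE_PACKAGES = [
    ('McAfee VirusScan Enterprise', '8.8.0.975'),
    ('McAfee VirusScan Enterprise', '8.8.0.1804'),
    ('McAfee Endpoint Security Storage Protection', '10.9.0.1'),
    ('McAfee Agent', '5.6.1.308'),
]
```

Comparing the version strings as text would pick 8.8.0.975 here, because "9" sorts after "1"; the numeric key avoids reporting an older build as the installed version.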

Application Model Produced by Software Pattern

Software Pattern Model

The pattern triggers on one of three processes, as shown in section Software Instance Triggers.

SI Depth

The pattern creates an Instance-Based (Deep) Software Instance, as our data shows that there can only be one instance of McAfee VirusScan running on a specific host. The key it uses to identify the Instance is based on process type (McAfee VirusScan) and host key.

Relationship Creation

Prime Processes

This pattern performs a search for all the processes running on the host, and then matches them against a set of regular expressions, listed below:

| Pattern Name | Regular Expression |
| --- | --- |
| McAfee VirusScan | (?i)\bvstskmgr\.exe$ |
| | (?i)\bVirusScan[^\\]*\\scan32\.exe$ |
| | (?i)\bmcshield\.exe$ |

All of the processes that match one of these regular expressions are then associated, as prime processes, to the Software Instance.

Related Processes

This pattern performs a search for all the processes running on the host, and then matches them against a set of regular expressions, listed below:

| Pattern Name | Regular Expression |
| --- | --- |
| McAfee VirusScan | (?i)\bshstat\.exe$ |
| | (?i)\bframeworkservice\.exe$ |
| | (?i)\bUpdaterUI\.exe$ |
| | (?i)\bmfeatp\.exe$ |

All of the processes that match one of these regular expressions are then associated, as related processes, to the Software Instance.

Subject Matter Expertise

Testing

We tested the processes related to McAfee VirusScan against record data concerning Windows platforms. This allowed us to verify that the pattern correctly triggers and versions the product with the Package method.

Information Sources

The McAfee VirusScan Enterprise official website provided valuable information as to where McAfee has directed its VirusScan product.

Open Issues


