MChalyy
Contributor
Message 1 of 4

Question about logs and bypass of McAfee

I'm looking for the log that McAfee produces when it is disabled, when a bypass is attempted, or when a bypass succeeds.

I didn't find that information in the documentation.

I'm trying to make a YARA rule to alert when McAfee is disabled, but I can't find the right logs.

3 Replies
Edward_Franso
Moderator
Message 2 of 4

Re: Question about logs and bypass of McAfee

Hi @MChalyy 

Greetings from McAfee,

We are sorry for the inconvenience caused. We request you to kindly share the OS details along with the McAfee version.

Alternatively, you can always contact chat support using the link below for immediate assistance.

McAfee Chat Support

Regards,
Edward Franso

MChalyy
Contributor
Message 3 of 4

Re: Question about logs and bypass of McAfee

My OS is W11 23H2 and the McAfee version is the latest one released.

Everything is updated.

Basit11
Contributor II
Message 4 of 4

Re: Question about logs and bypass of McAfee

Hi @MChalyy
When attempting to detect McAfee being disabled or bypassed, you may not find specific logs dedicated solely to these events in McAfee's documentation. However, you can look for indicators across various logs and system events that might suggest tampering or bypass attempts.

These indicators could include:

  1. Events in the Windows Event Viewer related to security software modifications or service status changes.
  2. Alerts from McAfee's own logs indicating changes to its protection status or services.
  3. Anomalies in system behavior, such as sudden performance drops or unexpected changes in network traffic patterns.
  4. Suspicious processes or activities identified by security monitoring tools or endpoint detection and response (EDR) systems.

To create a YARA rule for alerting on McAfee disablement, consider incorporating patterns or behaviors indicative of such events. This could include changes in registry keys, service statuses, or file modifications associated with McAfee's operation. Additionally, leveraging EDR solutions or SIEM platforms may provide more comprehensive monitoring and alerting capabilities for detecting McAfee bypass attempts or disablement events.
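As an added illustration of indicator 1 above (service status changes in the Windows System log), here is a small detector that classifies Service Control Manager events; this is example code, not from the original thread or from McAfee. The service-name patterns, event messages and sample records are constructed assumptions: confirm the real service names and message wording on your own host before relying on them.

```python
"""Flag Service Control Manager events suggesting an AV service was stopped
or set to disabled. Sample events are constructed; the service-name patterns
are assumptions, not verified McAfee service names."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumption: substrings identifying the vendor's services on this host.
AV_SERVICE_PATTERNS = re.compile(r"mcafee|mfe", re.IGNORECASE)

# Service Control Manager event IDs (Windows System log).
EVT_STATE_CHANGE = 7036       # "The X service entered the stopped state."
EVT_START_TYPE_CHANGE = 7040  # "The start type of the X service was changed ..."

STATE_RE = re.compile(r"The (.+?) service entered the (\w+) state\.")
START_TYPE_RE = re.compile(
    r"The start type of the (.+?) service was changed from (.+?) to (.+?)\.")


@dataclass
class Event:
    event_id: int
    provider: str
    message: str


def classify(ev: Event) -> Optional[str]:
    """Return an alert label for a suspicious SCM event, else None."""
    if ev.provider != "Service Control Manager":
        return None
    if ev.event_id == EVT_STATE_CHANGE:
        m = STATE_RE.match(ev.message)
        if m and AV_SERVICE_PATTERNS.search(m.group(1)) and m.group(2).lower() == "stopped":
            return f"av_service_stopped:{m.group(1)}"
    elif ev.event_id == EVT_START_TYPE_CHANGE:
        m = START_TYPE_RE.match(ev.message)
        if m and AV_SERVICE_PATTERNS.search(m.group(1)) and m.group(3).lower() == "disabled":
            return f"av_service_disabled:{m.group(1)}"
    return None


def scan(events: Iterable[Event]) -> List[str]:
    """Run classify() over a stream of events and keep only the alerts."""
    return [a for a in (classify(e) for e in events) if a]


# Constructed sample events (not real log output).
SAMPLE_EVENTS = [
    Event(7036, "Service Control Manager", "The Windows Update service entered the running state."),
    Event(7036, "Service Control Manager", "The McAfee Example Service service entered the stopped state."),
    Event(7040, "Service Control Manager", "The start type of the mfeExample service was changed from auto start to disabled."),
    Event(7036, "Service Control Manager", "The McAfee Example Service service entered the running state."),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

In practice the events would come from the System log (for example via a SIEM forwarder or Get-WinEvent) rather than the inline list, and a restart shortly after a stop, as in the last sample, is worth correlating rather than treating in isolation.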
