{"id":2869,"date":"2014-12-09T11:54:46","date_gmt":"2014-12-09T11:54:46","guid":{"rendered":"https:\/\/dn-www.azurewebsites.net\/2014\/12\/09\/disabling-mcafee-on-access-scanning\/"},"modified":"2024-02-06T12:18:13","modified_gmt":"2024-02-06T12:18:13","slug":"disabling-mcafee-on-access-scanning","status":"publish","type":"post","link":"https:\/\/dionach.com\/nl\/disabling-mcafee-on-access-scanning\/","title":{"rendered":"Disabling McAfee On-Access Scanning"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

In a recent internal penetration test I came across in a situation where although I was local administrator on a Windows server and I could not run Windows Credentials Editor (WCE) because it was detected as a malicious threat in the McAfee on-access scan, as you can see below:
\n<\/p>\n

The first thought was to disable it but for security reasons McAfee prevents Administrators from stopping the service:<\/p>\n

<\/p>\n

or killing the process:<\/p>\n

<\/p>\n

Then, I thought to stop McAfee directly but when I went to the McAfee console I noticed that it was password protected:<\/p>\n

<\/p>\n

After Googling a bit I discovered<\/a> that McAfee stores the hash of that password in the registry key. If the version of McAfee is 5.x then the password hash is in the format md5(unicode(password)), option “–format=md5u” in JTR. If the version of McAfee is 8.x then it is base64(sha1(unicode(“\\x01\\x0f\\x0d\\x33\u201d+password)). Contrary to the first format, by default JTR doesn\u2019t come with a format option for cracking that hash (base64(sha1(unicode(“\\x01\\x0f\\x0d\\x33″+password))) so you would need to edit your local.john.conf by adding a dynamic format. I have written both a Metasploit post module that grabs the hash from the registry key and the dynamic format which is necessary for cracking the hash version 8.x of McAfee.<\/p>\n

[22\/01\/2015] This module is now part of Metasploit master branch: mcafee_vse_hashdump.rb<\/a><\/b><\/p>\n

Installation<\/p>\n

mkdir -p ~\/.msf4\/modules\/post\/windows\/gather\/credentials\ncurl -O https:\/\/raw.githubusercontent.com\/m7x\/Metasploit-Modules\/master\/post\/windows\/gather\/credentials\/mcafee_hashdump.rb\ncurl https:\/\/raw.githubusercontent.com\/m7x\/stuff\/master\/john.local.conf >> your_john_path\/john.local.conf\n<\/pre>\n
Usage<\/p>\n
Once Meterpreter is running on the targeted machine and has enough permissions for accessing the registry key you can run the post exploitation module as shown below.
\n
\nThe module stores the hash in the Metasploit database which is a good place to keep all harvested credentials.
\n
\nFinally, you need to load the hash in john specifying the dynamic format and hope that the password or some variants are in your dictionary.
\n<\/p>\n
Obtaining clear-text passwords during a penetration test is always good since the same passwords might have been re-used in other systems and could let you to compromise other systems. However, if you have physical access to the target machine and you can reboot it (which is normally not possible during an assessment) you could enter in Safe Mode and set to blank the following registry key:<\/p>\n
HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\McAfee\\DesktopProtection\\UIP = \"\"<\/code><\/div>\n
And set this other one to 0:<\/p>\n
HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\McAfee\\DesktopProtection\\UIPMode = \"0\"<\/code><\/div>\n
This would let you open McAfee console without requiring a password.<\/p>\n
Troubleshooting<\/p>\n
If John returns the following error message when you are trying to crack the hash, use the option “-enc:8859-1”
\nThis format does not yet support other encodings than ISO-8859-1<\/code><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"
In a recent internal penetration test I came across in a situation where although I was local administrator on a Windows server and I could not run Windows Credentials Editor (WCE) because it was detected as a malicious threat in the McAfee on-access scan, as you can see below: The first thought was to disable […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"content-type":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[209],"class_list":["post-2869","post","type-post","status-publish","format-standard","hentry","category-researchblog","tag-infrastructure","wpbf-post"],"contentshake_article_id":"","yoast_head":"\nDisabling McAfee On-Access Scanning<\/title>\n<meta name=\"description\" content=\"In a recent internal penetration test I came across in a situation where although I was local administrator on a Windows server and I could not run\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/dionach.com\/nl\/disabling-mcafee-on-access-scanning\/\" \/>\n<meta property=\"og:locale\" content=\"nl_NL\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Disabling McAfee On-Access Scanning\" \/>\n<meta property=\"og:description\" content=\"In a recent internal penetration test I came across in a situation where although I was local administrator on a Windows server and I could not run\" \/>\n<meta property=\"og:url\" content=\"https:\/\/dionach.com\/nl\/disabling-mcafee-on-access-scanning\/\" \/>\n<meta property=\"og:site_name\" content=\"Dionach\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/dionachcyber\" \/>\n<meta property=\"article:published_time\" content=\"2014-12-09T11:54:46+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-02-06T12:18:13+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/i0.wp.com\/dionach.com\/wp-content\/uploads\/2025\/02\/cropped-Dionach-vertical-col-yel-nomios-black-1.jpg?fit=512%2C512&ssl=1\" \/>\n\t<meta property=\"og:image:width\" content=\"512\" \/>\n\t<meta property=\"og:image:height\" content=\"512\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Dionach Admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@dionachcyber\" \/>\n<meta name=\"twitter:site\" content=\"@dionachcyber\" \/>\n<meta name=\"twitter:label1\" content=\"Geschreven door\" \/>\n\t<meta name=\"twitter:data1\" content=\"Dionach Admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Geschatte leestijd\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minuten\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/dionach.com\/nl\/disabling-mcafee-on-access-scanning\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/dionach.com\/nl\/disabling-mcafee-on-access-scanning\/\"},\"author\":{\"name\":\"Dionach Admin\",\"@id\":\"https:\/\/dionach.com\/nl\/#\/schema\/person\/e73f3537233924cf4944f7807068b3c8\"},\"headline\":\"Disabling McAfee On-Access Scanning\",\"datePublished\":\"2014-12-09T11:54:46+00:00\",\"dateModified\":\"2024-02-06T12:18:13+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/dionach.com\/nl\/disabling-mcafee-on-access-scanning\/\"},\"wordCount\":423,\"publisher\":{\"@id\":\"https:\/\/dionach.com\/nl\/#organization\"},\"keywords\":[\"infrastructure\"],\"articleSection\":[\"researchblog\"],\"inLanguage\":\"nl-NL\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/dionach.com\/nl\/disabling-mcafee-on-access-scanning\/\",\"url\":\"https:\/\/dionach.com\/nl\/disabling-mcafee-on-access-scanning\/\",\"name\":\"Disabling McAfee On-Access Scanning\",\"isPartOf\":{\"@id\":\"https:\/\/dionach.com\/nl\/#website\"},\"datePublished\":\"2014-12-09T11:54:46+00:00\",\"dateModified\":\"2024-02-06T12:18:13+00:00\",\"description\":\"In a recent internal penetration test I came across in a situation where although I was local administrator on a Windows server and I could not run\",\"breadcrumb\":{\"@id\":\"https:\/\/dionach.com\/nl\/disabling-mcafee-on-access-scanning\/#breadcrumb\"},\"inLanguage\":\"nl-NL\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/dionach.com\/nl\/disabling-mcafee-on-access-scanning\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/dionach.com\/nl\/disabling-mcafee-on-access-scanning\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/dionach.com\/nl\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Disabling McAfee On-Access Scanning\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/dionach.com\/nl\/#website\",\"url\":\"https:\/\/dionach.com\/nl\/\",\"name\":\"Dionach\",\"description\":\"Real Security in a Virtual World\",\"publisher\":{\"@id\":\"https:\/\/dionach.com\/nl\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/dionach.com\/nl\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"nl-NL\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/dionach.com\/nl\/#organization\",\"name\":\"Dionach\",\"url\":\"https:\/\/dionach.com\/nl\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"nl-NL\",\"@id\":\"https:\/\/dionach.com\/nl\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.dionach.com\/wp-content\/uploads\/2025\/02\/cropped-Dionach-vertical-col-yel-nomios-black-1.jpg\",\"contentUrl\":\"https:\/\/www.dionach.com\/wp-content\/uploads\/2025\/02\/cropped-Dionach-vertical-col-yel-nomios-black-1.jpg\",\"width\":512,\"height\":512,\"caption\":\"Dionach\"},\"image\":{\"@id\":\"https:\/\/dionach.com\/nl\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/dionachcyber\",\"https:\/\/x.com\/dionachcyber\",\"https:\/\/uk.linkedin.com\/company\/dionach-ltd\",\"https:\/\/www.instagram.com\/dionachcyber\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/dionach.com\/nl\/#\/schema\/person\/e73f3537233924cf4944f7807068b3c8\",\"name\":\"Dionach Admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"nl-NL\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/3061726a64a760303f6ea8f0976d3e8e0a6997b4da543be9a650b81584b4e79e?s=96&d=mm&r=g\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/3061726a64a760303f6ea8f0976d3e8e0a6997b4da543be9a650b81584b4e79e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/3061726a64a760303f6ea8f0976d3e8e0a6997b4da543be9a650b81584b4e79e?s=96&d=mm&r=g\",\"caption\":\"Dionach Admin\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Disabling McAfee On-Access Scanning","description":"In a recent internal penetration test I came across in a situation where although I was local administrator on a Windows server and I could not run","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/dionach.com\/nl\/disabling-mcafee-on-access-scanning\/","og_locale":"nl_NL","og_type":"article","og_title":"Disabling McAfee On-Access Scanning","og_description":"In a recent internal penetration test I came across in a situation where although I was local administrator on a Windows server and I could not run","og_url":"https:\/\/dionach.com\/nl\/disabling-mcafee-on-access-scanning\/","og_site_name":"Dionach","article_publisher":"https:\/\/www.facebook.com\/dionachcyber","article_published_time":"2014-12-09T11:54:46+00:00","article_modified_time":"2024-02-06T12:18:13+00:00","og_image":[{"width":512,"height":512,"url":"https:\/\/i0.wp.com\/dionach.com\/wp-content\/uploads\/2025\/02\/cropped-Dionach-vertical-col-yel-nomios-black-1.jpg?fit=512%2C512&ssl=1","type":"image\/jpeg"}],"author":"Dionach Admin","twitter_card":"summary_large_image","twitter_creator":"@dionachcyber","twitter_site":"@dionachcyber","twitter_misc":{"Geschreven door":"Dionach Admin","Geschatte leestijd":"4 minuten"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/dionach.com\/nl\/disabling-mcafee-on-access-scanning\/#article","isPartOf":{"@id":"https:\/\/dionach.com\/nl\/disabling-mcafee-on-access-scanning\/"},"author":{"name":"Dionach Admin","@id":"https:\/\/dionach.com\/nl\/#\/schema\/person\/e73f3537233924cf4944f7807068b3c8"},"headline":"Disabling McAfee On-Access Scanning","datePublished":"2014-12-09T11:54:46+00:00","dateModified":"2024-02-06T12:18:13+00:00","mainEntityOfPage":{"@id":"https:\/\/dionach.com\/nl\/disabling-mcafee-on-access-scanning\/"},"wordCount":423,"publisher":{"@id":"https:\/\/dionach.com\/nl\/#organization"},"keywords":["infrastructure"],"articleSection":["researchblog"],"inLanguage":"nl-NL"},{"@type":"WebPage","@id":"https:\/\/dionach.com\/nl\/disabling-mcafee-on-access-scanning\/","url":"https:\/\/dionach.com\/nl\/disabling-mcafee-on-access-scanning\/","name":"Disabling McAfee On-Access Scanning","isPartOf":{"@id":"https:\/\/dionach.com\/nl\/#website"},"datePublished":"2014-12-09T11:54:46+00:00","dateModified":"2024-02-06T12:18:13+00:00","description":"In a recent internal penetration test I came across in a situation where although I was local administrator on a Windows server and I could not run","breadcrumb":{"@id":"https:\/\/dionach.com\/nl\/disabling-mcafee-on-access-scanning\/#breadcrumb"},"inLanguage":"nl-NL","potentialAction":[{"@type":"ReadAction","target":["https:\/\/dionach.com\/nl\/disabling-mcafee-on-access-scanning\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/dionach.com\/nl\/disabling-mcafee-on-access-scanning\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/dionach.com\/nl\/"},{"@type":"ListItem","position":2,"name":"Disabling McAfee On-Access Scanning"}]},{"@type":"WebSite","@id":"https:\/\/dionach.com\/nl\/#website","url":"https:\/\/dionach.com\/nl\/","name":"Dionach","description":"Real Security in a Virtual World","publisher":{"@id":"https:\/\/dionach.com\/nl\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/dionach.com\/nl\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"nl-NL"},{"@type":"Organization","@id":"https:\/\/dionach.com\/nl\/#organization","name":"Dionach","url":"https:\/\/dionach.com\/nl\/","logo":{"@type":"ImageObject","inLanguage":"nl-NL","@id":"https:\/\/dionach.com\/nl\/#\/schema\/logo\/image\/","url":"https:\/\/www.dionach.com\/wp-content\/uploads\/2025\/02\/cropped-Dionach-vertical-col-yel-nomios-black-1.jpg","contentUrl":"https:\/\/www.dionach.com\/wp-content\/uploads\/2025\/02\/cropped-Dionach-vertical-col-yel-nomios-black-1.jpg","width":512,"height":512,"caption":"Dionach"},"image":{"@id":"https:\/\/dionach.com\/nl\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/dionachcyber","https:\/\/x.com\/dionachcyber","https:\/\/uk.linkedin.com\/company\/dionach-ltd","https:\/\/www.instagram.com\/dionachcyber\/"]},{"@type":"Person","@id":"https:\/\/dionach.com\/nl\/#\/schema\/person\/e73f3537233924cf4944f7807068b3c8","name":"Dionach Admin","image":{"@type":"ImageObject","inLanguage":"nl-NL","@id":"https:\/\/secure.gravatar.com\/avatar\/3061726a64a760303f6ea8f0976d3e8e0a6997b4da543be9a650b81584b4e79e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/3061726a64a760303f6ea8f0976d3e8e0a6997b4da543be9a650b81584b4e79e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/3061726a64a760303f6ea8f0976d3e8e0a6997b4da543be9a650b81584b4e79e?s=96&d=mm&r=g","caption":"Dionach Admin"}}]}},"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/ph4Ojq-Kh","_links":{"self":[{"href":"https:\/\/dionach.com\/nl\/wp-json\/wp\/v2\/posts\/2869","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dionach.com\/nl\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dionach.com\/nl\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dionach.com\/nl\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dionach.com\/nl\/wp-json\/wp\/v2\/comments?post=2869"}],"version-history":[{"count":0,"href":"https:\/\/dionach.com\/nl\/wp-json\/wp\/v2\/posts\/2869\/revisions"}],"wp:attachment":[{"href":"https:\/\/dionach.com\/nl\/wp-json\/wp\/v2\/media?parent=2869"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dionach.com\/nl\/wp-json\/wp\/v2\/categories?post=2869"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dionach.com\/nl\/wp-json\/wp\/v2\/tags?post=2869"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}