
Trellix Endpoint Security - Documentation for BMC Discovery content reference

Author: Ethan Hayes

Published: Apr 07, 2026

Product name: Trellix Endpoint Security
Publisher page: Trellix
Category: Secure Content and Threat Management
Release: TKU 2023-Nov-1
Publisher link:

McAfee branched its VirusScan product into several products, each aimed at a specific computing environment: home, small business, or enterprise. This pattern covers the product called Trellix Endpoint Security (formerly McAfee VirusScan Enterprise), which targets enterprise business and combines virus detection and removal, intrusion prevention and firewall technology in a single solution for PCs and file servers.

This documentation describes the model for the Windows version. The Linux version is documented on a separate page.

Product Component | OS Type | Versioning | Pattern Depth
VirusScan         | Windows | Package    | Instance-based

The pattern identifies instances of Trellix Endpoint Security on the Windows platform.

Software Instance Triggers

Product Component         | OS Type | Trigger Node      | Attribute | Condition | Argument
Trellix Endpoint Security | Windows | DiscoveredProcess | cmd       | matches   | one of the regular expressions below

regex '(?i)\bvstskmgr\.exe$'

or

regex '(?i)\bVirusScan[^\\]*\\scan32\.exe$'

or

regex '(?i)\bmcshield\.exe$'

Simple Identification Mappings

The pattern identifies the following processes at two levels. Each process listed below is identified through a Simple Identifier, and in addition it is modeled within the full Software Instance for Trellix Endpoint Security (see Software Pattern Model below for details of the approach taken to model this product).

There are Simple Identifiers for the following processes:

Component Name                                                              | OS Type | Command
Alert Manager                                                               | Windows | (?i)\bamgrsrvc\.exe$
VirusScan Framework Service                                                 | Windows | (?i)\bframeworkservice\.exe$
Trellix Endpoint Security On-demand Virus Scanner process                   | Windows | (?i)\bVirusScan[^\\]*\\scan32\.exe$
Trellix Endpoint Security Shield (Internet Security On-Access scanner)      | Windows | (?i)\bmcshield\.exe$
Trellix Endpoint Security Updater UI                                        | Windows | (?i)\bUpdaterUI\.exe$
Trellix Endpoint Security Enterprise Console                                | Windows | (?i)\bmcconsol\.exe$
Trellix Endpoint Security Shstat                                            | Windows | (?i)\bshstat\.exe$
Trellix Endpoint Security Task Manager                                      | Windows | (?i)\bvstskmgr\.exe$
Error Reporting Service                                                     | Windows | (?i)\btbmon\.exe$
Common Framework Script Engine                                              | Windows | (?i)\bmcscript_inuse\.exe$
ePolicy Orchestrator Product Manager                                        | Windows | (?i)\bnaprdmgr\.exe$
ePolicy Orchestrator System Compliance Profiler Microsoft Patch Scan        | Windows | (?i)\bptchscan\.exe$
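The following script is an added example, not code from the BMC Discovery pattern or from Trellix. It runs the trigger expressions from Software Instance Triggers and the Simple Identifier expressions above over a constructed set of process paths, so you can see which paths start the pattern and which only get a Simple Identifier. It assumes, as BMC Discovery does, that the cmd attribute holds the executable path with the arguments kept separately (which is why every expression can end in $). The sample paths are constructed, not captured from a host.

```python
import re

# Trigger expressions from the Software Instance Triggers section.
TRIGGERS = [
    r'(?i)\bvstskmgr\.exe$',
    r'(?i)\bVirusScan[^\\]*\\scan32\.exe$',
    r'(?i)\bmcshield\.exe$',
]

# Simple Identifier expressions and the component each one names
# (component names shortened from the table above).
SIMPLE_IDENTIFIERS = [
    ('Alert Manager', r'(?i)\bamgrsrvc\.exe$'),
    ('VirusScan Framework Service', r'(?i)\bframeworkservice\.exe$'),
    ('On-demand Virus Scanner', r'(?i)\bVirusScan[^\\]*\\scan32\.exe$'),
    ('Shield (On-Access scanner)', r'(?i)\bmcshield\.exe$'),
    ('Updater UI', r'(?i)\bUpdaterUI\.exe$'),
    ('Enterprise Console', r'(?i)\bmcconsol\.exe$'),
    ('Shstat', r'(?i)\bshstat\.exe$'),
    ('Task Manager', r'(?i)\bvstskmgr\.exe$'),
    ('Error Reporting Service', r'(?i)\btbmon\.exe$'),
    ('Common Framework Script Engine', r'(?i)\bmcscript_inuse\.exe$'),
    ('ePO Product Manager', r'(?i)\bnaprdmgr\.exe$'),
    ('ePO System Compliance Profiler Patch Scan', r'(?i)\bptchscan\.exe$'),
]

_TRIGGERS = [re.compile(p) for p in TRIGGERS]
_IDENTIFIERS = [(name, re.compile(p)) for name, p in SIMPLE_IDENTIFIERS]


def classify(cmd):
    """Return (component name or None, is_trigger) for one process path.

    cmd is the executable path as stored in DiscoveredProcess.cmd; the
    arguments are a separate attribute, so the $ anchors are safe.
    """
    component = next((name for name, rx in _IDENTIFIERS if rx.search(cmd)), None)
    is_trigger = any(rx.search(cmd) for rx in _TRIGGERS)
    return component, is_trigger


def classify_all(cmds):
    return {cmd: classify(cmd) for cmd in cmds}


# Constructed sample paths (assumed install layout, not captured from a host).
SAMPLE_CMDS = [
    r'C:\Program Files (x86)\McAfee\VirusScan Enterprise\scan32.exe',
    r'C:\Program Files (x86)\McAfee\VirusScan Enterprise\mcshield.exe',
    r'C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe',
    r'C:\Temp\scan32.exe',             # scan32.exe outside a VirusScan* directory: no match
    r'C:\VirusScan\tools\scan32.exe',  # [^\\]* cannot cross the extra directory: no match
    r'C:\Users\Public\MCSHIELD.EXE',   # the mcshield trigger is not path-restricted
]

if __name__ == '__main__':
    for cmd, (component, trig) in classify_all(SAMPLE_CMDS).items():
        print(f'{"TRIGGER" if trig else "       "} {component or "-":45} {cmd}')
```

Two things worth noticing in the output: the scan32 expression only fires when scan32.exe sits directly inside a directory whose name begins with VirusScan, whereas the vstskmgr and mcshield expressions fire on a file of that name anywhere on disk, so a stray or renamed binary with one of those names will create a Software Instance. When validating the pattern, check that the path of the triggering process is the expected install directory.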

Registry Versioning

The pattern searches for a registry key with the following path and value:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Application Plugins\<product code>\Product Name

  • The value has the subword "McAfee VirusScan"

Once this key has been found, the pattern knows the value of <product code>. It uses that product code to read the version and DAT version from the following two registry values:

  • Version: HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Application Plugins\<product code>\Version

  • DAT Version: HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Application Plugins\<product code>\DATVersion

Note that the Product Name path includes the Wow6432Node redirection while the Version and DATVersion paths do not. WOW64 registry redirection places keys written by a 32-bit process under Wow6432Node, so when checking a host by hand, look under both paths.
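The following script is an added example, not code from the BMC Discovery pattern. It implements the lookup described above: enumerate the Application Plugins subkeys, find the product code whose Product Name contains "McAfee VirusScan", then read Version and DATVersion from that product code's key. The registry access is passed in as two callables so the logic runs offline against a constructed snapshot and on a Windows host against winreg. Searching both the Wow6432Node and the native base is an assumption made here, not something the page states; the product codes, version strings and "has subword" approximation are likewise assumptions.

```python
import re

# Registry bases from the Registry Versioning section. The page lists the
# Product Name lookup under Wow6432Node and the Version/DATVersion values
# without it; searching both is an assumption made in this example.
PLUGIN_BASES = (
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Application Plugins',
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Application Plugins',
)

# Approximation of the pattern language's "has subword" test: the words
# "McAfee VirusScan" must appear bounded by non-word characters.
PRODUCT_NAME_SUBWORD = re.compile(r'\bMcAfee VirusScan\b')


def find_virusscan_versions(enum_subkeys, read_value):
    """Locate the VirusScan ePO plugin; return (product_code, version, dat_version).

    enum_subkeys(key) -> list of subkey names under key
    read_value(key, value_name) -> string value, or None if absent
    Returns None when no plugin's Product Name contains "McAfee VirusScan".
    """
    for base in PLUGIN_BASES:
        for product_code in enum_subkeys(base):
            plugin_key = base + '\\' + product_code
            name = read_value(plugin_key, 'Product Name')
            if name and PRODUCT_NAME_SUBWORD.search(name):
                return (product_code,
                        read_value(plugin_key, 'Version'),
                        read_value(plugin_key, 'DATVersion'))
    return None


# Offline backend: a constructed registry snapshot (product codes and
# version strings are made up for the example, not taken from a host).
FAKE_REGISTRY = {
    PLUGIN_BASES[0] + r'\EPOAGENT3000': {
        'Product Name': 'McAfee Agent',
        'Version': '5.7.9.139',
    },
    PLUGIN_BASES[0] + r'\VIRUSCAN8800': {
        'Product Name': 'McAfee VirusScan Enterprise',
        'Version': '8.8.0.2190',
        'DATVersion': '10836.0000',
    },
}


def fake_enum_subkeys(key):
    prefix = key + '\\'
    return sorted({k[len(prefix):].split('\\')[0] for k in FAKE_REGISTRY if k.startswith(prefix)})


def fake_read_value(key, value_name):
    return FAKE_REGISTRY.get(key, {}).get(value_name)


# Live backend for a Windows host, using the standard-library winreg module.
def winreg_enum_subkeys(key):
    import winreg
    names = []
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key.split('\\', 1)[1]) as h:
            while True:
                names.append(winreg.EnumKey(h, len(names)))  # OSError past the last subkey
    except OSError:
        pass
    return names


def winreg_read_value(key, value_name):
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key.split('\\', 1)[1]) as h:
            return str(winreg.QueryValueEx(h, value_name)[0])
    except OSError:
        return None


if __name__ == '__main__':
    # On a Windows host swap in winreg_enum_subkeys / winreg_read_value.
    print(find_virusscan_versions(fake_enum_subkeys, fake_read_value))
```

Because the plugin key is located by Product Name rather than by a fixed product code, a host carrying several ePO plugins (the agent, Endpoint Security modules, VirusScan) still resolves to the right one; the first match wins, so a second plugin whose name also contains "McAfee VirusScan" would be silently ignored.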

Package Versioning

Atrium Discovery searches the installed packages and tries to match their names against the following regular expressions:

  • (?i)^McAfee\s*Virus\s*Scan\s*(Enterprise)?$
  • (?i)(Trellix|McAfee)\s+Endpoint\s+Security

When it finds a match, it extracts the version of Trellix Endpoint Security from the package information. Should more than one package match, the version is taken from the package with the highest version.

The second expression is not anchored, so the pattern also takes steps to avoid cross-matching on the McAfee Endpoint Security Storage Protection product.

Build

If a version 10 release has been detected, the pattern also needs the build number from the Windows Registry to decide whether the product's publisher should be set to McAfee (build <= 3468) or Trellix (build > 3468). It searches for the following registry values:

  • HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\Endpoint\Common\BuildNumber
  • HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\Endpoint\AV\BuildNumber
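The following script is an added example, not code from the BMC Discovery pattern. It covers both the Package Versioning and the Build sections above: it applies the two package-name expressions to a constructed package list, drops the Storage Protection cross-match, picks the highest version by numeric comparison, and then applies the build-number cutoff to choose the publisher. The exclusion expression, the version-comparison rule, the sample package names and the build value are assumptions made for the example; the page does not say how the pattern implements the Storage Protection exclusion or compares versions.

```python
import re

# Package-name expressions from the Package Versioning section.
PACKAGE_PATTERNS = [
    re.compile(r'(?i)^McAfee\s*Virus\s*Scan\s*(Enterprise)?$'),
    re.compile(r'(?i)(Trellix|McAfee)\s+Endpoint\s+Security'),
]

# The second expression is unanchored and would also match Storage
# Protection; this exclusion is an assumed way of reproducing the
# cross-match avoidance the page describes.
CROSS_MATCH_EXCLUDE = re.compile(r'(?i)Endpoint\s+Security\s+Storage\s+Protection')

# Build number at which the publisher changes from McAfee to Trellix (version 10 only).
PUBLISHER_BUILD_CUTOFF = 3468


def version_key(version):
    """Compare dotted versions numerically: '10.7.0.1' sorts after
    '8.8.0.2190', which a plain string comparison gets backwards."""
    return tuple(int(part) if part.isdigit() else 0 for part in version.split('.'))


def select_package(packages):
    """packages: iterable of (name, version) as discovered on the host.
    Returns the matching (name, version) with the highest version, or None."""
    candidates = [
        (name, version) for name, version in packages
        if any(rx.search(name) for rx in PACKAGE_PATTERNS)
        and not CROSS_MATCH_EXCLUDE.search(name)
    ]
    if not candidates:
        return None
    return max(candidates, key=lambda item: version_key(item[1]))


def publisher_for(version, build_number):
    """Build section rule: for a version 10 release, build <= 3468 is McAfee
    and anything later is Trellix. The page defines no build-based rule for
    other versions, so those return None."""
    if version_key(version)[0] != 10 or build_number is None:
        return None
    return 'McAfee' if build_number <= PUBLISHER_BUILD_CUTOFF else 'Trellix'


def version_product(packages, build_number):
    """Combine both steps: which package supplies the version, and which publisher applies."""
    chosen = select_package(packages)
    if chosen is None:
        return None
    name, version = chosen
    return {'package': name, 'version': version,
            'publisher': publisher_for(version, build_number)}


# Constructed sample of installed packages (assumed names and versions, not
# taken from a host). A host mid-migration can carry both the old VirusScan
# Enterprise package and the newer Endpoint Security packages.
SAMPLE_PACKAGES = [
    ('McAfee VirusScan Enterprise', '8.8.0.2190'),
    ('McAfee Endpoint Security Platform', '10.7.0.2236'),
    ('McAfee Endpoint Security Threat Prevention', '10.7.0.1260'),
    ('McAfee Endpoint Security Storage Protection', '2.2.0.189'),
    ('McAfee Agent', '5.7.9.139'),
]

if __name__ == '__main__':
    # build_number would be read from HKLM\SOFTWARE\McAfee\Endpoint\Common\BuildNumber
    # or ...\AV\BuildNumber; 3500 is a constructed value.
    print(version_product(SAMPLE_PACKAGES, 3500))
```

The numeric comparison matters here: with a string comparison, "8.8.0.2190" sorts above "10.7.0.2236" and the host would be versioned as the old VirusScan Enterprise release even though version 10 is installed.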

Software Pattern Model

The pattern triggers on one of three processes, as shown in section Software Instance Triggers.

SI Depth

The pattern creates an Instance-Based (Deep) Software Instance, as our data shows that there can only be one instance of McAfee VirusScan running on a specific host. The key it uses to identify the Instance is based on process type (McAfee VirusScan) and host key.

Relationship Creation

Prime Processes

This pattern performs a search for all the processes running on the host, and then matches them against a set of regular expressions, listed below:

Pattern Name     | Regular Expression
McAfee VirusScan | (?i)\bvstskmgr\.exe$
                 | (?i)\bVirusScan[^\\]*\\scan32\.exe$
                 | (?i)\bmcshield\.exe$

All of the processes that match one of these regular expressions are then associated, as prime processes, to the Software Instance.

Related Processes

This pattern performs a search for all the processes running on the host, and then matches them against a set of regular expressions, listed below:

Pattern Name     | Regular Expression
McAfee VirusScan | (?i)\bshstat\.exe$
                 | (?i)\bframeworkservice\.exe$
                 | (?i)\bUpdaterUI\.exe$
                 | (?i)\bmfeatp\.exe$

All of the processes that match one of these regular expressions are then associated, as related processes, to the Software Instance.

The processes associated with McAfee VirusScan were tested against recorded data from Windows platforms. This verified that the pattern triggers correctly and versions the product with the Package method.

The McAfee VirusScan Enterprise official website (page fragment: virus/file servers desktops/virusscan enterprise 80i.html) provided valuable information about where McAfee has directed its VirusScan product.