Jan 16, 2013 - Add Anti-Virus Policy Exceptions; Disable Anti-Virus via the GUI. Prevent anti-virus from running by setting a custom debugger in the registry. McAfee Anti Virus Unlock User Interface. Easier solution is to write a known MD5 hash to this registry. Single Sign on for the user interface unlock. Mar 5, 2016 - Files News Users Authors. McAfee VirusScan Enterprise versions 8.8 and below suffer from a. Tags exploit, bypass: MD5 cce81076c310ea79fe77a1: Download Favorite Comments (0). Security restrictions and disable the antivirus engine. Close all the handles of this registry key.

I needed to change a few settings on a McAfee VirusScan Enterprise 8.7.Oi client. However there was a password protection in place that locks the user interface and nobody around that could tell me the password. So what to do? Right, we check out where this password is stored and how we can get rid of it!

I openend vsplugin.dll in Ida Pro and searched for related strings such as password, lock etc. I found out that vsplugin. Pds Excel Password Recovery 5.5 Crack. dll calls some interesting exports in shutil.dll called UIP, UiLockInfoLoad1 and UiLockInfoValidate1. I searched further in shutil.dll and concluded that the password is stored in the UIP value under HKLM Software McAfee DesktopProtection registry key. The value is an of the password so we cannot decrypt it. So I tried one of the many MD5 hash databases on the net but I couldn’t find the original string for the password. This happens because the MD5 hash tables are all based on and McAfee uses a string type.

Eg the word password would be stored like this in hex: We can of course build our own Unicode hash/rainbow table but an easier solution is to write a known MD5 hash to this registry value. For instance the MD5 hash for the Unicode string password is: b081dbe85e1ec3ffc3d4e7d0227400cd. Another bypass would be to delete the UIP value and set the UIPMode to 0 which disables the user interface password completely. Note that when an EPO server is in place it will always periodically overwrite the settings with those defined in it’s policies. I’ve also seen that shutil.dll exports a function called UiLockInfoValidate1.

This functions checks if the given MD5 hash exists in the Global Atom Table in the from UIP. The Atom seems to be used as a Single Sign on for the user interface unlock. Once you’ve entered the password in one module, it will also unlock the other modules. Possibly we could abuse this system by writing our own hash to the Global Atom Table but I didn’t investigate this further.