CVE-2016-3984

MEDIUM

McAfee Active Response < 1.1.0.161 - Local Administrator Bypass of Self-Protection via Registry Key Modification

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-3984. PoCs published by Maurizio Agazzini.

AI-analyzed exploit summary: This exploit bypasses McAfee VirusScan Enterprise's password protection by directly manipulating registry keys and interacting with the WGUARDNT device driver. It allows a local administrator to disable the antivirus engine without knowing the management password.

Description

The McAfee VirusScan Console (mcconsol.exe) in McAfee Active Response (MAR) before 1.1.0.161, Agent (MA) 5.x before 5.0.2 Hotfix 1110392 (5.0.2.333), Data Exchange Layer 2.x (DXL) before 2.0.1.140.1, Data Loss Prevention Endpoint (DLPe) 9.3 before Patch 6 and 9.4 before Patch 1 HF3, Device Control (MDC) 9.3 before Patch 6 and 9.4 before Patch 1 HF3, Endpoint Security (ENS) 10.x before 10.1, Host Intrusion Prevention Service (IPS) 8.0 before 8.0.0.3624, and VirusScan Enterprise (VSE) 8.8 before P7 (8.8.0.1528) on Windows allows local administrators to bypass intended self-protection rules and disable the antivirus engine by modifying registry keys.

Exploits (1)

exploitdb WORKING POC
by Maurizio Agazzini · c · local · windows
https://www.exploit-db.com/exploits/39531

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: McAfee VirusScan Enterprise 8.8 and prior versions
Auth required
Prerequisites: Local administrator privileges on the target system
devstral-2 · analyzed Feb 18, 2026

References (5)

Core References
Exploit exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/39531/
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1035130
Mailing List mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2016/Mar/13

Scores

CVSS v3 5.1
EPSS 0.0113
EPSS Percentile 62.2%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H

Details

CWE: CWE-284
Status: published
Products (8)
mcafee/active_response < 1.1.0.158
mcafee/agent < 5.0.2.285
mcafee/data_exchange_layer < 2.0.0.430.1
mcafee/data_loss_prevention_endpoint < 9.3.0
mcafee/data_loss_prevention_endpoint < 9.4.0
mcafee/endpoint_security < 10.0.1
mcafee/host_intrusion_prevention < 8.0.0
mcafee/virusscan_enterprise < 8.8.0
Published Apr 08, 2016
Tracked Since Feb 18, 2026