Troubleshooting procedure for finding possible infected files if a virus is not detected
Technical Articles ID:   KB53094
Last Modified:  3/9/2018


All McAfee desktop and server anti-virus products for Microsoft Windows


This article describes various procedures and locations to help you find suspicious files when an infection is not detected by your anti-virus products.

Possible symptoms include:
  • Suspicious computer behavior such as high CPU usage by unrecognized processes
  • Significantly increased network traffic or bandwidth usage
  • New services added or existing services removed
  • Unable to access network resources such as shared drives
  • Applications cease to function or files cannot be accessed
  • Unexpected registry keys added
  • Internet Explorer home page changed without permission
IMPORTANT: Because of the wide variety of malware and other threats, McAfee is unable to provide a list of all possible infection symptoms. If you suspect that your system is infected and the specific symptoms are not listed, still take all available precautions. Ensure that your DAT files are up to date and run an On-Demand Scan or command-line scan of your system. If the infection is not detected, follow the procedures in this article to collect suspicious file samples and submit them to McAfee Labs.
This article includes references to some third-party tools. For instructions on using them, McAfee recommends that you use the Help files for the third-party products.

Before you begin looking for suspicious files:
  1. Update your DAT files and ensure that you have the latest scanning engine.
  2. Ensure that you have the latest product patch or hotfix.
  3. Install the latest Microsoft security patches.
  4. Verify the scan settings for your products.
  5. Run a full On-Demand Scan with all scan settings enabled.
  6. Apply the latest Beta DAT files and run an On-Demand Scan.
If the On-Demand Scan still fails to detect any threats: 
  1. Search Windows configuration files for any suspicious entries.
  2. Search the startup programs group for any items or applications you do not recognize.
  3. Check common registry locations for suspicious entries.
  4. Use Windows Explorer to check common directory locations for malicious files.
  5. Check the Windows Scheduler for entries you do not recognize.
  6. Use additional McAfee and third-party tools to discover malicious activity.


Basic checks before contacting Technical Support:
Ensure that you use the latest DAT and Engine files
Download the current DAT and Engine from the Security Updates website:
  1. Obtain the latest security updates:
    To download a DAT, Engine, XDAT, or Stinger file, go to https://www.mcafee.com/enterprise/en-us/downloads/security-updates.html.

    You might need to download these files if your automated update fails, or if you want to use an Extra.DAT on an infected system.
  2. Click the DAT tab to download the latest DAT. The file is named dat-####.zip, where #### is the DAT version.
  3. Click the Engines tab to download the latest Engine.
  4. Check the Version column to identify the current released engine version.
Ensure that you use the latest available product patch or hotfix
  1. Determine the latest patch and hotfix level using the supported platforms article for your product, available here.
  2. Determine which patch or hotfix is installed. The way to determine varies from product to product, but typical methods include:
    • Right-click the product icon in the system tray and select About.
    • Open the product console and select Help, About.
    • Some products require a console command to determine if a patch is installed. See the relevant product documentation.
      For McAfee product documents, go to the Enterprise Product Documentation portal at https://docs.mcafee.com.

  3. Download and install the latest product patch. A combination of a product patch, DAT, and Engine update might be required to remove a virus.
    McAfee product software, upgrades, maintenance releases, and documentation are available from the Product Downloads site at: http://www.mcafee.com/us/downloads/downloads.aspx.

    NOTE: You need a valid Grant Number for access. KB56057 provides additional information about the Product Downloads site, and alternate locations for some products.
  4. Obtain the latest hotfix.
    Hotfixes are created to address specific issues and are not posted publicly, but are available by contacting Technical Support.

    To contact Technical Support, log on to the ServicePortal and go to the Create a Service Request page at https://support.mcafee.com/ServicePortal/faces/serviceRequests/createSR:
    • If you are a registered user, type your User Id and Password, and then click Log In.
    • If you are not a registered user, click Register and complete the required fields. Your password and logon instructions will be emailed to you.
Microsoft security patches
Install the latest Microsoft Security patches to prevent exploits of security vulnerabilities:
  1. For Windows updates, go to: http://update.microsoft.com/microsoftupdate/v6/muoptdefault.aspx?ln=en&returnurl=http://update.microsoft.com/microsoftupdate/v6/default.aspx?.
  2. Ensure that the latest patches and fixes are downloaded and installed. You can configure Windows to perform these actions automatically.  
Point product configuration
Verify that you have configured the On-Access and On-Demand Scanners to:
  • Scan for Spyware
  • Scan for Potentially Unwanted Programs
Verify that you have enabled the following options:
  • Heuristic scanning
  • Buffer Overflow Protection
  • Global Threat Intelligence at its highest sensitivity (see KB70130)

    Some of these options are available in VirusScan Enterprise only. See the product guide for your product for details and instructions.
    For McAfee product documents, go to the Enterprise Product Documentation portal at https://docs.mcafee.com.

Run an On-Demand Scan with all scan settings enabled
Perform a full On-Demand Scan of all files with the primary action set to Clean. See the product guide for your product for details about how to configure an On-Demand Scan. For VirusScan Enterprise, click Start, Programs, McAfee, On-Demand Scan, Start.

Run scan.exe with the latest Beta DAT files
If the On-Demand Scan and the standard DAT files do not detect the infection, it might be detected with the additional signatures in the Beta DAT files.
  1. Download the Beta DAT files from: http://www.mcafee.com/apps/mcafee-labs/beta/dat-file-updates.aspx.
  2. Apply the Beta DAT files:
    • Automatically (using the latest SuperDAT file executable):
      1. Start avvwin_xdatbeta.exe on the infected computer. The executable updates all products that use DAT files.
      2. After the update completes, run an On-Demand Scan on all drives or databases depending on the product. 
    • Manually (using latest DAT file):
      To manually update the DAT files for your product, see the relevant article for instructions. 
      SaaS Endpoint Protection KB53768
      Security for SharePoint
      VirusScan Enterprise


Locate suspicious files
Startup folders and registry locations are most likely to contain suspicious entries. Examine the following locations.

CAUTION: This article contains information about opening or modifying the registry.
  • The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.
  • Before proceeding, Technical Support strongly recommends that you back up your registry and understand the restore process. For more information, see: http://support.microsoft.com/kb/256986.
  • Do not run a REG file that is not confirmed to be a genuine registry import file.

System Configuration files:
  • Win.ini
    This file was used by earlier versions of Windows during system startup. With Windows 7 and later, details stored in this file are placed in the registry.
  • System.ini
    This file is a Windows initialization file used primarily with earlier versions of Windows. However, it is still read for backward compatibility in later versions of Windows.
  • Autoexec.bat
    This file is used during system startup, is retained on later versions of Windows for backward compatibility, and is stored in the root of the system drive. This batch file executes commands at startup.
  • Config.sys
    This file is a legacy Windows ASCII text file that contained configuration directives; its entries can be viewed using msconfig.
To view the system configuration using msconfig:
  1. Press Windows+R, type msconfig, and press ENTER.
  2. Examine the Startup items tab.
  3. Examine the win.ini and system.ini entries. 
Startup Group
When looking at folders, change the view to Details, and use the Date created column to arrange files: 
  • \documents and settings\all users\Start Menu\Programs\Startup
  • \winnt\profiles\all users\Start Menu\Programs\Startup
Registry Locations
Look at common registry locations that launch programs at startup and are often abused:


Malware specific:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System DisableRegistryTools

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System DisableRegistryTools

Directory locations often used by viruses
%ALLUSERSPROFILE%\Start Menu\Programs\Startup
%userprofile%\local settings\temp
%userprofile%\application data
%userprofile%\local settings\application data
C:\Program Files\
C:\Documents and Settings
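As an added example (not from this article and not a McAfee tool), the following PowerShell script reads the locations listed above and prints what it finds without changing anything: the legacy run=/load= and shell= hooks in win.ini and system.ini, the two Policies\System values, and files recently created in the Startup groups and profile directories, newest first, which mirrors the Date created view the article describes. It assumes PowerShell 5.1 or later on a supported Windows version and uses the modern equivalents of the legacy profile paths; Program Files and Documents and Settings are left out of the sweep because recursing them is slow.

```powershell
# Triage helper for the locations listed in this article. Read-only; nothing is modified.
$ErrorActionPreference = 'SilentlyContinue'

# 1. Legacy INI startup hooks: win.ini [windows] load=/run=, system.ini [boot] shell=
function Get-IniStartupHooks {
    $win = Join-Path $env:windir 'win.ini'
    if (Test-Path $win) {
        Get-Content $win | Where-Object { $_ -match '^\s*(load|run)\s*=\s*\S' } |
            ForEach-Object { [pscustomobject]@{ Source = 'win.ini'; Entry = $_.Trim() } }
    }
    $sys = Join-Path $env:windir 'system.ini'
    if (Test-Path $sys) {
        # Any shell other than the default explorer.exe deserves a closer look
        Get-Content $sys | Where-Object { $_ -match '^\s*shell\s*=' -and $_ -notmatch 'explorer\.exe\s*$' } |
            ForEach-Object { [pscustomobject]@{ Source = 'system.ini'; Entry = $_.Trim() } }
    }
}

# 2. The "malware specific" policy values: a non-zero value disables the named tool
function Get-DisabledAdminTools {
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "$hive`:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
        foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
            $v = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            if ($v) { [pscustomobject]@{ Key = $key; Value = $name; Data = $v } }
        }
    }
}

# 3. Startup groups and profile directories, files created in the last $Days days, newest first
function Get-RecentFiles([int]$Days = 7) {
    $dirs = @(
        [Environment]::GetFolderPath('CommonStartup'),   # all-users Startup group
        [Environment]::GetFolderPath('Startup'),         # current user's Startup group
        $env:TEMP,                                       # local settings\temp
        $env:APPDATA,                                    # application data
        $env:LOCALAPPDATA                                # local settings\application data
    )
    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $dirs -File -Recurse -Force -Depth 2 |
        Where-Object { $_.CreationTime -gt $since } |
        Sort-Object CreationTime -Descending |
        Select-Object CreationTime, Length, FullName
}

Get-IniStartupHooks   | Format-Table -AutoSize
Get-DisabledAdminTools | Format-Table -AutoSize
Get-RecentFiles        | Format-Table -AutoSize
```

Anything the script lists is a candidate for the sample collection step later in this article, not a confirmed infection; compare entries against software you know to be installed before treating them as suspicious.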

Analyze the registry for suspicious activity or malware
For details about the utilities referenced in the following steps, see KB72766.
  1. Use IceSword rootkit detector to analyze the registry.
  2. Click Start, McAfee, On-Demand Scan, Start to run an On-Demand Scan.
  3. If On-Demand Scanning fails to detect a threat, use the free FPort and Vision utilities to monitor activity.
    NOTE: The following third-party utilities can also be useful for logging malicious file activity:
    • Process Explorer
    • TCPView
    • ProcMon
    • Autoruns
    • RootkitRevealer 


Before you contact Technical Support
  1. Gather suspicious samples.
    Collect into one location any files that the methods listed above indicate are suspicious. Ensure that all sample files are included in a single password-protected .zip file. Set the password to infected.
  2. Submit samples to McAfee Labs.
    Upload the sample through the ServicePortal or Platinum Portal. For instructions, see KB68030.
  3. Collect and submit Minimum Escalation Requirements (MER) tool results for your products:
    1. Run the MER tool for your products. For details about the MER tool list for security products, see KB59385.
    2. Provide the Results.tgz file when you contact Technical Support.
