Outsmarting McAfee VirusScan
----------------------------
By forensic
-----------

McAfee has an EXCLUSIONS property which allows the virus scanner to EXCLUDE
certain folders or files from being scanned.

Registry Key and Values responsible for this:

HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\VirusScan\McShield\CurrentVersion\

    ExcludedItem_0    "|pagefile.sys|48|0"
    ExcludedItem_1    "C:\Program Files\Network Associates\VirusScan NT\||48|1"
    NumExcludeItems   0x00000002 (2)

Registry "String Values"

    ExcludedItem_0    "|pagefile.sys|48|0"
    [File pagefile.sys with options EXCLUDE FROM: "inbound" and "outbound"]

    ExcludedItem_1    "C:\Program Files\Network Associates\VirusScan NT\||48|1"
    [Directory C:\Program Files\Network Associates\VirusScan NT\ with options
     EXCLUDE FROM: "inbound" and "outbound" & excludes "subfolders"]

Registry "DWORD Value"

    NumExcludeItems   0x00000002 (2)
    [Number of Items on Exclude list]

Default EXCLUSIONS are found in the Registry Key:

HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\VirusScan\DefaultTask\

Problem:

Virii Creators would be able to create viruses to bypass McAfee's VirusScan,
and Trojans (e.g. NetBus or BO) would be able to roam around freely on
NT Servers and Workstations while the Administrator thinks he is Virus Free
because good old McAfee is watching ;)

Exploit:

By default, just make the trojan installer or whatever extract to
C:\Program Files\Network Associates\VirusScan NT\ and execute... or you could
add your own ExcludedItem to the registry and dunk your trojan in the created
excluded directory.
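
Added example (not part of the original advisory): a defender-side audit that parses a text dump of the exclusion values in the "dir|file|options|subfolders" layout annotated above and reports directory-wide exclusions, entries outside a baseline, and a NumExcludeItems count that disagrees with the entries present. The dump layout, ExcludedItem_2, C:\Temp\ and the baseline set are assumptions constructed for illustration.

```python
import re

# Constructed dump: items 0-1 are the advisory's values, item 2 is made up.
SAMPLE = r'''
ExcludedItem_0 "|pagefile.sys|48|0"
ExcludedItem_1 "C:\Program Files\Network Associates\VirusScan NT\||48|1"
ExcludedItem_2 "C:\Temp\||48|1"
NumExcludeItems 0x00000002 (2)
'''

# Assumed baseline: the two entries the advisory lists, lower-cased.
BASELINE = {("", "pagefile.sys"),
            ("c:\\program files\\network associates\\virusscan nt\\", "")}
ITEM = re.compile(r'^(ExcludedItem_\d+)\s+"(.*)"\s*$')
COUNT = re.compile(r'^NumExcludeItems\s+"?0x([0-9a-fA-F]+)')


def parse_item(data):
    """Split 'directory|file|options|subfolders' as annotated in the advisory."""
    parts = data.split("|")  # '|' cannot occur inside a Windows path
    if len(parts) != 4:
        raise ValueError("unexpected exclusion format: %r" % data)
    directory, filename, options, subfolders = parts
    return {"dir": directory, "file": filename,
            "options": int(options), "subfolders": subfolders == "1"}


def audit(text):
    """Return (findings, items) for a dump of the exclusion values."""
    items, declared, findings = {}, None, []
    for line in text.splitlines():
        m = ITEM.match(line.strip())
        c = COUNT.match(line.strip())
        if m:
            items[m.group(1)] = parse_item(m.group(2))
        elif c:
            declared = int(c.group(1), 16)
    if declared is not None and declared != len(items):
        findings.append("count mismatch: NumExcludeItems=%d, entries=%d"
                        % (declared, len(items)))
    for name, it in sorted(items.items()):
        where = it["dir"] + it["file"]
        if (it["dir"].lower(), it["file"].lower()) not in BASELINE:
            findings.append("%s: exclusion not in baseline: %s" % (name, where))
        elif it["dir"] and not it["file"]:
            findings.append("%s: whole directory excluded: %s" % (name, where))
    return findings, items
```

Even the baseline entry for the VirusScan NT directory is reported, since a directory-wide exclusion is the condition the advisory describes; restricting write access to that directory and to the McShield key is the matching control.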