Bypass Record

DLL Side-Loading × McAfee Agent

A publicly-reported instance of DLL Side-Loading bypassing McAfee Agent, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: McAfee Agent
Technique: DLL Side-Loading
MITRE ATT&CK: T1574.002
Confidence: High
Severity: High
Status: poc
Disclosed: 2025-09-20
Config / version noted: Not stated

Provenance

Reported as

unsigned DLL preloading attack enabling loading of malicious libraries (CVE-2021-31840)

Mechanism

CVE-2021-31839: Local authenticated user can edit the agent's event log before it is sent to the ePO server, potentially hiding malicious activity.

CVE-2021-31840: Application loads DLLs without proper validation, allowing a local attacker to place a malicious DLL in a location where it will be loaded by the agent, leading to code execution.

Detection & mitigation

Monitor for unexpected DLL loads by McAfee Agent processes (e.g., Masvc.exe) from non-standard directories, using Sysmon Event ID 7 or EDR telemetry. Enforce code-signing validation, and restrict write permissions on agent installation paths to prevent malicious DLL placement.
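
One way to apply the monitoring rule above to Sysmon Event ID 7 (ImageLoad) records, as an added example that is not part of the cited source or of any vendor tooling. The directory C:\AGENT_INSTALL_DIR is a placeholder for the real agent install path, the trusted-directory list is an assumption, and the sample events and DLL names are constructed.

```python
import ntpath
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
AGENT_PROCESSES = {"masvc.exe"}  # process name as given in the record
# Placeholders (assumptions): replace with the real agent install path.
TRUSTED_DIRS = (r"c:\agent_install_dir", r"c:\windows\system32")

def make_event(image, loaded, signed, status):
    """Build a constructed Sysmon Event ID 7 record with only the fields used here."""
    data = {"Image": image, "ImageLoaded": loaded,
            "Signed": signed, "SignatureStatus": status}
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>7</EventID></System>'
            f"<EventData>{fields}</EventData></Event>")

AGENT = r"C:\AGENT_INSTALL_DIR\Masvc.exe"
SAMPLE_EVENTS = [  # constructed sample data, not real telemetry
    make_event(AGENT, r"C:\AGENT_INSTALL_DIR\sample_a.dll", "true", "Valid"),
    make_event(AGENT, r"C:\Users\Public\sample_b.dll", "false", "Unavailable"),
    make_event(AGENT, r"C:\AGENT_INSTALL_DIR\..\ProgramData\sample_c.dll", "true", "Valid"),
    make_event(AGENT, r"C:\AGENT_INSTALL_DIR\sample_d.dll", "false", "Unavailable"),
    make_event(r"C:\Windows\notepad.exe", r"C:\Users\Public\sample_e.dll", "false", "Unavailable"),
]

def in_trusted_dir(path):
    # normpath collapses "..", so a traversal out of a trusted directory is caught
    norm = ntpath.normpath(path).lower()
    return any(norm.startswith(d + "\\") for d in TRUSTED_DIRS)

def review_image_load(event_xml):
    """Return the reasons to flag one event; an empty list means nothing to flag."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "7":
        return []
    f = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    if ntpath.basename(f.get("Image", "")).lower() not in AGENT_PROCESSES:
        return []
    reasons = []
    if not in_trusted_dir(f.get("ImageLoaded", "")):
        reasons.append("non-standard directory")
    if f.get("Signed", "").lower() != "true" or f.get("SignatureStatus") != "Valid":
        reasons.append("unsigned or invalid signature")
    return reasons

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(review_image_load(ev))
```

The fourth sample shows why the signature check is kept separate from the directory check: an unsigned DLL written into the install path itself passes the path test, which is the case the write-permission restriction is meant to prevent.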

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.