McAfee Stinger

McAfee Stinger is a standalone utility used to detect and remove specific viruses. It is not a substitute for full anti-virus protection, but a specialized tool to assist administrators and users when dealing with an infected system. Stinger utilizes next-generation scan technology, including rootkit scanning, and scan performance optimizations. It detects and removes threats identified under the "Threat List" option under the Advanced menu options in the Stinger application.

McAfee Stinger now detects and removes GameOver Zeus and CryptoLocker.

How do you use Stinger?
  1. Download the latest version of Stinger.
  2. When prompted, choose to save the file to a convenient location on your hard disk, such as your Desktop folder.
  3. When the download is complete, navigate to the folder that contains the downloaded Stinger file, and run it.
  4. The Stinger interface will be displayed.
  5. By default, Stinger scans for rootkits, running processes, loaded modules, registry and directory locations known to be used by malware on a machine to keep scan times minimal. If necessary, click the "Customize my scan" button to add additional drives/directories to scan.
  6. Click the Scan button to begin scanning the specified drives/directories.
  7. By default, Stinger will repair any infected files it finds.
  8. Stinger leverages GTI File Reputation and runs network heuristics at Medium level by default. If you select "High" or "Very High," McAfee Labs recommends that you set the "On threat detection" action to "Report" only for the first scan.

    To learn more about GTI File Reputation, see the following KB articles:

    KB53735 - FAQs for Global Threat Intelligence File Reputation
    KB60224 - How to verify that GTI File Reputation is installed correctly
    KB65525 - Identification of generically detected malware (Global Threat Intelligence detections)

Frequently Asked Questions

Q: I know I have a virus, but Stinger did not detect one. Why is this?
A: Stinger is not a substitute for a full anti-virus scanner. It is only designed to detect and remove specific threats.

Q: Stinger found a virus that it couldn't repair. Why is this?
A: This is most likely due to Windows System Restore functionality having a lock on the infected file. Windows XP/Vista/7 users should disable System Restore prior to scanning.

Q: Where are the scan logs saved and how can I view them?
A: By default the log file is saved in the location from which Stinger.exe is run. Within Stinger, navigate to the Log tab, where the logs are displayed as a list with time stamps. Clicking a log file name opens the file in HTML format.

Q: Where are the Quarantine files stored?
A: The quarantine files are stored under C:\Quarantine\Stinger.

Q: What is the "Threat List" option under Advanced menu used for?
A: The Threat List provides a list of malware that Stinger is configured to detect. This list does not contain the results from running a scan.

Q: Are there any command-line parameters available when running Stinger?
A: Yes, the command-line parameters are displayed by going to the help menu within Stinger.

Q: I ran Stinger and now have a Stinger.opt file, what is that?
A: When Stinger runs it creates the Stinger.opt file that saves the current Stinger configuration. When you run Stinger the next time, your previous configuration is used as long as the Stinger.opt file is in the same directory as Stinger.

Q: Stinger updated components of VirusScan. Is this expected behavior?
A: When the rootkit scanning option is selected within Stinger preferences, VSCore files (mfehidk.sys & mferkdet.sys) on a McAfee endpoint will be updated to 15.x. These files are installed only if newer than what's on the system and are needed to scan for today's generation of newer rootkits. If the rootkit scanning option is disabled within Stinger, the VSCore update will not occur.

Q: Does Stinger perform rootkit scanning when deployed via ePO?
A: We’ve disabled rootkit scanning in the Stinger-ePO package to limit the auto update of VSCore components when an admin deploys Stinger to thousands of machines. To enable rootkit scanning in ePO mode, please use the following parameters while checking in the Stinger package in ePO:

--reportpath=%temp% --rootkit

For detailed instructions, please refer to KB77981

Q: What versions of Windows are supported by Stinger?
A: Windows XP SP2, 2003 SP2, Vista SP1, 2008, 7 and 8. In addition, Stinger requires the machine to have Internet Explorer version 8 or above.

Q: What are the requirements for Stinger to execute in a Win PE environment?
A: While creating a custom Windows PE image, add support for HTML Application components using the instructions provided in this walkthrough.

Q: How can I get support for Stinger?
A: Stinger is not a supported application. McAfee Labs makes no guarantees about this product.

Q: Where can I send feedback regarding Stinger?
A: Provide your feedback on the McAfee Community Forum page.

Q: How can I add custom detections to Stinger?
A: Stinger has an option where a user can input up to 1000 MD5 hashes as a custom blacklist. During a system scan, any files that match the custom blacklisted hashes will be detected and deleted. This feature is provided to help power users who have isolated one or more malware samples for which no detection is available yet in the DAT files or GTI File Reputation. To leverage this feature:

1. From the Stinger interface, go to the Advanced --> Blacklist tab.

2. Input the MD5 hashes to be detected either via the Enter Hash button, or click the Load hash List button to point to a text file containing the MD5 hashes to be included in the scan. SHA-1, SHA-256 and other hash types are unsupported.

3. During a scan, files that match the hash will have a detection name of Stinger!<first 12 characters of the MD5 of the detected file>. Full DAT repair is applied on the detected file.

4. Files that are digitally signed using a valid certificate or those hashes which are already marked as clean in GTI File Reputation will not be detected as part of the custom blacklist. This is a safety feature to prevent users from accidentally deleting files.
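
The following pre-flight check for a hash list is an added example, not McAfee code: it enforces the MD5-only rule and the 1000-hash limit described above before the file is loaded, and derives the detection name to look for in the scan log. It assumes one hash per line and normalises to lower case; the page specifies neither the file layout nor the letter case Stinger uses, and all function names and sample hashes are constructed for illustration.

```python
import hashlib
import re

MAX_HASHES = 1000  # limit stated in the FAQ above
HEX_RE = re.compile(r"[0-9a-fA-F]+")

def build_blacklist(lines, limit=MAX_HASHES):
    """Split raw lines into (accepted MD5s, rejected (line_no, text, reason)).

    Assumption: one hash per line; surrounding whitespace and blank lines ignored.
    """
    accepted, rejected, seen = [], [], set()
    for n, raw in enumerate(lines, 1):
        text = raw.strip()
        if not text:
            continue
        if not HEX_RE.fullmatch(text) or len(text) != 32:
            # 40 and 64 hex characters are the SHA-1 and SHA-256 digest lengths.
            is_sha = bool(HEX_RE.fullmatch(text)) and len(text) in (40, 64)
            reason = "SHA-1/SHA-256 length, unsupported" if is_sha else "not an MD5"
            rejected.append((n, text, reason))
        elif text.lower() in seen:
            rejected.append((n, text, "duplicate"))
        elif len(accepted) >= limit:
            rejected.append((n, text, "over the hash limit"))
        else:
            seen.add(text.lower())
            accepted.append(text.lower())
    return accepted, rejected

def detection_name(md5_hex):
    """Name format from step 3: Stinger!<first 12 characters of the MD5>."""
    return "Stinger!" + md5_hex[:12]

# Constructed sample input: hashes of made-up strings, not real malware.
SAMPLE_A = hashlib.md5(b"constructed sample A").hexdigest()
SAMPLE_B = hashlib.md5(b"constructed sample B").hexdigest()
SAMPLE_LINES = [
    SAMPLE_A,
    SAMPLE_A.upper(),                                      # duplicate, other case
    hashlib.sha1(b"constructed sample A").hexdigest(),     # 40 hex characters
    hashlib.sha256(b"constructed sample A").hexdigest(),   # 64 hex characters
    "not-a-hash",
    "",
    SAMPLE_B + "  ",
]

if __name__ == "__main__":
    ok, bad = build_blacklist(SAMPLE_LINES)
    for h in ok:
        print(h, "->", detection_name(h))
    for n, text, reason in bad:
        print("line %d rejected (%s): %s" % (n, reason, text))
```

Because blacklist matches are deleted, reviewing the rejected lines and the final count before loading the list is cheaper than discovering a malformed entry after the scan.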

Q: How can I run Stinger without the Raptor component getting installed?
A: The Stinger-ePO package does not execute Raptor. In order to run Stinger without Raptor getting installed, execute Stinger.exe --ePO