are you looking to remove one or more occurrences of this threat or are you just curious why there are no ePO events signalling that VirusScan has detected this?
There are a lot of internet resources on describing and removing this threat and I saw that in many occasion a legitimate (looking) program installation stood in the background (like an approval to a search bar installation by the user, etc.) If that is the case VirusScan may not reacted as usual since that has occurred with a user's content I suppose.
There might not even have been any executable file operation during this process.
I wonder how your VSE is configured to prevent such actions as browser modification, etc. Is any of the Access Protection rules in effect? Is the "Prevent McAfee services from being stopped" AP option on clients in effect?
Thanks for replying ! Indeed, i'm looking for a solution to remove one or more occurrences of this threat, passing by VSE if possible (for that solution McAfee must detect it before 😉 ), otherwise I would like to find a solution by script or by the registry to deploy by gpo. I'm not ok to install a program to remove it.
Maybe there was no execution to install yet we prevent our users to do this kind of action.
first off, please start an on demand scan on the affected computers making sure the VirusScan has the latest major and minor version (currently 8.8 and patch), DAT and engine. Please set the scope to memory scanning, registry scanning, Windows system folders (having time "local disks", too) and also check if scanning for unwanted programs are selected (with heuristics enabled, too, and set Heuristic sensitivity to at least medium). I believe this program is considered an unwanted program (PUP). Please check if all PUP categories is selected to scan for (they should), in the ODS task.
I also recommend enabling blocking and reporting the following access protection rules in the policy to prevent similar issues from occurring again:
"Prevent programs registering to autorun"
"Prevent Internet Explorer settings"
"Prevent Internet Explorer and Mozilla files and settings"
"Prevent installation of Browser Helper Objects and Shell Extensions"
"Prevent hooking of McAfee processes"
(+ enable all McAfee related protection rules, too.)
(these are the rules that I think can be enabled without much hassle coming from the user's side)
There is no guarantee that VirusScan detects this as even a PUP, but it might. Several description of this program mentioned a running process (which perhaps was legitimately running but by all means monitoring its reg keys and files), hence my request to scan the memory.
Almost all description to remove this manually has mentioned to set the browser start page to "a blank page". Maybe you can achieve this by setting through GPO. Also, this program might overwrite the browser's search and other default pages, which can be a nuissance to restore. If this browserbar is a browser plugin then it can be also removed centrally I think by running the removal instruction referenced in the respective registry key.
According to this: http://www.mybrowserbar.com/privacy.html you can easily uninstall the toolbar in the traditional Add/Remove programs section in Windows, or from the toolbar by selecting Options > Help > Uninstall. Yahoo will remain the default search provider if selected during install. You can manually change your search provider at any time.
Hope this helps.