The difference here is due to registry scanning within the on demand scan. Was anything else other than the registry key detected during the ODS that you ran?
Some admins also choose to configure their ODS to be more aggressive than the OAS (no exclusions, scanning all files, etc.), so with regard to how the machine got infected in the first place it's also worth considering how you have VSE configured. Support can provide you with best practice documentation for VSE.
I created a document with some information that could help with general answers to some of your questions.
If you really had a variant of Cutwail, chances are an active McAfee VirusScan installation will at least catch the common rootkit and virus components. However, the "dropper" that first gets onto the system may have been missed because it's a new variant.
Access Protection could also have protected against this virus IF they are configured correctly. Out of the box, most of the policies do not block some actions as they would also stop legitimate software.
On Access scanning might fail if the infection was done entirely in memory or in an area that was not being scanned by policy.
Secured2k, thank you for your answer. Let me say that I'm using your bootable CD for business and private purposes and it's a great tool if you have problems with viruses.
I would still have 1 more "newbie" question.
What is the difference between Access Protection Policies and On-Access General Policies? Why are these two things separated? Why do we even need to turn on Access Protection?
Access Protection and OA Scan are completely different from each other; that is why they have to be separated.
Access Protection is like the built-in firewall from McAfee and you set policies to block ports, directories, or files. You could also prevent stopping of McAfee services (as some viruses try to shut off installed AVs) and even prevent system modifications, etc.
In other words, it's a very powerful feature and should be maximized for optimum protection. While OA scan is the "real-time" scanner and is like the "enforcer" of those policies that you set. If you disable OA scan then Access protection is useless.
On Access Protection is based off known detections on files and objects.
Access Protection is based on reporting or blocking program behaviors. It is for stopping bad program/malware behavior without having any signatures and stopping or mitigating an outbreak.
Access Protection is good if set up properly to block common malware activity. For example, it can be set to prevent anything else from touching McAfee files or registry settings or prevent any program from changing a registry setting that could block access to the task manager and registry editor. It also includes some very basic firewall abilities with basic port blocking. File rules for blocking network shares or blocking file names or writing to the Windows folder are all possibilities.
Marking as 'assumed answered' due to age of thread. If you need any further assistance please don't hesitate to let us know.
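Added example, not from any poster in this thread and not McAfee code: a PowerShell check for the registry change mentioned above, the policy values that block access to Task Manager and Registry Editor. It assumes the standard Windows value names `DisableTaskMgr` and `DisableRegistryTools` under `Policies\System`; the function name `Get-ToolLockoutFinding` is hypothetical.

```powershell
# Added example (not from the thread): report registry policy values that
# disable Task Manager or Registry Editor, in HKLM and every loaded user hive.
# Assumption: standard Windows value names under Policies\System.
$subKey     = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
$valueNames = 'DisableTaskMgr', 'DisableRegistryTools'

function Get-ToolLockoutFinding {   # hypothetical helper name
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        $path = "Registry::$root\$subKey"
        # Key is often absent on clean machines; unreadable hives are skipped.
        if (-not (Test-Path -LiteralPath $path -ErrorAction SilentlyContinue)) { continue }
        $props = Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue
        foreach ($name in $valueNames) {
            $data = $props.$name
            # Any non-zero data means the tool is locked out for that hive.
            if ($null -ne $data -and $data -ne 0) {
                [pscustomobject]@{ Hive = $root; Value = $name; Data = $data }
            }
        }
    }
}

# HKLM plus each loaded user hive (the *_Classes hives hold no policy keys).
$roots = @('HKEY_LOCAL_MACHINE')
$roots += Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { "HKEY_USERS\$($_.PSChildName)" }

$findings = @(Get-ToolLockoutFinding -Roots $roots)
if ($findings.Count -eq 0) {
    'No Task Manager / Registry Editor lockout values are set.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated prompt so other users' loaded hives are readable; hives of users who are not logged on are not loaded and are not covered.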