How Real Protect scanning monitors activity

The Real Protect scanner inspects suspicious files and activities on client systems to detect malicious patterns using machine-learning techniques. The scanner uses this information to detect zero-day malware.

The Real Protect technology is not supported on some Windows operating systems. See KB82761 for information.

The Real Protect scanner provides two options for performing automated analysis:

  • On the client system
  • In the cloud
Tip: Best practice: Enable both client and cloud Real Protect options unless Technical Support advises you otherwise.

No personally identifiable information (PII) is sent to the cloud.

Client-based scanning

Client-based Real Protect uses machine learning on the client system to determine whether the file matches known malware. If the client system is connected to the Internet, Real Protect sends telemetry information to the cloud, but doesn't use the cloud for analysis.

The client-based scanning sensitivity levels, which are based on mathematical formulas, assign "tolerance" to suspicious activity to assess whether the file matches known malware. The higher the sensitivity level, the more malware matches. But, allowing more detections might result in more false positives.

Sensitivity level Recommended use
Low Systems, such as servers, that rarely connect to the Internet or only to trusted websites (lower risk of infection), and the impact of false positives is high.
Medium Systems that don't meet the other criteria. (Default)
High Systems with multiple users and unfiltered network access (higher risk of infection), and the impact of false positives is low.

Client-based scanning requires McAfee GTI or TIE server connectivity unless offline scanning is enabled.

Tip: Best practice: Because offline scanning might result in increased false positives, enable this option only for systems without connectivity to McAfee GTI or the TIE server.

Cloud-based scanning

Cloud-based Real Protect collects and sends file attributes and behavioral information to the machine-learning system in the cloud for malware analysis.

Cloud-based scanning requires connectivity to realprotect1.mcafee.com. See KB79640.

Tip: Best practice: Disable cloud-based Real Protect on systems that aren't connected to the Internet.