McAfee complains right after update to Roon 1.8 (Build 806) stable (64 bit) [Answered]

Roon Core Machine

Microsoft Surface Studio 2
Windows Version 10.0.19042 Build 19042
Intel(R) Core™ i7-7820HQ CPU @ 2.90GHz, 2904 Mhz, 4 Core(s), 8 Logical Processor(s)
McAfee Endpoint Security Analyzer
McAfee Endpoint Security Product

Networking Gear & Setup Details


Connected Audio Devices


Library Size


Description of Issue

Every time I run Roon 1.8 (Build 806) stable (64 bit) on my Windows 10 PC, my McAfee complains about Roon.exe trying to access C:\Users\DADIDADA\AppData\Roaming\Microsoft\Crypto\RSA\S-DADIDDADA which, in their words, violates the rule ‘Malware Behavior: Windows EFS abuse’.
This started right after I updated Roon, yesterday, July 7.
Besides the fact that this is ONLY SINCE the LAST ROON update and I do have a very expensive, highly up to date McAfee Endpoint Security system that is remotely monitored by security professionals, please abstain from the obvious replies. Y’all know what I mean… :slight_smile: :laughing:
Please advise…

Suspicious if other security suites start to pick it up as EFS abuse. Wonder what Roon is trying to access :thinking:

Hi @ronaldwanders

I’m sorry for the delayed response on this. We wanted to make sure we got the engineering team’s feedback on this before we gave an answer so that we could ensure everything is factually correct.

Ultimately, this is a false-positive from McAfee, but we know what change likely triggered it. With this update we added HTTPS support for the webserver that runs on the Core — basically the function of the Core that communicates with Roon API or remotes on the network (i.e. communications between the Core and other devices on the network). This change is triggering this and, while there is no actual malware behavior or anything, we are looking into tweaks we can make to avoid triggering any reports like this.

I hope this helps clear things up!

It sure does, Dylan, thank you. I forwarded your message to my McAfee rep here.
