I recently picked up a new laptop with Windows 8.1 - my first time using this version of Windows for a laptop. I was dismayed to find McAffee pre-installed, as I knew it meant having to waste time getting rid of it.
I will say this for them - they have gotten better since the last time I went through this many years ago. Better, as in uninstalling using the utility provided by McAfee did not break vital parts of the Windows operating system. Great would be if the uninstaller actually removed all of McAffee's software from the computer. Good would be if the software that was left didn't connect to the internet.
Specifically, what gets left behind is the McAfee Update Manager; a utility designed to download applications from the McAfee corporate servers and install those applications on your computer with minimal human intervention.
|Registry key & path of the remaining McAfee executables|
Notice the registry keys that are created:
[AddRegEntry] HKLM,Software\McAfee\UPDMGR\InstallSettings,"Install Dir",,"%45001%" HKLM,Software\McAfee\UPDMGR\InstallSettings,"Install Dir",0x00001000,"%45001%" HKLM,Software\McAfee\UPDMGR\InstallSettings,"Version",,"220.127.116.11" HKLM,Software\McAfee\UPDMGR\InstallSettings,"Version",0x00001000,"18.104.22.168" [ObfuscatedRegEntry] HKLM,Software\McAfee\UPDMGR,"DownloadDomain",,"download.mcafee.com" HKLM,Software\McAfee\UPDMGR,"DownloadDomain",0x00001000,"download.mcafee.com",0x00001000 HKLM,Software\McAfee\UPDMGR,"InitialPingUrl",,"https://consumerapps.mcafee.com/mantle/22.214.171.124/" HKLM,Software\McAfee\UPDMGR,"InitialPingUrl",0x00001000,"https://consumerapps.mcafee.com/mantle/126.96.36.199/",I haven't had time to look into how the application is obfuscating its registry entries, but they are in fact obfuscated:
|Note the gobble-dee-gook|
I decompiled a few of the DLLs in the directory; nothing stood out. Unfortunately, the EXEs crashed the one 64 bit decompiler I currently have for Intel instructionsets (C4Decompiler). As a result I cannot guarantee exactly what these programs are up to. That said, given what we have seen, there is a fairly strong case that this set of programs can do the following to sum up our findings:
- Download other applications from remote servers hosting download.mcafee.com and consumerapps.mcafee.com
- It is likely these applications can install software it downloads without user approval, at least in some circumstances
- The Update Manager leaves a substantial amount of registry entries behind following a complete uninstallation and reboot of everything McAfee related.
- Fortunately, following uninstallation there do not appear to be any services left behind.
The bottom line is that at this point in the game ditching the factory-installed Operating System is a requirement for those who want to actually know what is on their computer. This can be cost-prohibitive with some Windows licensing arrangements or those not as familiar with how to install an OS, especially since most manufacturers no longer include driver disks with their computers. Stop loading up computers with spy & adware OEMs!