Skip to main content

McAfee Security Center Won't Stay the **** Out of My Computer

McAfee's suite of antivirus services have come pre-installed on Windows computers for a long time. I don't use the product, but I frequently have to use computers that have had Windows installed with McAffee pre-bundled somehow. I've often struggled to completely remove all of the components of their software packages.

I recently picked up a new laptop with Windows 8.1 - my first time using this version of Windows for a laptop. I was dismayed to find McAffee preinstalled.

I will say this for them - they have gotten better since the last time I went through this many years ago. Better, as in uninstalling using the utility provided by McAfee did not break Windows. The uninstaller still left bits of McAffee's software behind, though.

Specifically, what gets left behind is the McAfee Update Manager; a utility designed to download applications from the McAfee corporate servers and install those applications on your computer with minimal human intervention.

McAfee Security Center, Josh Wieder, registry editor, key
Registry key & path of the remaining McAfee executables

Notice the registry keys that are created:


HKLM,Software\McAfee\UPDMGR\InstallSettings,"Install Dir",,"%45001%"
HKLM,Software\McAfee\UPDMGR\InstallSettings,"Install Dir",0x00001000,"%45001%"



The registry entries are in fact obfuscated:

McAfee Security Center, Josh Wieder, PingUrl, Registry, Encrypted Binary Value
Note the gobble-dee-gook appears to provide a RESTful interface for application requests.

I decompiled a few of the DLLs in the directory; nothing stood out. Unfortunately, the EXEs crashed the one 64 bit decompiler I currently have for Intel instructionsets (C4Decompiler). Still, the program can do the following:

    - Download other applications from remote servers hosting and
    - It is likely these applications can install software it downloads without user approval, at least in some circumstances
    - The Update Manager leaves a substantial amount of registry entries behind following a complete uninstallation and reboot of everything McAfee related.
    - No services are left behind after uninstall

Software packages pre-bundled with Windows are not removed by their accompanying uninstallers, and in this case intentionally obfuscate their presence in the Windows registry.

It has been many years since I could buy a retail PC that did not have some sort of adware prebundled with Windows. The obvious consequence of this is security-related, ironically given the focus on AV software. Small business owners provisioning PCs purchased from retail environments end up without an accurate accounting of the software running on their network. How do you successfully audit the network connections from a PC, if half the network connections being made are from functionality that is, let's say "adware adjacent", and filtering those connections might interfere with legitimate functions (like printing).

I'm old enough to remember a time when the assumption was the user would be aware of all of the software running on her system at the same time. As modern computing becomes more complex, perhaps this is too much to ask of the average user, but it should still be possible or at least a goal that isn't actively sabotages by Windows.