McAfee Security Center Won't Stay the **** Out of My Computer

McAfee's suite of antivirus services has come pre-installed on Windows computers for a long time. I don't use the product, but I frequently have to use computers that have had Windows installed with McAfee pre-bundled somehow. I've often struggled to completely remove all of the components of their software packages.

I recently picked up a new laptop with Windows 8.1 - my first time using this version of Windows for a laptop. I was dismayed to find McAfee preinstalled.

I will say this for them - they have gotten better since the last time I went through this many years ago. Better, as in uninstalling using the utility provided by McAfee did not break Windows. The uninstaller still left bits of McAfee's software behind, though.

Specifically, what gets left behind is the McAfee Update Manager, a utility designed to download applications from the McAfee corporate servers and install those applications on your computer with minimal human intervention.

[Image: Registry key & path of the remaining McAfee executables]

Notice the registry keys that are created:

[AddRegEntry]

HKLM,Software\McAfee\UPDMGR\InstallSettings,"Install Dir",,"%45001%"
HKLM,Software\McAfee\UPDMGR\InstallSettings,"Install Dir",0x00001000,"%45001%"
HKLM,Software\McAfee\UPDMGR\InstallSettings,"Version",,"3.0.225.1"
HKLM,Software\McAfee\UPDMGR\InstallSettings,"Version",0x00001000,"3.0.225.1"

[ObfuscatedRegEntry]

HKLM,Software\McAfee\UPDMGR,"DownloadDomain",,"download.mcafee.com"
HKLM,Software\McAfee\UPDMGR,"DownloadDomain",0x00001000,"download.mcafee.com",0x00001000
HKLM,Software\McAfee\UPDMGR,"InitialPingUrl",,"https://consumerapps.mcafee.com/mantle/1.0.0.0/"
HKLM,Software\McAfee\UPDMGR,"InitialPingUrl",0x00001000,"https://consumerapps.mcafee.com/mantle/1.0.0.0/",

The registry entries are in fact obfuscated:

[Image: the PingUrl registry value stored as an encrypted binary value - note the gobbledygook]

https://consumerapps.mcafee.com/mantle/1.0.0.0/ appears to provide a RESTful interface for application requests.

I decompiled a few of the DLLs in the directory; nothing stood out. Unfortunately, the EXEs crashed the one 64-bit decompiler I currently have for Intel instruction sets (C4Decompiler). Still, the program can do the following:

    - Download other applications from remote servers hosting download.mcafee.com and consumerapps.mcafee.com
    - These applications can likely install the software they download without user approval, at least in some circumstances
    - The Update Manager leaves a substantial number of registry entries behind following a complete uninstallation and reboot of everything McAfee related
    - No services are left behind after uninstall

Software packages pre-bundled with Windows are not removed by their accompanying uninstallers, and in this case intentionally obfuscate their presence in the Windows registry.

It has been many years since I could buy a retail PC that did not have some sort of adware prebundled with Windows. The obvious consequence of this is security-related, ironically given the focus on AV software. Small business owners provisioning PCs purchased from retail environments end up without an accurate accounting of the software running on their network. How do you successfully audit the network connections from a PC, if half the network connections being made are from functionality that is, let's say, "adware adjacent", and filtering those connections might interfere with legitimate functions (like printing)?
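The accounting problem described above is something an administrator can at least measure. The script below is an added example, not code from the original post or from McAfee: it enumerates what the Update Manager leaves behind (the UPDMGR registry keys quoted earlier, any services, Run-key or scheduled-task autostarts) and maps live TCP connections back to executables under the recorded "Install Dir", so that traffic from leftover components can be told apart from legitimate connections before anyone decides what to filter. It assumes PowerShell 5.1 or later on 64-bit Windows run from an elevated prompt; the key paths come from the post, the report layout is constructed here. The 0x00001000 flag on the INF entries is FLG_ADDREG_64BITKEY, which is why the script also checks the WOW6432Node view in case a 32-bit writer put copies there.

```powershell
# Added audit script (not from the original post or from McAfee).
# Assumes: PowerShell 5.1+, 64-bit Windows, elevated prompt.
# Registry paths are those quoted in the post; everything else is constructed.

$updMgrKeys = @(
    'HKLM:\SOFTWARE\McAfee\UPDMGR',
    'HKLM:\SOFTWARE\McAfee\UPDMGR\InstallSettings',
    # 32-bit registry view, for entries written without FLG_ADDREG_64BITKEY (0x00001000).
    'HKLM:\SOFTWARE\WOW6432Node\McAfee\UPDMGR'
)

function Get-LeftoverRegistryValues {
    foreach ($key in $updMgrKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $kind = $item.GetValueKind($name)
            $raw  = $item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            # The "encrypted binary" values come back as REG_BINARY; report them as hex
            # rather than pretending to decode them.
            $shown = if ($kind -eq 'Binary') {
                ($raw | ForEach-Object { $_.ToString('x2') }) -join ''
            } else { [string]$raw }
            [pscustomobject]@{ Key = $key; Name = $name; Kind = $kind; Value = $shown }
        }
    }
}

function Get-McAfeeInstallDir {
    $settings = 'HKLM:\SOFTWARE\McAfee\UPDMGR\InstallSettings'
    if (Test-Path $settings) {
        (Get-ItemProperty $settings -ErrorAction SilentlyContinue).'Install Dir'
    }
}

function Get-LeftoverServices {
    # The post found none after uninstall; verify rather than assume.
    Get-CimInstance Win32_Service |
        Where-Object { $_.Name -like '*mcafee*' -or $_.PathName -like '*McAfee*' } |
        Select-Object Name, State, StartMode, PathName
}

function Get-LeftoverAutostarts {
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($rk in $runKeys) {
        if (-not (Test-Path $rk)) { continue }
        foreach ($p in (Get-ItemProperty $rk).PSObject.Properties) {
            if ($p.Value -like '*McAfee*') {
                [pscustomobject]@{ Source = $rk; Name = $p.Name; Command = $p.Value }
            }
        }
    }
    Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object {
        $_.TaskName -like '*McAfee*' -or ($_.Actions.Execute -like '*McAfee*')
    } | Select-Object TaskName, TaskPath, State
}

function Get-UpdateManagerConnections {
    $dir = Get-McAfeeInstallDir
    if (-not $dir) { return }
    # Map each established TCP connection to the image path of its owning process,
    # then keep only those running from the recorded install directory.
    $images = @{}
    Get-Process | ForEach-Object { $images[$_.Id] = $_.Path }
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $images[[int]$_.OwningProcess] -like "$dir*" } |
        Select-Object OwningProcess, LocalPort, RemoteAddress, RemotePort,
                      @{ n = 'Image'; e = { $images[[int]$_.OwningProcess] } }
}

Write-Host '== Registry values left under McAfee\UPDMGR =='
Get-LeftoverRegistryValues | Format-Table -AutoSize
Write-Host '== Services referencing McAfee =='
Get-LeftoverServices | Format-Table -AutoSize
Write-Host '== Run keys and scheduled tasks referencing McAfee =='
Get-LeftoverAutostarts | Format-Table -AutoSize
Write-Host '== Established connections from the Update Manager install dir =='
Get-UpdateManagerConnections | Format-Table -AutoSize
```

Run it once before and once after the vendor uninstaller to get a diff of what actually survived; the connection report is the part that answers the auditing question, since it ties each remote address to a specific leftover executable instead of a bare port number.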

I'm old enough to remember a time when the assumption was the user would be aware of all of the software running on her system at the same time. As modern computing becomes more complex, perhaps this is too much to ask of the average user, but it should still be possible, or at least a goal that isn't actively sabotaged by Windows.