McAfee Security Center Won't Stay the **** Out of My Computer

McAfee's suite of antivirus services have come pre-installed on Windows computers for a long time. I can't speak to how efficient or not efficient their antivirus is, because I have not used it in any real capacity for any length of time. What I have done is struggle to completely remove all of the components of their software package when I want to keep the version of Windows that came with the computers I purchased.

I recently picked up a new laptop with Windows 8.1 - my first time using this version of Windows for a laptop. I was dismayed to find McAffee pre-installed, as I knew it meant having to waste time getting rid of it.

I will say this for them - they have gotten better since the last time I went through this many years ago. Better, as in uninstalling using the utility provided by McAfee did not break vital parts of the Windows operating system. Great would be if the uninstaller actually removed all of McAffee's software from the computer. Good would be if the software that was left didn't connect to the internet.

Specifically, what gets left behind is the McAfee Update Manager; a utility designed to download applications from the McAfee corporate servers and install those applications on your computer with minimal human intervention.

Registry key & path of the remaining McAfee executables

Notice the registry keys that are created:

[AddRegEntry]

HKLM,Software\McAfee\UPDMGR\InstallSettings,"Install Dir",,"%45001%"
HKLM,Software\McAfee\UPDMGR\InstallSettings,"Install Dir",0x00001000,"%45001%"
HKLM,Software\McAfee\UPDMGR\InstallSettings,"Version",,"3.0.225.1"
HKLM,Software\McAfee\UPDMGR\InstallSettings,"Version",0x00001000,"3.0.225.1"

[ObfuscatedRegEntry]

HKLM,Software\McAfee\UPDMGR,"DownloadDomain",,"download.mcafee.com"
HKLM,Software\McAfee\UPDMGR,"DownloadDomain",0x00001000,"download.mcafee.com",0x00001000
HKLM,Software\McAfee\UPDMGR,"InitialPingUrl",,"https://consumerapps.mcafee.com/mantle/1.0.0.0/"
HKLM,Software\McAfee\UPDMGR,"InitialPingUrl",0x00001000,"https://consumerapps.mcafee.com/mantle/1.0.0.0/",

I haven't had time to look into how the application is obfuscating its registry entries, but they are in fact obfuscated:

Note the gobble-dee-gook

https://consumerapps.mcafee.com/mantle/1.0.0.0/ appears to provide a RESTful interface for application requests.

I decompiled a few of the DLLs in the directory; nothing stood out. Unfortunately, the EXEs crashed the one 64 bit decompiler I currently have for Intel instructionsets (C4Decompiler). As a result I cannot guarantee exactly what these programs are up to. That said, given what we have seen, there is a fairly strong case that this set of programs can do the following to sum up our findings:

    - Download other applications from remote servers hosting download.mcafee.com and consumerapps.mcafee.com
    - It is likely these applications can install software it downloads without user approval, at least in some circumstances
    - The Update Manager leaves a substantial amount of registry entries behind following a complete uninstallation and reboot of everything McAfee related.
    - Fortunately, following uninstallation there do not appear to be any services left behind.

The bottom line is that at this point in the game ditching the factory-installed Operating System is a requirement for those who want to actually know what is on their computer. This can be cost-prohibitive with some Windows licensing arrangements or those not as familiar with how to install an OS, especially since most manufacturers no longer include driver disks with their computers. Stop loading up computers with spy & adware OEMs!