You are here

McAfee Stinger leaving mfevtps.exe behind

14 posts / 0 new
Last post
Wm ...
Offline
Last seen: 6 years 11 months ago
Joined: 2010-07-17 12:37
McAfee Stinger leaving mfevtps.exe behind

mfevtps.exe and mfevtps.exe.50d0.deleteme are in C:\WINDOWS\system32\
mfevtps.exe is running as an auto start service
mfevtp, McAfee Validation Trust Protection Service, Own Process, Running, Auto Start, 1832

mfehidk, McAfee Inc. mfehidk, Driver, Running, Boot Start,
and
mferkdet, McAfee Inc. mferkdet, Driver, Stopped, Demand Start,
are in services too

John T. Haller
John T. Haller's picture
Online
Last seen: 24 min 47 sec ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
Can't Reproduce

I can't reproduce this with the current build (installing today will download a new version). I installed it on Windows 7, ran a scan, then started it again and exited without running it (as instructed in the Warning message), and no services were left behind.

Could you try it with today's version and, if it happens again, lay out the exact steps you did (OS, install path, version reported in the app's Help About window, whether it found anything, etc).

Sometimes, the impossible can become possible, if you're awesome!

Wm ...
Offline
Last seen: 6 years 11 months ago
Joined: 2010-07-17 12:37
It's back

I had cleaned it up by hand but it is back again. After I'd cleaned it up it didn't reappear until today's new version. This also didn't happen with the version before last.

WinXPSP3
C:\E\PortableApps (all PA stuff lives there)
There isn't a Help About but the Version is 12.1.0.1432
Stinger has never found anything that I recall and I run it at least weekly as part of my system hygiene routine.

mfehidk, McAfee Inc. mfehidk, Driver, Running, Boot Start, ,\SystemRoot\system32\drivers\mfehidk.sys
mferkdet, McAfee Inc. mferkdet, Driver, Stopped, Demand Start, ,system32\drivers\mferkdet.sys
mfevtp, McAfee Validation Trust Protection Service, Own Process, Running, Auto Start, 1844,C:\WINDOWS\system32\mfevtps.exe

Any other thoughts? It isn't causing any problems apart from not being very PA and it is easy enough to clean up

Wm

John T. Haller
John T. Haller's picture
Online
Last seen: 24 min 47 sec ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
Possibly XP Only

It could be an XP only issue, in which case I'll just update the app to be Vista and up. It definitely doesn't occur on a clean Windows 7 install. DId you change any options?

Sometimes, the impossible can become possible, if you're awesome!

Wm ...
Offline
Last seen: 6 years 11 months ago
Joined: 2010-07-17 12:37
Tidying up

As of today XP won't be my main system but I don't think it was that. I tried changing the Stinger options once many months ago and decided to go with the default settings as per PA. My guess is that if I fix it by hand on the XP system (untick in autoruns, mainly) it won't happen gain until the next version change. I think marking the App as Vista and up would be inappropriate as the App itself isn't behaving badly, just not doing what PA expects. i.e. if there is a problem it is PA specific rather than Stinger specific.

If there is only me and a girl in Kansas using both let it go naturally rather than marking it when it is doing its job perfectly well but happens to break the PA rules ... that is the only reason i mentioned it.

Wm

blackx
Offline
Last seen: 5 years 5 months ago
Joined: 2015-05-04 06:57
Good morning,

Good morning,

I confirm what Wm ... posted, using Windows 7 Ultimate.

But I'm pretty sure that it didn't happen in the past. Perhaps it happens after some of the last updates?

Wm ...
Offline
Last seen: 6 years 11 months ago
Joined: 2010-07-17 12:37
Strange, I thought it was XP specific.

Strange, I thought it was XP specific. Are you not perhaps confusing this with https://portableapps.com/node/44601 which is a more recent Stinger drop off ?

Wm

blackx
Offline
Last seen: 5 years 5 months ago
Joined: 2015-05-04 06:57
There's Raptor, too!

There's Raptor, too!
In summary, that's what I can notice in my Windows 7 installation:

- C:\WINDOWS\system32\mfevtps.exe
- C:\WINDOWS\system32\mfevtps.exe.1a83.deleteme
- Service mfevtp running
- Process mfevtps.exe running
- Process Raptor.exe running

Wm ...
Offline
Last seen: 6 years 11 months ago
Joined: 2010-07-17 12:37
Being taken care of, PA is good like that

see https://portableapps.com/development/outdated where my recent Q has been answered by the line

McAfee Stinger 12.1.0.1503 [fix for new leave-behinds]

our bit will be to test as and when

Wm

blackx
Offline
Last seen: 5 years 5 months ago
Joined: 2015-05-04 06:57
Unable to uninstall

PortableAppsPlatform wasn't able to uninstall it, it just removed the entry in it's menu after an error message.
I had to start Windows in safe mode and manually remove the files from my system.

John T. Haller
John T. Haller's picture
Online
Last seen: 24 min 47 sec ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
Basically Malware

I've been investigating this and the current release of McAfee Stinger installs something that seems very similar to malware. It's installed without giving good notice to the user (buried in the EULA). The 'McAfee Validation Trust Protection Service' (mfevtps.exe) is installed on every machine you run a McAfee Stinger scan on. It has no entry in Add/Remove programs. It remains on the PC after a restart. It automatically runs every time you start the PC. It runs as a service but can not be stopped within the Services utility in Windows. It can only be removed by starting in safe mode and manually removing it or using the MCPR cleanup tool which uninstalls McAfee products that fail to uninstall properly.

Due to the above malware-like behavior, McAfee Stinger has been pulled from the Portable App Directory and platform App Store.

Sometimes, the impossible can become possible, if you're awesome!

Wm ...
Offline
Last seen: 6 years 11 months ago
Joined: 2010-07-17 12:37
poss better link

poss better link as the user is not invited to d/l an exe directly

https://service.mcafee.com/FAQDocument.aspx?id=TS101331

Wm

John T. Haller
John T. Haller's picture
Online
Last seen: 24 min 47 sec ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
Good Call

Good call, swapped the link in on the page.

Sometimes, the impossible can become possible, if you're awesome!

Wm ...
Offline
Last seen: 6 years 11 months ago
Joined: 2010-07-17 12:37
looking at autoruns before

looking at autoruns before and after there is at least
cfwids McAfee Personal Firewall IDS Plugin McAfee, Inc. c:\windows\system32\drivers\cfwids.sys 24/09/2014 23:29
that I didn't get by hand so the tool is probably best for most

edit: though I'm not sure what happens if the host system isn't yours and has licensed McAfee prods on it

Wm

Log in or register to post comments