McAfee Stinger Removed From App Directory Due to Malware-Like Behavior

Submitted by John T. Haller on May 8, 2015 - 4:51pm

McAfee Stinger has been removed from the Portable App Directory due to malware-like behavior. Running the current releases of McAfee Stinger on any Windows PC will automatically install the 'McAfee Validation Trust Protection Service' (mfevtps.exe) to the local machine without a prominent notice to the user. The only reference to it is buried in the EULA. Once installed, these files are exceedingly difficult to remove: no entry is made in Add/Remove Programs or Uninstall a Program, a service is installed and set to start automatically with Windows, and the service cannot be stopped by the end user. This behavior is unacceptable from any application, portable or not. It should be noted that the service left behind does not appear to do anything nefarious to the local machine. It could simply be an error by the publisher, but it has not been addressed since it began occurring a couple weeks ago.

While you can start the machine in safe mode and manually remove the files, the best way to ensure that all files are fully removed is to use the McAfee MCPR cleanup tool. Note that this tool is designed to fully remove all McAfee products from a Windows machine after their uninstallers have failed to properly remove them, so it should be used with care.
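To check whether a machine is affected, the following PowerShell audit looks for the three symptoms described above: the service itself, its automatic start mode, and the missing uninstall entry. It is an added example, not code from PortableApps.com or McAfee. It matches only on the display name and file name given in this post; the registry paths are the standard Windows uninstall locations, and the `*McAfee*` filter is an assumption about how an entry would be labelled.

```powershell
# Added example: read-only audit for the leftover service described in the post.
# Identifiers taken from the post: the display name and mfevtps.exe.
$displayName = 'McAfee Validation Trust Protection Service'
$binaryName  = 'mfevtps.exe'

# 1. Services whose display name or image path matches.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.DisplayName -eq $displayName -or $_.PathName -like "*$binaryName*" }

# 2. Uninstall entries (what Add/Remove Programs lists), 64-bit and 32-bit views.
#    The '*McAfee*' filter is an assumption about the entry's label.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$uninstallEntries = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*McAfee*' })

if (-not $services) {
    Write-Output "No service matching '$displayName' or $binaryName was found."
}
else {
    foreach ($svc in $services) {
        # PathName may be quoted and may carry arguments; keep only the executable path.
        $exe = if ($svc.PathName -match '^\s*"?(.+?\.exe)') { $Matches[1] } else { $null }
        $onDisk = [bool]($exe -and (Test-Path -LiteralPath $exe))
        $sig = if ($onDisk) { Get-AuthenticodeSignature -FilePath $exe } else { $null }

        [pscustomobject]@{
            Name              = $svc.Name
            DisplayName       = $svc.DisplayName
            State             = $svc.State       # Running or Stopped
            StartMode         = $svc.StartMode   # Auto means it starts with Windows
            ImagePath         = $exe
            BinaryOnDisk      = $onDisk
            SignatureStatus   = if ($sig) { $sig.Status } else { 'n/a' }
            Signer            = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
            HasUninstallEntry = ($uninstallEntries.Count -gt 0)
        }
    }
}
```

A result with `StartMode` of `Auto` and `HasUninstallEntry` of `False` on a machine with no McAfee product installed matches the leftover state described in this post.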

We apologize for any inconvenience the above issue may cause users and the loss of the app. This sudden change in app behavior due to the publisher's changes was as much a surprise to us as to you. Any support issues should be directed to the publisher.

Comments

Maybe it might be good / nice to elaborate a little more on the subject.
I think many would like to know:
- till which version McAfee Stinger is safe to be used
- why not leave that "last" safe version in the App Directory (without applying further updates)

John T. Haller's picture

McAfee does not permit Stinger to be distributed or repackaged. It uses a live installer. Plus, it's regularly updated with new antivirus definitions which are embedded in the app. It does not download or update definitions separately. As such, keeping an old version, if you could, would be less and less effective each week anyway.

Sometimes, the impossible can become possible, if you're awesome!

John T. Haller's picture

I don't recommend using this portably as it'll install difficult-to-remove files on every PC that can only be removed using the procedure outlined above and on the app homepage, including a service that will run forever.

If you installed it in the last couple weeks, your PC would be affected. Before that, it wouldn't be.

Sometimes, the impossible can become possible, if you're awesome!

John - thanks for reporting this issue.

The McAfee Validation Trust Protection Service is needed for Stinger to perform rootkit scanning of a system. This service is temporarily installed during a Stinger scan and is removed once the rootkit scanning portion is completed.

In a recent update to the Stinger's rootkit scanning engine, an issue was found where it wasn't getting uninstalled in certain conditions. We've fixed that in last week's release. The latest Stinger available for download should not leave behind any components post a scan.

Please let me know if you require any other clarification.

Best,
Vinoo Thomas
Product Manager, McAfee Labs

Used the actual Stinger-Tool once some days before, checked today running services. And the McAfee Validation Trust Protection Service is still active and it restarts via Autostart... Nice one...

John T. Haller's picture

I checked the current release of McAfee Stinger Portable 12.1.0.2684 and no files or services were left behind on the local machine after running and scanning. I did this check on a clean Windows 7 x86 virtual machine. It's also clean on Windows 10 x64.

Sometimes, the impossible can become possible, if you're awesome!