sign in sign up
<<
Home , Malware, Software license, Spyware

POLICY McAfee Potentially Unwanted Programs (PUP) Policy March, 2018

McAfee recognizes that legitimate technologies such as commercial, , , or products may provide a value or benefit to a . However, if these technologies also pose a risk to the user or their system, then users should to the behaviors exhibited by the , understand the risks, and have adequate control over the technology. McAfee refers to technologies with these characteristics as “potentially unwanted program(s),” or “PUP(s).”

The McAfee® PUP detection policy is based on the includes assessing the risks to , security, premise that users should understand what is being performance, and stability associated with the following: installed on their systems and be notified when a ■■ Distribution: how users obtain the software including technology poses a risk to their system or privacy. advertisements, interstitials, landing-, linking, PUP detection and removal is intended to provide and bundling notification to our users when a software program or technology lacks sufficient notification or control over ■■ Installation: whether the user can make an informed the software or fails to adequately gain user consent to decision about the software installation or add- the risks posed by the technology. McAfee Labs is the ons and can adequately back out of any undesired McAfee team responsible for researching and analyzing installations technologies for PUP characteristics. ■■ Run-Time Behaviors: the behaviors exhibited by the technology including advertisements, deception, and McAfee Labs evaluates technologies to assess any impacts to privacy and security risks exhibited by the technology against the degree of user notification and control over the technology. This ■■ Uninstall: whether the user can easily remove all functional components of an install Connect With Us

1 McAfee Potentially Unwanted Programs (PUP) Policy POLICY

These areas are then evaluated against the following: ■■ Software must not be distributed or installed by or by otherwise malicious (for example, drive- ■■ Notification: the extent to which the user is notified by) installations. of the software risks ■■ Software installers must provide software licensing ■■ Consent: the extent to which the affected users can information prior to the installation of any bundled consent to the software risks components. ■■ Control: the degree of control that the user has over ■■ Software installers must inform users when the the software installation, operation, and removal installation of bundled components are required for Failure to meet all the criteria in this document will result the installation of the main technology (that is, not in the technology being blocked by McAfee security optional). products. ■■ Software installers must allow the user to cancel the installation of all components if the installation of any When objectionable distribution practices are used by bundled components is required for the installation of a technology or its distributors, users (and antivirus the main technology. scanners) may be unable to distinguish between compliant versions distributed using acceptable means ■■ Software installers must provide consistent (for and versions distributed using objectionable means. As example, Accept/Decline) options when offering one or a result, software that is distributed using objectionable more bundles (for example, installers must not reverse practices may result in detection for other or all versions the order of the options buttons across more than of the technology. one install window). ■■ Software installers including bundle proxies must not Any software that exhibits malware behaviors will not be collect or transmit personally identifiable information tolerated and will be detected and removed as malware. (PII) without informed user consent. Distribution ■■ Any bundled install packages are considered installers Objectionable distribution methods can impair the and must abide by the same installation notification, overall user experience. Criteria for evaluating the consent, and control guidelines as the main installer. distribution of software are as follows:

■■ Software must not be linked to or distributed using spam .

2 McAfee Potentially Unwanted Programs (PUP) Policy POLICY

Deception ■■ Software must not obfuscate files, filenames, filepaths, Users must have an informed awareness of software registry entries, and the like, beyond reasonable DRM that is installed on their system including the protection. functionality of the software and whether it is active. ■■ Software must not impair the user’s ability to uninstall Criteria for determining deceptive behaviors are as or remove the program.

follows: ■■ Software uninstall features must adequately remove all functional components of an installation. ■■ Information regarding the software publisher, source, , or other identifying information must be ■■ Software must not run third-party processes or reasonable and accurate. programs on the system without prior informed user consent. ■■ The legal conditions of the software installation (for example, software , EULA) must be clearly ■■ Software must not impair the user’s ability to control indicated in a license agreement. the software while it runs on the system.

■■ Information regarding the software publisher in a ■■ Software must not install, reinstall, or removal itself or Digital Signature must be accurate. other legitimately installed software without informed user consent or interaction. ■■ Software must indicate its behaviors and purpose such that users have a meaningful and accurate ■■ Software must not install other software without clear understanding of the nature of the technology. indication of its relationship to the primary software installation. ■■ Software that tracks users’ activities, including browsing habits, must not hide, cloak, or mislead the ■■ Software must gain informed user consent prior to user as to this functionality. making or modifying key system settings, including:

■■ Software must not disguise its presence or −−Installing plugins masquerade as another technology (for example, −−Changing browser default home pages deceptive icons, deceptive Version Information, −−Changing browser default search provider deceptive .lnk files, etc.). −−Changing desktop settings ■■ Advertisements leading to software downloads must not masquerade as another technology (for example, −−Changing icons or system colors banner ads with fake close buttons). −−Modifying the system file

■■ Software must not attempt to hide its presence or the −−Adding startup registry entries presence of other components or software. −−Modifying security settings

3 McAfee Potentially Unwanted Programs (PUP) Policy POLICY

■■ Software that makes key system setting changes must −−Date of Birth reverse these changes as part of the software uninstall −−Social Security/tax ID number process. −−Passport number ■■ Software cannot use false or misleading −−Driver’s license number endorsements, as defined or researched by industry standard methods. −−Other government-issued identification number

■■ Additional industry standard criteria may be used to −−Bank account number or other financial account determine deceptive behavior. information (for example, PayPal, Apple Pay, Google Wallet, E*TRADE) Privacy −−Credit card number Users expect that software does not collect, transmit, or −−Email address reveal sensitive, private information including ■■ and personally identifiable information without the Software must not track user online activities such express permission of the user or effected individuals. as web browsing habits, chats, or Personally Identifiable Information (PII) is defined keystrokes without informed user consent. differently among jurisdictions. Criteria for determining ■■ Software must not allow user communications to be objectionable behaviors impacting privacy are as follows: monitored, redirected, or changed without informed user consent. ■■ Software must not reveal, collect, use, or transmit ■■ passwords, biometrics, or other credentials without Software must not allow a remote user to access or informed user consent of all impacted users. control the system or send remote commands without informed user consent. ■■ Software must not collect, use, or transmit personally ■■ identifiable information (PII) or other sensitive data A user must be able to deactivate software which without informed user consent. PII includes (but is not allows a remote user to access or control the system limited to): or send remote commands. ■■ Software must not install a proxy or redirect network −−Name traffic to an online proxy or other system without −−Address informed user consent. −−City ■■ Software must not require additional user information −−State before it can be uninstalled (for example, email −−Postal code/ZIP code address). −−Phone number

4 McAfee Potentially Unwanted Programs (PUP) Policy POLICY

■■ Software that collects, stores, or transmits user data ■■ Anti-Theft

(including browser activity), passwords, personally ■■ Anonymizing /web browsing traffic identifiable information, or other sensitive information ■■ Home security/surveillance software must offer an easily accessible and clear privacy policy.

■■ Software must not bypass or facilitate bypassing of Security other software licensing by using software decipherers Users expect that software does not impede their or altering another piece of software in such a way system security settings, data confidentiality, or the that bypasses licensing restrictions. integrity, stability, or availability of their system and ■■ Software must not generate license keys for another its resources. Criteria for determining objectionable piece of unrelated software which can facilitate behaviors impacting security are as follows: licensing restrictions to be bypassed. ■■ Software must not attempt to evade security features ■■ Tracking software must provide a runtime notice that of the system or installed security products (this the software is active (for example, login message, a does not include reasonable DRM protection such as system tray icon with controls, or an always-on-top runtime packers, encryptors, etc.). notice window). ■■ Software must not attempt to disable or bypass McAfee recognizes the privacy concerns of its users and security features of the system or installed security as such will not inhibit a user’s pursuit to augment their products. privacy through other tools. Although these technologies ■■ Software must not change settings of the operating may certainly be abused, many are utilized by individuals system, security software, or other unrelated software concerned for their own safety in oppressive regions or without informed consent of the user.

to combat surveillance. Therefore, legitimate tools that ■■ Software must not exploit software or system offer the following primary behaviors anddo not exhibit vulnerabilities. other behaviors expressed in these criteria will not be ■■ Software that requires elevated privileges to execute blocked by McAfee products: or that facilitates another application to run with ■■ Virtual Private Networking (VPN) or other elevated privileges must prompt the user to enter communication credentials for the elevated user with informed

■■ File or disk encryption notification of the need to do so.

■■ ■■ File or disk wiping Software must not facilitate a denial of service (that is, DOS or DDOS) against an application, system or ■■ Steganography network through exploit, flooding with network traffic ■ ■ Anti-Forensics or by any other means.

5 McAfee Potentially Unwanted Programs (PUP) Policy POLICY

Advertising Performance, Stability, and User Experience Unexpected advertisements can be a deception to the Users expect that the installation of a piece of software user. For the purposes of this document, does not severely impact the performance or usability methods may include software which creates pop-ups, of their system or other software. Additionally, negative pop-unders, slide-ins, or inserts advertisements into side effects or features of the software may adversely the of a web page. Criteria for determining impact the user experience including annoying objectionable advertising behaviors are as follows: advertisements, impairment of system or resource usability, and other drains on the system. Users may ■■ Software must not provide pop-up, pop-under, expect certain speed impacts for come technologies or slide-in advertisements without informed user (for example, security, products). However, consent. unexpected impairments may cause frustrations or ■■ Advertisements must not be false or fraudulent, indicate other unexpected problems. deceptive, misleading, vulgar, pornographic, or offensive. Criteria for determining objectionable impacts to system performance, stability, or the user experience are as follows: ■■ Pop-up advertisements must not impair the user’s ability to close them or to control their system or other ■■ Software must not negatively impact system software. performance, reliability, or the user experience

■■ The closing of one pop-up window must not spawn beyond a reasonable level necessary to provide the one or more additional pop-up window. functionality agreed to by the user.

■■ ■■ Advertisement content or logos must direct the user Software must not place a high drain on system to germane, related content as indicated. resources that result in noticeably slower computer performance without informed user consent. ■■ Advertisements must be clearly labeled to indicate the ■ program, technology, or product creating it. ■ Software must not consume large amounts of bandwidth of an internet connection beyond what ■■ Software must not replace the advertisements of is reasonable for the type of technology (that is, P2P, another legitimate site, company, or technology online gaming applications, etc.) without informed user without user consent. consent. ■■ Software must not insert advertisements into the ■■ Software must not negatively impact the reliability of content of another application or technology without the system without informed user consent. user consent. ■■ Software must not corrupt the , material components of the system, or other installed software without informed user consent.

6 McAfee Potentially Unwanted Programs (PUP) Policy POLICY

Notification ■■ Installation windows that offer users an opportunity Central to the evaluation of software risk is the notion to select or deselect unwanted options prior to that users must be notified of the software installation installation or making system modifications and the risks associated with it. Notification can occur ■■ Product information in the Resource (.RSRC) Version using many methods and may differ from technology to Information section of Windows binary executable technology. and DLL files that is valid and germane to the vendor, distributor, or manufacturer of the software Notification may address specific risk behaviors in the ■■ software and may alert users to the risks or changes For command-line tools, accurate product name and the software will make. Notification may also provide version information identification of the software so that the user can trace ■■ For command-line tools, accurate and complete Help its origin. Notification must be provided for all identified information

risk behaviors. General notification features may include, ■■ For graphical user interfaces, germane product but are not limited to: identification in main windows, window frames, or “About” window ■■ Easily accessible and identifiable notice on that outline risks associated with ■■ Installation paths that include accurate names the installation germane to the installation

■■ Easily accessible privacy policy information on ■■ Filenames that are not randomized to obfuscate or websites or in installers specifying any collection or otherwise mask the technology

use of personally identifiable information prior to any ■■ Files and components that are not obfuscated beyond application installation or collection or transmission of any reasonable DRM protection data to a third party ■■ Embedded Windows binary icons (that is, embedded ■■ Easily accessible and germane End User License in the PE file RSRC section) that accurately represent Agreement information provided prior to any the technology application installation or collection or transmission of ■■ Files or content that are not padded with data that data to a third party impairs the user’s ability to accurately identify the ■■ Valid and germane digital signatures of binary files technology, vendor, distributor, or manufacturer identifying the vendor, distributor, or manufacturer of ■■ For pop-up windows or advertisements, identification the software in the window frame that indicates the application generating the pop-up

7 McAfee Potentially Unwanted Programs (PUP) Policy POLICY

■■ Startup menu items that clearly identify the Consent must obtain, and users must provide informed ■■ Desktop shortcut names that are germane to the consent to any risks posed by the software prior to installation the actions of the software. Consent may be obtained

■■ Desktop shortcut icons that are germane to the through several acceptable means including: installation ■■ Originating websites of software distribution ■■ Windows registry key entries that are not obfuscated ■■ agreements in a manner that hides the identity of the technology ■■ Software or website privacy policies beyond reasonable DRM measures ■■ Software installation menus (including license and ■■ For tracking (for example, keylogger or ) privacy policy information) software that monitors user online activities, notification that the software is running or active, and ■■ Runtime alerts or notifications (including consent to is easily visible to all affected users prior to any data or uninstall) activity collection (for example, login notice, runtime Control system tray icon, pop-up alert, or warning before any monitoring takes place, etc.) Users should be able to control the installation process of an application or installation and have fundamental ■■ For bundled applications, notification of bundled control over the technology once installed including components prior to their installation starting and stopping the application. Additionally, a ■■ For software updates, clear indication that the user should be able to adequately uninstall or remove software or components are being updated or that an the application from a system once its use is no longer update is available desired. ■■ For Uninstall entries in the system Add/Remove A user should be able to see that a program is running Programs interface, clear identification for the on their system. This can include system tray icons, technology entries in browser add-on management interfaces, task ■■ For Uninstall entries in the Startup menu, clear manger entries, etc. identification for the technology

8 McAfee Potentially Unwanted Programs (PUP) Policy POLICY

Users must also be aware if a program updates itself Disputing a PUP Detection or its components. Users must also be in control of McAfee PUP detection may come into question by their personal information and the use or transmission a user or by the software vendor manufacturing or thereof. distributing the technology. Vendors wishing to dispute

■■ Software that is configured to automatically load at a PUP detection against their software should submit a system startup or user login must provide a clear Detection Dispute Form to McAfee Labs found at: mechanism to disable, adequately adjust this setting, ://secure.mcafee.com/apps/mcafee-labs/ or totally remove the software. dispute-form.aspx ■■ Software that is not standalone (that is, command-line Updates to Policy tool or standalone program/component) must provide a clear uninstall mechanism. Uninstall options may be Due to rapid and frequent software development found in several locations, including: and distribution, McAfee reserves the right to modify detection posture against a software or technology or to −−Add/Remove Programs update this detection policy without prior notice. −−Windows Start Menu Uninstall feature −−Windows System Tray −−Menu items within the software user interface

■■ Software that is standalone (that is, command-line tool or single-click app) must be able to be removed through standard file delete functionality.

■■ Software must inform the user if updates are to be downloaded or installed automatically.

■■ Software that tracks a user’s online activities must be easily deactivated or uninstalled.

2821 Mission College Blvd. McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other Santa Clara, CA 95054 marks and brands may be claimed as the property of others. © 2018 McAfee, LLC. 3811_0318 888.847.8766 MARCH 2018 www.mcafee.com

9 McAfee Potentially Unwanted Programs (PUP) Policy