POLICY McAfee Potentially Unwanted Programs (PUP) Policy March, 2018 McAfee recognizes that legitimate technologies such as commercial, shareware, freeware, or open source products may provide a value or benefit to a user. However, if these technologies also pose a risk to the user or their system, then users should consent to the behaviors exhibited by the software, understand the risks, and have adequate control over the technology. McAfee refers to technologies with these characteristics as “potentially unwanted program(s),” or “PUP(s).” The McAfee® PUP detection policy is based on the process includes assessing the risks to privacy, security, premise that users should understand what is being performance, and stability associated with the following: installed on their systems and be notified when a ■ Distribution: how users obtain the software including technology poses a risk to their system or privacy. advertisements, interstitials, landing-pages, linking, PUP detection and removal is intended to provide and bundling notification to our users when a software program or technology lacks sufficient notification or control over ■ Installation: whether the user can make an informed the software or fails to adequately gain user consent to decision about the software installation or add- the risks posed by the technology. McAfee Labs is the ons and can adequately back out of any undesired McAfee team responsible for researching and analyzing installations technologies for PUP characteristics. ■ Run-Time Behaviors: the behaviors exhibited by the technology including advertisements, deception, and McAfee Labs evaluates technologies to assess any impacts to privacy and security risks exhibited by the technology against the degree of user notification and control over the technology. This ■ Uninstall: whether the user can easily remove all functional components of an install Connect With Us 1 McAfee Potentially Unwanted Programs (PUP) Policy POLICY These areas are then evaluated against the following: ■ Software must not be distributed or installed by malware or by otherwise malicious (for example, drive- ■ Notification: the extent to which the user is notified by) installations. of the software risks ■ Software installers must provide software licensing ■ Consent: the extent to which the affected users can information prior to the installation of any bundled consent to the software risks components. ■ Control: the degree of control that the user has over ■ Software installers must inform users when the the software installation, operation, and removal installation of bundled components are required for Failure to meet all the criteria in this document will result the installation of the main technology (that is, not in the technology being blocked by McAfee security optional). products. ■ Software installers must allow the user to cancel the installation of all components if the installation of any When objectionable distribution practices are used by bundled components is required for the installation of a technology or its distributors, users (and antivirus the main technology. scanners) may be unable to distinguish between compliant versions distributed using acceptable means ■ Software installers must provide consistent (for and versions distributed using objectionable means. As example, Accept/Decline) options when offering one or a result, software that is distributed using objectionable more bundles (for example, installers must not reverse practices may result in detection for other or all versions the order of the options buttons across more than of the technology. one install window). ■ Software installers including bundle proxies must not Any software that exhibits malware behaviors will not be collect or transmit personally identifiable information tolerated and will be detected and removed as malware. (PII) without informed user consent. Distribution ■ Any bundled install packages are considered installers Objectionable distribution methods can impair the and must abide by the same installation notification, overall user experience. Criteria for evaluating the consent, and control guidelines as the main installer. distribution of software are as follows: ■ Software must not be linked to or distributed using spam email. 2 McAfee Potentially Unwanted Programs (PUP) Policy POLICY Deception ■ Software must not obfuscate files, filenames, filepaths, Users must have an informed awareness of software registry entries, and the like, beyond reasonable DRM that is installed on their system including the protection. functionality of the software and whether it is active. ■ Software must not impair the user’s ability to uninstall Criteria for determining deceptive behaviors are as or remove the program. follows: ■ Software uninstall features must adequately remove all functional components of an installation. ■ Information regarding the software publisher, source, website, or other identifying information must be ■ Software must not run third-party processes or reasonable and accurate. programs on the system without prior informed user consent. ■ The legal conditions of the software installation (for example, software license, EULA) must be clearly ■ Software must not impair the user’s ability to control indicated in a license agreement. the software while it runs on the system. ■ Information regarding the software publisher in a ■ Software must not install, reinstall, or removal itself or Digital Signature must be accurate. other legitimately installed software without informed user consent or interaction. ■ Software must indicate its behaviors and purpose such that users have a meaningful and accurate ■ Software must not install other software without clear understanding of the nature of the technology. indication of its relationship to the primary software installation. ■ Software that tracks users’ activities, including browsing habits, must not hide, cloak, or mislead the ■ Software must gain informed user consent prior to user as to this functionality. making or modifying key system settings, including: ■ Software must not disguise its presence or − Installing web browser plugins masquerade as another technology (for example, − Changing browser default home pages deceptive icons, deceptive Version Information, − Changing browser default search provider deceptive .lnk files, etc.). − Changing desktop settings ■ Advertisements leading to software downloads must not masquerade as another technology (for example, − Changing icons or system colors banner ads with fake close buttons). − Modifying the system hosts file ■ Software must not attempt to hide its presence or the − Adding startup registry entries presence of other components or software. − Modifying security settings 3 McAfee Potentially Unwanted Programs (PUP) Policy POLICY ■ Software that makes key system setting changes must − Date of Birth reverse these changes as part of the software uninstall − Social Security/tax ID number process. − Passport number ■ Software cannot use false or misleading − Driver’s license number endorsements, as defined or researched by industry standard methods. − Other government-issued identification number ■ Additional industry standard criteria may be used to − Bank account number or other financial account determine deceptive behavior. information (for example, PayPal, Apple Pay, Google Wallet, E*TRADE) Privacy − Credit card number Users expect that software does not collect, transmit, or − Email address reveal sensitive, private information including passwords ■ and personally identifiable information without the Software must not track user online activities such express permission of the user or effected individuals. as web browsing habits, instant messaging chats, or Personally Identifiable Information (PII) is defined keystrokes without informed user consent. differently among jurisdictions. Criteria for determining ■ Software must not allow user communications to be objectionable behaviors impacting privacy are as follows: monitored, redirected, or changed without informed user consent. ■ Software must not reveal, collect, use, or transmit ■ passwords, biometrics, or other credentials without Software must not allow a remote user to access or informed user consent of all impacted users. control the system or send remote commands without informed user consent. ■ Software must not collect, use, or transmit personally ■ identifiable information (PII) or other sensitive data A user must be able to deactivate software which without informed user consent. PII includes (but is not allows a remote user to access or control the system limited to): or send remote commands. ■ Software must not install a proxy or redirect network − Name traffic to an online proxy or other system without − Address informed user consent. − City ■ Software must not require additional user information − State before it can be uninstalled (for example, email − Postal code/ZIP code address). − Phone number 4 McAfee Potentially Unwanted Programs (PUP) Policy POLICY ■ Software that collects, stores, or transmits user data ■ Computer Anti-Theft (including browser activity), passwords, personally ■ Anonymizing Internet/web browsing traffic identifiable information, or other sensitive information ■ Home security/surveillance software must offer an easily accessible and clear privacy policy. ■ Software must not bypass or facilitate bypassing of Security other software licensing by using software decipherers Users expect that software does not impede their or altering