0

We have a Windows Server 2008 Standard edition server and when we logged in today a service, McAfee Security Scan, had been installed. I checked all the logs, but can't find any trace of who initiated this install or how. We already use Nod32 so there would be no reason for us to install McAfee.

Any idea how this happens?

I did look for other installs like Flash or the like, but didn't see anything.

Thanks Jacques

Jacques

3 Answers

1

Did you recently update Java or Adobe Flash?

Once you update Java and you click on the "Agree and Install" there is sometimes a check to install McAfee products.

miro23
  • I checked the list of programs and nothing shows up as being installed on that day or even a few weeks before that. I'm guessing that the Programs and Features tool won't show updates to Flash and the like? – Jacques Feb 04 '11 at 14:24
  • Sometimes Windows shows you that you have an update of Flash. If you did an Adobe Flash update, then it won't show in "Programs and Features". Do you see Adobe Flash installed at all on that server? – miro23 Feb 05 '11 at 07:12
1

Last time McAfee Security Scan appeared on any of our hardware it was because of Adobe Reader being installed and the person failed to deselect the optional software at Adobe's web site. We have since moved to distributing the Adobe products via .msi installs through group policy.

Mike
0

I am not sure how you checked your logs and such, and you might want to clear that up. What was the install source? On my computer, which profile it was loaded from usually makes it clear. If it is a UNC path, you could probably limit it to people with admin access on your box and access to the share. To find out what I mean, check this out.

```
cmd /k wmic product where "name like '%mcafee%'" get name, installsource
```

songei2f
  • It's our server hosted with our ISP. They don't have access to it at all. Only we have access via Remote Desktop to it. It could only have occurred by someone signing in and installing something, but I can't see anything to that effect – Jacques Feb 04 '11 at 15:03
  • @Jacques, just run the command. It will give you the path of where the installer was executed from. If it is in `C:\Users\%USERNAME%\Desktop` or `C:\Users\%USERNAME%\Downloads`, we know that user probably willingly installed it. If from `C:\Users\%USERNAME%\AppData\Local\Temp`, it would appear @miro23 might have been on to something; an installer extracted another one there maybe during an install. If it is not there, but from a UNC path on a server, well, then it becomes a little more difficult. You still know someone had to get to it remotely, meaning someone with the right access. – songei2f Feb 04 '11 at 16:05
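
The path buckets from the last comment, written as a PowerShell triage script. This is an added example, not code posted by anyone in the thread. The function name, verdict strings and sample paths are constructed for illustration, and the MsiInstaller event lookup goes one step beyond the thread to show which account the Application log recorded for the install.

```powershell
# Added example: not from the thread. Names and sample paths are constructed.
function Get-InstallSourceVerdict {
    param([string]$InstallSource)
    # -match is case-insensitive by default in PowerShell.
    if ([string]::IsNullOrEmpty($InstallSource)) {
        return 'No InstallSource recorded'
    }
    if ($InstallSource -match '^\\\\[^\\]+\\') {
        return 'UNC share: run by someone with access to that share and admin rights here'
    }
    if ($InstallSource -match '\\Users\\[^\\]+\\(Desktop|Downloads)(\\|$)') {
        return 'Desktop/Downloads: that user probably ran the installer deliberately'
    }
    if ($InstallSource -match '\\AppData\\Local\\Temp(\\|$)') {
        return 'Temp: likely unpacked by another installer (bundled offer)'
    }
    return 'Other path: review manually'
}

# Constructed sample paths, so the classifier can be checked on any machine.
$samples = 'C:\Users\jdoe\Downloads\',
           'C:\Users\jdoe\AppData\Local\Temp\7zS1A2B\',
           '\\fileserver\software\mcafee\'
foreach ($p in $samples) { '{0} -> {1}' -f $p, (Get-InstallSourceVerdict $p) }

# Live check on the server: same data as the wmic command in the answer.
# Note: querying Win32_Product makes Windows Installer validate every MSI package.
Get-WmiObject -Class Win32_Product -Filter "Name LIKE '%mcafee%'" |
    Select-Object Name, InstallDate, InstallSource,
        @{ n = 'Verdict'; e = { Get-InstallSourceVerdict $_.InstallSource } } |
    Format-List

# Windows Installer logs to the Application log under source MsiInstaller;
# UserId is the SID of the account the install ran as.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MsiInstaller' } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'mcafee' } |
    Select-Object TimeCreated, Id, UserId, Message |
    Format-List
```

Both live queries only return data for products installed through Windows Installer; an empty result means the product was installed some other way, not that nothing was installed.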