Security Paper suggests to remove McAfee from PCs, finds issues in OEM devices

Martin Brinkmann
Mar 17, 2016
Updated • May 17, 2016

A recent security analysis of OEM laptops running Windows 10 by Duo Security Inc concluded that all analyzed devices had privacy and network protocol related issues.

The seven laptops, produced by Dell, HP, Lenovo and Acer, shared many of the privacy and security issues, while some laptops had additional issues caused by installed OEM software.

The team looked at the network traffic that each device produced, and noticed -- among other findings -- the following:

Finding 1

Six of the seven laptops came with McAfee security software pre-installed. The researchers discovered that systems the software was installed on connected to a third-party tag server on the Internet.

Tags allow for management of cookies, tracking a browser/computer/user across time and space for marketing purposes, helping a vendor comply with “Do Not Track” settings in  browsers, allow for the management of content such as new product offerings based upon  numerous factors including time (like the first 30 days of a trial that starts after you power on your computer for the first time).

Odds are that McAfee is mainly using tags for the latter, but as I could find no documentation anywhere about how they are actually using it, I am assuming they are gathering at least some data from users

Suggestion: Uninstall McAfee software and use another security solution instead.

Finding 2

Automated network services put the computer at risk as soon as it started to talk on a network.

The researchers found the following protocols or services to be problematic from a privacy or security perspective:

1. Link Local

Link-local is an older protocol. In basic terms, it allows for a network interface to “self-configure” an IP address when other methods are absent (such as DHCP) or have simply failed (unable to read a config file).

However, when a wireless network interface is introduced, the local network segment is now confined by how powerful the wireless network interface actually is. This means that an attacker could conceivably start manipulating the wireless “local network” as they see fit.


WPAD is really trying to make things easier for the end user. One common thing for the computer to ask is “where is the web proxy so web browsing will work?” WPAD is the one that asks the question and fields the answer. The issue - much more prevalent for wireless - is that anyone nearby could provide that answer, even when no proxy is required.

LLMNR is the IPv6 version of link-local, and as we mentioned previously an attacker could answer some of those important questions the victim computer is asking, allowing for the manipulation of traffic to the attacker’s advantage

3. Smart Multi-Homed Name Resolution

Smart Multi-Homed Name Resolution remembers what DNS server is the quickest. You connect up to the Wi-Fi at the coffee shop, the DNS for the coffee shop is deemed the fastest (probably by default), and then you connect up to the VPN at work.

Sure, your DNS requests are now going over the VPN, but a copy of the requests are still being sent to that coffee shop DNS, leaking DNS queries to the coffee shop’s ISP, or to anyone else in the coffee shop sniffing the Wi-Fi.

4. Teredo Tunneling and ISATAP

Teredo Tunneling and ISATAP are both technologies that build upon the same territory laid down by our friend link-local. Both are intended to help the computer operate IPv6 in IPv4-only and IPv4/IPv6 mixed environments respectively. However, if you plan on taking your new laptop to the coffee shop (or any other place with free Wi-Fi), there is an inherent danger of MITM attacks

Fixes for these issues:

Tap on the Windows-key, type regedit.exe and hit enter. You may need to confirm an UAC prompt before the Registry Editor opens. Keep it open until you are done disabling all features below.

To disable LLMNR

  1. Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT
  2. Right-click on Windows NT and select New > Key.
  3. Name the key DNSClient.
  4. Right-click on DNSClient and select New > Dword (32-bit) Value.
  5. Name the Dword EnableMulticast.
  6. Set its value to 0.

To disable Smart Multi-Homed Name Resolution

  1. Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient
  2. Right-click on DNSClient and select New > Dword (32-bit) Value.
  3. Name the Dword DisableSmartNameResolution.
  4. Set its value to 1.
  5. On Windows 10, the following is required as well.
  6. Navigate to the key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
  7. Right-click on Parameters and select New > Dword (32-bit) Value.
  8. Name it DisableParallelAandAAAA.
  9. Set its value to 1.

To disable WPAD

  1. Tap on the Windows-key, type cmd.exe, hold down Shift and Ctrl, and hit enter. Confirm the UAC prompt. This opens an elevated command prompt window. Keep it open after you run the following command.
  2. Run the command netsh winhttp reset proxy.
  3. Tap on the Windows-key again, type services.msc and hit enter.
  4. Locate the WinHTTP Web Proxy Auto-Discovery Service and stop it if it is running by right-clicking on it and selecting "stop" from the context menu.
  5. Double-click on the service to open its properties and change its startup type to disabled.
  6. Switch to the Registry Editor and navigate to the key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
  7. Right-click on Parameters and select New > Dword (32-bit) Value.
  8. Name it UseDomainNameDevolution.
  9. Set its value to 0.

Disable teredo tunneling and ISATAP

  1. Switch to the elevated command prompt window and run the following commands
  2. netsh interface teredo set state disabled.
  3. netsh interface isatap set state disabled.

Finding 3

Privacy related settings were reset after certain updates were installed on machines running the Windows 10 operating system.

Since it cannot be helped, it is suggested to go through the Settings after updates are installed to make sure they have not been reset.

Closing Words

If you notice issues after making changes to the computer running Windows, then it is suggested to remove the Registry keys that you have created, and to change the state of services to enabled again.

Security Paper suggests to remove McAfee from PCs, finds issues in OEM devices
Article Name
Security Paper suggests to remove McAfee from PCs, finds issues in OEM devices
An analysis of seven OEM devices running Windows found severe privacy and security issues in all devices.
Ghacks Technology News

Previous Post: «
Next Post: «


  1. Pete said on May 17, 2016 at 12:33 pm

    Hi Martin, thanks for the article.

    “To disable LLMNRT” is a typo? Should be LLMNR, right?

    What about fixing “Link Local”? I don’t see fix for it.

    1. Martin Brinkmann said on May 17, 2016 at 1:10 pm

      You are right, fixed.

      1. Pete said on May 18, 2016 at 2:00 pm

        Ok, but what about the other thing? Where is the fix guide for “Link Local”?

        You have these problems/issues listed:

        1. Link Local
        2. WPAD and LLMNR
        3. Smart Multi-Homed Name Resolution
        4. Teredo Tunneling and ISATAP

        But the fixes section only has these:

        1. LLMNR
        2. Smart Multi-Homed Name Resolution
        3. WPAD
        4. Teredo Tunneling and ISATAP

        Where is the fix for “Link Local”?

      2. Martin Brinkmann said on May 18, 2016 at 2:23 pm

        I don’t have a fix for that. If you stumble upon something let me know.

  2. Corky said on March 20, 2016 at 9:55 am

    I had the time to read the PDF these security researches published and it make for enlightening reading, how a lot of the “necessary” traffic that people point to and claim is normal for Windows 10/8.x to be sending just increase the attack vector, something that was probably already known but it’s good to have proper research done.

  3. Fourtyfive said on March 18, 2016 at 2:42 pm


    Martin, do these issues only apply to Win 10 or also to, let’s say Win 8.1 ? I don’t want to start fiddling with my reg if not necessary. Thank you.

    1. Martin Brinkmann said on March 18, 2016 at 3:17 pm

      Also to Windows 8.1 as far as I remember reading.

  4. Muriel Schlecht said on March 17, 2016 at 9:00 pm

    Absolutely no problems if you use Emsisoft

  5. Converted to FOSS said on March 17, 2016 at 8:07 pm

    Windows 10 Codename Threshold has NO issues whatsoever. It does the NSA work in a splendid way.

    McAfee seems to integrate even better with NSA requirements to hunt down potential terrorists and future customers of NSA-Friendly Corporations. Sorry but McAfee… is yours complete negligence?
    “Do Not Track” is a joke! Go Private Browsing instead.

    Responder is a LLMNR and NBT-NS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server:

    This python script totally owns a local client… Wonder if some three-word-letter agency could do it remotely? I mean, SURE.

    So, McAfee is voluntary adhering to official spying standards?

  6. Rockin' Jerry said on March 17, 2016 at 7:27 pm

    Is it me or does it seem like Windows 10 has a lot of issues.

    1. Corky said on March 18, 2016 at 9:27 am

      @Rockin’ Jerry, Either posted a reply to the wrong article or doesn’t know McAfee (bought by Norton ages ago) has nothing to do with Windows 10. :?

      1. Corky said on March 20, 2016 at 9:48 am

        @Martin, Sorry i must have mixed up McAfee with one of the many companies Norton has bought up over the years, i wonder if all those OEM’s get any kickbacks from Intel for including McAfee like discounts on CPUs.

      2. Martin Brinkmann said on March 18, 2016 at 10:53 am

        McAfee was acquired by Intel ;)

    2. flyli5411 said on March 17, 2016 at 11:54 pm


Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.