Hello,

I studied 800 disparate Windows 7, 8, 10, 11 computers some of whom had HP computers (perhaps typically with a trial version of McAfee and certainly with HP Support Framework). 

Some eventually properly had removed McAfee (such as with the MCPR tool).  However, on one computer I observed that every few days starting perhaps two months ago, an mc-wps-secdashboardservice.exe would install itself as a service and I assume eventually exit because it was not running when I looked.  It did leave a vestige in the Windows prefetch folder.

I  could not figure out how it got launched as a service.  There were no schedule tasks.  I did not check the dependencies of every driver/service to see if someone else was doing it programmatically.  I did observe that it was located in the

C\Program Files (x86)\HP\HP Support Framework\Resources  on three different machines

01/04/2024  01:41 AM         1,204,608
c:\Program Files (x86)\HP\HP Support Framework\Resources\mc-wps-secdashboardservice.exe
09/04/2024  03:19 AM         1,254,064
c:\Program Files (x86)\HP\HP Support Framework\Resources\mc-wps-secdashboardservice.exe

09/25/2024  04:04 AM         1,254,064
c:\Program Files (x86)\HP\HP Support Framework\Resources\mc-wps-secdashboardservice.exe

Virus Total and Hybrid-Analysis said it was fine.  The digital certificate was mostly okay (properly signed by McAfee and  I suppose not stolen) and signed while it was valid. However it was now outside the range of valid dates (I used sigcheck and digicert to check - see EXHIBIT A below).

Instead of trying to run it in a sandbox or disassembling it, I tried to take an easier path and asked HP support and McAfee Support why this service was located in the c:\Program Files (x86)\HP\HP Support Framework\Resources folder on three different machines.  

I had no confidence in the response with HP and was unable to escalate (the fellow said "HP would never put any AV product in it's folder but he admitted it was an opinion as a junior support person and could not verify that statement).

With McAfee, they insisted I look at the certificate and I had to explain to them that everything in the properties could be faked (product name, company name, file version, revision, and even various digital signature fields.).  The certificate itself could have even been stolen.  I said i just wanted to know in very broad terms (1) "what does this service do"  and (2) is it supposed to be in the HP folder or not?  No answer but McAfee agreed to escalate it and I have not heard back and I don't think I will ever get a proper answer.  IMO, only a senior person at both HP and McAfee could say without any doubt what those answers are. 

Keep in mind McAfee had already been removed and often properly with MCPR.  I doubt MCPR makes it it's business to look for components inside:
 
Also, on a fourth machine you can see where it (perhaps) normally belongs.  Example:
     C:\Program Files\McAfee\WPS\mok\mc-wps-secdashboardservice.exe

In https://www.reddit.com/r/Hewlett_Packard/comments/196wjsw/mcafee_system_security_check_dashboard_fou... the same question was asked and was not properly answered.

Bottom line, I cannot tell if this is well written malware disguised as mc-wps-secdashboardservice.exe in an HP folder or not.  I believe an HP subject-matter-expert on HP Support Framework and mc-wps-secdashboardservice.exe should be able to 100% definitely state if it belongs there or not and why it is there and what it does.

Sidenote: I knew how to manually remove all the registry entries and folders - the registry entries were problematic in terms of a rabbit hole research filled with GUID's  but I include it in EXHIBIT B

Thank you.

Harry S.

EXHIBIT A

          Verified: Signed

          Signing date:      11:34 PM 1/4/2024

          Signing date:      11:34 PM 1/4/2024

          Catalog:  ...Support Framework\Resources\mc-wps-secdashboardservice.exe

          Signers:

             McAfee, LLC

                   Cert Status:       This certificate or one of the certificates in the certificate chain is not time valid.

                   Valid Usage:       Code Signing

                   Cert Issuer:       GlobalSign GCC R45 EV CodeSigning CA 2020

                   Serial Number:     7D 9E 98 88 D0 F9 7A 54 32 82 7A 5E

                   Thumbprint:        5DCA543C1C261FB16252D630EE75B2DC5A09D8F6

                   Algorithm:         sha256RSA

                   Valid from:        11:33 AM 10/4/2021

                   Valid to: 11:33 AM 10/4/2024

             GlobalSign GCC R45 EV CodeSigning CA 2020

                   Cert Status:       Valid

                   Valid Usage:       Code Signing

                   Cert Issuer:       GlobalSign Code Signing Root R45

                   Serial Number:     77 BD 0E 05 B7 59 0B B6 1D 47 61 53 1E 3F 75 ED

                   Thumbprint:        C10BB76AD4EE815242406A1E3E1117FFEC743D4F

                   Algorithm:         sha256RSA

                   Valid from:        6:00 PM 7/27/2020

                   Valid to: 6:00 PM 7/27/2030

             GlobalSign Code Signing Root R45

                   Cert Status:       Valid

                   Valid Usage:       Code Signing

                   Cert Issuer:       GlobalSign Code Signing Root R45

                   Serial Number:     76 53 FE AC 75 46 48 93 F5 E5 D7 4A 48 3A 4E F8

                   Thumbprint:        4EFC31460C619ECAE59C1BCE2C008036D94C84B8

                   Algorithm:         sha384RSA

                   Valid from:        6:00 PM 3/17/2020

                   Valid to: 6:00 PM 3/17/2045

          Counter Signers:

             DigiCert Timestamp 2023

                   Cert Status:       Valid

                   Valid Usage:       Timestamp Signing

                   Cert Issuer:       DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA

                   Serial Number:     05 44 AF F3 94 9D 08 39 A6 BF DB 3F 5F E5 61 16

                   Thumbprint:        66F02B32C2C2C90F825DCEAA8AC9C64F199CCF40

                   Algorithm:         sha256RSA

                   Valid from:        6:00 PM 7/13/2023

                   Valid to: 5:59 PM 10/13/2034

             DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA

                   Cert Status:       Valid

                   Valid Usage:       Timestamp Signing

                   Cert Issuer:       DigiCert Trusted Root G4

                   Serial Number:     07 36 37 B7 24 54 7C D8 47 AC FD 28 66 2A 5E 5B

                   Thumbprint:        B6C8AF834D4E53B673C76872AA8C950C7C54DF5F

                   Algorithm:         sha256RSA

                   Valid from:        6:00 PM 3/22/2022

                   Valid to: 5:59 PM 3/22/2037

             DigiCert Trusted Root G4

                   Cert Status:       Valid

                   Valid Usage:       All

                   Cert Issuer:       DigiCert Assured ID Root CA

                   Serial Number:     0E 9B 18 8E F9 D0 2D E7 EF DB 50 E2 08 40 18 5A

                   Thumbprint:        A99D5B79E9F1CDA59CDAB6373169D5353F5874C6

                   Algorithm:         sha384RSA

                   Valid from:        6:00 PM 7/31/2022

                   Valid to: 5:59 PM 11/9/2031

             DigiCert Assured ID Root CA

                   Cert Status:       Valid

                   Valid Usage:       All

                   Cert Issuer:       DigiCert Assured ID Root CA

                   Serial Number:     0C E7 E0 E5 17 D8 46 FE 8F E5 60 FC 1B F0 30 39

                   Thumbprint:        0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

                   Algorithm:         sha1RSA

                   Valid from:        6:00 PM 11/9/2006

                   Valid to: 6:00 PM 11/9/2031

          Signing date:      11:34 PM 1/4/2024

          Catalog:  C:\CUSTOMERS\R-Z\Rojas.Twila\HP Support Framework\Resources\mc-wps-secdashboardservice.exe

          Signers:

             McAfee, LLC

                   Cert Status:       Valid

                   Valid Usage:       Code Signing

                   Cert Issuer:       GlobalSign GCC R45 EV CodeSigning CA 2020

                   Serial Number:     47 E0 D8 57 8A B2 00 08 39 19 FA 11

                   Thumbprint:        AAFB69C1A3FD4C2D5207E98F818B994664DB71CD

                   Algorithm:         sha256RSA

                   Valid from:        8:08 AM 10/13/2023

                   Valid to: 8:08 AM 10/13/2026

             GlobalSign GCC R45 EV CodeSigning CA 2020

                   Cert Status:       Valid

                   Valid Usage:       Code Signing

                   Cert Issuer:       GlobalSign Code Signing Root R45

                   Serial Number:     77 BD 0E 05 B7 59 0B B6 1D 47 61 53 1E 3F 75 ED

                   Thumbprint:        C10BB76AD4EE815242406A1E3E1117FFEC743D4F

                   Algorithm:         sha256RSA

                   Valid from:        6:00 PM 7/27/2020

                   Valid to: 6:00 PM 7/27/2030

             GlobalSign Code Signing Root R45

                   Cert Status:       Valid

                   Valid Usage:       Code Signing

                   Cert Issuer:       GlobalSign Code Signing Root R45

                   Serial Number:     76 53 FE AC 75 46 48 93 F5 E5 D7 4A 48 3A 4E F8

                   Thumbprint:        4EFC31460C619ECAE59C1BCE2C008036D94C84B8

                   Algorithm:         sha384RSA

                   Valid from:        6:00 PM 3/17/2020

                   Valid to: 6:00 PM 3/17/2045

          Counter Signers:

             DigiCert Timestamp 2023

                   Cert Status:       Valid

                   Valid Usage:       Timestamp Signing

                   Cert Issuer:       DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA

                   Serial Number:     05 44 AF F3 94 9D 08 39 A6 BF DB 3F 5F E5 61 16

                   Thumbprint:        66F02B32C2C2C90F825DCEAA8AC9C64F199CCF40

                   Algorithm:         sha256RSA

                   Valid from:        6:00 PM 7/13/2023

                   Valid to: 5:59 PM 10/13/2034

             DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA

                   Cert Status:       Valid

                   Valid Usage:       Timestamp Signing

                   Cert Issuer:       DigiCert Trusted Root G4

                   Serial Number:     07 36 37 B7 24 54 7C D8 47 AC FD 28 66 2A 5E 5B

                   Thumbprint:        B6C8AF834D4E53B673C76872AA8C950C7C54DF5F

                   Algorithm:         sha256RSA

                   Valid from:        6:00 PM 3/22/2022

                   Valid to: 5:59 PM 3/22/2037

             DigiCert Trusted Root G4

                   Cert Status:       Valid

                   Valid Usage:       All

                   Cert Issuer:       DigiCert Assured ID Root CA

                   Serial Number:     0E 9B 18 8E F9 D0 2D E7 EF DB 50 E2 08 40 18 5A

                   Thumbprint:        A99D5B79E9F1CDA59CDAB6373169D5353F5874C6

                   Algorithm:         sha384RSA

                   Valid from:        6:00 PM 7/31/2022

                   Valid to: 5:59 PM 11/9/2031

             DigiCert Assured ID Root CA

                   Cert Status:       Valid

                   Valid Usage:       All

                   Cert Issuer:       DigiCert Assured ID Root CA

                   Serial Number:     0C E7 E0 E5 17 D8 46 FE 8F E5 60 FC 1B F0 30 39

                   Thumbprint:        0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

                   Algorithm:         sha1RSA

                   Valid from:        6:00 PM 11/9/2006

                   Valid to: 6:00 PM 11/9/2031

          Signing date:      11:34 PM 1/4/2024

          Catalog:  C:\CUSTOMERS\R-Z\Rojas.Twila\HP Support Framework\Resources\mc-wps-secdashboardservice.exe

          Signers:

             McAfee, LLC

                   Cert Status:       This certificate or one of the certificates in the certificate chain is not time valid.

                   Valid Usage:       Code Signing

                   Cert Issuer:       McAfee Code Signing CA 2

                   Serial Number:     13 A1 91 C0 EB 27 AE 85 EA 99 D7 29 14 B6 91 E4

                   Thumbprint:        3ADBEC57AD771081833D07C4B0906FD26580D76C

                   Algorithm:         sha256RSA

                   Valid from:        6:00 PM 3/11/2021

                   Valid to: 5:59 PM 3/11/2024

             McAfee Code Signing CA 2

                   Cert Status:       This certificate or one of the certificates in the certificate chain is not time valid.

                   Valid Usage:       Code Signing

                   Cert Issuer:       USERTrust RSA Certification Authority

                   Serial Number:     00 CA C1 F1 DD 01 7E 80 F1 2B 4D 17 C1 69 6D 9B A5

                   Thumbprint:        17661DFBA03E6AAA09142E012D216864F01D1F5E

                   Algorithm:         sha384RSA

                   Valid from:        6:00 PM 10/26/2014

                   Valid to: 5:59 PM 10/26/2024

             Sectigo

                   Cert Status:       Valid

                   Valid Usage:       Client Auth, Code Signing, EFS, Email Protection, IPSEC Tunnel, IPSEC User, Server Auth, Timestamp Signing

                   Cert Issuer:       USERTrust RSA Certification Authority

                   Serial Number:     01 FD 6D 30 FC A3 CA 51 A8 1B BC 64 0E 35 03 2D

                   Thumbprint:        2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E

                   Algorithm:         sha384RSA

                   Valid from:        6:00 PM 1/31/2010

                   Valid to: 5:59 PM 1/18/2038

          Counter Signers:

             DigiCert Timestamp 2023

                   Cert Status:       Valid

                   Valid Usage:       Timestamp Signing

                   Cert Issuer:       DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA

                   Serial Number:     05 44 AF F3 94 9D 08 39 A6 BF DB 3F 5F E5 61 16

                   Thumbprint:        66F02B32C2C2C90F825DCEAA8AC9C64F199CCF40

                   Algorithm:         sha256RSA

                   Valid from:        6:00 PM 7/13/2023

                   Valid to: 5:59 PM 10/13/2034

             DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA

                   Cert Status:       Valid

                   Valid Usage:       Timestamp Signing

                   Cert Issuer:       DigiCert Trusted Root G4

                   Serial Number:     07 36 37 B7 24 54 7C D8 47 AC FD 28 66 2A 5E 5B

                   Thumbprint:        B6C8AF834D4E53B673C76872AA8C950C7C54DF5F

                   Algorithm:         sha256RSA

                   Valid from:        6:00 PM 3/22/2022

                   Valid to: 5:59 PM 3/22/2037

             DigiCert Trusted Root G4

                   Cert Status:       Valid

                   Valid Usage:       All

                   Cert Issuer:       DigiCert Assured ID Root CA

                   Serial Number:     0E 9B 18 8E F9 D0 2D E7 EF DB 50 E2 08 40 18 5A

                   Thumbprint:        A99D5B79E9F1CDA59CDAB6373169D5353F5874C6

                   Algorithm:         sha384RSA

                   Valid from:        6:00 PM 7/31/2022

                   Valid to: 5:59 PM 11/9/2031

             DigiCert Assured ID Root CA

                   Cert Status:       Valid

                   Valid Usage:       All

                   Cert Issuer:       DigiCert Assured ID Root CA

                   Serial Number:     0C E7 E0 E5 17 D8 46 FE 8F E5 60 FC 1B F0 30 39

                   Thumbprint:        0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

                   Algorithm:         sha1RSA

                   Valid from:        6:00 PM 11/9/2006

                   Valid to: 6:00 PM 11/9/2031

          Company:  McAfee, LLC

          Description:       McAfee System Security Check Dashboard

          Product:  McAfee System Security Check DashboardService exe

          Prod version:      3.0.0.0

          File version:      3.0.186.1

          MachineType:       64-bit

EXHIBIT B
Registry search for keyword "secdashboardservice" exported as a CSV:

HKCR\TypeLib\{03C60971-8D65-4B18-B7DE-47CE0F0576EE}\1.0\0\win64,,REG_SZ,C:\Program Files (x86)\HP\HP Support Framework\Resources\mc-wps-secdashboardservice.exe,1/10/2024 5:26:37 PM,88,BUILTIN\Administrators

HKCR\WOW6432Node\TypeLib\{03C60971-8D65-4B18-B7DE-47CE0F0576EE}\1.0\0\win64,,REG_SZ,C:\Program Files (x86)\HP\HP Support Framework\Resources\mc-wps-secdashboardservice.exe,1/10/2024 5:26:37 PM,88,BUILTIN\Administrators

HKLM\SOFTWARE\Classes\TypeLib\{03C60971-8D65-4B18-B7DE-47CE0F0576EE}\1.0\0\win64,,REG_SZ,C:\Program Files (x86)\HP\HP Support Framework\Resources\mc-wps-secdashboardservice.exe,1/10/2024 5:26:37 PM,88,BUILTIN\Administrators

HKLM\SOFTWARE\Classes\WOW6432Node\TypeLib\{03C60971-8D65-4B18-B7DE-47CE0F0576EE}\1.0\0\win64,,REG_SZ,C:\Program Files (x86)\HP\HP Support Framework\Resources\mc-wps-secdashboardservice.exe,1/10/2024 5:26:37 PM,88,BUILTIN\Administrators

HKCR\AppID\{03c60971-8d65-4b18-b7de-47ce0f0576ee},mc-wps-secdashboardservice,REG_SZ,LocalService,11/13/2024 11:46:35 PM,13,gringo\Callie

HKCR\WOW6432Node\AppID\{03c60971-8d65-4b18-b7de-47ce0f0576ee},mc-wps-secdashboardservice,REG_SZ,LocalService,11/13/2024 11:46:35 PM,13,gringo\Callie

HKLM\SOFTWARE\Classes\AppID\{03c60971-8d65-4b18-b7de-47ce0f0576ee},mc-wps-secdashboardservice,REG_SZ,LocalService,11/13/2024 11:46:35 PM,13,NT AUTHORITY\SYSTEM

HKLM\SOFTWARE\Classes\WOW6432Node\AppID\{03c60971-8d65-4b18-b7de-47ce0f0576ee},mc-wps-secdashboardservice,REG_SZ,LocalService,11/13/2024 11:46:35 PM,13,NT AUTHORITY\SYSTEM

HKCR\AppID\{03c60971-8d65-4b18-b7de-47ce0f0576ee},,REG_SZ,mc-wps-secdashboardservice,11/13/2024 11:46:35 PM,27,gringo\Callie

HKCR\AppID\{03c60971-8d65-4b18-b7de-47ce0f0576ee},LocalService,REG_SZ,mc-wps-secdashboardservice,11/13/2024 11:46:35 PM,27,gringo\Callie

HKCR\WOW6432Node\AppID\{03c60971-8d65-4b18-b7de-47ce0f0576ee},,REG_SZ,mc-wps-secdashboardservice,11/13/2024 11:46:35 PM,27,gringo\Callie

HKCR\WOW6432Node\AppID\{03c60971-8d65-4b18-b7de-47ce0f0576ee},LocalService,REG_SZ,mc-wps-secdashboardservice,11/13/2024 11:46:35 PM,27,gringo\Callie

HKLM\SOFTWARE\Classes\AppID\{03c60971-8d65-4b18-b7de-47ce0f0576ee},,REG_SZ,mc-wps-secdashboardservice,11/13/2024 11:46:35 PM,27,NT AUTHORITY\SYSTEM

HKLM\SOFTWARE\Classes\AppID\{03c60971-8d65-4b18-b7de-47ce0f0576ee},LocalService,REG_SZ,mc-wps-secdashboardservice,11/13/2024 11:46:35 PM,27,NT AUTHORITY\SYSTEM

HKLM\SOFTWARE\Classes\WOW6432Node\AppID\{03c60971-8d65-4b18-b7de-47ce0f0576ee},,REG_SZ,mc-wps-secdashboardservice,11/13/2024 11:46:35 PM,27,NT AUTHORITY\SYSTEM

HKLM\SOFTWARE\Classes\WOW6432Node\AppID\{03c60971-8d65-4b18-b7de-47ce0f0576ee},LocalService,REG_SZ,mc-wps-secdashboardservice,11/13/2024 11:46:35 PM,27,NT AUTHORITY\SYSTEM

HKCR\TypeLib\{03C60971-8D65-4B18-B7DE-47CE0F0576EE}\1.0,,REG_SZ,mcwpssecdashboardserviceLib,1/10/2024 5:26:37 PM,28,BUILTIN\Administrators

HKCR\WOW6432Node\TypeLib\{03C60971-8D65-4B18-B7DE-47CE0F0576EE}\1.0,,REG_SZ,mcwpssecdashboardserviceLib,1/10/2024 5:26:37 PM,28,BUILTIN\Administrators

HKLM\SOFTWARE\Classes\TypeLib\{03C60971-8D65-4B18-B7DE-47CE0F0576EE}\1.0,,REG_SZ,mcwpssecdashboardserviceLib,1/10/2024 5:26:37 PM,28,BUILTIN\Administrators

HKLM\SOFTWARE\Classes\WOW6432Node\TypeLib\{03C60971-8D65-4B18-B7DE-47CE0F0576EE}\1.0,,REG_SZ,mcwpssecdashboardserviceLib,1/10/2024 5:26:37 PM,28,BUILTIN\Administrators

HKCR\AppID\mc-wps-secdashboardservice.EXE,AppID,REG_SZ,{03c60971-8d65-4b18-b7de-47ce0f0576ee},1/10/2024 5:26:37 PM,39,gringo\Callie

HKCR\WOW6432Node\AppID\mc-wps-secdashboardservice.EXE,AppID,REG_SZ,{03c60971-8d65-4b18-b7de-47ce0f0576ee},1/10/2024 5:26:37 PM,39,gringo\Callie

HKLM\SOFTWARE\Classes\AppID\mc-wps-secdashboardservice.EXE,AppID,REG_SZ,{03c60971-8d65-4b18-b7de-47ce0f0576ee},1/10/2024 5:26:37 PM,39,NT AUTHORITY\SYSTEM

HKLM\SOFTWARE\Classes\WOW6432Node\AppID\mc-wps-secdashboardservice.EXE,AppID,REG_SZ,{03c60971-8d65-4b18-b7de-47ce0f0576ee},1/10/2024 5:26:37 PM,39,NT AUTHORITY\SYSTEM

the end