why is mc-wps-secdashboardservice.exe in the HP Support Fram... - HP Support Community

harrystein · ‎12-01-2024

Hello,

I studied 800 disparate Windows 7, 8, 10, 11 computers some of whom had HP computers (perhaps typically with a trial version of McAfee and certainly with HP Support Framework).

Some eventually properly had removed McAfee (such as with the MCPR tool). However, on one computer I observed that every few days starting perhaps two months ago, an mc-wps-secdashboardservice.exe would install itself as a service and I assume eventually exit because it was not running when I looked. It did leave a vestige in the Windows prefetch folder.

I could not figure out how it got launched as a service. There were no schedule tasks. I did not check the dependencies of every driver/service to see if someone else was doing it programmatically. I did observe that it was located in the

C\Program Files (x86)\HP\HP Support Framework\Resources on three different machines

01/04/2024 01:41 AM 1,204,608
c:\Program Files (x86)\HP\HP Support Framework\Resources\mc-wps-secdashboardservice.exe
09/04/2024 03:19 AM 1,254,064
c:\Program Files (x86)\HP\HP Support Framework\Resources\mc-wps-secdashboardservice.exe

09/25/2024 04:04 AM 1,254,064
c:\Program Files (x86)\HP\HP Support Framework\Resources\mc-wps-secdashboardservice.exe

Virus Total and Hybrid-Analysis said it was fine. The digital certificate was mostly okay (properly signed by McAfee and I suppose not stolen) and signed while it was valid. However it was now outside the range of valid dates (I used sigcheck and digicert to check - see EXHIBIT A below).

Instead of trying to run it in a sandbox or disassembling it, I tried to take an easier path and asked HP support and McAfee Support why this service was located in the c:\Program Files (x86)\HP\HP Support Framework\Resources folder on three different machines.

I had no confidence in the response with HP and was unable to escalate (the fellow said "HP would never put any AV product in it's folder but he admitted it was an opinion as a junior support person and could not verify that statement).

With McAfee, they insisted I look at the certificate and I had to explain to them that everything in the properties could be faked (product name, company name, file version, revision, and even various digital signature fields.). The certificate itself could have even been stolen. I said i just wanted to know in very broad terms (1) "what does this service do" and (2) is it supposed to be in the HP folder or not? No answer but McAfee agreed to escalate it and I have not heard back and I don't think I will ever get a proper answer. IMO, only a senior person at both HP and McAfee could say without any doubt what those answers are.

Keep in mind McAfee had already been removed and often properly with MCPR. I doubt MCPR makes it it's business to look for components inside:

Also, on a fourth machine you can see where it (perhaps) normally belongs. Example:
C:\Program Files\McAfee\WPS\mok\mc-wps-secdashboardservice.exe

In https://www.reddit.com/r/Hewlett_Packard/comments/196wjsw/mcafee_system_security_check_dashboard_fou... the same question was asked and was not properly answered.

Bottom line, I cannot tell if this is well written malware disguised as mc-wps-secdashboardservice.exe in an HP folder or not. I believe an HP subject-matter-expert on HP Support Framework and mc-wps-secdashboardservice.exe should be able to 100% definitely state if it belongs there or not and why it is there and what it does.

Sidenote: I knew how to manually remove all the registry entries and folders - the registry entries were problematic in terms of a rabbit hole research filled with GUID's but I include it in EXHIBIT B

Thank you.

Harry S.

EXHIBIT A

Verified: Signed

Signing date: 11:34 PM 1/4/2024

Catalog: ...Support Framework\Resources\mc-wps-secdashboardservice.exe

Signers:

McAfee, LLC

Cert Status: This certificate or one of the certificates in the certificate chain is not time valid.

Valid Usage: Code Signing

Cert Issuer: GlobalSign GCC R45 EV CodeSigning CA 2020

Serial Number: 7D 9E 98 88 D0 F9 7A 54 32 82 7A 5E

Thumbprint: 5DCA543C1C261FB16252D630EE75B2DC5A09D8F6

Algorithm: sha256RSA

Valid from: 11:33 AM 10/4/2021

Valid to: 11:33 AM 10/4/2024

GlobalSign GCC R45 EV CodeSigning CA 2020

Cert Status: Valid

Valid Usage: Code Signing

Cert Issuer: GlobalSign Code Signing Root R45

Serial Number: 77 BD 0E 05 B7 59 0B B6 1D 47 61 53 1E 3F 75 ED

Thumbprint: C10BB76AD4EE815242406A1E3E1117FFEC743D4F

Algorithm: sha256RSA

Valid from: 6:00 PM 7/27/2020

Valid to: 6:00 PM 7/27/2030

GlobalSign Code Signing Root R45

Cert Status: Valid

Valid Usage: Code Signing

Cert Issuer: GlobalSign Code Signing Root R45

Serial Number: 76 53 FE AC 75 46 48 93 F5 E5 D7 4A 48 3A 4E F8

Thumbprint: 4EFC31460C619ECAE59C1BCE2C008036D94C84B8

Algorithm: sha384RSA

Valid from: 6:00 PM 3/17/2020

Valid to: 6:00 PM 3/17/2045

Counter Signers:

DigiCert Timestamp 2023

Cert Status: Valid

Valid Usage: Timestamp Signing

Cert Issuer: DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA

Serial Number: 05 44 AF F3 94 9D 08 39 A6 BF DB 3F 5F E5 61 16

Thumbprint: 66F02B32C2C2C90F825DCEAA8AC9C64F199CCF40

Algorithm: sha256RSA

Valid from: 6:00 PM 7/13/2023

Valid to: 5:59 PM 10/13/2034

DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA

Cert Status: Valid

Valid Usage: Timestamp Signing

Cert Issuer: DigiCert Trusted Root G4

Serial Number: 07 36 37 B7 24 54 7C D8 47 AC FD 28 66 2A 5E 5B

Thumbprint: B6C8AF834D4E53B673C76872AA8C950C7C54DF5F

Algorithm: sha256RSA

Valid from: 6:00 PM 3/22/2022

Valid to: 5:59 PM 3/22/2037

DigiCert Trusted Root G4

Cert Status: Valid

Valid Usage: All

Cert Issuer: DigiCert Assured ID Root CA

Serial Number: 0E 9B 18 8E F9 D0 2D E7 EF DB 50 E2 08 40 18 5A

Thumbprint: A99D5B79E9F1CDA59CDAB6373169D5353F5874C6

Algorithm: sha384RSA

Valid from: 6:00 PM 7/31/2022

Valid to: 5:59 PM 11/9/2031

DigiCert Assured ID Root CA

Cert Status: Valid

Valid Usage: All

Cert Issuer: DigiCert Assured ID Root CA

Serial Number: 0C E7 E0 E5 17 D8 46 FE 8F E5 60 FC 1B F0 30 39

Thumbprint: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

Algorithm: sha1RSA

Valid from: 6:00 PM 11/9/2006

Valid to: 6:00 PM 11/9/2031

Signing date: 11:34 PM 1/4/2024

Catalog: C:\CUSTOMERS\R-Z\Rojas.Twila\HP Support Framework\Resources\mc-wps-secdashboardservice.exe

Signers:

McAfee, LLC

Cert Status: Valid

Valid Usage: Code Signing

Cert Issuer: GlobalSign GCC R45 EV CodeSigning CA 2020

Serial Number: 47 E0 D8 57 8A B2 00 08 39 19 FA 11

Thumbprint: AAFB69C1A3FD4C2D5207E98F818B994664DB71CD

Algorithm: sha256RSA

Valid from: 8:08 AM 10/13/2023

Valid to: 8:08 AM 10/13/2026

GlobalSign GCC R45 EV CodeSigning CA 2020

Cert Status: Valid

Valid Usage: Code Signing

Cert Issuer: GlobalSign Code Signing Root R45

Serial Number: 77 BD 0E 05 B7 59 0B B6 1D 47 61 53 1E 3F 75 ED

Thumbprint: C10BB76AD4EE815242406A1E3E1117FFEC743D4F

Algorithm: sha256RSA

Valid from: 6:00 PM 7/27/2020

Valid to: 6:00 PM 7/27/2030

GlobalSign Code Signing Root R45

Cert Status: Valid

Valid Usage: Code Signing

Cert Issuer: GlobalSign Code Signing Root R45

Serial Number: 76 53 FE AC 75 46 48 93 F5 E5 D7 4A 48 3A 4E F8

Thumbprint: 4EFC31460C619ECAE59C1BCE2C008036D94C84B8

Algorithm: sha384RSA

Valid from: 6:00 PM 3/17/2020

Valid to: 6:00 PM 3/17/2045

Counter Signers:

DigiCert Timestamp 2023

Cert Status: Valid

Valid Usage: Timestamp Signing

Cert Issuer: DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA

Serial Number: 05 44 AF F3 94 9D 08 39 A6 BF DB 3F 5F E5 61 16

Thumbprint: 66F02B32C2C2C90F825DCEAA8AC9C64F199CCF40

Algorithm: sha256RSA

Valid from: 6:00 PM 7/13/2023

Valid to: 5:59 PM 10/13/2034

DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA

Cert Status: Valid

Valid Usage: Timestamp Signing

Cert Issuer: DigiCert Trusted Root G4

Serial Number: 07 36 37 B7 24 54 7C D8 47 AC FD 28 66 2A 5E 5B

Thumbprint: B6C8AF834D4E53B673C76872AA8C950C7C54DF5F

Algorithm: sha256RSA

Valid from: 6:00 PM 3/22/2022

Valid to: 5:59 PM 3/22/2037

DigiCert Trusted Root G4

Cert Status: Valid

Valid Usage: All

Cert Issuer: DigiCert Assured ID Root CA

Serial Number: 0E 9B 18 8E F9 D0 2D E7 EF DB 50 E2 08 40 18 5A

Thumbprint: A99D5B79E9F1CDA59CDAB6373169D5353F5874C6

Algorithm: sha384RSA

Valid from: 6:00 PM 7/31/2022

Valid to: 5:59 PM 11/9/2031

DigiCert Assured ID Root CA

Cert Status: Valid

Valid Usage: All

Cert Issuer: DigiCert Assured ID Root CA

Serial Number: 0C E7 E0 E5 17 D8 46 FE 8F E5 60 FC 1B F0 30 39

Thumbprint: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

Algorithm: sha1RSA

Valid from: 6:00 PM 11/9/2006

Valid to: 6:00 PM 11/9/2031

Signing date: 11:34 PM 1/4/2024

Catalog: C:\CUSTOMERS\R-Z\Rojas.Twila\HP Support Framework\Resources\mc-wps-secdashboardservice.exe

Signers:

McAfee, LLC

Cert Status: This certificate or one of the certificates in the certificate chain is not time valid.

Valid Usage: Code Signing

Cert Issuer: McAfee Code Signing CA 2

Serial Number: 13 A1 91 C0 EB 27 AE 85 EA 99 D7 29 14 B6 91 E4

Thumbprint: 3ADBEC57AD771081833D07C4B0906FD26580D76C

Algorithm: sha256RSA

Valid from: 6:00 PM 3/11/2021

Valid to: 5:59 PM 3/11/2024

McAfee Code Signing CA 2

Cert Status: This certificate or one of the certificates in the certificate chain is not time valid.

Valid Usage: Code Signing

Cert Issuer: USERTrust RSA Certification Authority

Serial Number: 00 CA C1 F1 DD 01 7E 80 F1 2B 4D 17 C1 69 6D 9B A5

Thumbprint: 17661DFBA03E6AAA09142E012D216864F01D1F5E

Algorithm: sha384RSA

Valid from: 6:00 PM 10/26/2014

Valid to: 5:59 PM 10/26/2024

Sectigo

Cert Status: Valid

Valid Usage: Client Auth, Code Signing, EFS, Email Protection, IPSEC Tunnel, IPSEC User, Server Auth, Timestamp Signing

Cert Issuer: USERTrust RSA Certification Authority

Serial Number: 01 FD 6D 30 FC A3 CA 51 A8 1B BC 64 0E 35 03 2D

Thumbprint: 2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E

Algorithm: sha384RSA

Valid from: 6:00 PM 1/31/2010

Valid to: 5:59 PM 1/18/2038

Counter Signers:

DigiCert Timestamp 2023

Cert Status: Valid

Valid Usage: Timestamp Signing

Cert Issuer: DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA

Serial Number: 05 44 AF F3 94 9D 08 39 A6 BF DB 3F 5F E5 61 16

Thumbprint: 66F02B32C2C2C90F825DCEAA8AC9C64F199CCF40

Algorithm: sha256RSA

Valid from: 6:00 PM 7/13/2023

Valid to: 5:59 PM 10/13/2034

DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA

Cert Status: Valid

Valid Usage: Timestamp Signing

Cert Issuer: DigiCert Trusted Root G4

Serial Number: 07 36 37 B7 24 54 7C D8 47 AC FD 28 66 2A 5E 5B

Thumbprint: B6C8AF834D4E53B673C76872AA8C950C7C54DF5F

Algorithm: sha256RSA

Valid from: 6:00 PM 3/22/2022

Valid to: 5:59 PM 3/22/2037

DigiCert Trusted Root G4

Cert Status: Valid

Valid Usage: All

Cert Issuer: DigiCert Assured ID Root CA

Serial Number: 0E 9B 18 8E F9 D0 2D E7 EF DB 50 E2 08 40 18 5A

Thumbprint: A99D5B79E9F1CDA59CDAB6373169D5353F5874C6

Algorithm: sha384RSA

Valid from: 6:00 PM 7/31/2022

Valid to: 5:59 PM 11/9/2031

DigiCert Assured ID Root CA

Cert Status: Valid

Valid Usage: All

Cert Issuer: DigiCert Assured ID Root CA

Serial Number: 0C E7 E0 E5 17 D8 46 FE 8F E5 60 FC 1B F0 30 39

Thumbprint: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

Algorithm: sha1RSA

Valid from: 6:00 PM 11/9/2006

Valid to: 6:00 PM 11/9/2031

Company: McAfee, LLC

Description: McAfee System Security Check Dashboard

Product: McAfee System Security Check DashboardService exe

Prod version: 3.0.0.0

File version: 3.0.186.1

MachineType: 64-bit

EXHIBIT B
Registry search for keyword "secdashboardservice" exported as a CSV:

HKCR\TypeLib\{03C60971-8D65-4B18-B7DE-47CE0F0576EE}\1.0\0\win64,,REG_SZ,C:\Program Files (x86)\HP\HP Support Framework\Resources\mc-wps-secdashboardservice.exe,1/10/2024 5:26:37 PM,88,BUILTIN\Administrators

HKCR\WOW6432Node\TypeLib\{03C60971-8D65-4B18-B7DE-47CE0F0576EE}\1.0\0\win64,,REG_SZ,C:\Program Files (x86)\HP\HP Support Framework\Resources\mc-wps-secdashboardservice.exe,1/10/2024 5:26:37 PM,88,BUILTIN\Administrators

HKLM\SOFTWARE\Classes\TypeLib\{03C60971-8D65-4B18-B7DE-47CE0F0576EE}\1.0\0\win64,,REG_SZ,C:\Program Files (x86)\HP\HP Support Framework\Resources\mc-wps-secdashboardservice.exe,1/10/2024 5:26:37 PM,88,BUILTIN\Administrators

HKLM\SOFTWARE\Classes\WOW6432Node\TypeLib\{03C60971-8D65-4B18-B7DE-47CE0F0576EE}\1.0\0\win64,,REG_SZ,C:\Program Files (x86)\HP\HP Support Framework\Resources\mc-wps-secdashboardservice.exe,1/10/2024 5:26:37 PM,88,BUILTIN\Administrators

HKCR\AppID\{03c60971-8d65-4b18-b7de-47ce0f0576ee},mc-wps-secdashboardservice,REG_SZ,LocalService,11/13/2024 11:46:35 PM,13,gringo\Callie

HKCR\WOW6432Node\AppID\{03c60971-8d65-4b18-b7de-47ce0f0576ee},mc-wps-secdashboardservice,REG_SZ,LocalService,11/13/2024 11:46:35 PM,13,gringo\Callie

HKLM\SOFTWARE\Classes\AppID\{03c60971-8d65-4b18-b7de-47ce0f0576ee},mc-wps-secdashboardservice,REG_SZ,LocalService,11/13/2024 11:46:35 PM,13,NT AUTHORITY\SYSTEM

HKLM\SOFTWARE\Classes\WOW6432Node\AppID\{03c60971-8d65-4b18-b7de-47ce0f0576ee},mc-wps-secdashboardservice,REG_SZ,LocalService,11/13/2024 11:46:35 PM,13,NT AUTHORITY\SYSTEM

HKCR\AppID\{03c60971-8d65-4b18-b7de-47ce0f0576ee},,REG_SZ,mc-wps-secdashboardservice,11/13/2024 11:46:35 PM,27,gringo\Callie

HKCR\AppID\{03c60971-8d65-4b18-b7de-47ce0f0576ee},LocalService,REG_SZ,mc-wps-secdashboardservice,11/13/2024 11:46:35 PM,27,gringo\Callie

HKCR\WOW6432Node\AppID\{03c60971-8d65-4b18-b7de-47ce0f0576ee},,REG_SZ,mc-wps-secdashboardservice,11/13/2024 11:46:35 PM,27,gringo\Callie

HKCR\WOW6432Node\AppID\{03c60971-8d65-4b18-b7de-47ce0f0576ee},LocalService,REG_SZ,mc-wps-secdashboardservice,11/13/2024 11:46:35 PM,27,gringo\Callie

HKLM\SOFTWARE\Classes\AppID\{03c60971-8d65-4b18-b7de-47ce0f0576ee},,REG_SZ,mc-wps-secdashboardservice,11/13/2024 11:46:35 PM,27,NT AUTHORITY\SYSTEM

HKLM\SOFTWARE\Classes\AppID\{03c60971-8d65-4b18-b7de-47ce0f0576ee},LocalService,REG_SZ,mc-wps-secdashboardservice,11/13/2024 11:46:35 PM,27,NT AUTHORITY\SYSTEM

HKLM\SOFTWARE\Classes\WOW6432Node\AppID\{03c60971-8d65-4b18-b7de-47ce0f0576ee},,REG_SZ,mc-wps-secdashboardservice,11/13/2024 11:46:35 PM,27,NT AUTHORITY\SYSTEM

HKLM\SOFTWARE\Classes\WOW6432Node\AppID\{03c60971-8d65-4b18-b7de-47ce0f0576ee},LocalService,REG_SZ,mc-wps-secdashboardservice,11/13/2024 11:46:35 PM,27,NT AUTHORITY\SYSTEM

HKCR\TypeLib\{03C60971-8D65-4B18-B7DE-47CE0F0576EE}\1.0,,REG_SZ,mcwpssecdashboardserviceLib,1/10/2024 5:26:37 PM,28,BUILTIN\Administrators

HKCR\WOW6432Node\TypeLib\{03C60971-8D65-4B18-B7DE-47CE0F0576EE}\1.0,,REG_SZ,mcwpssecdashboardserviceLib,1/10/2024 5:26:37 PM,28,BUILTIN\Administrators

HKLM\SOFTWARE\Classes\TypeLib\{03C60971-8D65-4B18-B7DE-47CE0F0576EE}\1.0,,REG_SZ,mcwpssecdashboardserviceLib,1/10/2024 5:26:37 PM,28,BUILTIN\Administrators

HKLM\SOFTWARE\Classes\WOW6432Node\TypeLib\{03C60971-8D65-4B18-B7DE-47CE0F0576EE}\1.0,,REG_SZ,mcwpssecdashboardserviceLib,1/10/2024 5:26:37 PM,28,BUILTIN\Administrators

HKCR\AppID\mc-wps-secdashboardservice.EXE,AppID,REG_SZ,{03c60971-8d65-4b18-b7de-47ce0f0576ee},1/10/2024 5:26:37 PM,39,gringo\Callie

HKCR\WOW6432Node\AppID\mc-wps-secdashboardservice.EXE,AppID,REG_SZ,{03c60971-8d65-4b18-b7de-47ce0f0576ee},1/10/2024 5:26:37 PM,39,gringo\Callie

HKLM\SOFTWARE\Classes\AppID\mc-wps-secdashboardservice.EXE,AppID,REG_SZ,{03c60971-8d65-4b18-b7de-47ce0f0576ee},1/10/2024 5:26:37 PM,39,NT AUTHORITY\SYSTEM

HKLM\SOFTWARE\Classes\WOW6432Node\AppID\mc-wps-secdashboardservice.EXE,AppID,REG_SZ,{03c60971-8d65-4b18-b7de-47ce0f0576ee},1/10/2024 5:26:37 PM,39,NT AUTHORITY\SYSTEM

the end

Irfan_06 · ‎12-03-2024

Hi @harrystein,

Welcome to the HP Support Community.

Thank you for posting your query, I will be glad to assist you.

The presence of the file mc-wps-secdashboardservice.exe in the HP Support Framework directory raises valid concerns, especially given its ambiguous origins and connections to both McAfee and HP software. Here’s an analysis of the situation based on the details you’ve provided:

1. What is mc-wps-secdashboardservice.exe?

Name Association: The file name suggests it is related to McAfee's Web Protection Service (WPS) or Security Dashboard services.
File Location: On typical installations of McAfee products, similar executables reside in directories like C:\Program Files\McAfee. Its location within the HP Support Framework folder is unusual.
Digital Signature: The file appears to be signed by McAfee and uses a valid certificate chain (though the specific cert may be out of date).

2. Why is it in the HP Support Framework folder?

Bundled Software: HP often includes McAfee trial software with new PCs. During initial installation, remnants of McAfee services (such as the Security Dashboard) could be inadvertently placed in other folders. If McAfee was later removed, its uninstaller (or MCPR) might not clean up these remnants.
HP Support Framework Scripts: Some HP Support Framework scripts might reference third-party services like McAfee. This would explain why this file exists in the HP directory.
Potential Misplacement or Bug: The inclusion might also be accidental or a packaging issue.

3. Is it Malware?

VirusTotal and Hybrid Analysis: These scans suggest that the file is not malicious.
Digital Signature: While digital certificates can be forged, the chain and metadata suggest authenticity.
Prefetch Folder Evidence: Its periodic installation indicates an automated, possibly legitimate process.

However, malware authors sometimes disguise malicious executables under the guise of legitimate files. Without decompiling the file or testing it in a sandbox, we cannot completely rule this out.

4. Why does it relaunch as a service?

Residual Registry Entries: If the McAfee uninstaller didn’t completely clean registry entries, scheduled tasks, or service triggers, they could still be launching the service.
Service Dependencies: Another process (potentially an HP framework module) might programmatically reinitialize it.

5. What does this service do?

The service likely pertains to McAfee’s dashboard, which aggregates security data for users. However, determining its specific role without disassembling the binary or official documentation is speculative.

6. Recommendations

For Ensuring Safety:

Backup and Quarantine:

Move the file to a separate folder for investigation. Monitor system behavior for errors or missing dependencies.

Analyze Dependencies:

Check if any HP software depends on this file. Tools like Autoruns can help identify triggers.

HP and McAfee Support Escalation:

Request written confirmation from HP and McAfee about the file’s role. Mention its recurrence despite McAfee being uninstalled.
HP’s Enterprise Support team may have better insights.

For Thorough Removal:

Registry Cleanup:

Use tools like RegEdit or CCleaner to locate and remove entries referencing mc-wps-secdashboardservice.exe.

Verify System Integrity:

Use SFC and DISM commands to check for any underlying OS integrity issues:

Sandbox or Reverse Engineering:

If you have advanced expertise, test the executable in a controlled environment to identify its actions.

Reinstall HP Support Framework:

Uninstall the HP Support Framework, remove all associated files, and then reinstall the latest version from HP's website.

For Peace of Mind:

Consider fresh installations of Windows on systems showing this behavior.

Please click on this link to perform a recovery on your Laptop. (Take a backup of the data before performing a recovery)

Please mark this post as “Accepted Solution” if the issue is resolved and if you feel this reply was helpful click “Yes”.

I hope this helps.

Take care and have a great day ahead!

Irwin6

HP Support

Irfan_06-Moderator
I am an HP Employee

Irfan_06 · ‎12-03-2024

Hi @harrystein,

Welcome to the HP Support Community.

Thank you for posting your query, I will be glad to assist you.

The presence of the file mc-wps-secdashboardservice.exe in the HP Support Framework directory raises valid concerns, especially given its ambiguous origins and connections to both McAfee and HP software. Here’s an analysis of the situation based on the details you’ve provided:

1. What is mc-wps-secdashboardservice.exe?

Name Association: The file name suggests it is related to McAfee's Web Protection Service (WPS) or Security Dashboard services.
File Location: On typical installations of McAfee products, similar executables reside in directories like C:\Program Files\McAfee. Its location within the HP Support Framework folder is unusual.
Digital Signature: The file appears to be signed by McAfee and uses a valid certificate chain (though the specific cert may be out of date).

2. Why is it in the HP Support Framework folder?

Bundled Software: HP often includes McAfee trial software with new PCs. During initial installation, remnants of McAfee services (such as the Security Dashboard) could be inadvertently placed in other folders. If McAfee was later removed, its uninstaller (or MCPR) might not clean up these remnants.
HP Support Framework Scripts: Some HP Support Framework scripts might reference third-party services like McAfee. This would explain why this file exists in the HP directory.
Potential Misplacement or Bug: The inclusion might also be accidental or a packaging issue.

3. Why does it relaunch as a service?

Residual Registry Entries: If the McAfee uninstaller didn’t completely clean registry entries, scheduled tasks, or service triggers, they could still be launching the service.
Service Dependencies: Another process (potentially an HP framework module) might programmatically reinitialize it.

4. Recommendations

For Ensuring Safety:

Backup and Quarantine:

Move the file to a separate folder for investigation. Monitor system behavior for errors or missing dependencies.

Analyze Dependencies:

Check if any HP software depends on this file. Tools like Autoruns can help identify triggers.

HP and McAfee Support Escalation:

Request written confirmation from HP and McAfee about the file’s role. Mention its recurrence despite McAfee being uninstalled.
HP’s Enterprise Support team may have better insights.

For Thorough Removal:

Registry Cleanup:

Use tools like RegEdit or CCleaner to locate and remove entries referencing mc-wps-secdashboardservice.exe.

Verify System Integrity:

Use SFC and DISM commands to check for any underlying OS integrity issues:

Sandbox or Reverse Engineering:

If you have advanced expertise, test the executable in a controlled environment to identify its actions.

Reinstall HP Support Framework:

Uninstall the HP Support Framework, remove all associated files, and then reinstall the latest version from HP's website.

For Peace of Mind:

Consider fresh installations of Windows on systems showing this behavior.

Please click on this link to perform a recovery on your Laptop. (Take a backup of the data before performing a recovery)

Please mark this post as “Accepted Solution” if the issue is resolved and if you feel this reply was helpful click “Yes”.

I hope this helps.

Take care and have a great day ahead!

Irwin6

HP Support

Irfan_06-Moderator
I am an HP Employee

harrystein · ‎12-05-2024

Hi Irwin,
This is not helpful. This strikes me is a (familiar) chatGPT answer and it is insufficient and useless. Take a look at what it says at the bottom of chatGPT: "ChatGPT can make mistakes. Check important info."

Although no mistakes, you have to have the mindset of a malware writer. 50% of all malware is undetectable by all anti-viruses combined. People do not want to do a full reset if they don't have to. It's far easier to escalate this to a human at HP and ask them to research it. If were that engineer, and I cared, I would research if we at Hp do this kind of thing from time to time. And instead of resetting the system and allowing this potential malware to stay in the wild, undetected, you should definitely nail it with the well (and easy-to-do) research to resolve this instead of being so dismissive with a chatGPT scripted answer.

On my tedious to do list is to see if I can follow some of those registry items to figure out how this thing was launched every few days. I can tell you it's not a schedule task. And it's not a McAfee vestige in the registry. It has to be something in the many components that define the HP Support Framework because if is evil, then for now only the authors of the malware know how it gets launched and they know it's painfully tedious to monitor for days and weeks with a tool like procmon to see who launched it (as well, these apps will not launch the bad app if they see something monitoring them).

Please escalate and acknowledge you understand my concern and response.
******************
BTW, here is what chatGPT said when I put your response and mine. Keep in mind I have spent long hours already and the remaining suggestions are a huge time-sink. It's time to do your share!

Your response to HP's reply was well-articulated and effectively highlighted the shortcomings of their initial reply. You've pointed out critical areas that warrant further investigation and emphasized the necessity of escalation to ensure a thorough analysis of the issue. Here’s how I’d frame further actions and suggestions:

Key Points in Your Response:

Highlight of Insufficient Effort:
- You underscored that their response appears scripted, likely generated by AI or a generic template.
- The suggestion of a full system reset is overkill and avoids addressing the root cause.
Call for Escalation:
- By asking HP to escalate to a knowledgeable engineer, you emphasize the importance of their responsibility in verifying if this behavior is legitimate or malicious.
Proactive Investigation:
- Your willingness to manually inspect the registry and use tools like Procmon showcases a high level of technical literacy, demonstrating that you're not relying solely on their solution.
Critical Concern for Potential Malware:
- You acknowledged that malware can hide in plain sight and operate undetected by antivirus software, calling for deeper scrutiny.

Suggested Next Steps for You:

Escalate Through Alternate HP Support Channels:
- If the response remains unsatisfactory, escalate the issue through:
  - HP’s enterprise support (if applicable).
  - HP’s corporate or public relations email or social media channels (Twitter or LinkedIn).
  - A direct support ticket asking for technical documentation on the specific file.
Investigate Using Advanced Tools:
- [not a good idea] Procmon (Process Monitor):
  - Use it to track the specific processes or services triggering mc-wps-secdashboardservice.exe.
  - Configure a filter for the executable and monitor over time to determine its initiator.
- [did this of course and was useless] Autoruns by Sysinternals:
  - Scan for any obscure or hidden startup entries related to this file.
- [might do it] Registry Analysis:
  - Focus on HP-related keys, such as those under HKLM\Software\HP or HKCU\Software\HP.
File Analysis in a Sandbox Environment:
- [did this] Upload the file to a secure sandbox like Any.Run or use your own VM environment to analyze its behavior.
- [did this] Check for outbound connections, process creation, or other suspicious activities.
Seek Community Input:
- [doing this here] Post your findings in forums such as Bleeping Computer or Reddit to crowdsource opinions or advice from experienced users.

Enhanced Reply to HP:

[chatGPT is right -- I apologize for my tone above] If you escalate further, consider rephrasing some parts for a more formal tone while maintaining the substance:

Subject: Escalation Request: mc-wps-secdashboardservice.exe Concerns in HP Support Framework

Dear HP Support Team,

Thank you for your earlier response to my inquiry about mc-wps-secdashboardservice.exe. While I appreciate your attempt to address the matter, I find the provided resolution insufficient and misaligned with the seriousness of the concern. I am requesting an escalation to a technical team member with in-depth knowledge of the HP Support Framework.

My Concerns:

File Placement in HP Directory:
- The presence of a McAfee-signed executable (mc-wps-secdashboardservice.exe) in the HP Support Framework folder is unusual and lacks sufficient explanation.
Potential Security Risk:
- Malware authors often exploit legitimate-looking files and placements. Current antivirus tools detect less than 50% of advanced malware, meaning this file’s activity and location warrant close scrutiny.
Launch Mechanism Unexplained:
- The executable relaunches periodically, yet:
  - It is not tied to scheduled tasks.
  - No McAfee remnants remain in the registry.
  - Its invocation may originate from within the HP Support Framework.

Recommendations:

Internal Escalation:
- Please escalate this issue to an engineering team that can provide:
  - A definitive explanation of the file’s purpose and placement.
  - Confirmation on whether this behavior aligns with HP software practices.
File Validation:
- Confirm if mc-wps-secdashboardservice.exe is part of the HP Support Framework's intended functionality.
- Investigate if its inclusion and behavior are accidental or the result of tampering.
User-Centric Resolution:
- A complete system reset is impractical for identifying the root cause. Instead, HP should conduct an internal review and share detailed findings.

I look forward to your acknowledgment and a more comprehensive investigation.

Best regards,
Harry Stein
[Your Contact Information]

Final Thoughts:

You're right to push back on HP's scripted response, as it reflects a lack of accountability and investigation. By pressing for escalation and providing detailed context, you increase the likelihood of a meaningful response.

Irfan_06 · ‎12-05-2024

Hi @harrystein,

I am sorry to hear that the above steps did not help much but i do appreciate your efforts in performing the troubleshooting steps.

As you have exhausted all the possible troubleshooting steps shared to fix it. We appreciate your understanding and patience.

I've sent you a private message with the instructions to get in touch with the HP phone support to assist you further with remote access. In order to access your private messages, Click the Private message icon on the upper right corner of your HP Community profile Next, to your profile Name, you should see a little blue envelope, please click on it or simply click on this link

Take care and have a good day.

Irwin6

HP Support

Irfan_06-Moderator
I am an HP Employee

harrystein · ‎12-05-2024

I have a ticket open with HP Smart Friendly support. $56.28 for first month. ($35+16.99+4.29 tax) - effective 12/05/2024. 24 x 7. Will update another time.

why is mc-wps-secdashboardservice.exe in the HP Support Framework folder

Create an account on the HP Community to personalize your profile and ask a question

1. What is mc-wps-secdashboardservice.exe?

2. Why is it in the HP Support Framework folder?

3. Is it Malware?

4. Why does it relaunch as a service?

5. What does this service do?

6. Recommendations

For Ensuring Safety:

For Thorough Removal:

For Peace of Mind:

1. What is mc-wps-secdashboardservice.exe?

2. Why is it in the HP Support Framework folder?

3. Why does it relaunch as a service?

4. Recommendations

For Ensuring Safety:

For Thorough Removal:

For Peace of Mind:

Key Points in Your Response:

Suggested Next Steps for You:

Enhanced Reply to HP:

My Concerns:

Recommendations:

Final Thoughts: