Thank you McAfee for hidden user "mfe" with UID over 500

donmontalvo
Esteemed Contributor II

https://kc.mcafee.com/corporate/index?page=content&id=KB89431

Now we have to exclude that user in all our scripts. #UATwhatsUAT

$ dscl . list /Users | grep mfe
mfe
$ id mfe
uid=502(mfe) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),703(com.apple.sharepoint.group.3),704(com.apple.sharepoint.group.4),98(_lpadmin),100(_lpoperator),204(_developer),701(com.apple.sharepoint.group.1),225(com.apple.access_loginwindow),702(com.apple.sharepoint.group.2)
--
https://donmontalvo.com

SeanA
Contributor III

my o my.

donmontalvo
Esteemed Contributor II

"You pay us, but you do our Beta testing and UAT, thank you, enjoy the show!" - McAfee

#shakesFistAtMcAfee

--
https://donmontalvo.com

mm2270
Legendary Contributor III

Yeah, we see this too now. Amateurs. That's all I can say about them that's even remotely nice and doesn't involve swear words.

jwojda
Valued Contributor II

well, that explains a lot.

donmontalvo
Esteemed Contributor II

So much for "hidden"...ugh...we're reporting to McAfee.

EA to look for /Users/mfe and nuke it....better than editing bunches of scripts.

Until McAfee gets their heads out of their a**.

--
https://donmontalvo.com

jwojda
Valued Contributor II

@donmontalvo what would be the ripple effect of deleting mfe?

mm2270
Legendary Contributor III

@donmontalvo Is that account safe to nuke without messing up the software more than it already is when installed correctly? If so, I will also be nuking it. It annoys the crap out of me that this stupid account shows up now in inventory records. Every time I think their developers can't get any worse, they surprise me.

donmontalvo
Esteemed Contributor II

The "hidden" mfe user's home is /var/empty.

The /Users/mfe folder gets created when any of our scripts needs to populate home directories for accounts with UID 500>.

--
https://donmontalvo.com
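
Added example (not written by any poster in this thread, and not McAfee or Jamf code): selecting accounts by "UID over 500" alone sweeps in mfe, so this shell example also checks the home directory, which the thread reports as /var/empty for mfe. The function names are hypothetical and every sample row except mfe is constructed.

```shell
#!/bin/sh
# Select "real" user accounts by UID *and* home directory, so a service
# account such as mfe (UID 502, home /var/empty) is skipped without
# hard-coding its name in every script.

# macOS only: emit "name uid home" for each local account using dscl.
# If no single-line home value is parsed, home is empty and the filter
# below skips the account.
list_local_accounts() {
    dscl . -list /Users UniqueID | while read -r name uid; do
        home=$(dscl . -read "/Users/$name" NFSHomeDirectory 2>/dev/null |
               sed -n 's/^NFSHomeDirectory: //p')
        printf '%s %s %s\n' "$name" "$uid" "$home"
    done
}

# Read "name uid home" lines on stdin; print names whose UID is at least
# $1 (default 501) and whose home is a directory under /Users.
filter_real_users() {
    min_uid=${1:-501}
    while read -r name uid home; do
        case $uid in ''|*[!0-9]*) continue ;; esac   # ignore malformed rows
        [ "$uid" -ge "$min_uid" ] || continue
        case $home in
            /Users/Shared|/Users/Shared/*) continue ;;  # not a personal home
            /Users/?*) printf '%s\n' "$name" ;;         # /var/empty never matches
        esac
    done
}

# Constructed sample rows; only the mfe row reflects values from the thread.
sample_accounts() {
    cat <<'EOF'
root 0 /var/root
_www 70 /Library/WebServer
jdoe 501 /Users/jdoe
mfe 502 /var/empty
asmith 503 /Users/asmith
EOF
}

# Demo on the sample; on a Mac use: list_local_accounts | filter_real_users
sample_accounts | filter_real_users
```

Because the filter never creates anything for an account whose home is outside /Users, a script built on it would not leave a stray /Users/mfe folder behind.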

donmontalvo
Esteemed Contributor II

Ha....haha...HAHAHA...

mfe account on macOS
https://www51.v1ideas.com/IntelIdeas/ISecGForum/Idea/Detail/58270

PI is in reference to support case 4-17528505931

Directory Utility high level...

--
https://donmontalvo.com

mm2270
Legendary Contributor III

Apparently to McAfee, the definition of "hidden" means it doesn't have a home folder in /Users/ that you can see. Or maybe more simply, "If you squint really hard you can't see it!". They are so inept it's beyond belief.

BTW, the article you linked to doesn't say anything about being safe to remove without repercussions. It says you can change the password, but like, who would even care about that? I'd prefer it just either not be there in the first place, or they learn the definition of "hidden"

jwojda
Valued Contributor II

looks like it happened in 5.0.5... does it continue to 5.0.6?

nevermind.. it does persist in 5.0.6

gachowski
Valued Contributor II

We enable McAfee unacceptable behavior.

: (

C

donmontalvo
Esteemed Contributor II

@mm2270 wrote:

BTW, the article you linked to doesn't say anything about being safe to remove without repercussions.

The /Users/mfe folder only exists after one of our scripts run to write out a defaults command to /Users/<user>/Library/Preferences/yadayada.plist.

--
https://donmontalvo.com

tnielsen
Valued Contributor

This is entertaining. Are you guys using McAfee?

donmontalvo
Esteemed Contributor II

Yes.

We also like to go out for group walks during lunch.

You know, barefoot, over shards of glass, thumbtacks, in traffic, etc.

--
https://donmontalvo.com

bvrooman
Valued Contributor

We finally got a response from McAfee:

We reached out to Apple's support team and they informed us that UIDs below 500 are reserved for Apple, specifically, and that they can at will remove these. ... In other words, it looks like we're stuck with a UID above 500 for the mfe user.

So apparently they think that macOS just removes low-UID accounts for the sport of it?

mm2270
Legendary Contributor III

If this was the case, our Jamf Pro management account that we've been using for like 6 years now with a sub 500 UID would have been removed long ago. This excuse is bogus. Apple doesn't remove UIDs below 500.
To be somewhat fair, I do seem to recall an OS update a long while ago, maybe 10.8.something, that might have done that, but that was a one-off case that Apple corrected, and it hasn't happened since. As usual, McAfee is using outdated information and is incompetent. But tell me something new.

donmontalvo
Esteemed Contributor II

@bvrooman I also call BS on McAfee. They're such a bloated company with lots of redundant layers of unnecessary management and teams, to get an answer like that from them underscores how inept they are.

Endpoint for Mac is 5 pieces...four signed/flat packages and one long-in-tooth-convoluted install.sh script that the customer has to wrap and insert commands that are poorly documented and don't always work.

Rumor has it they've got a 70+ year old bearded skinny guy chained and in a cage maintaining install.sh and are waiting for him to die.

In short McAfee is blowing smoke, maybe their founder gets his supply from the company.

Drugs, rape, murder, offering to crack iOS...why do business with such a shady company?

John McAfee's strange tale gets darker in documentary

--
https://donmontalvo.com

draeconis
New Contributor II

@donmontalvo I logged that, McAfee didn't want to help us with it at all :/

We're moving away from McAfee now. Not related to this really, but happy to see the back of this issue as a result.

gachowski
Valued Contributor II

@donmontalvo....

It's really worse than that when Intel "sold" 1/2 of them (they didn't really, they paid the investment group 2 billion USD) on a 4 billion sale, so it was a dump. However, the good part is the investment group has real ties to China... so not good in any way...

C

PS @draeconis can you share how big your install base is? I know they lost a big account late last year or early this year.. trying to get data so we can drop them too.. thanks!!

bvrooman
Valued Contributor

I agree that the excuse is a load of crap. Unfortunately, they also confirmed that they have no intention of changing their monkeys-at-a-typewriter development process or starting to think about their clients when releasing half-baked crap instead of software.

mm2270
Legendary Contributor III

This is one of those cases where I truly wish we could vote with our dollars and put this load of poop company out of our misery.
Unfortunately, where I am, I don't get to make the decision on which software to use for security purposes. We just get told this is what we use and find a way to make it work. Complaints about the fact that it's a steaming pile go in one ear and out the other. If it were up to me, McAfee would get removed from every single device, PC and Mac, in the environment and they'd be told not to come knocking ever again because of how shoddy their work has been for the last umpteen years. It's completely ridiculous they refuse to put some competent resources into making their garbage stink just a little less. We're not asking for perfection, just something that we don't have to wrestle with almost daily to make it actually work!

donmontalvo
Esteemed Contributor II

McAfee blows more smoke...

https://www51.v1ideas.com/IntelIdeas/ISecGForum/Idea/Detail/58270

--
https://donmontalvo.com

easyedc
Valued Contributor II

Had our InfoSec open a ticket with McAfee. Their response was, well...

"Based on [based on MAC Engineer's] suggestion if you create less than 500 UID it will not be hidden and that's why the UID can't be less than 500."

Has anyone tried to move the uid to something sub-500 and fix their crappy work?

mm2270
Legendary Contributor III

What the what?? That statement wins the prize for dumbest statement of the year from a tech support person.
Maybe the problem is the "engineer" they spoke with was an expert in "MAC" and not "Mac" :rollseyes:

McAfee's ineptness on the Mac front for their craptacular product continues to astound me. And it's not even just that they don't know what they're doing. It's the refusal to even try to learn or try harder that galls me. They continue to shatter even my very very low expectations of them. Is there no bottom to their incompetence? I'm beginning to think "no".

gachowski
Valued Contributor II

We need a McAfee "support group". : )

C

donmontalvo
Esteemed Contributor II

@easyedc McAfee probably hired some ex Adobe engineers.

"Based on [based on MAC Engineer's] suggestion if you create less than 500 UID it will not be hidden and that's why the UID can't be less than 500."
--
https://donmontalvo.com

bradtchapman
Valued Contributor II

Step 1: insult two vendors in one post

gachowski
Valued Contributor II

@bradtchapman

You can't call McAfee and Adobe "vendors", it's not remotely fair to companies that take the products and support seriously.

C

donmontalvo
Esteemed Contributor II

@easyedc Curious if there was a follow up exchange with the Peanut Gallery.

@gachowski they won't care as long as they're making money. ¯_(ツ)_/¯

@mm2270 The group responsible for the horrible install.sh should have been fired a long time ago. Clearly there's some dead wood over there. The components released as flat/signed PKGs are not bad at all. Guessing they farmed out those items.

--
https://donmontalvo.com

gachowski
Valued Contributor II

@donmontalvo

I think the install.sh is the same as how the agent is installed on Linux; I think that is why it didn't change when the new .pkgs were rolled out. Also, I think the new .pkgs were before the dump to the private company in China, so I expect that the pkgs were the last thing finished before all the "mac guys" left. I don't see it getting any better as they have entered two new businesses.

https://www.skyhighnetworks.com/

http://www.securityinfowatch.com/press_release/12390593/mcafee-introduces-identity-theft-protection-service

donmontalvo
Esteemed Contributor II

@gachowski wrote:

...I think the new .pkgs were before the dump to the private company in China...

--
https://donmontalvo.com