Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Files installed by Zoom for mac OS

The Zoom install package for macOS is mad. Rather than actually using the installer to install things, it does everything in the preinstall script. That's bonkers, and also means that the system won't have a list of the files it installed, because it's doing it using shell script.

The script appears to install two items, namely:

/Applications/zoom.us.app
~/Library/Internet Plug-Ins/ZoomUsPlugIn.plugin

If the user opening the package isn't an administrator, it looks like it will install the app in the user's home folder instead. If they are an administrator, Zoom will delete the ZoomUsPlugIn.plugin from /Library if it's there, but it still installs to ~/Library.

It also adds Zoom to your Dock automatically, without asking.

Bizarrely, zoom.us.app is installed by unzipping a 7-zip archive, then unzipping another 7-zip archive containing graphics and copying that inside the Frameworks folder in the zoom.us.app bundle.

If run by an administrator, the script also executes a script as root to change the ownership of zoom.us.app to root:admin.

If you are on macOS 10.10 or above, the script will delete the file "ZoomAudioDevice.kext" from the zoom.us.app bundle. Perplexingly, this file doesn't actually seem to exist in the current zoom.us.app iteration (it looks like it has been replaced with a userland audio driver instead). On Mac OS X 10.9 and earlier, with the older zoom.us.app that presumably had the KEXT in it, the KEXT would be copied to the ~/Library/Application Support/zoom.us/Plugins, which it alarmingly makes writable by the "staff" group - so you'd have been loading a KEXT from a directory in your home folder that is writable to other people on the machine(!!)

That's all the installer does, but when the zoom.us.app application is first executed, it also creates the folder ~/Library/Application Support/zoom.us, which holds a database and also a copy of the retina version of the graphics bundle. The application also creates two plist files in ~/Library/Preferences, namely

us.zoom.xos.plist
ZoomChat.plist
@kylehotchkiss

This comment has been minimized.

Copy link

@kylehotchkiss kylehotchkiss commented Apr 3, 2020

I don't have anything against Zoom but after this weeks news, I don't want it anywhere on my personal laptop, just want it on my work laptop. Here's the commands to just delete all the files listed above, thanks @al45tair for the cleanup guide above.

rm -r /Applications/zoom.us.app
rm -r ~/Library/Internet\ Plug-Ins/ZoomUsPlugIn.plugin 
rm -r ~/Library/Application\ Support/zoom.us/
rm -r ~/Library/Preferences/us.zoom.xos.plist
rm -r ~/Library/Preferences/ZoomChat.plist
@GJRobert

This comment has been minimized.

Copy link

@GJRobert GJRobert commented Apr 4, 2020

Thanks for sharing this info.

@mclow

This comment has been minimized.

Copy link

@mclow mclow commented Apr 7, 2020

If you want to remove all traces, you should also remove

~/Library/Logs/zoom.us
~/Library/Logs/zoominstall.log
~/Library/Caches/us.zoom.xos

The first and third one are probably created when you run the app.

@marcoburato

This comment has been minimized.

Copy link

@marcoburato marcoburato commented May 13, 2020

Not sure if things have changed from a month ago, but in my installer package (Version: 5.0.2 (24030.0508)) the postinstall script will install ZoomUsPlugIn.plugin to /Library/Internet Plug-Ins (so, not to the user folder) when run as root. And, it will always run as root AFAIK, because the installer requires to escalate.

So, in my case I had to delete:

/Applications/zoom.us.app
/Library/Internet Plug-Ins/ZoomUsPlugIn.plugin
~/Library/Application Support/zoom.us
@flowmar

This comment has been minimized.

Copy link

@flowmar flowmar commented May 16, 2020

There are also 2 separate packages that are downloaded from the Zoom website, I don't understand why.
I examined them with the Suspicious Package app and one of them installs about 80MB worth of stuff on the hard drive while the other one installs about 30MB worth of stuff on the hard drive. Very strange, as they both came from the same link on their website.
I downloaded it once, and got one package, turned on a VPN, reloaded the page, and got a different package.
One was called "Zoom.pkg" and the other is "zoomusInstallerFull.pkg". Very strange.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.