Feb 23, 2011 9:25 AM
Leith Tussing - University of Central Florida
I've got a thread over at the MS Technet forums where we've narrowed down that having HIPS8 on a W7 machine (64bit or 32bit) will break the installation of SP1 for said OS.
In essence during the pre-boot process of the SP installation it is failing to write out a new registry hive area and this is only failing on machines running HIPS8. This results in a Fatal Error C0000022 which I've replicated on about 6 machines out of a testbed of 12 and the common link for the broken ones is HIPS8. I spun up a ton of VMs to do testing against and proved this as well.
The 32bit machine had signature set 3740 and the 64bit machines had 3709 because the 64bit update process is broken.
I'm in the process of setting up a test machine to test signature set 3753 to see if it resolves this issue or not.
Of note this can be fixed by pressing F8 and loading into Safe Mode. The SP1 installation will complete and reboot the computer and "seems" to function as normal afterwards.
I will review that information and test it against the W7 SP1 installs to see if it resolves it. The install process works perfectly fine with HIPS7 running though, only HIPS8, so it's something that should still be reviewed by McAfee in my opinion.
Actually I just verified that HIPS8 on all of these machines is already in adaptive mode. There are no new policies being made or any blocks/warnings being thrown during this entire process.
I've run through a series of test systems over and over again now with different configurations.
Every time a system fails it is always on the same registry key. In W7 Gold this hive does not exist and is being created by the SP1 installer.
However I did just get one of the machines that failed after getting it to fix itself in Safe mode to drop an alert finally when I let it load in safe mode with networking.
Signature ID 3829
I've just added a rule for it and I'm going to test another deployment.
Nope, that didn't do it. It still Fatal Error C0000022's with that setting in place. Booting that machine in safe mode now to see if it throws another alert.
So far the only solution is HIPS Off or HIPS in Log mode only.
Message was edited by: brentil on 2/25/11 8:31:26 AM GMT-05:00
The install finally fixed itself and made it to Windows and in doing so has now fed 4 more items into the ePO system.
Signature ID 111 - NETCFG.EXE
Signature ID 1148 - SVCHOST.EXE
Signature ID 111 - DRVINST.EXE
Signature ID 850 - SERVICES.EXE
However I'm not sure which of these are just post SP items or things related to installation. Going to permit them and try again...
I was looking over settings again and came across the "Startup IPS protection enabled" setting, which is enabled. I had completely forgotten about this setting, which is new to HIPS8 I believe, and it's enabled. I'm betting this is the issue since it puts a set of hard blocks on files and registry settings prior to system booting, which is when this issue occurs. I've changed this setting now and am retesting.
Yup, that did it. Disabling the "Startup IPS protection enabled" setting allows the W7 SP1 to install to completion.
Since this seems to be more of an admin selection item it should be added to a McAfee tech doc alerting users to disable this setting during SP installation. Oddly this setting has been set since we started testing this product since it came out and this is the first item that has caused this issue.