cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
brentil
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 1 of 3

DLP blocking Microsoft KB4056894 and KB4056897

Jump to solution

Windows 2008 R2

DLP 11.0.130 (HF 130)

VSE P10

HIPS P10

MA 5.5.0

In starting our testing of the Spectre/Meltdown Microsoft patches I found two servers that would fail and roll back every time we tried applying the updates from SCCM, Microsoft Update, and manual installation of the MSI files. The installation would complete in Windows, reboot, and then fail and revert on the post reboot process.

Digging in the C:\Windows\Logs\CBS\CBS.log file this is the start of the errors during the post reboot process.

2018-01-08 18:26:18, Info                  CBS    SQM: Reporting poqexec status with status: 0xc0000043, failed file: lsass.exe, interfering process: lsass.exe,fcags.exe, context: Startup, first merged sequence: 1869

2018-01-08 18:26:18, Info                  CBS    SQM: Upload requested for report: PoqexecStatus, session id: 142861, sample type: Standard

2018-01-08 18:26:18, Info                  CBS    SQM: Ignoring upload request because the sample type is not enabled: Standard

2018-01-08 18:26:18, Info                  CBS    Failure in poqexec.exe while processing updates. [HRESULT = 0x80070020 - ERROR_SHARING_VIOLATION]

Also looking in the C:\Windows\winsxs\poqexec.log file more references to fcags.exe being the blocker.

1d388d812ca9f3e: 0, 0, 0, 0, StartTime ;

1d388d812c37830: 74c, c0000043, 5, 0, HardLinkFile ;\SystemRoot\WinSxS\amd64_microsoft-windows-lsa_31bf3856ad364e35_6.1.7601.24000_none_0500ac048c843eed\lsass.exe, \??\C:\Windows\System32\lsass.exe

1d388d815ee17b8: 0, 0, 0, 0, InterferingProcess ; \Device\HarddiskVolume4\Windows\System32\lsass.exe

1d388d815ee17b8: 0, 0, 0, 0, InterferingProcess ; \Device\HarddiskVolume4\Program Files\McAfee\DLP\Agent\fcags.exe

1d388d815fa037a: 0, 0, 0, 0, EndTime ;

I tried setting DLP access protection = Disabled but that didn't resolve the issue.

I looked in the HIPS & VSE logs and neither are showing blocks against either product.

The core DLP process is a protected process so I can't disable it without going into Safe Mode in Windows.  My next test will be completely disabling DLP through its configuration and try installing again.

1 Solution

Accepted Solutions
brentil
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 3 of 3

Re: DLP blocking Microsoft KB4056894 and KB4056897

Jump to solution

There is now a KB article about this issue and a resolution in DLP 11.0 HF150 which is now in the Grants area.

McAfee Corporate KB - Microsoft patches fail to install on Windows 7 systems protected by Data Loss ...

View solution in original post

2 Replies
brentil
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 2 of 3

Re: DLP blocking Microsoft KB4056894 and KB4056897

Jump to solution

I've attempted making changes to some of the DLP configuration to see if this would fix the issue but none of them have so far.  Installation of any of either of the MS updates forces rollback after install and still blame fcags.exe.

DLP access protection = Disabled

Run DLP client watch dog = Disabled

Run DLP client service watch dog = Disabled

Operation Mode = Device Control only

Data Protection Modules = all modules unchecked

brentil
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 3 of 3

Re: DLP blocking Microsoft KB4056894 and KB4056897

Jump to solution

There is now a KB article about this issue and a resolution in DLP 11.0 HF150 which is now in the Grants area.

McAfee Corporate KB - Microsoft patches fail to install on Windows 7 systems protected by Data Loss ...

View solution in original post

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community