bblanchard
Level 11
Message 1 of 5

Adaptive Threat Protection is preventing apps in observe mode

I'm currently running ENS 10.5 (Threat Protection, Web Control and ATP), and ATP is configured in observe mode.

I'm using PIA's OpenVPN client application and ATP is preventing it from operating correctly:

----

cmd /c route delete 0.0.0.0 192.168.250.1

created process

#<Errno::ECONNREFUSED: No connection could be made because the target machine actively refused it. - connect(2)>

C:/Users/user/AppData/Local/Temp/ocrD74.tmp/lib/ruby/site_ruby/1.9.1/openvpn_manager.rb:1210:in `initialize'

C:/Users/user/AppData/Local/Temp/ocrD74.tmp/lib/ruby/site_ruby/1.9.1/openvpn_manager.rb:1210:in `open'

C:/Users/user/AppData/Local/Temp/ocrD74.tmp/lib/ruby/site_ruby/1.9.1/openvpn_manager.rb:1210:in `block (2 levels) in cmd'

C:/Users/user/AppData/Local/Temp/ocrD74.tmp/lib/ruby/site_ruby/1.9.1/pia_common.rb:291:in `timeout'

C:/Users/user/AppData/Local/Temp/ocrD74.tmp/lib/ruby/site_ruby/1.9.1/openvpn_manager.rb:1209:in `block in cmd'

----

According to these logs, something is blocking PIA from configuring the default route during its initialization process. As soon as I disabled ATP, the VPN connection comes up successfully.

I can then re-enable ATP and I have no issues afterward.

ENS logs show this:

---

01/05/2017 11:33:28.635 AM   mfeatp(4388.1904) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:646): Failed to set new reputation for process C:\WINDOWS\SYSWOW64\ROUTE.EXE, result:0xc0300020

01/05/2017 11:33:28.678 AM   mfeatp(4388.9244) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:646): Failed to set new reputation for process C:\WINDOWS\SYSWOW64\CMD.EXE, result:0xc0300020

01/05/2017 11:33:28.882 AM   mfeatp(4388.7824) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:646): Failed to set new reputation for process C:\WINDOWS\SYSWOW64\IPCONFIG.EXE, result:0xc0300020

01/05/2017 11:33:33.891 AM   mfeatp(4388.1812) <SYSTEM> Orchestrator.JTI.Error (jti_native.cpp:269): Unable to scan object C:\WINDOWS\SYSTEM32\CONHOST.EXE, 0xc0310026

---

It seems like ATP tries and fails to set the reputation for these Windows processes, which prevents the VPN client from completing its connection.

Since these are signed Windows processes, shouldn't ATP already have the reputation for them?

4 Replies
bretzeli
Reliable Contributor
Message 2 of 5

Re: Adaptive Threat Protection is preventing apps in observe mode

Hello,

Did you ever resolve this or any similar case? We have the same issue with ENS 10.5.2 and TIE Server. We currently have 2 cases at development for this issue.

Same argument from my side: these are LOW LEVEL Microsoft Windows core services like Windows Installer and the CMD.exe shell. We assume that those few are hard coded and in memory during runtime for most Windows OSes.

If you have any info, please let us know...

09/06/2017 08:02:46.101 AM   mfeatp(9884.3092) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:748): Failed to finalize reputation for file C:\WINDOWS\SERVICING\TRUSTEDINSTALLER.EXE. ErrorCode 0xc030002f

08/31/2017 01:53:12.293 PM   mfeatp(3120.5624) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:748): Failed to finalize reputation for file C:\WINDOWS\SYSTEM32\MSIEXEC.EXE. ErrorCode 0xc030002f

08/31/2017 01:53:12.497 PM   mfeatp(3120.5624) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:748): Failed to finalize reputation for file C:\WINDOWS\SYSWOW64\MSIEXEC.EXE. ErrorCode 0xc030002f

08/31/2017 01:53:26.668 PM   mfeatp(3120.5624) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:748): Failed to finalize reputation for file C:\WINDOWS\SYSWOW64\MSIEXEC.EXE. ErrorCode 0xc030002f

08/31/2017 01:53:37.248 PM   mfeatp(3120.5624) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:748): Failed to finalize reputation for file C:\WINDOWS\SYSWOW64\MSIEXEC.EXE. ErrorCode 0xc030002f

08/29/2017 12:40:52.139 PM   mfeesp(2948.5820) <SYSTEM> ApBl.AP.Error (XModule.cpp:67): Open existing file LastErr 0x00000020 The process cannot access the file because it is being used by another process.

08/29/2017 12:45:05.208 PM   mfeatp(3196.5364) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:702): Failed to finalize reputation for file C:\WINDOWS\SYSTEM32\CMD.EXE. ErrorCode 0xc030002f

08/29/2017 12:49:22.309 PM   McTray(1228.4684) <win7> McTray.McTrayUPC.Error (dllmain.cpp:1418): GetProperties failed for Firewall State with error = 0x80000101

08/29/2017 12:49:34.596 PM   mfeatp(3196.5364) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:702): Failed to finalize reputation for file C:\WINDOWS\SYSTEM32\CMD.EXE. ErrorCode 0xc030002f

08/29/2017 12:51:37.692 PM   mfeatp(3196.5364) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:702): Failed to finalize reputation for file C:\WINDOWS\SYSTEM32\CMD.EXE. ErrorCode 0xc030002f

08/29/2017 12:52:37.797 PM   McTray(1228.4684) <win7> McTray.McTrayUPC.Error (dllmain.cpp:1418): GetProperties failed for Firewall State with error = 0x80000101

08/29/2017 12:52:49.509 PM   McTray(1228.4684) <win7> McTray.McTrayUPC.Error (dllmain.cpp:1418): GetProperties failed for Firewall State with error = 0x80000101

08/29/2017 12:53:01.348 PM   mfeesp(2948.4432) <SYSTEM> Logger.LOGGER.Error (loggerbl.cpp:707): Failed to set path (C:\%DEFLOGDIR%\AccessProtection_Activity.log) for AccessProtection_Activity

08/29/2017 12:53:01.350 PM   mfeesp(2948.2112) <SYSTEM> LPC.CommonLPC.Error (common_policy_enforcement.cpp:625): BLSetPropertiesEx failed for property logpath,retval = -1072431103

08/29/2017 12:58:33.507 PM   mfeatp(3196.5364) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:702): Failed to finalize reputation for file C:\WINDOWS\SYSTEM32\NOTEPAD.EXE. ErrorCode 0xc030002f
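Both the first post and the reply above carry ENS error-log lines of the same shape. As an added example, not code from the thread or from McAfee, here is a small Python triage script that parses such lines, groups the JCM/JTI reputation failures by error code and binary (which shows directly that every hit is an OS binary under C:\WINDOWS, the point raised in the first post), and lists the failures that fall within a few seconds of the time the application itself failed, so that an application log like the PIA one can be correlated with the ATP errors. The function names and the regular expressions are mine; the sample lines are copied from the posts above, with the McTray line included to show that unrelated errors are dropped. Whether an ATP error actually blocked the process cannot be read from these lines alone; the script only makes the correlation easier.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Line shape of the ENS error-log excerpts pasted in this thread:
#   <mm/dd/yyyy hh:mm:ss.fff AM|PM>   <module>(<pid>.<tid>) <<context>> <Component.Sub.Level> (<src>:<line>): <message>
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [AP]M)\s+'
    r'(?P<module>\w+)\((?P<pid>\d+)\.(?P<tid>\d+)\)\s+<(?P<ctx>[^>]+)>\s+'
    r'(?P<component>[\w.]+)\s+\((?P<src>[^)]+)\):\s+(?P<msg>.*)$'
)
TS_FMT = '%m/%d/%Y %I:%M:%S.%f %p'

# The JCM ("set new"/"finalize reputation") and JTI ("Unable to scan object") messages seen in the thread.
REPUTATION_RE = re.compile(
    r'Failed to (?P<stage>set new|finalize) reputation for (?:process|file) '
    r'(?P<path>[A-Za-z]:\\\S+?\.exe)[,.]\s*(?:result:|ErrorCode\s+)(?P<code>0x[0-9a-f]{8})',
    re.IGNORECASE,
)
SCAN_RE = re.compile(
    r'Unable to scan object (?P<path>[A-Za-z]:\\\S+?\.exe),\s*(?P<code>0x[0-9a-f]{8})',
    re.IGNORECASE,
)

# Sample input: lines copied from the posts in this thread (the McTray line is there to show
# that unrelated errors are dropped). This is an excerpt, not a complete log.
SAMPLE_LINES = r"""
01/05/2017 11:33:28.635 AM   mfeatp(4388.1904) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:646): Failed to set new reputation for process C:\WINDOWS\SYSWOW64\ROUTE.EXE, result:0xc0300020
01/05/2017 11:33:28.678 AM   mfeatp(4388.9244) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:646): Failed to set new reputation for process C:\WINDOWS\SYSWOW64\CMD.EXE, result:0xc0300020
01/05/2017 11:33:28.882 AM   mfeatp(4388.7824) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:646): Failed to set new reputation for process C:\WINDOWS\SYSWOW64\IPCONFIG.EXE, result:0xc0300020
01/05/2017 11:33:33.891 AM   mfeatp(4388.1812) <SYSTEM> Orchestrator.JTI.Error (jti_native.cpp:269): Unable to scan object C:\WINDOWS\SYSTEM32\CONHOST.EXE, 0xc0310026
08/29/2017 12:45:05.208 PM   mfeatp(3196.5364) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:702): Failed to finalize reputation for file C:\WINDOWS\SYSTEM32\CMD.EXE. ErrorCode 0xc030002f
08/29/2017 12:49:22.309 PM   McTray(1228.4684) <win7> McTray.McTrayUPC.Error (dllmain.cpp:1418): GetProperties failed for Firewall State with error = 0x80000101
""".strip().splitlines()


def parse_ts(value):
    """Accept a datetime or a timestamp string in the log's own format."""
    return value if isinstance(value, datetime) else datetime.strptime(value, TS_FMT)


def parse_ens_errors(lines):
    """One event per reputation/scan failure; lines that are not ATP failures are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        msg = m.group('msg')
        hit = REPUTATION_RE.search(msg)
        if hit:
            kind = 'reputation:' + hit.group('stage').lower().replace(' ', '_')
        else:
            hit = SCAN_RE.search(msg)
            if not hit:
                continue
            kind = 'scan'
        path = hit.group('path').upper()
        events.append({
            'ts': parse_ts(m.group('ts')),
            'module': m.group('module'),
            'pid': int(m.group('pid')),
            'component': m.group('component'),
            'kind': kind,
            'path': path,
            'code': hit.group('code').lower(),
            # The poster's point: these are OS binaries that should already have a known reputation.
            'os_binary': path.startswith('C:\\WINDOWS\\'),
        })
    return events


def summarize(events):
    """Hits and distinct binaries per error code, to see which binaries each code affects."""
    by_code = defaultdict(lambda: {'hits': 0, 'paths': set()})
    for e in events:
        by_code[e['code']]['hits'] += 1
        by_code[e['code']]['paths'].add(e['path'])
    return {c: {'hits': v['hits'], 'paths': sorted(v['paths'])} for c, v in sorted(by_code.items())}


def events_near(events, when, window_s=10):
    """ATP failures within +/- window_s seconds of the time the application itself failed."""
    when, delta = parse_ts(when), timedelta(seconds=window_s)
    return [e for e in events if abs(e['ts'] - when) <= delta]


if __name__ == '__main__':
    evts = parse_ens_errors(SAMPLE_LINES)
    for code, info in summarize(evts).items():
        print(code, info['hits'], ', '.join(info['paths']))
    # Correlate with the PIA failure: route.exe, cmd.exe and ipconfig.exe all fail in the seconds
    # around the VPN client's route setup; the finalize error from August is outside the window.
    for e in events_near(evts, '01/05/2017 11:33:30.000 AM'):
        print(e['ts'].time(), e['kind'], e['path'], e['code'])
```

Run it as-is against the embedded sample, or feed it the real EndpointSecurityPlatform_Errors.log excerpt from an affected host and pass the application's own failure timestamp to events_near.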

markgarza
Level 10
Message 3 of 5

Re: Adaptive Threat Protection is preventing apps in observe mode

I seem to be having the same issue: a user reports a PowerShell script is not being allowed to run, and the log shows the same error message, result:0xc0300020, even though ATP is in observe mode. Did you ever get this figured out? We're on 10.7.0.2913 for ATP.

Pravas
McAfee Employee
Message 4 of 5

Re: Adaptive Threat Protection is preventing apps in observe mode

Hi @markgarza,

There was a known issue, and it has recently been fixed in the ENS 10.7 September 2021 release. Please upgrade any system as a test and verify whether it works.

Source - https://kc.mcafee.com/agent/index?page=content&id=KB94807

Thanks


markgarza
Level 10
Message 5 of 5

Re: Adaptive Threat Protection is preventing apps in observe mode

Well, in our situation, the script is also deleted immediately after attempting to run it, but there is no threat event logged to indicate why this happened. It doesn't look like this update lists that as being fixed, but we will update shortly and see what happens.
