Core Protection - Sanitize McAfee processes events

Hi,

Checking today the EPO events, there is a spike in “Summary of Threats Detected in the Last 7 days -> Core Protection - Sanitize McAfee processes”.

216 events during the last 7 days and increasing. (222 events during the last 3 months)

17 machines reporting self-protection block on MFETP.EXE trying to access the McAfee files listed below.

6 of them stopped reporting “Endpoint Security Threat Prevention” as installed in the EPO console.

 

MCSHIELDCLIENT.DLL

BLFRAMEWORK.DLL

API-MS-WIN-CORE-TIMEZONE-L1-1-0.DLL

MSVCR100.DLL

SPLPC.DLL

VCRUNTIME140.DLL

API-MS-WIN-CRT-STRING-L1-1-0.DLL

API-MS-WIN-CRT-HEAP-L1-1-0.DLL 

 

I have seen random ENS corruptions with no apparent reason and I am a little bit worried about this.

Any suggestion on how to troubleshoot these random behaviors is more than welcome.

 

EPO 5.9.1 (build 251) EPO5xHF1241557

McAfee Agent 5.0.5.658

Endpoint Security Platform 10.5.5.5067

Endpoint Security Threat Prevention 10.5.5.5075

Windows 7 SP1

 

3 Samples of yesterday’s latest events found in EndpointSecurityPlatform_Errors.log

1

01/22/2019 03:56:00.135 PM   McTray(1420.3112) <xxxxxxxxxxx> McTray.McTrayUPC.Error (dllmain.cpp:517): Endpoint Security Platform is not running!

01/22/2019 03:56:54.321 PM   mfeesp(2292.2432) <SYSTEM> LCBL.LC.Error (LcBl.cpp:1308): BLGetPropertiesEx for Combo failed [2147549216]!!!

01/22/2019 03:56:54.336 PM   mfeesp(2292.1988) <SYSTEM> LPC.CommonLPC.Error (common_prop_collection.cpp:734): BLGetPropertiesEx failed for property SystemLanguage with retval = -2147418080

01/22/2019 03:56:59.188 PM   mfeesp(2292.2536) <SYSTEM> LCBL.LC.Error (LcBl.cpp:1308): BLGetPropertiesEx for Combo failed [2147549216]!!!

01/22/2019 03:57:00.139 PM   McTray(1420.3112) < xxxxxxxxxxx > McTray.McTrayUPC.Error (dllmain.cpp:857): GetDisplayLanguage: Get DisplayLanguage failed = 0x80010020

01/22/2019 03:57:00.139 PM   McTray(1420.3112) < xxxxxxxxxxx > McTray.McTrayUPC.Error (dllmain.cpp:517): Endpoint Security Platform is not running!

01/22/2019 03:57:17.442 PM   mfeesp(2292.1988) <SYSTEM> LPC.CommonLPC.Error (common_policy_enforcement.cpp:469): BLSetPropertiesEx failed for property /businessObject/Languages/AdminPreferred,retval = -2147418080

01/22/2019 03:57:17.801 PM   mfeesp(2292.1988) <SYSTEM> LPC.CommonLPC.Error (common_policy_enforcement.cpp:1580): Setproperties failed for property 'showManagedTasks', retval = -2147418080

01/22/2019 03:57:17.801 PM   mfeesp(2292.1988) <SYSTEM> LPC.CommonLPC.Error (common_policy_enforcement.cpp:303): Failed to enforce policies on ClientAccess

01/22/2019 04:42:00.578 PM   McTray(1420.3112) < xxxxxxxxxxx > McTray.McTrayUPC.Error (dllmain.cpp:857): GetDisplayLanguage: Get DisplayLanguage failed = 0x80010020

01/22/2019 04:42:00.578 PM   McTray(1420.3112) < xxxxxxxxxxx > McTray.McTrayUPC.Error (dllmain.cpp:517): Endpoint Security Platform is not running!

2

01/15/2019 01:01:29.460 PM   mfeesp(2816.4468) <SYSTEM> EventManager.EM.Error (EmBl.cpp:441): Unable to stop event DB purge thread.

01/21/2019 04:38:18.550 PM   mfeesp(2816.4452) <SYSTEM> EventManager.EM.Error (EventManager.cpp:290): Failed to add OAS event with eventID = 1065 to Windows AppLog, error = RegisterEventSource error: LastErr 0x000006b5 The interface is unknown.

3

01/21/2019 04:38:26.085 PM   mfeesp(2816.4716) <SYSTEM> SysInfoBL.SYSTEMINFO.Error (SystemInfoBL.cpp:1571): Time taken to cancel disk calls (ms) 200

01/21/2019 04:39:53.264 PM   mfeesp(2676.2760) <SYSTEM> ApBl.BOPAP.Error (ApRc.cpp:89): Load Content File C:\Program Files\McAfee\Endpoint Security\Endpoint Security Platform\BOP_Default.rul, Error: LastErr 0x00000002 The system cannot find the file specified.

01/21/2019 04:41:46.174 PM   mfetp(3000.3500) <SYSTEM> odsbl.ODS.Error (odsbl.cpp:5411): Error disabling full scan schedule: 0x8001010e

01/21/2019 04:41:46.174 PM   mfetp(3000.3500) <SYSTEM> odsbl.ODS.Error (odsbl.cpp:5417): Error disabling quick scan schedule: 0x8001010e

01/21/2019 04:43:45.470 PM   mfeesp(2676.3788) <SYSTEM> EventManager.EM.Error (EmBl.cpp:441): Unable to stop event DB purge thread.

01/22/2019 02:19:24.368 PM   mfetp(3000.2596) <SYSTEM> MaSpb.MaSpb.Error (lpc_EnforcePolicies.cpp:678): Failed to retrieve task item count FS_ScanOptions:

01/22/2019 02:19:24.743 PM   mfetp(3000.2596) <SYSTEM> MaSpb.MaSpb.Error (lpc_EnforcePolicies.cpp:536): Failed to set ODS scan items.

01/22/2019 02:19:24.743 PM   mfetp(3000.2596) <SYSTEM> MaSpb.MaSpb.Error (lpc_EnforcePolicies.cpp:1927): Failed to enforce ODS policies: ODS_TASK_ID_FULL_SCAN

01/22/2019 02:19:24.758 PM   mfetp(3000.2596) <SYSTEM> MaSpb.MaSpb.Error (lpc_EnforcePolicies.cpp:536): Failed to set ODS scan items.

01/22/2019 02:19:25.070 PM   mfetp(3000.2596) <SYSTEM> MaSpb.MaSpb.Error (lpc_EnforcePolicies.cpp:1540): Failed to retrieve enable setting for Script Scan.

01/22/2019 02:19:25.101 PM   mfetp(3000.2596) <SYSTEM> MaSpb.MaSpb.Error (lpc_EnforceBOPolicies.cpp:283): Failed to retrieve exclusions for Exploit Prevention.

01/22/2019 02:19:25.101 PM   mfetp(3000.2596) <SYSTEM> MaSpb.MaSpb.Error (lpc_EnforceBOPolicies.cpp:446): Failed to retrieve block enabled setting for Exploit Prevention.

01/22/2019 02:19:26.599 PM   mfetp(3000.2596) <SYSTEM> MaSpb.MaSpb.Error (lpc_EnforcePolicies.cpp:2079): Failed to enforce some of the Exploit Prevention policies.

01/22/2019 02:19:27.551 PM   mfeesp(2676.5672) <SYSTEM> blframework.PW.Error (PwBl.cpp:1105): Failed to save container: (null)

01/22/2019 02:19:27.675 PM   mfeesp(2676.2332) <SYSTEM> blframework.PW.Error (PwBl.cpp:1105): Failed to save container: (null)

01/22/2019 02:26:55.838 PM   mfeesp(2676.3808) <SYSTEM> EventManager.EM.Error (EmDb.cpp:511): Error 10 opening existing event database file [C:\ProgramData\McAfee\Endpoint Security\DADEvents.db]
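
The excerpts above print the same 32-bit status in three notations (0x80010020, 2147549216 and -2147418080). As an added example, not part of the original post and not McAfee tooling, this Python script parses lines in the layout shown above and normalizes each status so repeated faults group together; the function names are assumptions and the sample lines are copied from the post.

```python
import re
from collections import Counter

# Constructed sample: four lines copied verbatim from the excerpts in the post.
SAMPLE = """\
01/22/2019 03:56:54.321 PM   mfeesp(2292.2432) <SYSTEM> LCBL.LC.Error (LcBl.cpp:1308): BLGetPropertiesEx for Combo failed [2147549216]!!!
01/22/2019 03:56:54.336 PM   mfeesp(2292.1988) <SYSTEM> LPC.CommonLPC.Error (common_prop_collection.cpp:734): BLGetPropertiesEx failed for property SystemLanguage with retval = -2147418080
01/22/2019 03:57:00.139 PM   McTray(1420.3112) < xxxxxxxxxxx > McTray.McTrayUPC.Error (dllmain.cpp:857): GetDisplayLanguage: Get DisplayLanguage failed = 0x80010020
01/21/2019 04:41:46.174 PM   mfetp(3000.3500) <SYSTEM> odsbl.ODS.Error (odsbl.cpp:5411): Error disabling full scan schedule: 0x8001010e
"""

# Layout as seen in the excerpts: time, process(pid.tid), <user>, component,
# (source file:line), message.
LINE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d{3} [AP]M)\s+"
    r"(?P<proc>\w+)\((?P<pid>\d+)\.(?P<tid>\d+)\)\s+<\s*(?P<user>[^>]*?)\s*>\s+"
    r"(?P<component>\S+)\s+\((?P<src>[^():]+):(?P<line>\d+)\):\s+(?P<msg>.*)$")
# Assumption: an 8-digit hex value or a 9-10 digit decimal in the message is a status.
CODE = re.compile(r"0x[0-9a-fA-F]{8}\b|-?\b\d{9,10}\b")


def normalize(token):
    """Return the status as an unsigned 32-bit value, whatever notation was logged."""
    return int(token, 16 if token.lower().startswith("0x") else 10) & 0xFFFFFFFF


def split_hresult(value):
    """Split into (failure bit, facility, code); facility 1 is FACILITY_RPC."""
    return value >> 31, (value >> 16) & 0x7FF, value & 0xFFFF


def parse(text):
    """Yield one dict per well-formed log line, with its status normalized."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank lines and the "1", "2", "3" sample separators
        rec = m.groupdict()
        found = CODE.search(rec["msg"])
        rec["status"] = normalize(found.group()) if found else None
        yield rec


def summarize(text):
    """Count events per (process, status) so one fault appears as one row."""
    return Counter((r["proc"], f"0x{r['status']:08X}")
                   for r in parse(text) if r["status"] is not None)


if __name__ == "__main__":
    for (proc, status), n in sorted(summarize(SAMPLE).items()):
        print(f"{proc:8} {status} x{n}")
```

Run against a full EndpointSecurityPlatform_Errors.log, the same grouping shows which processes share a status and when it first appeared on each machine.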

 

Accepted Solutions
McAfee Employee
Re: Core Protection - Sanitize McAfee processes events

Looks like you could potentially have a third party injecting into ENS causing issues. I would suggest you raise an SR with support and either give us a call to initiate a remote session or gather procmon / amtrace / ENS logs (MER) as per KB86691 and open an SR with that data.

Based on your agent version - I would recommend upgrading to at least 5.5.x as we've made a lot of integration changes between agent and ENS to improve the service stability and correct reporting of the modules.

Re: Core Protection - Sanitize McAfee processes events

Thank you for your prompt reply,

I am currently testing agents 5.5.x, 5.6 and will be updating soon.

I will raise an SR as suggested.

Re: Core Protection - Sanitize McAfee processes events

@pcmcis 

I would like you to have the checkboxes checked below

"Select Allow to trust a vendor to run code within McAfee processes. This setting might result in compatibility issues and reduced security."

You will find a list of signatures and certifications which you will need to check in the ENS Common Options policy. Try and let me know the result.

Venu
Re: Core Protection - Sanitize McAfee processes events

@vnaidu 

On this EPO where the problem appeared, the "Select Allow to trust a vendor to run code within McAfee processes. This setting might result in compatibility issues and reduced security" list is empty.

On my other EPO, I do see certificates for PGP and Adobe, matching the "Sanitize McAfee processes events" that I get every day from 2 machines. I have decided not to "Allow" and continue receiving these events every day.

update:

The problem stopped yesterday and only one new machine reported today a few events on MSVCP140.DLL.

Support did not find anything suspicious and explained to me that something is trying to access these McAfee files and therefore causing these events.

 

 

 

 

 

 

 

 
