cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Nick_B
Level 11
Report Inappropriate Content
Message 1 of 6

Desktop Application Being Blocked by McAfee's MFEConsole.exe

Hey McAfee Community,

A customer of ours has a desktop application which is being blocked by MFEConsole.exe.

The application in question makes use of a DLL called Bit4uPKI-Store.dll and is being blocked by MFEConsole.exe (see below the 1092 error as seen in the logs).

Bit4uPKI-Store.dll - Blocked.jpgBit4uPKI-Store.dll is blocked

The exclusion for the MFEConsole.exe process is shown below.

AP Exclusion for MFEConsole-exe.PNGAP Exclusion for MFEConsole.exe

 I hope you'll forgive the language in use - the client site is in Italy - but hopefully it will still make sense.

When the issue was first identified an exclusion was added in respect of MFEConsole.exe and this appeared to resolve the issue however, it now appears that the issue will manifest itself at random moments with no pattern observed so far.

Look forward to hearing your suggestions!

5 Replies
Reliable Contributor Daveb3d
Reliable Contributor
Report Inappropriate Content
Message 2 of 6

Re: Desktop Application Being Blocked by McAfee's MFEConsole.exe

It looks like the DLL is trying to inject into the McAfee process, if I'm understanding correctly.  The language is getting me a bit.  I'm not sure why it would ever need to do this.  I wouldn't recommend your exclusion as it could allow somebody to compromise ENS, potentially.  If you have to allow the DLL go to the Common policy and load the cert for the DLL in there.

 

Thanks,

Dave

Nick_B
Level 11
Report Inappropriate Content
Message 3 of 6

Re: Desktop Application Being Blocked by McAfee's MFEConsole.exe

Cheers Dave, you've got a point there.

With that in mind, I thought of an additional two potential options to help resolve this issue, so the 3 options available now are:

1. Ascertain the certificate used to sign the DLL, load it into the ENS Common Options policy and allow it to run.

2. Add an exclusion for the affected McAfee process (MFEConsole.exe) in the Self Protection Exclusions section (as seen below).

ENS Common - Common Options - Self Protection Exclusions.PNGAdding a Self Protection Exclusion

 

 

 3. Add an exclusion for the affected McAfee process in the AAC section (shown below).

ENS Common - Common Options - AAC Process Exclusions (empty).PNGAdding an AAC Exclusion

I guess the ideal scenario would be to upload the certificate of the DLL (assuming it has one) and allow it to run its code in McAfee processes but failing that should one of the alternate options work?

Cheers guys.

Reliable Contributor Daveb3d
Reliable Contributor
Report Inappropriate Content
Message 4 of 6

Re: Desktop Application Being Blocked by McAfee's MFEConsole.exe

One thing I do wonder is if you can't put the DLL in as a "Process" exclusion.  Not sure if it will work, but just a thought.

 

Dave

Nick_B
Level 11
Report Inappropriate Content
Message 5 of 6

Re: Desktop Application Being Blocked by McAfee's MFEConsole.exe

Sure, I had considered that but in this context at least I think what they're looking for in terms of a process is a traditional, .exe style process so to speak.

I've asked the IT chap who logged the ticket if he can translate the text accompanying the images he sent in. Might help clarify things a bit.

McAfee Employee AdithyanT
McAfee Employee
Report Inappropriate Content
Message 6 of 6

Re: Desktop Application Being Blocked by McAfee's MFEConsole.exe

Very good discussion in this thread! I would like to quote the below from the KBA that deals with handling of a similar issue:

"The third-party software injects code into McAfee processes. McAfee software considers third-party DLLs that inject into McAfee processes untrusted, and those processes also become untrusted. McAfee software then denies access to the untrusted processes, causing the affected McAfee process to not work as expected. For detailed information about Endpoint Security and third-party injection, see KB88085.

When a third-party DLL is detected attempting to load into MFECANARY.EXE, the digital certificate for the process is populated in the certificate table in the user interface at Endpoint Security Common policy, your enforced policy, Show AdvancedCertificates. The certificate table is populated with the Vendor, Subject, and Hash of the associated public key."

Please feel free to let me know if you do not find this information helpful.

Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

Thanks and regards,
Adithyan T
More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community