Hey McAfee Community,
A customer of ours has a desktop application which is being blocked by MFEConsole.exe.
The application in question makes use of a DLL called Bit4uPKI-Store.dll and is being blocked by MFEConsole.exe (see below the 1092 error as seen in the logs).
The exclusion for the MFEConsole.exe process is shown below.
I hope you'll forgive the language in use - the client site is in Italy - but hopefully it will still make sense.
When the issue was first identified, an exclusion was added in respect of MFEConsole.exe and this appeared to resolve the issue; however, it now appears that the issue will manifest itself at random moments with no pattern observed so far.
Look forward to hearing your suggestions!
It looks like the DLL is trying to inject into the McAfee process, if I'm understanding correctly. The language is getting me a bit. I'm not sure why it would ever need to do this. I wouldn't recommend your exclusion as it could allow somebody to compromise ENS, potentially. If you have to allow the DLL, go to the Common policy and load the cert for the DLL in there.
Cheers Dave, you've got a point there.
With that in mind, I thought of an additional two potential options to help resolve this issue, so the 3 options available now are:
1. Ascertain the certificate used to sign the DLL, load it into the ENS Common Options policy and allow it to run.
2. Add an exclusion for the affected McAfee process (MFEConsole.exe) in the Self Protection Exclusions section (as seen below).
3. Add an exclusion for the affected McAfee process in the AAC section (shown below).
I guess the ideal scenario would be to upload the certificate of the DLL (assuming it has one) and allow it to run its code in McAfee processes, but failing that, should one of the alternate options work?
Sure, I had considered that but in this context at least I think what they're looking for in terms of a process is a traditional, .exe style process so to speak.
I've asked the IT chap who logged the ticket if he can translate the text accompanying the images he sent in. Might help clarify things a bit.
Very good discussion in this thread! I would like to quote the below from the KBA that deals with handling of a similar issue:
"The third-party software injects code into McAfee processes. McAfee software considers third-party DLLs that inject into McAfee processes untrusted, and those processes also become untrusted. McAfee software then denies access to the untrusted processes, causing the affected McAfee process to not work as expected. For detailed information about Endpoint Security and third-party injection, see KB88085.
When a third-party DLL is detected attempting to load into MFECANARY.EXE, the digital certificate for the process is populated in the certificate table in the user interface at Endpoint Security Common policy, your enforced policy, Show Advanced, Certificates. The certificate table is populated with the Vendor, Subject, and Hash of the associated public key."
Please feel free to let me know if you do not find this information helpful.
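For option 1 in the thread (ascertaining the certificate used to sign the DLL), the following PowerShell sketch is an added example, not part of any post above and not McAfee tooling. It reports whether a DLL carries a valid Authenticode signature and who signed it, so the Subject can be compared with the entry in the ENS certificate table; the function name `Get-DllSignerInfo` and the file path are assumptions.

```powershell
# Added example: inspect a DLL's Authenticode signature before trusting its certificate.
# Get-DllSignerInfo is a hypothetical helper name, not a McAfee or Microsoft cmdlet.
function Get-DllSignerInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Path
    )
    process {
        foreach ($p in $Path) {
            if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
                Write-Warning "File not found: $p"
                continue
            }

            $sig  = Get-AuthenticodeSignature -LiteralPath $p
            $cert = $sig.SignerCertificate   # $null when the file is unsigned

            [pscustomobject]@{
                File          = $p
                # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
                Status        = $sig.Status
                StatusMessage = $sig.StatusMessage
                Subject       = if ($cert) { $cert.Subject }    else { $null }
                Issuer        = if ($cert) { $cert.Issuer }     else { $null }
                Thumbprint    = if ($cert) { $cert.Thumbprint } else { $null }
                NotAfter      = if ($cert) { $cert.NotAfter }   else { $null }
                # File hash, to confirm every endpoint runs the same build of the DLL.
                FileSha256    = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
                # Certificate-based trust only makes sense for an intact, valid signature.
                # An unsigned or tampered DLL has no certificate worth trusting.
                SignatureOk   = ($sig.Status -eq 'Valid')
            }
        }
    }
}

# Placeholder path: replace with the real location of the DLL on the endpoint.
Get-DllSignerInfo -Path 'C:\Path\To\Bit4uPKI-Store.dll' | Format-List
```

If `SignatureOk` is false (for example `NotSigned` or `HashMismatch`), there is no certificate to trust, and the question in the thread falls back to the other two options.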