dmease27
Level 8

McAfee sysprep utility noted in EUA documentation - request for further details

Hi,

The McAfee sysprep utility is noted in the Endpoint Upgrade Assistant 1.6 release notes (PD27478). I cannot find this utility on the download site (including in the EUA downloads section), nor can I seem to find any documentation.

Is this a specific requirement for use of EUA, or actually recommended preparation before installing (or migrating to, from VSE) ENS? It is not noted anywhere in the ENS installation guide (PD26800).

Any guidance or comment on this, as I have not encountered this before...

Many thanks,


Accepted Solutions
McAfee Employee

Re: McAfee sysprep utility noted in EUA documentation - request for further details

The MfeSysPrep is available from the Downloads tab of the ServicePortal at https://support.mcafee.com/downloads

It is listed under Endpoint Security Threat Prevention.
Current build as of this posting was MfeSysprep 1.0.0.196

This is only available to customers with valid product entitlement and access to the support portal. 

14 Replies
dmease27
Level 8

Re: McAfee sysprep utility noted in EUA documentation - request for further details

Hi dmcgeary,

That is fantastic, thanks! A follow-on concern: the associated release notes (PD27529) state that this is rated critical, and the installation information clearly states "Before installing Endpoint Security, run the McAfee SysPrep Utility to detect and allow trusted third-party software to inject into McAfee processes. This allows third-party software to function, while allowing McAfee to maintain a trust boundary." This sounds like it is clearly an important prerequisite to installing ENS.

My question is why this is not clearly stated in the ENS installation guide (PD26800)? If I had not been looking at Endpoint Upgrade Assistant (I have labbed a manual migration of VSE to ENS quite nicely), I wouldn't have come across this sysprep utility, which I would have thought requires clearer coverage in the documents given its criticality.

Many thanks,

DocB
Level 11

Re: McAfee sysprep utility noted in EUA documentation - request for further details

dmcgeary,

OK, so we run the tool and find untrusted applications we need to have trusted. How do we add these applications/files/processes to the SysPrep tool, or are they added to ENS? If ENS, where?

Thanks,

DocB

McAfee Employee

Re: McAfee sysprep utility noted in EUA documentation - request for further details

Great question, robust topic.

The mfesysprep.log will need to be consulted.

If we see "Trust granted to module" in the log, there is nothing further needed:
Trust granted to module [C:\Windows\example\injecting.dll]

If we see "unable to add trust", the log will tell us why. Provide the log and subject file to McAfee support, and validate that the injection of the file into McAfee is expected.

Some details:
Trust is added by mfesysprep by updating a McAfee trust store. This is not visible or managed from a local ENS console.

New to ENS 10.5.3 (and later), an updated ePO management extension allows for the manual importing of certificates. Mentioned in PD27192:
• Adds the ability to include the certificate of a third-party application as a trusted process through McAfee ePO.

Policy is the 'Endpoint Security Common' - Show Advanced - Certificates.

Note that certificates added by mfesysprep do not show in this ePO policy unless manually imported.
Certificates added to a local system's McAfee trust via mfesysprep are not managed by ePO, nor viewable in ePO or the local ENS install.
The mfesysprep log should be consulted to see what has been added.

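As an added example (not from the thread, and not McAfee's own tooling), a small Python parser that applies the two log checks described in the post above to a constructed mfesysprep.log excerpt. Only the "Trust granted to module [...]" line shape and the phrase "unable to add trust" come from the post; the timestamps, the extra paths, the failure-line layout and the "reason:" suffix are assumptions made so the parser can be exercised.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of an mfesysprep.log excerpt. Only the "Trust granted to module [...]"
# line shape and the phrase "unable to add trust" come from the thread; the timestamps,
# the extra paths and the "reason:" suffix are assumptions made to exercise the parser.
SAMPLE_LOG = r"""
2018-05-01 09:12:03 Trust granted to module [C:\Windows\example\injecting.dll]
2018-05-01 09:12:04 Trust granted to module [C:\Program Files\ExampleVendor\shim.dll]
2018-05-01 09:12:05 Unable to add trust to module [C:\Program Files\OtherVendor\hook.dll] - reason: unsigned binary
2018-05-01 09:12:06 Scan complete
"""

TRUSTED_RE = re.compile(r"Trust granted to module \[(?P<path>[^\]]+)\]", re.IGNORECASE)
PATH_RE = re.compile(r"\[(?P<path>[^\]]+)\]")
REASON_RE = re.compile(r"reason:\s*(?P<reason>.+?)\s*$", re.IGNORECASE)

@dataclass
class SysPrepSummary:
    trusted: list = field(default_factory=list)  # module paths added to the local McAfee trust store
    failed: list = field(default_factory=list)   # (path or raw line, reason) where trust could not be added
    other: int = 0                               # lines matching neither check

def parse_sysprep_log(text):
    """Classify each log line by the two checks the post describes."""
    summary = SysPrepSummary()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TRUSTED_RE.search(line)
        if m:
            summary.trusted.append(m.group("path"))
            continue
        if "unable to add trust" in line.lower():
            pm, rm = PATH_RE.search(line), REASON_RE.search(line)
            summary.failed.append((pm.group("path") if pm else line,
                                   rm.group("reason") if rm else ""))
            continue
        summary.other += 1
    return summary

def needs_escalation(summary):
    """Per the post: 'Trust granted' needs nothing further; any 'unable to add trust'
    means the log and the named file go to support before the ENS install proceeds."""
    return bool(summary.failed)

if __name__ == "__main__":
    s = parse_sysprep_log(SAMPLE_LOG)
    print(len(s.trusted), "trusted;", len(s.failed), "not trusted; escalate:", needs_escalation(s))
```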
kathisbeta
Level 7

Re: McAfee sysprep utility noted in EUA documentation - request for further details

Thank you for your question. We don’t publish new guides for Patch releases, so we haven’t updated the installation guide since McAfee SysPrep became available. However, we do recommend running McAfee SysPrep and describe its function in the new version of the installation guide that will release for Endpoint Security 10.6. 

dmease27
Level 8

Re: McAfee sysprep utility noted in EUA documentation - request for further details

Hi Kathisbeta,

Thanks for the swift response - appreciated!

Would it be possible to provide brief details in advance of the 10.6 release? The EUA release notes advise that 3rd party injectors are added to the McAfee Trusted Store. Following on from DocB's comment, above:

- Is this McAfee Trusted Store local on the managed host?
- Does it pass any details to ePO?
- Not sure why we shouldn't use --ignoresysprepfail by default, as we can either not migrate to ENS, or migrate and carry out regression checks that would confirm if the 3rd party injections caused an issue with ENS?
- Is there any security risk of adding all 3rd party injectors to the McAfee Trusted Store, or is it assumed that the system on which ENS is being deployed is clean?

Some of these questions may not make sense - I believe injectors are kind of synonymous with hooking, is that correct? As injection is used by malware, this option leaves me a little uncomfortable.

Cheers,

McAfee Employee

Re: McAfee sysprep utility noted in EUA documentation - request for further details

@dmease27

- Is this McAfee Trusted Store local on the managed host?
Yes, see KB89860.

- Does it pass any details to ePO?
This information is covered in the release notes PD27529.
McAfee ePO events: When Third Party Injectors are discovered on a managed machine, McAfee SysPrep Utility sends
• Event 1092 – If the Injector is unknown and trust can't be granted
• Event 1095 – If the Injector is whitelisted

- Not sure why we shouldn't use --ignoresysprepfail by default, as we can either not migrate to ENS, or migrate and carry out regression checks that would confirm if the 3rd party injections caused an issue with ENS?
MFEsysprep is run during the install of ENS 10.5.3 and later. If the ENS install succeeds, then that alleviates most concerns.
Most of the time we see a failure to add trust, the resulting issue is an ENS install failure.
Secondarily, adding trust can help performance and is the preferred method to do so.

- Is there any security risk of adding all 3rd party injectors to the McAfee Trusted Store, or is it assumed that the system on which ENS is being deployed is clean?
See KB89860 – this will address most of the questions on this topic.
Any DLLs added by mfesysprep have undergone threat analysis and passed.
However, there is always an inherent risk in allowing 3rd party injection.
Not allowing the trust when injected would be ideal.
However, the lesson learned is that by not trusting injected processes the ENS install fails. MFEsysprep is the answer to that failure.

DocB
Level 11

Re: McAfee sysprep utility noted in EUA documentation - request for further details

kathisbeta,

So do I have to sign up for the Beta of 10.6 to be able to see what to do with detections and download the directions? Any other avenues for a solution? I have detections which are not malware and need to add exceptions. I can open a ticket, but I'd rather not.

Thanks,

DocB

dmease27
Level 8

Re: McAfee sysprep utility noted in EUA documentation - request for further details

Hi DocB,

I believe the sysprep is related to 3rd party injectors and potential incompatibilities. For detections that are not malware, surely they can be configured as exclusions (and potentially submitted via the standard process to McAfee for false positive analysis)? Unless the detections you have are definitely related to 3rd party injectors, in which case I would be interested in how this was discovered.

Apologies if I am missing anything!

Cheers,
