Anybody else experiencing that when you push the update from ePO and if the user has IE open it will crash their session? We are, and it's almost every machine. The other problem is that when it does this it triggers Malwarebytes into thinking it's a heap memory corruption and throws up a block message. We have seen it crash Adobe, Office products and media player. The strange thing is I cannot reproduce it. I can reproduce IE session crashing but nothing else.
Thank you for posting your query.
Could you please let me know which modules of ENS you are trying to push from ePO?
Endpoint security modules include
Adaptive Threat Protection
I would suggest you kindly collect the crash dump for IE while the issue is reproduced. Log an SR with the McAfee Technical Support team and have them analyze the crash dump. This will help us identify what is causing the crash.
I would also recommend collecting crash dump for iexplore.exe.
A crash would usually come up when the process faces an exception it could not handle. So if you can use procdump from Microsoft (Download Link) and run it using -e param, it would help us gather the crash data.
It is also important that you try running iexplore with no add-ons to see if it is the add-ons that are causing the conflict and crash.
Also, since you mentioned MalwareBytes, I would also like to know if it is running simultaneously on the machine. If yes, can you try to reproduce the issue without MB on the machine?
Thank you for your post here. Looking into the reported issue, I would strongly suggest creating a Service Request with us to investigate the issue. I am sure this is not what you are looking for as an answer; however, the nature of the issue demands the same.
First we have to identify what is causing the crash. We need to isolate the component responsible for the issue. You can start by uninstalling the Firewall component. If the issue is identified to be caused by only one component, you can disable feature by feature and isolate which feature is responsible.
Also, for the Internet Explorer crash, do you see any events in Event Viewer? This would usually contain more information on the crash.
Thanks for the response guys. I am not sure I want to waste the energy creating a SR when I am already done pushing out the update. And with no disrespect to support, I am tired of getting told it's normal and deal with it, then a week later find out it was a bug. If Malwarebytes is the problem I can't just turn it off on 900 machines to install an update. We have Malwarebytes and McAfee running side by side for years with no issues between them. And IE is a default install, no add-ons.
And again, I can recreate the IE problem but I cannot recreate Malwarebytes throwing a block. So it's not Malwarebytes.
Only thing in Event Viewer is IExplore is at fault. EpMPApi.dll_unloaded was the faulting module.
If somebody is really wanting to check into this I will have to re-image and recreate the issue. But like I said, it's a lot of work to try to find a resolve when I am already done updating.
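For the Event Viewer entry described above, one way to see which processes crashed with the same faulting module across a machine's Application log. This is an added example, not part of the original posts and not McAfee tooling; the function names are hypothetical and the sample events (timestamps, exception code, `WINWORD.EXE`) are constructed.

```powershell
# Summarize "Application Error" (Event ID 1000) crashes per process for one faulting module.
# Event 1000 field layout: Properties[0] = application name, [3] = faulting module name,
# [6] = exception code, [7] = fault offset.
function Get-ModuleCrashSummary {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [string] $Module = 'EpMPApi.dll_unloaded'   # faulting module named in the thread
    )
    $Events |
        Where-Object { $_.Id -eq 1000 -and $_.Properties[3].Value -eq $Module } |
        ForEach-Object {
            [pscustomobject]@{
                Time          = $_.TimeCreated
                Process       = $_.Properties[0].Value
                ExceptionCode = $_.Properties[6].Value
            }
        } |
        Group-Object Process |
        Select-Object @{n='Process'; e={$_.Name}}, Count,
                      @{n='Codes'; e={($_.Group.ExceptionCode | Sort-Object -Unique) -join ','}},
                      @{n='First'; e={@($_.Group.Time | Sort-Object)[0]}},
                      @{n='Last';  e={@($_.Group.Time | Sort-Object)[-1]}}
}

# Constructed stand-in for an event record, so the function can be tried offline.
function New-SampleEvent($Time, $App, $Module) {
    $fields = @($App, '0.0.0.0', '00000000', $Module, '0.0.0.0', '00000000',
                'c0000005', '0000000000000000')
    [pscustomobject]@{
        Id          = 1000
        TimeCreated = [datetime]$Time
        Properties  = $fields | ForEach-Object { [pscustomobject]@{ Value = $_ } }
    }
}

$sample = @(
    New-SampleEvent '2000-01-01T09:00:00' 'iexplore.exe' 'EpMPApi.dll_unloaded'
    New-SampleEvent '2000-01-01T09:05:00' 'WINWORD.EXE'  'EpMPApi.dll_unloaded'
    New-SampleEvent '2000-01-01T09:07:00' 'iexplore.exe' 'EpMPApi.dll_unloaded'
    New-SampleEvent '2000-01-01T10:00:00' 'iexplore.exe' 'ntdll.dll'   # unrelated crash, filtered out
)
Get-ModuleCrashSummary -Events $sample

# On an endpoint, pass the live Application log instead of the sample:
# Get-ModuleCrashSummary -Events (Get-WinEvent -FilterHashtable @{
#     LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000 })
```

Comparing the `First` and `Last` times against the ePO deployment window shows whether the crashes line up with the update.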
Thank you for your response. I see from your response that you have not had a great experience with us on your previous Support requests with us for similar issues. We can and we really look forward to change that if you are really interested in raising this one with us.
Based on the information provided, just a basic look at what the dll involved is:
This EpMPApi.dll belongs to Exploit prevention component. Iexplore.exe is certainly protected by our exploit prevention component and it is done so via this dll. What I find interesting here is that we are looking at faulting module that says EpMPApi.dll_unloaded. I suspect that this dll is being unloaded while upgrading the product version, however I cannot be sure without investigating based on logs and Dump files.
I am afraid via this forum, I really don't have a solution per se, however, we can work around this by completely avoiding the crash with the help of exclusions via Access protection rules, however I would certainly not recommend that even though it will only be for a short amount of time (during deployment) as this would mean that your Internet Explorer would be unprotected from Exploit Prevention during this period of time.
I am curious to know how big of an upgrade this is to the endpoints. Is this a jump from July repost update that we released in August (sorry about the naming part) or are we looking at a jump from an even older version to October update?
With respect to MalwareBytes, kindly consider removal of it only as a best practice recommendation here and I sincerely hope that this is not seen as a finger pointing at it since honestly we do not have a root cause for this.
Lastly, I certainly understand that investigation is going to require a lot of work from your end and hence we really do not want you to push this as a Service Request if you do not want to. However, I am afraid we have not come across this issue being reported to us (As far as I am aware of) and hence I am afraid I do not have a handy resolution or update to fix this one for you.
I sincerely hope you find the above response meaningful although, we understand we have not really resolved the issue for you.
Thanks for that.
"However, I am afraid we have not come across this issue being reported to us (As far as I am aware of) and hence I am afraid I do not have a handy resolution or update to fix this one for you."
That is all I was ever looking for. If I can get a dump and logs I will open a ticket. As for Malwarebytes, this was a bug with them in 2017 (an update from McAfee triggered a "Malicious return address Detection for Browsers"), it appears it is happening again with the DLL killing IE on this update. They are looking into it.
This was a jump from July and I never noticed it do it with that one. I could troubleshoot with the rules, but remember, it's not just IE, but Adobe and Media player and all Office products, from what I have seen so far.
Thank you for your kind response. Although not redoable at will, the fact that you faced the crash with other applications as well definitely makes sense as this dll would be injected into those processes as well. Also July repost to October update is a +1 leap and it is concerning to know this issue has happened. If you get the time and resource to collect and send dumps with debug-enabled logs via a Service Request, it would be very helpful in digging further into this issue. However, we of course leave that decision to you. I personally tried an upgrade via ePO after verifying the dll injection to an open browsing session and I did not really face a crash. So it would be interesting to find how this happens and possibly figure out if there is any third party interference such as MalwareBytes.
Thanks for your update to the post. Feel free to reach out to us if you need any further assistance.