Hi everyone, McAfee Team!
I would like to discuss a problem I am having.
Some of the hosts/PCs on our system have public applications installed, and all of them have McAfee Endpoint Security (AV, agent) installed. When I manually update the signature/AMCore version of McAfee Antivirus, or run a deployment task from ePO to a client, it fails.
Checking the McAfee Agent logs (C:\ProgramData\McAfee\Agent\logs), for example mfemactl.log, I saw these lines:
2019-11-13 16:13:13.987 mfemactl(6208.7704) mfemactl.Info: The process <C:\PROGRAM FILES\MCAFEE\AGENT\X86\MCTRAY.EXE>(5196) was blocked from accessing('CREATE' (1)) <AAC_OBJECT_SECTION:D:\[SETUP]\ULTRAVIEWER\ULTRAVIEWER\UVH.DLL> via the rule <Sanitize McTray Process>
2019-11-13 16:13:13.988 mfemactl(6208.7704) mfemactl.Info: The process <C:\PROGRAM FILES\MCAFEE\AGENT\X86\MCTRAY.EXE>(5196) was blocked from accessing('CREATE' (1)) <AAC_OBJECT_SECTION:D:\[SETUP]\ULTRAVIEWER\ULTRAVIEWER\UVH.DLL> via the rule <Sanitize McTray Process>
2019-11-13 16:13:13.989 mfemactl(6208.7704) mfemactl.Info: The process <C:\PROGRAM FILES\MCAFEE\AGENT\X86\MCTRAY.EXE>(5196) was blocked from accessing('CREATE' (1)) <AAC_OBJECT_SECTION:E:\[SETUP]\PROXIFIER_PORTABLE\PRXDRVPE.DLL> via the rule <Sanitize McTray Process>
I searched many topics that others had created about this error, but I could not find a satisfactory answer. I checked that DLL file and saw that the application it belongs to may be out of date, or the vendor's certificate is unsigned or expired. It is trying to inject its code into the McAfee process.
If a McAfee process needs to load an untrusted/unsigned DLL file, the update/deployment task fails, and I have to manually remove the application that contains that DLL file to make the update/deployment task succeed.
Does McAfee have any action for such untrusted/unsigned DLL files (for example delete, block, ...) so that the McAfee process can continue without my intervention?
If we have 50 PCs with untrusted/unsigned DLL files, I cannot manually remove the DLL file on each PC to make the McAfee process continue without error.
I hope I can find a solution for this error in this topic. Thank you so much.
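The "blocked from accessing" lines above are the data the 50-PC question needs: which modules are being mapped into which protected McAfee process, under which self-protection rule, and on how many hosts. The script below is an added example (not code from the thread or from McAfee) that parses those lines and builds a per-module and per-host inventory. The regex follows the line format quoted in the post; the group names, the `BlockedEvent` fields and the hostnames `PC-01`/`PC-02` are labels chosen here, and the sample log is the three lines from the post plus one constructed non-matching line.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Pattern for the AAC "blocked from accessing" lines that mfemactl.exe writes. It follows the
# excerpt in the post above; the group names are labels chosen here, not McAfee's field names.
BLOCKED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"mfemactl\(\d+\.\d+\) mfemactl\.(?P<level>\w+): "
    r"The process <(?P<process>[^>]+)>\((?P<pid>\d+)\) was blocked from accessing"
    r"\('(?P<op>[A-Z_]+)' \(\d+\)\) "
    r"<(?P<objtype>[A-Z_]+):(?P<object>[^>]+)> via the rule <(?P<rule>[^>]+)>$"
)


@dataclass(frozen=True)
class BlockedEvent:
    ts: str
    process: str   # full path of the protected McAfee process
    pid: int
    op: str        # e.g. CREATE
    objtype: str   # e.g. AAC_OBJECT_SECTION (a section being mapped into the process)
    obj: str       # the module that was blocked
    rule: str      # the self-protection rule that fired


def parse_blocked_events(text):
    """Parse every AAC block line; lines in any other format are ignored."""
    events = []
    for raw in text.splitlines():
        m = BLOCKED_RE.match(raw.strip())
        if m:
            events.append(BlockedEvent(m["ts"], m["process"], int(m["pid"]), m["op"],
                                       m["objtype"], m["object"], m["rule"]))
    return events


def module_inventory(events):
    """One row per blocked module (paths compared case-insensitively, as NTFS does)."""
    rows = {}
    for ev in events:
        row = rows.setdefault(ev.obj.casefold(), {
            "path": ev.obj, "count": 0, "rules": set(), "processes": set(),
            "first": ev.ts, "last": ev.ts})
        row["count"] += 1
        row["rules"].add(ev.rule)
        row["processes"].add(ev.process.rsplit("\\", 1)[-1])
        row["first"] = min(row["first"], ev.ts)
        row["last"] = max(row["last"], ev.ts)
    return rows


def fleet_inventory(logs_by_host):
    """Given {hostname: mfemactl.log text}, map each blocked module to the hosts reporting it."""
    hosts = defaultdict(set)
    display = {}
    for host, text in logs_by_host.items():
        for key, row in module_inventory(parse_blocked_events(text)).items():
            hosts[key].add(host)
            display.setdefault(key, row["path"])
    return {key: {"path": display[key], "hosts": sorted(h)} for key, h in hosts.items()}


# Sample input: the three lines quoted in the post, plus one constructed non-matching line
# to show that other log messages are skipped.
SAMPLE_LOG = "\n".join([
    r"2019-11-13 16:13:13.987 mfemactl(6208.7704) mfemactl.Info: The process <C:\PROGRAM FILES\MCAFEE\AGENT\X86\MCTRAY.EXE>(5196) was blocked from accessing('CREATE' (1)) <AAC_OBJECT_SECTION:D:\[SETUP]\ULTRAVIEWER\ULTRAVIEWER\UVH.DLL> via the rule <Sanitize McTray Process>",
    r"2019-11-13 16:13:13.988 mfemactl(6208.7704) mfemactl.Info: The process <C:\PROGRAM FILES\MCAFEE\AGENT\X86\MCTRAY.EXE>(5196) was blocked from accessing('CREATE' (1)) <AAC_OBJECT_SECTION:D:\[SETUP]\ULTRAVIEWER\ULTRAVIEWER\UVH.DLL> via the rule <Sanitize McTray Process>",
    r"2019-11-13 16:13:13.989 mfemactl(6208.7704) mfemactl.Info: The process <C:\PROGRAM FILES\MCAFEE\AGENT\X86\MCTRAY.EXE>(5196) was blocked from accessing('CREATE' (1)) <AAC_OBJECT_SECTION:E:\[SETUP]\PROXIFIER_PORTABLE\PRXDRVPE.DLL> via the rule <Sanitize McTray Process>",
    "2019-11-13 16:13:14.001 mfemactl(6208.7704) mfemactl.Info: (constructed) unrelated message",
])

if __name__ == "__main__":
    # Hostnames are placeholders; in practice feed one log text per collected endpoint.
    for row in fleet_inventory({"PC-01": SAMPLE_LOG}).values():
        print(f"{row['path']}  hosts={row['hosts']}")
```

Collecting mfemactl.log from each endpoint and running `fleet_inventory` over the set gives the list of distinct injecting modules and how widespread each one is, which is the input the support replies later ask for (the DLL paths to check with mfesysprep, or whose signing certificate to consider trusting).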
Hello @VietDuc19
When you mentioned that you need to trust all these untrusted DLLs, there is an easy way to do it. We have a tool called mfesysprep (available by contacting support) which can scan the machine and see if any 3rd-party DLL is getting injected and whether that version of the tool can trust it. If yes, it adds it to the trust store; if not, we can create a customized mfesysprep tool just to trust those DLLs. You can contact support to obtain that tool.
You mentioned that the installation was failing because of this DLL trust issue; can you please IM me the installation log (McAfeeLogs folder)?
The log you shared shows hooking of "E:\[SETUP]\PROXIFIER_PORTABLE\PRXDRVPE.DLL". This is not during deployment but during update. This can be looked at by the Agent team.
The logs provided are from the Agent folder and not the installation log folder. What I am looking for is the installation log. If you have a scenario where you pushed ENS from ePO and it failed, go to C:\Windows\Temp\ and you will see the McAfeeLogs folder. You can share that with me so that I can check which DLLs are causing the installation issue.
Sorry for my mistake. I sent you the update log. Please help me review it.
Thank you so much!
Thank you for sharing the log.
From the installation point of view, the last sysprep log says:
11/08/19 10:28:52 [I] [0x1d38] Creating unprotected process to detect injections "C:\ProgramData\McAfee\Agent\Current\ENDP_GS_1060\Install\0000\compattest_6008_3875.exe" -detect
11/08/19 10:28:54 [I] [0x1d38] Reading child results
11/08/19 10:28:54 [I] [0x1d38] Read child results |
11/08/19 10:28:54 [I] [0x1d38] No injectors found
This means there was no injector during the last installation attempt. The installation logs also say that it completed successfully, so there does not seem to be any issue with the installation as such.
Coming to the DLL hooking we are seeing in mfemactl.log for the E:\[SETUP]\PROXIFIER_PORTABLE\PRXDRVPE.DLL file: this may cause problems with content updates. Further investigation will be required for this. I would suggest opening a support ticket with us so that we can take it further.
So if I don't want to trust those DLL files, does McAfee have any action for such untrusted/unsigned DLL files (for example delete, block, ...) so that the McAfee process can continue without my intervention?
I just removed the McAfee products and re-installed them. After that, I ran McAfee SysPrep and the sysprep log shows:
11/14/19 14:45:53 [I] [0x31ec] MfeSysPrep 1.0.0.296
11/14/19 14:45:53 [I] [0x31ec] Initializing certificate manager...
11/14/19 14:45:53 [I] [0x31ec] Detecting injectors...
11/14/19 14:45:53 [I] [0x31ec] Creating unprotected process to detect injections "C:\Users\VIETDUC19\Desktop\McAfee_SysPrep_1.0.0.296\compattest_3940_28944.exe" -detect
11/14/19 14:45:54 [I] [0x31ec] Reading child results
11/14/19 14:45:54 [I] [0x31ec] Read child results E:\[SETUP]\Proxifier_Portable\PrxDrvPE64.dll||
11/14/19 14:45:54 [I] [0x31ec] Injector discovered [E:\[SETUP]\Proxifier_Portable\PrxDrvPE64.dll]
11/14/19 14:45:54 [I] [0x31ec] Loaded module [E:\[SETUP]\Proxifier_Portable\PrxDrvPE64.dll] is untrusted
11/14/19 14:45:54 [I] [0x31ec] Extracting certificate information for file [E:\[SETUP]\Proxifier_Portable\PrxDrvPE64.dll]
11/14/19 14:45:54 [I] [0x31ec] File [E:\[SETUP]\Proxifier_Portable\PrxDrvPE64.dll] sha2[E109011F96919D968164DE6957B9A75E87A167AFA961855AF7C291E8DE475735] sha1[DB58536833F6D25AFDD429BDDDDF3C3CD17EB146] md5[77F0642BCD7A97A068C0AFE70BE22F03]
11/14/19 14:45:54 [I] [0x31ec] File [E:\[SETUP]\Proxifier_Portable\PrxDrvPE64.dll] is signed with certificate:
11/14/19 14:45:54 [I] [0x31ec] ***************** BEGIN CERT DUMP ********************
11/14/19 14:45:54 [I] [0x31ec] Issuer[GlobalSign Extended Validation CodeSigning CA - SHA256 - G3]
11/14/19 14:45:54 [I] [0x31ec] subject[Initeks, OOO]
11/14/19 14:45:54 [I] [0x31ec] issuerDn[CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE]
11/14/19 14:45:54 [I] [0x31ec] subjectDn[CN="Initeks, OOO", O="Initeks, OOO", STREET=Komendantskiy 51-1-300, L=Saint Petersburg, S=Saint Petersburg, C=RU, OID.1.3.6.1.4.1.311.60.2.1.2=Saint Petersburg, OID.1.3.6.1.4.1.311.60.2.1.3=RU, SERIALNUMBER=1089847274439, OID.2.5.4.15=Private Organization]
11/14/19 14:45:54 [I] [0x31ec] signatureAlgorithm[sha256RSA]
11/14/19 14:45:54 [I] [0x31ec] sign key sha1[1FA5144C0AB20B23F3D9F6C8F3D0642C89506161]
11/14/19 14:45:54 [I] [0x31ec] cert sha1[FCA847CF2222CF0D0952AE6039EB5B269BA582A3]
11/14/19 14:45:54 [I] [0x31ec] ***************** END CERT DUMP ********************
11/14/19 14:45:54 [E] [0x31ec] Unable to grant trust to module [E:\[SETUP]\Proxifier_Portable\PrxDrvPE64.dll]
11/14/19 14:45:55 [I] [0x27c0] MfeSysPrep 1.0.0.296
11/14/19 14:45:55 [I] [0x27c0] Initializing certificate manager...
11/14/19 14:45:55 [I] [0x27c0] Detecting injectors...
11/14/19 14:45:55 [I] [0x27c0] Creating unprotected process to detect injections "C:\Users\VIETDUC19\Desktop\McAfee_SysPrep_1.0.0.296\compattest_4608_2096.exe" -detect
11/14/19 14:45:55 [I] [0x27c0] Reading child results
11/14/19 14:45:55 [I] [0x27c0] Read child results E:\[SETUP]\Proxifier_Portable\PrxDrvPE.dll||
11/14/19 14:45:55 [I] [0x27c0] Injector discovered [E:\[SETUP]\Proxifier_Portable\PrxDrvPE.dll]
11/14/19 14:45:55 [I] [0x27c0] Loaded module [E:\[SETUP]\Proxifier_Portable\PrxDrvPE.dll] is untrusted
11/14/19 14:45:55 [I] [0x27c0] Extracting certificate information for file [E:\[SETUP]\Proxifier_Portable\PrxDrvPE.dll]
11/14/19 14:45:55 [I] [0x27c0] File [E:\[SETUP]\Proxifier_Portable\PrxDrvPE.dll] sha2[44243F0D0102D654C5CAD1AC3826B52DA9454D4AF99D9A417CEB6AE4DDDA71F0] sha1[EBF1C54049E801C3B665990C0612C44BA6B75940] md5[D3DA1003323423DA89AF2C83E5E2B40A]
11/14/19 14:45:55 [I] [0x27c0] File [E:\[SETUP]\Proxifier_Portable\PrxDrvPE.dll] is signed with certificate:
11/14/19 14:45:55 [I] [0x27c0] ***************** BEGIN CERT DUMP ********************
11/14/19 14:45:55 [I] [0x27c0] Issuer[GlobalSign Extended Validation CodeSigning CA - SHA256 - G3]
11/14/19 14:45:55 [I] [0x27c0] subject[Initeks, OOO]
11/14/19 14:45:55 [I] [0x27c0] issuerDn[CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE]
11/14/19 14:45:55 [I] [0x27c0] subjectDn[CN="Initeks, OOO", O="Initeks, OOO", STREET=Komendantskiy 51-1-300, L=Saint Petersburg, S=Saint Petersburg, C=RU, OID.1.3.6.1.4.1.311.60.2.1.2=Saint Petersburg, OID.1.3.6.1.4.1.311.60.2.1.3=RU, SERIALNUMBER=1089847274439, OID.2.5.4.15=Private Organization]
11/14/19 14:45:55 [I] [0x27c0] signatureAlgorithm[sha256RSA]
11/14/19 14:45:55 [I] [0x27c0] sign key sha1[1FA5144C0AB20B23F3D9F6C8F3D0642C89506161]
11/14/19 14:45:55 [I] [0x27c0] cert sha1[FCA847CF2222CF0D0952AE6039EB5B269BA582A3]
11/14/19 14:45:55 [I] [0x27c0] ***************** END CERT DUMP ********************
11/14/19 14:45:56 [E] [0x27c0] Unable to grant trust to module [E:\[SETUP]\Proxifier_Portable\PrxDrvPE.dll]
This means McAfee does not trust the module PrxDrvPE.dll of the Proxifier application.
In those situations, does McAfee have any action on that DLL file (block/delete/... the DLL file) to make the McAfee process run successfully instead of returning a failed status for the process?
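The MfeSysPrep output above carries everything needed to decide what to trust: each injector's path and hashes, and the signing certificate (the `cert sha1[...]` thumbprint) in the cert dump. The script below is an added example, not code from the thread or from McAfee, that parses that output and groups the untrusted modules by signing-certificate thumbprint; both Proxifier DLLs turn out to be signed by the same certificate, which is the certificate the thread's answer refers to when it says to add the .cer to the ENS Common policy. The regexes follow the line format in the post; the record field names (`sha256`, `cert_sha1`, `trust_granted`, ...) are labels chosen here. The sample is a trimmed copy of the lines in the post plus the "No injectors found" line from the earlier installation-time sysprep log.

```python
import re

# Line shape: "MM/DD/YY HH:MM:SS [level] [0xthread] message". Each detection run logs on
# its own thread id, so a record is tracked per thread until the next "Injector discovered".
PREFIX_RE = re.compile(r"^\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} \[(?P<lvl>[A-Z])\] "
                       r"\[(?P<tid>0x[0-9a-fA-F]+)\] (?P<msg>.*)$")
INJECTOR_RE = re.compile(r"^Injector discovered \[(?P<path>.+)\]$")
HASHES_RE = re.compile(r"^File \[(?P<path>.+?)\] sha2\[(?P<sha256>[0-9A-Fa-f]+)\] "
                       r"sha1\[(?P<sha1>[0-9A-Fa-f]+)\] md5\[(?P<md5>[0-9A-Fa-f]+)\]$")
DENIED_RE = re.compile(r"^Unable to grant trust to module \[(?P<path>.+)\]$")
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z0-9 ]*?)\[(?P<val>.*)\]$")  # "key[value]" cert-dump lines
CERT_FIELDS = {"Issuer": "issuer", "subject": "subject", "signatureAlgorithm": "sig_alg",
               "sign key sha1": "signing_key_sha1", "cert sha1": "cert_sha1"}


def parse_sysprep_log(text):
    """Return {"injectors": [record, ...] in log order, "clean_runs": count of 'No injectors found'}."""
    current, records, clean_runs = {}, [], 0
    for raw in text.splitlines():
        m = PREFIX_RE.match(raw.strip())
        if not m:
            continue
        tid, msg = m["tid"], m["msg"]
        if msg == "No injectors found":
            clean_runs += 1
            continue
        mi = INJECTOR_RE.match(msg)
        if mi:
            current[tid] = {"path": mi["path"], "untrusted": False, "trust_granted": None}
            records.append(current[tid])
            continue
        rec = current.get(tid)
        if rec is None:
            continue  # tool banner, "Detecting injectors...", etc.
        mh = HASHES_RE.match(msg)
        mf = FIELD_RE.match(msg)
        if msg.endswith("] is untrusted"):
            rec["untrusted"] = True
        elif mh:
            rec.update(sha256=mh["sha256"].upper(), sha1=mh["sha1"].upper(), md5=mh["md5"].upper())
        elif DENIED_RE.match(msg):
            rec["trust_granted"] = False  # the [E] line: sysprep could not trust this version itself
        elif mf and mf["key"].strip() in CERT_FIELDS:
            rec[CERT_FIELDS[mf["key"].strip()]] = mf["val"]
    return {"injectors": records, "clean_runs": clean_runs}


def group_by_cert(records):
    """Group injectors by signing-certificate thumbprint. Trusting one certificate covers
    every module in its group, so this is the unit of the trust decision."""
    groups = {}
    for r in records:
        key = r.get("cert_sha1", "<no certificate recorded>")
        g = groups.setdefault(key, {"subject": r.get("subject"), "issuer": r.get("issuer"), "modules": []})
        g["modules"].append(r["path"])
    return groups


# Sample input: trimmed copy of the MfeSysPrep lines in the post above (both detection runs),
# plus the "No injectors found" line from the installation-time sysprep log quoted earlier.
SAMPLE_LOG = "\n".join([
    "11/08/19 10:28:54 [I] [0x1d38] No injectors found",
    "11/14/19 14:45:53 [I] [0x31ec] MfeSysPrep 1.0.0.296",
    "11/14/19 14:45:53 [I] [0x31ec] Detecting injectors...",
    r"11/14/19 14:45:54 [I] [0x31ec] Injector discovered [E:\[SETUP]\Proxifier_Portable\PrxDrvPE64.dll]",
    r"11/14/19 14:45:54 [I] [0x31ec] Loaded module [E:\[SETUP]\Proxifier_Portable\PrxDrvPE64.dll] is untrusted",
    r"11/14/19 14:45:54 [I] [0x31ec] File [E:\[SETUP]\Proxifier_Portable\PrxDrvPE64.dll] sha2[E109011F96919D968164DE6957B9A75E87A167AFA961855AF7C291E8DE475735] sha1[DB58536833F6D25AFDD429BDDDDF3C3CD17EB146] md5[77F0642BCD7A97A068C0AFE70BE22F03]",
    "11/14/19 14:45:54 [I] [0x31ec] Issuer[GlobalSign Extended Validation CodeSigning CA - SHA256 - G3]",
    "11/14/19 14:45:54 [I] [0x31ec] subject[Initeks, OOO]",
    "11/14/19 14:45:54 [I] [0x31ec] signatureAlgorithm[sha256RSA]",
    "11/14/19 14:45:54 [I] [0x31ec] cert sha1[FCA847CF2222CF0D0952AE6039EB5B269BA582A3]",
    r"11/14/19 14:45:54 [E] [0x31ec] Unable to grant trust to module [E:\[SETUP]\Proxifier_Portable\PrxDrvPE64.dll]",
    r"11/14/19 14:45:55 [I] [0x27c0] Injector discovered [E:\[SETUP]\Proxifier_Portable\PrxDrvPE.dll]",
    r"11/14/19 14:45:55 [I] [0x27c0] Loaded module [E:\[SETUP]\Proxifier_Portable\PrxDrvPE.dll] is untrusted",
    r"11/14/19 14:45:55 [I] [0x27c0] File [E:\[SETUP]\Proxifier_Portable\PrxDrvPE.dll] sha2[44243F0D0102D654C5CAD1AC3826B52DA9454D4AF99D9A417CEB6AE4DDDA71F0] sha1[EBF1C54049E801C3B665990C0612C44BA6B75940] md5[D3DA1003323423DA89AF2C83E5E2B40A]",
    "11/14/19 14:45:55 [I] [0x27c0] Issuer[GlobalSign Extended Validation CodeSigning CA - SHA256 - G3]",
    "11/14/19 14:45:55 [I] [0x27c0] subject[Initeks, OOO]",
    "11/14/19 14:45:55 [I] [0x27c0] cert sha1[FCA847CF2222CF0D0952AE6039EB5B269BA582A3]",
    r"11/14/19 14:45:56 [E] [0x27c0] Unable to grant trust to module [E:\[SETUP]\Proxifier_Portable\PrxDrvPE.dll]",
])

if __name__ == "__main__":
    result = parse_sysprep_log(SAMPLE_LOG)
    for thumb, g in group_by_cert(result["injectors"]).items():
        print(f"cert sha1 {thumb} subject={g['subject']!r}: {len(g['modules'])} module(s)")
```

A trust added by certificate applies to every module that signer publishes, not only the two DLLs seen here, so before importing the .cer it is worth confirming on an endpoint that the signature actually verifies (for example with `Get-AuthenticodeSignature` in PowerShell) and that the module belongs to software you deliberately deploy; a module whose record shows no `cert_sha1` at all, or whose hashes differ from host to host, deserves a closer look rather than a trust entry.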
Hi @VietDuc19
This means McAfee does not trust the module PrxDrvPE.dll of the Proxifier application.
> This is correct.
In those situations, does McAfee have any action on that DLL file (block/delete/... the DLL file) to make the McAfee process run successfully instead of returning a failed status for the process?
> I'm afraid not. Because there is something untrusted on the system, the installation, the running of an update, etc. will be stopped. If you trust this and want to trust it yourself, you can add the .cer file to the ENS Common policy. This will add the trust.
For more details on dll injections, please do take the time to read this article: KB88085
Thank you for your information. I think this is the answer I was looking for.