Virus\Malware Warning - libeay32.dll (OpenSSL)

Recently we got an alert from McAfee EPO:

=============
Threat detected - Target:SERVER2016|Source:|
System Location - GlobalRoot\Directory\SIMSNET\WebClient
Description of the Event - DLL Injection Event
Threat Severity - Critical
Threat Name - Self Protection - protect McAfee processes
Affected User -
Was the Threat Handled - False
=============

I have been trying to look into this but I can't find anything relevant. It seems that libeay32.dll (OpenSSL) was trying to be injected by the local system and the process was blocked by Endpoint Security.

I don't believe this is a big problem, looks like the DLL was signed by McAfee:

' Injected DLL was signed by certificate: C-US, S-California, L-Santa Clara, O-"McAfee, Inc.", OU-Engineering, CN-"McAfee, Inc." '

But it was blocked by its Self Protection, could anyone please help explain this and what might need to be done?

Kind Regards,
Matt
5 Replies
AdithyanT
McAfee Employee
Message 2 of 6

Re: Virus\Malware Warning - libeay32.dll (OpenSSL)

Hi @User51749476,

Thank you for your post. May I know if the event showed the details of the process into which the DLLs were injected?

It is indeed strange that a McAfee-signed DLL would be caught by Self Protection. While excluding the DLL will resolve the block and thereby may resolve any update or agent-related issues (the DLL seems to be a part of McAfee Agent) that may be present because of this, I am curious to know why/which process this DLL would inject into, thereby triggering this event.

Can you help us with the complete event, removing sensitive details like usernames, and I shall look at this for you. Alternatively, you can open an SR where this can be investigated further.


Thanks and regards,
Adithyan T

Re: Virus\Malware Warning - libeay32.dll (OpenSSL)

Hi AdithyanT,

I've not found an event as such with any more detail. However the SelfProtection_Activity.Log has the following entry several times on the 01/01/22 and on the 02/01/22 but not again since:


2022-01-01 05:02:37.147Z |Activity|ApBl |mfeesp | 2712| 4412|SP |XModuleEvents.cpp(851) | NT AUTHORITY\SYSTEM ran C:\Program Files\McAfee\Endpoint Security\Endpoint Security Platform\mfeesp.exe, which attempted to access the process libeay32.dll, violating the rule "Core Protection - Sanitize McAfee processes", and was blocked. For information about how to respond to this event, see KB85494.

The aforementioned KB is just about NLS and not related to the DLL injection.

There is a Windows Event Log:

Log Name: Application
Source: McAfee Endpoint Security
Date: 01/01/2022 05:00:48
Event ID: 3
Task Category: None
Level: Error
Keywords: Classic
User: SYSTEM
Computer: ######
Description:
EventID=34865

Injected DLL was signed by certificate: C-US, S-California, L-Santa Clara, O-"McAfee, Inc.", OU-Engineering, CN-"McAfee, Inc."
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="McAfee Endpoint Security" />
<EventID Qualifiers="8192">3</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2022-01-01T05:00:48.889576800Z" />
<EventRecordID>261646</EventRecordID>
<Channel>Application</Channel>
<Computer>######</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data>EventID=34865

Injected DLL was signed by certificate: C-US, S-California, L-Santa Clara, O-"McAfee, Inc.", OU-Engineering, CN-"McAfee, Inc."</Data>
</EventData>
</Event>



Is there anywhere else you would recommend I check? I can log this as a SR, it does seem to be less of a community issue and more like a one off.

Kind Regards,

Matt 

AdithyanT
McAfee Employee
Message 4 of 6

Re: Virus\Malware Warning - libeay32.dll (OpenSSL)

Hi @User51749476,

Thank you for your swift response and details. This event points to an interaction between libeay32.dll and the mfeesp process. While mfeesp.exe can belong only to the ENS platform component, the libeay32.dll module can belong to McAfee Agent, DLP and MAR/EDR too!

Also, the Windows Event and the log excerpt's time stamps don't match, which may mean that these 2 events may not be exactly pointing to one specific action on the machine.

As long as none of the applications are affected, this can be treated as a benign event. However, I would recommend a support case to get to the bottom of it, provided we have some means to replicate the issue. Please create an SR for investigating this event and confirming this behavior as to whether this is expected to happen.


Thanks and regards,
Adithyan T
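
Added example, not part of the original posts and not McAfee code: a small parser for the SelfProtection_Activity.Log line and the Windows event XML quoted in this thread, used to check whether the two records are close enough in time to describe one action. The field layout is inferred from the single quoted line, the XML is trimmed to the elements used, and the 5 second tolerance is an assumption.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Sample input copied from the thread (event XML trimmed to the fields used).
SP_LOG_LINE = (
    '2022-01-01 05:02:37.147Z |Activity|ApBl |mfeesp | 2712| 4412|SP '
    '|XModuleEvents.cpp(851) | NT AUTHORITY\\SYSTEM ran C:\\Program Files\\McAfee\\'
    'Endpoint Security\\Endpoint Security Platform\\mfeesp.exe, which attempted to '
    'access the process libeay32.dll, violating the rule "Core Protection - '
    'Sanitize McAfee processes", and was blocked.'
)
EVENT_XML = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
    '<Provider Name="McAfee Endpoint Security" />'
    '<TimeCreated SystemTime="2022-01-01T05:00:48.889576800Z" />'
    '</System><EventData><Data>EventID=34865</Data></EventData></Event>'
)
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
MSG_RE = re.compile(
    r'^(?P<user>.+?) ran (?P<actor>.+?), which attempted to access the process '
    r'(?P<target>.+?), violating the rule "(?P<rule>[^"]+)", and was (?P<action>\w+)'
)

def parse_sp_line(line):
    """Split a pipe-delimited Self Protection log line into named fields."""
    parts = [p.strip() for p in line.split("|", 8)]  # 9 columns assumed
    if len(parts) != 9:
        raise ValueError("unexpected field count")
    m = MSG_RE.match(parts[8])
    if not m:
        raise ValueError("unrecognised message text")
    ts = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return {"time": ts, **m.groupdict()}

def parse_event(xml_text):
    """Extract the UTC timestamp and vendor EventID from the Windows event XML."""
    root = ET.fromstring(xml_text)
    raw = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    # SystemTime carries 100 ns precision; trim to microseconds for strptime.
    ts = datetime.strptime(raw[:26], "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)
    data = root.find("e:EventData/e:Data", NS).text
    vendor_id = int(re.search(r"EventID=(\d+)", data).group(1))
    return {"time": ts, "vendor_event_id": vendor_id}

def same_action(sp, ev, tolerance_s=5.0):
    """True only if both records fall within tolerance_s seconds of each other."""
    return abs((sp["time"] - ev["time"]).total_seconds()) <= tolerance_s
```

Run over the two records from this thread, the records are about 108 seconds apart, so `same_action` returns False at the default tolerance.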
harshgautam
McAfee Employee
Message 5 of 6

Re: Virus\Malware Warning - libeay32.dll (OpenSSL)

Hi @User51749476 ,

Thank you for reaching out to us on the McAfee community portal. We have observed this issue with McAfee-signed DLLs, which have been detected as a threat when the root certs are not updated.

Kindly update the root certs from all 3 KBs below:

a) https://kc.mcafee.com/corporate/index?page=content&id=KB91697
b) https://kc.mcafee.com/corporate/index?page=content&id=KB87096
c) https://kc.mcafee.com/agent/index?page=content&id=KB92937


Re: Virus\Malware Warning - libeay32.dll (OpenSSL)

Thank you, I believe this was the cause! We've not had any more alerts. But now I know where to look if we do.