chaitan
Level 7

HIPS 8 Patch 3 in adaptive mode causes Windows 8 to reboot after logon, violations 1003 MFEFIRE WERFAULT


Hi,

The latest version of HIPS 8 Patch 3 was installed on a Windows 8 laptop and connected to a freshly installed EPO 5 with the latest extensions for these products.

Everything was fine until HIPS was enabled in EPO; it was possible to reboot, etc. Today I enabled Adaptive Mode for both IPS and Firewall in the Default policies in EPO. After policy propagation to the client, the laptop self-rebooted after some time, I mean, the system just warned that it would reboot after 2 minutes and offered to close all applications.

After that, the user could not log in to Windows anymore. Namely, the Windows logon screen appears, the user enters credentials, 2-3 minutes pass, and the laptop reboots.

Fortunately it was still possible to log on by rebooting into Safe Mode from the logon screen. In this case, the following message appeared after logon:

"Failed to connect to a Windows service. Windows couldn't connect to the AUInstallAgent service. This problem prevents standard users from signing in. As an administrative user, you can review the system event log for details about why the service didn't respond." The problematic service is Windows All-User Install Agent.

But the problematic user logs on as an administrator, not as a standard user.

In the system log, I can see the following information messages just before the reboot:

Info: "The following boot-start or system-start driver(s) did not load: dam"

Info: "The process wininit.exe has initiated the restart of computer HOST01 on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found. Reason code: 0x50006. Shutdown type: restart. Comment: The system process 'C:\windows\system32\services.exe' terminated unexpectedly with status code - 1073741819. The system will now shut down and restart".

Or

"The process C:\Windows\system32\winlogon.exe (HOST01) has initiated the restart of computer HOST01 on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found. Reason code: 0x500ff. Shutdown type: restart."

Error: "DCOM got error "1726" attempting to start the service netprofm with arguments: "Unavailable" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}"

Warning: "Name resolution for the name isatap.Home timed out after none of the configured DNS servers responded"

There are many identical exceptions in the HipShield.log file:

11-04 15:50:58.947 Alert: 0x4,4c Block event matching sig 1003
11-04 15:51:02 [02108] VIOLATION: NoLog Id found 1003
11-04 15:51:02 [02108] VIOLATION: [1] ------- Violation ---- Size 1193 ----
<Event> <!-- Level=High, Reaction=Prevent -->
  <EventData
  SignatureID="1003"
  SignatureName="Windows Agent Shielding - Process Access"
  SeverityLevel="4"
  Reaction="3"
  ProcessUserName="NT AUTHORITY\SYSTEM"
  Process="&lt;SYSTEM&gt;"
  IncidentTime="2013-11-04 15:50:59"
  AllowEx="False"
  SigRuleClass="Program"
  ProcessId="4"
  Session="0"
  SigRuleDirective="open_with_terminate,open_with_modify"/>
  <Params>
    <Param name="Workstation Name" allowex="True">HOST01</Param>
    <Param name="Target File Name" allowex="False">MFEFIRE.EXE</Param>
    <Param name="Target Path" allowex="False">C:\PROGRAM FILES\COMMON FILES\MCAFEE\SYSTEMCORE\MFEFIRE.EXE</Param>
    <Param name="Target Distinguished Name" allowex="False">CN=&quot;MCAFEE, INC.&quot;, OU=IIS, OU=DIGITAL ID CLASS 3 - MICROSOFT SOFTWARE VALIDATION V2, O=&quot;MCAFEE, INC.&quot;, L=SANTA CLARA, S=CALIFORNIA, C=US</Param>
    <Param name="Target Organization Name" allowex="False">&quot;MCAFEE, INC.&quot;</Param>
    <Param name="Target Description" allowex="False">MCAFEE CORE FIREWALL SERVICE</Param>
    <Param name="Target Fingerprint" allowex="False">cc89cfc30d2d919562c1986974c74f9f</Param>
  </Params>
</Event>

(the same exception also for FIRESVC.EXE), and

<Event> <!-- Level=High, Reaction=Prevent -->
  <EventData
  SignatureID="1003"
  SignatureName="Windows Agent Shielding - Process Access"
  SeverityLevel="4"
  Reaction="3"
  ProcessUserName="NT AUTHORITY\SYSTEM"
  Process="C:\WINDOWS\SYSTEM32\WERFAULT.EXE"
  IncidentTime="2013-11-04 14:14:49"
  AllowEx="False"
  SigRuleClass="Program"
  ProcessId="4652"
  Session="0"
  SigRuleDirective="open_with_terminate,open_with_modify"/>
  <Params>
    <Param name="Workstation Name" allowex="True">HOST01</Param>
    <Param name="Subject Distinguished Name" allowex="False">CN=MICROSOFT WINDOWS, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</Param>
    <Param name="Subject Organization Name" allowex="False">MICROSOFT CORPORATION</Param>
    <Param name="Executable Description" allowex="False">WINDOWS PROBLEM REPORTING</Param>
    <Param name="Executable Fingerprint" allowex="False">c89fab42cd5fd672506031d941529a74</Param>
    <Param name="Target File Name" allowex="False">MFEVTPS.EXE</Param>
    <Param name="Target Path" allowex="False">C:\WINDOWS\SYSTEM32\MFEVTPS.EXE</Param>
    <Param name="Target Distinguished Name" allowex="False">CN=&quot;MCAFEE, INC.&quot;, OU=IIS, OU=DIGITAL ID CLASS 3 - MICROSOFT SOFTWARE VALIDATION V2, O=&quot;MCAFEE, INC.&quot;, L=SANTA CLARA, S=CALIFORNIA, C=US</Param>
    <Param name="Target Organization Name" allowex="False">&quot;MCAFEE, INC.&quot;</Param>
    <Param name="Target Description" allowex="False">MCAFEE PROCESS VALIDATION SERVICE</Param>
    <Param name="Target Fingerprint" allowex="False">42eb23142c60c914cf1f652f1303f7b2</Param>
  </Params>
</Event>

While the problem was temporarily "fixed" by manually disabling the McAfee Host Intrusion Prevention Service in Safe Mode and restarting, is it possible to determine what is happening and how to prevent this situation?

All software (HIPS, Agent, EPO) is of the latest version; at least it's listed as "Up to date" in EPO.

Software versions:
HIPS Client 8.0.0
2151
8.0.0.5153

Eugeny.


Accepted Solutions
chaitan
Level 7

Re: HIPS 8 Patch 3 in adaptive mode causes Windows 8 to reboot after logon, violations 1003 MFEFIRE WERFAULT


Ok we've found out that Patch 3 was not actually checked in. We checked it in, updated client to version 8.0.0.2589, and it seems that the problem doesn't occur anymore.

McAfee Employee

Re: HIPS 8 Patch 3 in adaptive mode causes Windows 8 to reboot after logon, violations 1003 MFEFIRE WERFAULT


The reboot issue was probably caused by having HIPS 8.0 Patch 2 (build 8.0.0.2151) installed with the Host IPS module enabled. With the Host IPS module enabled, the Windows 8 system would constantly reboot until you applied Hotfix 803520.

Windows 8 is officially supported in the HIPS 8.0 (build 8.0.0.2589) though.
