cancel
Showing results for 
Search instead for 
Did you mean: 
ckwebb
Level 7
Report Inappropriate Content
Message 1 of 10

"NTDLL.DLL" failing with HIPS enabled

Jump to solution

Good Morning,

I have a serious issue. Any Microsoft program that calls "NTDLL.DLL" to execute (which is almost all Microsoft programs" is crashing. HIPS does not show anything in the activity log (as far as anything red), but when I turn HBSS off everything works. What do I do?

Thanks,

Chris

1 Solution

Accepted Solutions

Re: "NTDLL.DLL" failing with HIPS enabled

Jump to solution

Thanks for the reply greatscott, I tried that yesterday to no avail. I was able to resolve the issue today. We recently installed EMET on all of our workstations, two of them lost Outlook and IE capability and the event logs were showing NTDLL.DLL was the faulting module. There were never any HIPs events generated. When I would turn off HIPs enforcement the problem immediately went away. It turns out the person who installed EMET on those two workstations chose the default configuration instead of the manual configuration option. Uninstalling EMET (and carving out all registry references to it) and then re-installing it with the manual configuration option fixed our problem. Not sure why the default configuration broke NTDLL.DLL when HIPS was enforced.

9 Replies
Reliable Contributor exbrit
Reliable Contributor
Report Inappropriate Content
Message 2 of 10

Re: "NTDLL.DLL" failing with HIPS enabled

Jump to solution

Moved to HIPs for better attention - Moderator

Re: "NTDLL.DLL" failing with HIPS enabled

Jump to solution

Chris.. send me a digitally signed email to brian.berger AT mda.mil - I can help you through this.

FYI.. the term HBSS is only used in the DoD; here on the forums most people are commercial, so they would have no idea what HBSS means.

Reliable Contributor exbrit
Reliable Contributor
Report Inappropriate Content
Message 4 of 10

Re: "NTDLL.DLL" failing with HIPS enabled

Jump to solution

Note from Moderator - no email addresses should be posted per forum rules, so  I  "munged" yours.   It's still readable but not clickable, which is better safety and security-wise.

Re: "NTDLL.DLL" failing with HIPS enabled

Jump to solution

I am having the exact same issue, does anyone have a solution to this please?

Reliable Contributor exbrit
Reliable Contributor
Report Inappropriate Content
Message 6 of 10

Re: "NTDLL.DLL" failing with HIPS enabled

Jump to solution

You could do as the user has suggested in post #2

---

Peter

Moderator

Re: "NTDLL.DLL" failing with HIPS enabled

Jump to solution

Thanks, I did try that. Was hoping the solution was known by others and posted in hopes of getting the solution as quickly as possible.

Reliable Contributor exbrit
Reliable Contributor
Report Inappropriate Content
Message 8 of 10

Re: "NTDLL.DLL" failing with HIPS enabled

Jump to solution

Good, I think maybe it's not for publication here.  However I could be wrong.

Highlighted

Re: "NTDLL.DLL" failing with HIPS enabled

Jump to solution

i would suggest to anyone having this issue:

1. go to the IPS Rules policy applied to the system(s)

2. locate the "Application Protection Rules" tab, click into it

3. put the dll in this list section

4. test

Re: "NTDLL.DLL" failing with HIPS enabled

Jump to solution

Thanks for the reply greatscott, I tried that yesterday to no avail. I was able to resolve the issue today. We recently installed EMET on all of our workstations, two of them lost Outlook and IE capability and the event logs were showing NTDLL.DLL was the faulting module. There were never any HIPs events generated. When I would turn off HIPs enforcement the problem immediately went away. It turns out the person who installed EMET on those two workstations chose the default configuration instead of the manual configuration option. Uninstalling EMET (and carving out all registry references to it) and then re-installing it with the manual configuration option fixed our problem. Not sure why the default configuration broke NTDLL.DLL when HIPS was enforced.

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community