Configuring buffer overflow exclusions VSE 8.8

Hi All.

I’d like some help and advice on configuring the buffer overflow exclusions in VSE 8.8. Like most of you, since upgrading to patch 4 I have had numerous problems on user PCs / Citrix servers where the buffer overflow protection has been triggered. At the moment it seems to be Office 2003 and IE8 causing the problem. The workaround (if I’m right in saying so, as these are legitimate) is to either turn off BOP or to add exclusions. I’d rather do the latter and leave BOP on. I’d like to add the exclusions with as much info as possible so at least it won’t be completely off for that process.

The errors I’m mainly seeing are:

C:\Program Files\InternetExplorer\iexplore.exe:NTDLL.KiUserExceptionDispatcher::6d4ac228   BO:Image BO:Writable

D:\Program Files\MicrosoftOffice\OFFICE11\OUTLOOK.EXE:NTDLL.KiUserExceptionDispatcher::73   BO:Memory

From that info, what do I need to put in the 3 boxes for the exclusions (process, module and API)?

I guess the process is iexplore.exe & OUTLOOK.EXE 🙂 Would KiUserExceptionDispatcher be the module and 6d4ac228 & 73 be the API?

As you can tell I’m way out of my depth here.

Thanks all.

20 Replies
pato
Level 7
Message 2 of 21

Re: Configuring buffer overflow exclusions VSE 8.8

To fix the IE issues, update to at least IE9 and clean out all temporary files. That should normally fix it. Sometimes some outdated add-ins can also cause issues.

I can't help with Office 2003, but in general, install all updates and maybe remove outdated plugins and it might already work.

Re: Configuring buffer overflow exclusions VSE 8.8

Thanks for the reply Pato. We cannot go to IE9 as the OS on the server is 2003 R2, so IE8 is the latest and it's fully patched. The same goes for Office; we are not in a position yet to upgrade to Office 2010 / 2013.

Can anyone else help me out with the exclusions?

Re: Configuring buffer overflow exclusions VSE 8.8

Hi Dean,

Try to create the exclusions using only the process name and leaving the other two fields blank.

As you said, the processes are IEXPLORER.exe and OUTLOOK.exe.

From my experience, using only the process name works.

Best regards,

Re: Configuring buffer overflow exclusions VSE 8.8

Does leaving the other two fields blank (Module & API) leave you open for vulnerability though?

We have also implemented Patch Level 4 and are experiencing the same issue.  We are currently tracking all of the reported BOP alerts and have found that a majority of them are AcroRd32.exe & iexplore.exe related.  I'm just hesitant to globally exclude these two processes since they are used by many exploits.

Guidance on this would be appreciated.

Thanks.

Message was edited by: jloader1 on 5/15/14 11:40:56 AM GMT-05:00

Re: Configuring buffer overflow exclusions VSE 8.8

As far as I am aware McAfee will release a fix for that, so I reckon you should open a case and they will give you more info. Be aware that old software like Office 2000 or Office 2003 is not supported for DEP and the only way to get rid of the issue is creating an exclusion. If you check kc.mcafee.com for "VSE P4 BOF violation" you will get more info.

Best regards

Re: Configuring buffer overflow exclusions VSE 8.8

Hi,

We discovered a similar issue. McAfee released an SNS Notice on March 7th highlighting this issue and have created a KB here: https://kc.mcafee.com/corporate/index?page=content&id=KB81308

The above KB explains why this happens and gives some solutions and workarounds.

Rich

Re: Configuring buffer overflow exclusions VSE 8.8

Thanks for the response Rich. I have seen the KB article. My concern lies in giving any process a sort of "free pass" if you have the ability to add module & API. It's a balancing act for sure. Vast number of modules, tons of APIs, exclusion list could be potentially limitless vs. the risk of allowing any process named iexplore or acrord32 (hackers' favorites). We've not seen the same API flagged by BOP twice (if I'm understanding the log entries correctly). Disabling BOP is not an option in our enterprise.

Thanks.

Travler
Level 10
Message 9 of 21

Re: Configuring buffer overflow exclusions VSE 8.8

C:\Program Files\InternetExplorer\iexplore.exe:NTDLL.KiUserExceptionDispatcher::6d4ac228   BO:Image BO:Writable

D:\Program Files\MicrosoftOffice\OFFICE11\OUTLOOK.EXE:NTDLL.KiUserExceptionDispatcher::73    BO:Memory

From that info, what do I need to put in the 3 boxes for the exclusions (process, module and API)?

I guess the process is iexplore.exe & OUTLOOK.EXE :-) would KiUserExceptionDispatcher be the module and 6d4ac228 & 73 be the API?

We're having iexplore.exe (and explorer.exe) issues, too.  I was wondering the same thing about the "module" and "api" settings.

Can someone confirm that DeanBaker is correct in his assumption as to what we should be entering in these exclusion setting fields?

Thanks!

bccol
Level 7
Message 10 of 21

Re: Configuring buffer overflow exclusions VSE 8.8

I've had an issue with one of our users where BOP was blocking them when trying to import scanned documents into one of our data systems. This was solved after adding the exception for svchost.exe on their machine by policy as described below.

20/06/2014 09:33:46 Blocked by Buffer Overflow Protection  NT AUTHORITY\LOCAL SERVICE C:\Windows\system32\svchost.exe:NTDLL.KiUserExceptionDispatcher::74736552 BO:Stack

Using the info above from the BufferOverFlowLog I added NTDLL.KiUserExceptionDispatcher to the module field and then added the 74736552 to the api field. I noticed after saving the policy though that this information was corrected by EPO which added NTDLL as the module and KiUserExceptionDispatcher was added to the API field removing the numerical value I'd added.

It appears there is some kind of error checking when entering BOP exceptions, and the logs can be interpreted as NT AUTHORITY\LOCAL SERVICE process:module.api (please correct me though if this is wrong?). I don't know how secure this is but it must be better than excluding the entire process.

Message was edited by: bccol on 20/06/14 14:03:19 IST
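As an added example (not from any poster in this thread and not McAfee's own code), the following Python script turns BufferOverFlowLog entries like the ones quoted above into the three ePO exclusion fields, following bccol's reading of the format: the text after the process path is MODULE.API, the module is NTDLL, the API is KiUserExceptionDispatcher, and the value after the double colon is kept separately and not entered in any field, since ePO discarded it. It also tallies hits per process/module/API so you can check whether the same pair recurs before deciding how narrow an exclusion to write, which is the question jloader1 raised. The regular expression and the field mapping are assumptions drawn from the log lines in this thread, not from McAfee documentation; the sample lines are copied from the posts above.

```python
import re
from collections import Counter
from typing import Dict, NamedTuple, Optional, Tuple

# Sample input: the three log entries quoted in this thread (constructed test data).
SAMPLE_LINES = [
    r"C:\Program Files\InternetExplorer\iexplore.exe:NTDLL.KiUserExceptionDispatcher::6d4ac228   BO:Image BO:Writable",
    r"D:\Program Files\MicrosoftOffice\OFFICE11\OUTLOOK.EXE:NTDLL.KiUserExceptionDispatcher::73   BO:Memory",
    r"20/06/2014 09:33:46 Blocked by Buffer Overflow Protection  NT AUTHORITY\LOCAL SERVICE "
    r"C:\Windows\system32\svchost.exe:NTDLL.KiUserExceptionDispatcher::74736552 BO:Stack",
]


class BopEntry(NamedTuple):
    process_path: str          # full path of the process that was blocked
    process: str               # executable name only (what the "process" field takes)
    module: str                # e.g. NTDLL (bccol's reading of the part before the dot)
    api: str                   # e.g. KiUserExceptionDispatcher (the part after the dot)
    trailing: str              # the value after "::"; ePO removed it, so it is not a field
    bo_types: Tuple[str, ...]  # the BO:<type> flags, e.g. ("Image", "Writable")


# Assumed layout: <drive>:\...\<name>.exe:<MODULE>.<API>::<value> <BO:flag> [<BO:flag> ...]
# search() is used so a leading timestamp / action / user prefix is simply skipped.
_ENTRY_RE = re.compile(
    r"(?P<path>[A-Za-z]:\\[^:]*?\\(?P<exe>[^\\:]+\.exe))"  # process path ending in .exe
    r":(?P<module>[^.:]+)\.(?P<api>[^:]+)"                 # MODULE.API
    r"::(?P<trailing>\S+)"                                 # value after '::'
    r"\s+(?P<bo>(?:BO:\S+\s*)+)",                          # one or more BO:<type> flags
    re.IGNORECASE,
)


def parse_bop_line(line: str) -> Optional[BopEntry]:
    """Parse one BufferOverFlowLog line; return None if it does not match the layout."""
    m = _ENTRY_RE.search(line)
    if m is None:
        return None
    flags = tuple(f[len("BO:"):] for f in m.group("bo").split())
    return BopEntry(
        process_path=m.group("path"),
        process=m.group("exe"),
        module=m.group("module"),
        api=m.group("api"),
        trailing=m.group("trailing"),
        bo_types=flags,
    )


def exclusion_fields(entry: BopEntry) -> Dict[str, str]:
    """Map a parsed entry onto the three ePO exclusion boxes, narrowest form first.

    Per bccol's observation the API field takes the function name, not the
    trailing value, so that value is deliberately left out here.
    """
    return {"process": entry.process, "module": entry.module, "api": entry.api}


def summarize(lines) -> Counter:
    """Count hits per (process, module, api) so recurring pairs stand out."""
    counts: Counter = Counter()
    for line in lines:
        entry = parse_bop_line(line)
        if entry is not None:
            counts[(entry.process, entry.module, entry.api)] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        entry = parse_bop_line(line)
        print(exclusion_fields(entry), "trailing:", entry.trailing, "types:", entry.bo_types)
    for key, n in summarize(SAMPLE_LINES).items():
        print(n, "hit(s):", key)
```

Point the script at a real log by reading the file line by line into `summarize()`; an exclusion that names process, module and API covers only the combinations that actually recur, which is narrower than excluding the whole process as several posters were reluctant to do.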