cancel
Showing results for 
Search instead for 
Did you mean: 
shribm
Level 7
Report Inappropriate Content
Message 1 of 12

Process **\mcshield.exe pid (4976) contains signed but untrusted code, but was allowed to perform a privileged operation with a McAfee driver.

Hi Team,

I have been facing this issue since a month but couldnt yet find a permanent solution.

Can anyone help me out on this by providing me a permanent solution.

Thanking in advance.

Issue:

Process **\mcshield.exe pid (4976) contains signed but untrusted code, but was allowed to perform a privileged operation with a McAfee driver.

Event ID: 516

Task category: 256

Source: mfehidk

Level: Warning

McAfee Products on Machine.

McAfee agent 4.8 Patch 2

VSE 8.8 Patch 4

11 Replies
catdaddy
Level 20
Report Inappropriate Content
Message 2 of 12

Re: Process **\mcshield.exe pid (4976) contains signed but untrusted code, but was allowed to perform a privileged operation with a McAfee driver.

Moved appropriately to Virus Scan Enterprise for better assistance - By Moderator

Cliff
McAfee Volunteer

Re: Process **\mcshield.exe pid (4976) contains signed but untrusted code, but was allowed to perform a privileged operation with a McAfee driver.

Hi,

looks like something injects code into the McShield process. See KB74177, KB71083 and KB74176 (especially section "Resolve the third-party application (hook) problem") for background information and permanent resolution.

Regards,

Frank

shribm
Level 7
Report Inappropriate Content
Message 4 of 12

Re: Process **\mcshield.exe pid (4976) contains signed but untrusted code, but was allowed to perform a privileged operation with a McAfee driver.

Thanks for the reply, appreciate it.

We have gone through the all the three mentioned KB articles. We ran procmon Tool on the affected machines and we found that the sxwmon32.dll is getting hooked to McAfee process. This seems to be related to Lumension Security, please advice on the same.


We found article KB73521 which has information on sxwmon32.dll. What are the further steps to be taken to resolve the issue.



wwarren
Level 15
Report Inappropriate Content
Message 5 of 12

Re: Process **\mcshield.exe pid (4976) contains signed but untrusted code, but was allowed to perform a privileged operation with a McAfee driver.

You should be following https://kc.mcafee.com/corporate/index?page=content&id=KB74176

You are currently up to Solution 1, section 2.

William W. Warren | S.I.R.R. | Customer Success Group | McAfee
shribm
Level 7
Report Inappropriate Content
Message 6 of 12

Re: Process **\mcshield.exe pid (4976) contains signed but untrusted code, but was allowed to perform a privileged operation with a McAfee driver.

Thanks for your reply..

As i said sxwmon32.dll is getting hooked to McAfee process and also seems to be related to Lumension Security, please advice on the same.

i have followed KB article https://kc.mcafee.com/corporate/index?page=content&id=KB74176

One of my colleague suggested to rename dll file ? how much its true?

My question is renaming dll name will it work? Is this the solution.

If yes please suggest me

If No please suggest me for both.

Kindly do the needful

Thanking in advance

Re: Process **\mcshield.exe pid (4976) contains signed but untrusted code, but was allowed to perform a privileged operation with a McAfee driver.

Well. As William says follow the kb to trust 3rd party certificates. Export the certificate and open a case with support and they will provide you a superdat for the certificate. I used to create the superdat when worked at McAfee

Best regards

Jose Maria

shribm
Level 7
Report Inappropriate Content
Message 8 of 12

Re: Process **\mcshield.exe pid (4976) contains signed but untrusted code, but was allowed to perform a privileged operation with a McAfee driver.

Thanks Maria for your reply... I have been following it.

But i want some justification from someone for below query

One of my colleague suggested to rename dll file ? how much its true?

My question is renaming dll file will it work? Is this the solution.

If yes please suggest me

If No please suggest me for both.

Thanks & Regards

Shrikant

Re: Process **\mcshield.exe pid (4976) contains signed but untrusted code, but was allowed to perform a privileged operation with a McAfee driver.

I have never tried, but i would say 99% not as this is a dll that is injectin in the antivirus and the antivirus by default trust McAfee and Microsoft dll signed so it wont work What your colleague kindly suggested but you can always give a try and confirm.

Best regards,

Jose Maria

shribm
Level 7
Report Inappropriate Content
Message 10 of 12

Re: Process **\mcshield.exe pid (4976) contains signed but untrusted code, but was allowed to perform a privileged operation with a McAfee driver.

Thanks for all your reply

can someone guide me for my below query

One of my colleague suggested to rename dll file ? how much its true?

My question is renaming dll file will it work? Is this the solution.

If yes please suggest me

If No please suggest me for both.

By renaming dll file will the application work?


Thanks

Shrikant