I just rolled out MA 22.214.171.1243 a couple hours ago - seemed fine until folks started losing their desktops. Not able to use Windows Explorer and when logging in Explorer.exe will not launch. Below is a clip from the AP log on my computer. I had to perform an emergency policy roll out that turned off AP. That was a knee-jerk reaction but now I think I can re-enable that and disable the spoofing rule below - but is that a good idea?
Let me tell ya, this REALLY SUCKS,
2/26/2016 2:26:15 PM Blocked by Access Protection rule C:\WINDOWS\EXPLORER.EXE C:\Windows\explorer.exe Anti-virus Standard Protection:Prevent Windows Process spoofing Action blocked : Read
Disabling that rule would suffice.
Or excluding Explorer.exe (there may be other processes to exclude though, and adding exclusions defeats the purpose of the rule, so disabling seems simpler).
And then there's setting the rule to Report only, but that will mean you still get all the noise from the Events, and for activity that you understand the "where it's coming" and "why" you don't need the noise.
Disabling the rule is best.
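Before choosing between Report only, an exclusion, or disabling the rule, it helps to know whether every block in the AP log is Explorer acting on itself or whether some other process is tripping the rule. The script below is an added example, not from the thread or from McAfee; it assumes the space-collapsed line layout quoted above (the real AccessProtectionLog.txt is tab-delimited, so adjust LINE_RE for a live file) and paths without spaces.

```python
"""Triage helper for McAfee VSE Access Protection log lines (added example).
Assumes the space-collapsed layout quoted in the thread and paths without spaces."""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4}\s+\d{1,2}:\d{2}:\d{2}\s+[AP]M)\s+"
    r"Blocked by Access Protection rule\s+"
    r"(?P<process>\S+)\s+(?P<target>\S+)\s+"
    r"(?P<rule>.+?)\s+Action blocked\s*:\s*(?P<action>\w+)\s*$"
)

# Constructed sample: line 1 mirrors the entry quoted in the thread; the rest are
# made-up lines so the summary has something to separate.
SAMPLE_LOG = r"""
2/26/2016 2:26:15 PM Blocked by Access Protection rule C:\WINDOWS\EXPLORER.EXE C:\Windows\explorer.exe Anti-virus Standard Protection:Prevent Windows Process spoofing Action blocked : Read
2/26/2016 2:27:02 PM Blocked by Access Protection rule C:\WINDOWS\EXPLORER.EXE C:\Windows\explorer.exe Anti-virus Standard Protection:Prevent Windows Process spoofing Action blocked : Read
2/26/2016 2:31:40 PM Blocked by Access Protection rule C:\Temp\installer.exe C:\Windows\explorer.exe Anti-virus Standard Protection:Prevent Windows Process spoofing Action blocked : Execute
2/26/2016 2:32:10 PM Some other log line that is not an Access Protection block
"""

def parse_ap_line(line):
    """Parse one 'Blocked by Access Protection rule' line; None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["process"] = rec["process"].lower()  # Windows paths are case-insensitive
    rec["target"] = rec["target"].lower()
    return rec

def triage(log_text):
    """Split Process Spoofing blocks into explorer.exe-on-itself hits (the symptom
    in the thread) and blocks caused by any other process, which deserve a look
    before the rule is disabled or an exclusion is added."""
    self_hits, other, unparsed = 0, Counter(), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_ap_line(line)
        if rec is None:
            unparsed += 1
            continue
        if "process spoofing" not in rec["rule"].lower():
            continue  # other AP rules are out of scope here
        if rec["process"].endswith("\\explorer.exe") and rec["target"].endswith("\\explorer.exe"):
            self_hits += 1
        else:
            other[(rec["process"], rec["action"])] += 1
    return {"explorer_self_hits": self_hits, "other_blocks": dict(other), "unparsed": unparsed}
```

If other_blocks is empty on every affected station, the noise is entirely the Explorer self-access pattern described in the thread; anything else listed there should be understood before the rule is relaxed.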
I'm doing some poking around at the rule to understand why it might be flagging things now vs. prior to the upgrade. But the definition of the rule and interpretation of the rule all look correct, so we need to look closer still.
I'm on hold with the VSE support guys right now. Yes, I left reporting on and disabled block to resolve the immediate issue. Placing Explorer.exe as an exemption to the rule would be very unsafe! I'll let you know what support says.....
Spent all day on hold with McAfee/Intel yesterday. No solution yet.
This is a little more dangerous than just Explorer and app failure. Several of our test systems failed to shut down after the agent update was installed. The problem is it looked very much like they were shut down. No error, screen was black. Users were putting them in their bags, taking them home and finding them cooking later.
We had only installed the agent update, not the VSE 8.8 patch 7 but it makes no difference if both are installed. Support pointed to a section of the agent update that said patch 7 needed to be installed first however when you try to install patch 7 first it errors out stating the agent must be done first.
Very dangerous issue, we are hoping none of these systems have been damaged. I do not know what system types are affected. Dell laptops with Win8/10 for sure.
I believe disabling the rule does resolve it but too late when the devices are "off" and burning up. Kind of crazy that the agent caused this.
Feels like patch 5/6 again but just different issues, but still they are things that shouldn't have got past testing stage.....
I had 126.96.36.199 and Patch 7 installed, I didn't go to the new agent after the issues I had already - figured I would wait a few days and see what came out from other people testing.
However will say...I didn't check if my laptop went to sleep properly on Friday, too eager to leave after being at work an hour longer than I should have been looking at the issues.
So far, it's a no no from me...haha.
Maybe on Monday when back at work I'll try to determine why manual tasks are not being sent to the laptops anymore - I even force removed and reinstalled the agent, so perhaps some lingering registry entries causing me the issues somewhere.
Oh and I am pretty certain I don't have the Spoof rule enabled as it causes problems installing windows updates in our environment where they were getting blocked per the desktop crew and threat logs.
As I posted already, on Friday (2/26) I spent a couple hours on the phone with support and numerous times I showed them how, with the AVSP:Prevent Windows Process Spoofing policy enabled, it broke Explorer.exe. We completely removed the 188.8.131.523 Agent and the problem still occurred. The only solution was to either make an exemption or disable the policy - neither of which I deem "safe".
I disabled the policy, leaving it in report mode only. McAfee's default is OFF as well. McAfee's only answer is that the policy is doing what it is supposed to do. It's not an issue with McAfee products. I am supposed to call Microsoft and ask them why it's happening. Yea, right, like I'm going to get a Microsoft answer that cures my ills.
I guess I could accept McAfee's answer but for this - and I said it in my previous post - this issue did not start until I installed MA 184.108.40.2063. I had machines with lower revs of the Agent and there is no problem with those stations. The only machines that have the problem are the ones with the 220.127.116.113 agent. BUT STILL it's not a McAfee problem. I asked him "what changed?" The answer: MA has nothing to do with the enforcement of policies in VSE. Therefore, nothing.
I give up - for now. We're just going to have to live with a broken policy or a broken agent.
I was unable to delete a McAfee registry entry in the software listing (SystemCore) and a folder within Common Files (sure that was the location); even though all McAfee programs had been removed and were no longer installed on the system, it wouldn't allow me to delete them.
I had to go into Safe Mode and delete the registry entries and folders.
There were also some services leftover it seems after the removals and I cannot delete them, even in safe mode:
McAfee Service Controller
McAfee Firewall Core Service
About to reinstall the agent and see if I can send a manual task now from deleting the registry entries....see what happens
Seems to be losing its PUBLIC KEY frequently and disappearing from EPO server...
Maybe something to do with the following log entry;
aac_service.Warning: mfevtp is not up
Looking at the registry....looks like a lot of McAfee entries are still there and causing me my issues - these are not normally there after removal of the programs.
Following this in relation to removing mfevtp
Can now push tasks; for some reason since updating the HIPS/VSE I was unable to push tasks to the machine anymore - added a rule on the Juniper firewalls to allow it through, although I didn't have to do that in the past.
I think my showing up and deleting from the EPO is related to this;
But so far it is still disappearing on me - but haven't completed the last step yet.