cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 31 of 42

Re: VSE Patch 7 and HIPS Patch 7 out

Hi

You've described 2 separate issues here, both of which I suggest working on with our Support team in 2 separate service requests. Each will have their own investigative methodologies to work through.

Of the two, the install issue is the simpler to discuss because you'll have install logs left behind by the installation attempt to review (which Support can do of course).

Downgrading the software is not advised but if you feel you must, it will require removing VSE + the Agent (since you say it's 5.x version) + any other ISecG products that are installed which use our shared technology (SYSCore) - then rebooting - then reinstalling the products to their desired version. So, as you can see, we wouldn't wish that upon anybody. Better to identify the problem and determine if there's a simple workaround, while a longer-term solution is followed up on.

William W. Warren | S.I.R.R. | Customer Success Group | McAfee
Highlighted

Re: VSE Patch 7 and HIPS Patch 7 out

Hi tulhaum,

We are having the exact same problem, Agent Version 5.0.2.188 VSE Patch 7.  Black screen after logon, windows processes being blocked, printing issues, unable to access the VirusScan Console, Agents not talking to EPO etc.

In some instances removing Deep Defender has worked for us, in others it hasn't.  I don't have the logs to hand, but Deep Defender was blocking the Agent, as soon as Deep Defender was removed the Agents started talking to EPO again.

Disabling the Access Protection has been another 'solution' as just disabling the policy blocking explorer.exe hasn't always worked.

We spend numerous hours on the phone with McAfee support with no resolution, and have had to re-image a large percentage of clients to get them running again.

A very painful experience.

Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 33 of 42

Re: VSE Patch 7 and HIPS Patch 7 out

Hi ,

Just from your comment I can see that you experienced 2 separate and severe issues.

1. You encountered the issue with Patch 7 + the Windows process spoofing rule.

2. You installed Patch 7 on top of Deep Defender.

For #1, we know the issue and workaround: https://kc.mcafee.com/corporate/index?page=content&id=KB86694

For #2, don't do that. Deep Defender is old product that cannot coexist with the underlying technology carried by Patch 7. Reimaging may well be your only path to recovery as it's an unsupported configuration, never tested.

William W. Warren | S.I.R.R. | Customer Success Group | McAfee
Highlighted
Level 7
Report Inappropriate Content
Message 34 of 42

Re: VSE Patch 7 and HIPS Patch 7 out

Outstanding. I feel vindicated, and I can share with my team that "I didn't do it" - directly anyway. When I ran the update that caused this, it started a steady stream of Help Desk calls. I had to punt really, really fast. Disabling the policy and pushing it out was a knee jerk immediate resolution (now seen as a workaround) but some machines got stuck on stupid.

I figured out that on a machine with the black screen, if you CTL-ALT-DEL and run Task Manager, you can launch a new task - mcconsole, and disable AP. While you got that up, go into the AP properties and add an exemption for explorer.exe in the Windows Process Spoofing policy. You can then launch explorer.exe via task manager and you got your desktop back.

Highlighted

Re: VSE Patch 7 and HIPS Patch 7 out

Hi wwarren,

Thank you for the reply, it is appreciated.

The workaround does not solve the problem.  With all the exclusions in place, I am still unable to get to Windows Services or McAfee VirusScan Console the Windows Desktop Taskbar isn't formatted correctly and the Windows Update Service does not run.  There are probably other issues, but these are the obvious ones.  We have been told that the issue is with a Tier 3 engineer, but this has been two weeks now and we have had to disable Access Protection again and are no closer to a resolution.

Thank you for the information regarding Deep Defender, this has now been removed from our client base.

Regards

Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 36 of 42

Re: VSE Patch 7 and HIPS Patch 7 out

Ok. Tell me your SR# if you don't mind; it may be on my "to do" list. That list keeps growing faster than I'd like at the moment.

But if you're facing AP violation issues, the remediation is straight forward:  Review the AP log file, identify what processes are being blocked, update the policy to exclude what is being blocked.

Sometimes corrective action is complicated by other symptoms, like "the exclusion is not working" or "the policy is not being enforced" etc. All of which can be explored with Support.

William W. Warren | S.I.R.R. | Customer Success Group | McAfee
Highlighted

Re: VSE Patch 7 and HIPS Patch 7 out

Hi,

SR is <4-13454666247>


Thanks

Highlighted
Level 10
Report Inappropriate Content
Message 38 of 42

Re: VSE Patch 7 and HIPS Patch 7 out

Has anyone read this:

https://kc.mcafee.com/corporate/index?page=content&id=SB10151

If not - you may should do so.

----

Multiple McAfee endpoint products include a private mechanism to access settings and files protected by self-protection rules. This mechanism is not sufficiently secure and may be misused to access registry keys and files that should be protected from tampering.

When VirusScan Enterprise (VSE) is present on the device, processes that attempt to use this private mechanism are scanned upon access. If the processes are not detected as malware, they could gain access to resources protected by McAfee products

This trusted access bypass vulnerability allows access to resources normally protected by the products. Someone with knowledge of this mechanism can use and exploit it

----

Please, that can’t be true! Really? “A private mechanism” to bypass security…in a security product? Really? Who had such an idea? Security by obscurity (“s.o. with knowledge of …”)? I really can’t believe this!

Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 39 of 42

Re: VSE Patch 7 and HIPS Patch 7 out

The security bulletin is correct.  It also explains how to solve the issue; Patch 7.

The reporter was kind enough to allow us to have a fix available prior to going public with their findings. And I have already seen evidence of proof-of-concept code in the field that leverages this back door.


Patching is advisable. But not in haste.

Best practices for patch adoption should still be adhered to, such as those described here: .


William W. Warren | S.I.R.R. | Customer Success Group | McAfee
Highlighted

Re: VSE Patch 7 and HIPS Patch 7 out

How does this all affect fresh installs? I can't imagine they expect to frog hop up all the versions. Can VS Patch 7 Fresh install directly to agent x.333?

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community