cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

VSE8.8 Patch 7 mfebopk.sys Event 5038

Jump to solution

Hi Folks

Currently we have VSE8.8 Patch 6 deployed, with Agent 4.8.0.1938, running on Windows 7 SP1.

On a few test stations I manually installed Patch 7 prior to a full deployment.  As soon as this was done the following events started to be logged in the Client PCs security event log.  These were not present when using patch 6.

Event 5038

Code integrity determined that the image hash of a file is not valid.  The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

\Device\HarddiskVolume2\Windows\System32\drivers\mfebopk.sys

I uninstalled VSE8.8 and made sure that the file mfebopk.sys no longer existed in the above location.

Then I performed a manual full re-install of VSE8.8 using the Patch 7 Repost download, however the errors are still logged.

Anyone Else seeing this?

Thanks

1 Solution

Accepted Solutions
wwarren
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 5

Re: VSE8.8 Patch 7 mfebopk.sys Event 5038

Jump to solution

We did make changes to Patch 7 that might get flagged by Code Integrity, but those changes were unavoidable for our part and not actually indicative of an issue (changes we had to make in how our drivers were built to work around a Win10 TH2 issue)

So this event may be unavoidable, consequently.

Is it just that file of ours mentioned in such events? mfebopk.sys is the buffer overflow protection driver, and only ever loaded on 32-bit systems.

If it's just that file being mentioned, we can expect that others are not seeing the event because they're on 64-bit systems.

William W. Warren | S.I.R.R. | Customer Success Group | McAfee

View solution in original post

4 Replies
wwarren
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 5

Re: VSE8.8 Patch 7 mfebopk.sys Event 5038

Jump to solution

We did make changes to Patch 7 that might get flagged by Code Integrity, but those changes were unavoidable for our part and not actually indicative of an issue (changes we had to make in how our drivers were built to work around a Win10 TH2 issue)

So this event may be unavoidable, consequently.

Is it just that file of ours mentioned in such events? mfebopk.sys is the buffer overflow protection driver, and only ever loaded on 32-bit systems.

If it's just that file being mentioned, we can expect that others are not seeing the event because they're on 64-bit systems.

William W. Warren | S.I.R.R. | Customer Success Group | McAfee

View solution in original post

Re: VSE8.8 Patch 7 mfebopk.sys Event 5038

Jump to solution

Thank you for assistance.

This seen on only on 32-bit systems as you supected

wwarren
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 4 of 5

Re: VSE8.8 Patch 7 mfebopk.sys Event 5038

Jump to solution

FYI, since your posting I've seen other reports of the symptom and where a little more detail was available that the "why" was made clear.

We will be releasing a hotfix that solves this (and the AP rule: Prevent Windows Process spoofing issue) in the coming weeks, hopefully before the end of April.

William W. Warren | S.I.R.R. | Customer Success Group | McAfee

Re: VSE8.8 Patch 7 mfebopk.sys Event 5038

Jump to solution

I am also having this issue.

It appears that the following driver files are signed with an untrusted "McAfee Test" certificate and is causing these issues:

C:\Windows\System32\drivers\mfebopk.sys

C:\Windows\System32\drivers\mfeclnk.sys

C:\Windows\System32\drivers\mferkdet.sys


Furthermore, it introduces a significant delay (4-10 minutes) in the UAC prompt when accessing McAfee VirusScan Console.


UPDATE: I just installed HF1123565 and it seemed to resolve the certificate issue. Still noticing the long delay in the UAC prompt. I am also on a domain and noticed that GPO updates seem to be getting blocked by the "Prevent Programs from running in the Temp folder".

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community