jkears
Level 7
Message 1 of 5

WCF Socket Connection Aborted - Unknown Authentication Format - FilterId 66716

We have production WCF services for a large Enterprise and we are randomly seeing McAfee filters taking a FWP_ACTION_CALLOUT_TERMINATING which results in the WCF Socket Connection being aborted.

Aside from completely uninstalling McAfee, is there any way that we can configure McAfee to not block this network traffic?

4 Replies
exbrit
Reliable Contributor
Message 2 of 5

Re: WCF Socket Connection Aborted - Unknown Authentication Format - FilterId 66716

What McAfee product?

jkears
Level 7
Message 3 of 5

Re: WCF Socket Connection Aborted - Unknown Authentication Format - FilterId 66716

VirusScan Enterprise + Antispyware Enterprise 8.8

jkears
Level 7
Message 4 of 5

Re: WCF Socket Connection Aborted - Unknown Authentication Format - FilterId 66716

This blocking randomly occurs, not consistent at all. Why does this only sometimes block these network packets?

This is a snippet of the analysis of this issue ...

... From network trace, we can see SSL error at 2017-11-20 10:14:47.2638 (UTC+8), the time matches to "2017-11-20T02:14:47.2638505Z" UTC when socket connection was aborted at WCF Service call ...

{TCP:2367, IPv4:2329}

18621    10:14:47 2017-11-20         51.6774060          w3wp.exe              XXX         XXX SSL                SSL:SSLv2RecordLayer, Error (needs reassembly)         {SSL:2370, SSLVersionSelector:2369, TCP:2367, IPv4:2329}

  Frame: Number = 4354, Captured Frame Length = 706, MediaType = ETHERNET

+ Ethernet: DataLength = 2050 bytes,DestinationAddress:[00-10-DB-FF-70-01],SourceAddress:[00-50-56-AE-28-3B]

+ Ipv4: Src = XXX, Dest = XXX, Next Protocol = TCP, Packet ID = 28781, Total IP Length = 692

+ Tcp: Flags=...AP..., SrcPort=8201, DstPort=51980, PayloadLen=652, Seq=1891611085 - 1891611737, Ack=250625194, Win=4100 (scale factor 0x8) = 1049600

  TLSSSLData: Secure Sockets Layer (SSL) Payload Data

- SSL: SSLv2RecordLayer, Error (needs reassembly)

  - SslV2RecordLayer:

   + Header:

   - Error:

      HandShakeMessageType: Error

      ErrorType: Error Type: Unknown Authentication Format

... It appears that driver filter ID: 66716 drops / ended the TCP packet/stream...

TCP etl:

783475 [4]0000.0000::11/20/17-10:14:47.2791609 [Microsoft-Windows-TCPIP/Diagnostic] TCPIP: SendDatagram 0xFFFFD0002065B660 fell off the send fast path, Reason: WFP filters present. Protocol = TCP, Family = IPV4, Number of NBLs = 1. SourceAddress = XXX . DestAddress = XXX . 0xFFFFD0002065B660

783476 [4]0000.0000::11/20/17-10:14:47.2791629 [Microsoft-Windows-TCPIP/Diagnostic] TCPIP: SendDatagram 0xFFFFD0002065B660 fell off the send fast path, Reason: WFP filters present. Protocol = TCP, Family = IPV4, Number of NBLs = 1. SourceAddress = XXX   . DestAddress = XXX . 0xFFFFD0002065B660

783477 [4] 0000.0000::11/20/17-10:14:47.2791653 [user] - Invoking callout layerId 4 filter FFFFE0011778A4D0 filterId 66716 flowContext 0

783478 [4]0000.0000::11/20/17-10:14:47.2791824 [Microsoft-Windows-NDIS-PacketCapture/Diagnostic] Packet Fragment (54 bytes) 12, 12, 54

783479 [4] 0000.0000::11/20/17-10:14:47.2791975 [tcp]  - Timer 4 forced expiration episode ended at 14454775.

783480 [4]0000.0000::11/20/17-10:14:47.2791985 [Microsoft-Windows-TCPIP/Diagnostic] TCP timer rescheduled by processor 4 for processor 4 at Tick = 14454775 to Tick = 14454800, OldScheduledExpiration = 1445475361110 NewScheduledExpiration = 1445477917261 DueTime = -2500000 Aperiodic = TRUE.

783481 [4] 0000.0000::11/20/17-10:14:47.2791990 [tcp] - Timer 4 was rescheduled at 14454775 to expire at 14454800.

783482 [0]2960.214C::11/20/17-10:14:47.2870539 [Microsoft-Windows-Winsock Network Event/Operational ] connection aborted: 2: Process 0xFFFFE0012A21B900, Endpoint 0xFFFFE001236BF260, Seq 8003, Reason Abortive disconnect requested on endpoint

783483 [0]2960.214C::11/20/17-10:14:47.2870578 [Microsoft-Windows-Winsock Network Event/Operational ] socket cleanup: 0: Process 0xFFFFE0012A21B900, Endpoint 0xFFFFE001236BF260, Seq 2002, Status STATUS_SUCCESS

783484 [0]2960.214C::11/20/17-10:14:47.2870622 [Microsoft-Windows-TCPIP/Diagnostic] TCP: endpoint (sockaddr=0.0.0.0:50729) closed. 16, 0.0.0.0:50729

ID: 66716 aligns to a McAfee driver filter....

<filterKey>{354d75ae-57e0-4d5a-9d07-c88f8e25ab6f}</filterKey>
<displayData>
  <name>GUID_MFE_OUTBOUND_IPPACKET_CALLOUT_V4</name>
  <description>GUID_MFE_OUTBOUND_IPPACKET_CALLOUT_V4</description>
</displayData>
<flags numItems="2">
  <item>FWPM_FILTER_FLAG_PERSISTENT</item>
  <item>FWPM_FILTER_FLAG_PERMIT_IF_CALLOUT_UNREGISTERED</item>
</flags>
<providerKey>{8dfb7ab4-65f2-4889-a54b-e4a929173158}</providerKey>
<providerData/>
<layerKey>FWPM_LAYER_OUTBOUND_IPPACKET_V4</layerKey>
<subLayerKey>{ff085613-834a-45c1-b5e8-f202fb1d5c8e}</subLayerKey>
<weight>
  <type>FWP_EMPTY</type>
</weight>
<filterCondition/>
<action>
  <type>FWP_ACTION_CALLOUT_TERMINATING</type>
  <calloutKey>{6105765a-a0f1-4333-8b04-d4cc1f57e349}</calloutKey>
</action>
<rawContext>0</rawContext>
<reserved/>
<filterId>66716</filterId>
Peacekeeper
Reliable Contributor
Message 5 of 5

Re: WCF Socket Connection Aborted - Unknown Authentication Format - FilterId 66716

Moved to VirusScan Enterprise forum
