erpede
Level 9
Message 21 of 84

Re: problem after upgrading VSE8.8 to patch 4

Any news on that?

Message edited by erpede on 03.03.14 10:41:36 CET
b12
Level 7
Message 22 of 84

Re: problem after upgrading VSE8.8 to patch 4

Good Morning

Where are the McAfee guys with new information about this issue???

McAfee Employee wwarren
McAfee Employee
Message 23 of 84

Re: problem after upgrading VSE8.8 to patch 4

The latest information -

We're learning that these detections people have been reporting are 100% legitimate.

You are either a) under attack, or b) using an application that is purposefully executing code from writable memory.

For most of the reports we've seen the cause is the latter. And most commonly, that has been due to using old versions of Microsoft Office (MSO.DLL in particular).

Whatever your process that's seeing the violation, you should consider upgrading or patching the software - or - use a workaround*.

The reason why we see these detections now with Patch 4 and not prior patches is we broadened BOP's scope in Patch 4. In previous patch releases it did not monitor all APIs of a protected process, only a subset (APIs most commonly used in attacks) - but with Patch 4, by making use of Data Execution Protection, we now cover any/all APIs. So the behavior of these processes was not being detected until installing Patch 4.

I hope to have a KB article on this soon.

* Workaround is to disable BOP (or exclude the process in the BOP configuration)

Other info may be available in the Knowledgebase.

William W. Warren | S.I.R.R. | Customer Success Group | McAfee
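
A static triage aid for the situation described in the post above, as an added example that is not part of the thread or of McAfee's tooling: it reads a PE file's headers and reports whether the image is marked DEP-compatible (NX_COMPAT) and which sections are both writable and executable. `dep_triage`, `build_sample` and the two sample images are constructed for illustration; header flags are only a hint and do not show code that a process generates in heap memory at run time.

```python
import struct
import sys

NX_COMPAT = 0x0100                                # IMAGE_DLLCHARACTERISTICS_NX_COMPAT
MEM_EXECUTE, MEM_WRITE = 0x20000000, 0x80000000   # IMAGE_SCN_MEM_* section flags

def dep_triage(data: bytes) -> dict:
    """Report the NX_COMPAT flag and any writable+executable sections of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (no MZ header)")
    pe = struct.unpack_from("<I", data, 0x3C)[0]              # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsect, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24                                             # optional header start
    magic, = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                           # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dll_chars, = struct.unpack_from("<H", data, opt + 70)     # same offset in both formats
    wx = []
    for i in range(nsect):
        off = opt + opt_size + 40 * i                         # 40-byte section headers
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        flags, = struct.unpack_from("<I", data, off + 36)
        if flags & MEM_EXECUTE and flags & MEM_WRITE:
            wx.append(name)
    return {"nx_compat": bool(dll_chars & NX_COMPAT), "wx_sections": wx}

def build_sample(dll_chars: int, sections: list) -> bytes:
    """Constructed, headers-only PE32 image for demonstration (not a real binary)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 96, 0x2102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)
    table = b"".join(name.ljust(8, b"\0") + b"\0" * 28 + struct.pack("<I", fl)
                     for name, fl in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table

# Constructed samples: an image with no NX_COMPAT and a W+X section, and a clean one.
LEGACY = build_sample(0x0000, [(b".text", 0x60000020), (b".stub", 0xE0000020)])
MODERN = build_sample(0x0140, [(b".text", 0x60000020), (b".data", 0xC0000040)])

if __name__ == "__main__":
    for label, blob in (("LEGACY", LEGACY), ("MODERN", MODERN)):
        print(label, dep_triage(blob))
    for path in sys.argv[1:]:                                 # optional real files to check
        with open(path, "rb") as fh:
            print(path, dep_triage(fh.read()))
```
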

Re: problem after upgrading VSE8.8 to patch 4

wwarren wrote:

The latest information -

We're learning that these detections people have been reporting are 100% legitimate.

You are either a) under attack, or b) using an application that is purposefully executing code from writable memory.

For most of the reports we've seen the cause is the latter. And most commonly, that has been due to using old versions of Microsoft Office (MSO.DLL in particular).

Whatever your process that's seeing the violation, you should consider upgrading or patching the software - or - use a workaround*.

The reason why we see these detections now with Patch 4 and not prior patches is we broadened BOP's scope in Patch 4. In previous patch releases it did not monitor all APIs of a protected process, only a subset (APIs most commonly used in attacks) - but with Patch 4, by making use of Data Execution Protection, we now cover any/all APIs. So the behavior of these processes was not being detected until installing Patch 4.

I hope to have a KB article on this soon.

* Workaround is to disable BOP (or exclude the process in the BOP configuration)

Other info may be available in the Knowledgebase.

Workaround... Exclude the process in the BOP config... seems to be the best way, but how?

I don't see documentation about that... Did someone already do that?

Derosa
Level 7
Message 25 of 84

Re: problem after upgrading VSE8.8 to patch 4

Since deploying patch 4 a range of our development software will no longer compile without error, users are mysteriously thrown out of databases after 30 seconds of web access, buffer overflow errors across a range of Office products. Revert back to patch 2 and all the issues mysteriously disappear.

We are staying at patch 2 and ignoring patch 4.

Re: problem after upgrading VSE8.8 to patch 4

The KB article for this issue has just recently been published:

https://kc.mcafee.com/corporate/index?page=content&id=KB81308

We're seeing the issue mostly with Office 2010 products and Adobe Reader. Still haven't decided how we're going to approach solving the problem as it's not currently affecting end users in a noticeable way at the moment.

Re: problem after upgrading VSE8.8 to patch 4

Has anyone found how to "Disable the VSE BOP feature locally"?

McAfee Employee wwarren
McAfee Employee
Message 28 of 84

Re: problem after upgrading VSE8.8 to patch 4

shanren wrote:

Has anyone found how to "Disable the VSE BOP feature locally"?

Do you not have the product documentation? Please go download it; maybe use this article as your point of reference as you might need other items it references: http://kc.mcafee.com/corporate/index?page=content&id=KB79580

In short -

1. Open the VSE console

2. Select the Buffer Overflow protection feature

3. Click the "Stop" button

William W. Warren | S.I.R.R. | Customer Success Group | McAfee

Re: problem after upgrading VSE8.8 to patch 4

Strange, I can't see the Buffer Overflow protection feature in the VSE console:

McAfee Employee wwarren
McAfee Employee
Message 30 of 84

Re: problem after upgrading VSE8.8 to patch 4

shanren wrote:

Strange, I can't see the Buffer Overflow protection feature in the VSE console:

Because it wasn't installed.

Either you selected to not install it, or your system is 64-bit.

And if it's 64-bit, there's no need for you to be concerned with this BOP alert issue... unless of course you have 32-bit systems in the environment that DO have the feature installed/enabled.

William W. Warren | S.I.R.R. | Customer Success Group | McAfee