I am really looking forward to other security products if we will be looking to renew our licence next time in 2 years.. until then I am looking at how Intel will bring the security software to a higher level. And if there is no big step towards better usability - McAfee will no longer be used.
Open your browser,
Open the ePO console,
-> Navigate to the System Tree
-> Click on the part of the tree where you want to change the rules
-> On the right you will see System | Client Rules | Client Task | Group ...
(sorry, perhaps the names are different; I have the German ePO)
-> Go to Client Rules and choose the product Virus Scan Enterprise
Here you will find: Rules for Buffer Overflow Protection
-> If you have the default setting, be careful: if you want to change only one part of your structure,
it is important to break the rule, make a second one and rename it to, perhaps, BOP_OFF. Save it, change it to
BOP_OFF and go into it.
You can enable/disable BOP, change from warning mode to save mode.
You can enable/disable the dialog box that appears if something is blocked (if it's off, the problem
is still there! But your telephone will be much, much, MUCH more quiet)
AND you can make exceptions by Process | Module or / and API - the problem is if the BOP does not log enough data
to get a clean answer... like BOP > SVCHOST.EXE - Module: unknown Prozess: unknown API: unknown blablabbla..
.. you will have a BIG problem to disable the EXACT process, program or whatever.
The better way is to change the suite to Kaspersky - perhaps if McAfee loses all companies they learn the lesson.
1) Wait (sometimes it takes ~5-10 minutes to reach all clients)
2) Check the version of the Agent and VSE - perhaps one is old, then the rule can get no update because of a
3) Push the ePO Agent installation. Sometimes the agent is bad and does not work like it should.
4) Try to do a manual synchronisation from the and watch the log - is the server connecting? If yes, something is wrong,
try to install the VSE -> disable the prevention on the local VSE and be sure to take the hook out from the seve Security mechanism.
Stop the Framework Service and uninstall the VSE from "Programs" in your Windows. Navigate to your data repository - choose the
VSE installer and make a NEW installation. That takes time.. when it's done, restart your PC.
5) Try to find out if the client connects and if it gets the update of the rules.
Sometimes if EVERYTHING is not working fine - it's better to uninstall via ePO rule. First uninstall the VSE & then the Agent -
THEN reinstall both and 80% of your system is well - the rest needs to be fixed or installed manually because something is
Those fu..ing problems you will learn to hate, because whenever everything is running well - and you're upgrading or installing a patch
that's your work for the next weeks until everything is working well again. So I decided to look forward to Kaspersky..
This is so ridiculous!! Why am I getting BO errors from explorer.exe on windows 7 SP1 systems that have every single security update from MS installed? What more can I update to prevent them?
McAfee, You need to remove this extra BO protection you've introduced with P4 cause it's doing nothing except giving security admins a huge headache!! Do you guys even test this stuff before pushing it out to your paying customers? I mean at least give us a heads up warning that we may experience BO errors after updating to P4 and we could be prepared to deal with it!!
This is so ridiculous!!
Nobody is trying to ridicule anyone. The frustration is detected, and, sorry if it's giving you a hard time. The workarounds are simple though; that should help.
McAfee, You need to remove this extra BO protection you've introduced with P4 cause it's doing nothing except giving security admins a huge headache!!
It's affecting about 2% of security admins; a subset of them will have a headache; a smaller subset will have huge headaches.
But it's also an assumption to call folks security admins if they're willfully running apps that are incompatible with Data Execution Prevention, because they're using apps that execute code from the stack or heap, which is/has been a common exploit method of malware. I'm of the belief that Security Admins would be interested in ridding themselves of such apps, therefore on the plus side, this change has alerted them to _some_ of those apps.
Nevertheless, as stated in an earlier post, we'll see what we can do for Patch 5.
Do you guys even test this stuff before pushing it out to your paying customers? I mean at least give us a heads up warning that we may experience BO errors after updating to P4 and we could be prepared to deal with it!!
Tested, yes. Tested in your environment - well, we didn't do that. We hope somebody did.
The heads up is warranted, we could've done something about that but it was a judgment call on whether to assume alleged reports of BOP alerts from 2% of external testers were legitimate or anomalies in their testing. I say alleged because none provided data to allow us to confirm the behavior. And the lack of data, and evidence, led to a decision of it not being a "real" issue, and that to say something with no sound evidence supporting it would've sounded wishy-washy and created questions which we could not answer.
Why am I getting BO errors from explorer.exe on windows 7 SP1 systems that have every single security update from MS installed? What more can I update to prevent them?
We can help you with that. If there's a 3rd party DLL loading into Explorer that's responsible for the DEP violations, we can help you find it. It may not be a Windows component, therefore Windows updates wouldn't help. 3rd party code often hooks into Explorer to provide fancy shell functionality. Whatever it might be, we can help you identify it - and there may be updates available for it.
If we can't find it via DLL inspection, log review, or dump analysis, then we'll need a VM - just so you're prepared for what to expect along that journey. Meanwhile, for the environment at large, an exclusion is appropriate to provide relief from alerts.
Those are all fair points provided by wwarren. Our line of work has so many (arguably infinite) amounts of unique combinations in each environment, not piloting something is crazy, yet more often than not it doesn't happen, as is witnessed by many of these complaints. I do acknowledge though sometimes people want to do the right thing, but bean counters and cowboy-management say otherwise.
I wish my other vendors were as responsive on official forums.
We have many many explore and IEexplore BO alerts every day and we are cleaning those systems as they are reported and dealing with the fallout. It does stink but I do understand and I am certainly not complaining. We have had McAfee since 1997 and it has not let us down yet (knock on wood). I can't think of one single security application that has never had a tough rollout to a large corporation with numerous applications of varying degrees.
That said... How do I get our organization on the beta testing teams? We are currently on the Virusscan Reputation beta team but that is the only one I have been alerted to in a long time. I want our organization to be proactive in these events so we don't face these issues at rollout time. I do have the support of leadership on this.
Thanks for all you do to help us protect what keeps our bills paid.
Message was edited by: sol on 3/31/14 11:08:38 AM CDT
When you say you are "cleaning the systems", what is the process you are using? The frustrating part for me is that our systems are on IE9, are fully patched, etc. so we are not sure what else we can do. McAfee is not providing a log of any type that could show us what needs to be upgraded.