So I have done some research because McAfee doesn't come with some patches.
After I read this:
---We're learning that these detections people have been reporting are 100% legitimate.
---You are either a) under attack, or b) using an application that is purposefully executing code from writable memory.
In my case it seems to be a Dialit CTI add-in called "ctiaddin.dll", version 4.1.0.7, company EK-Soft, size 848 kB, and this is a trusted plugin!
Has worked well for years..
What does it do? It connects to our Avaya telephone server to get access to our telephone user database and so on. Nothing unusual.
So let me think aloud about what I think happens:
..the add-in starts to run with Word, Excel, Outlook. It hooks into its system and server, connects to its database and is running well.
Until someone comes up with a stupid program close. The add-in is still connected. It is not so fast that it closes all connections
fast enough to close them right. Word, Excel, Outlook etc. want to close, stop the program kernel, and the add-in is still running.
That's how I explain why Word.exe / Excel.exe / Outlook.exe etc. is still running and needs to be closed manually.
If the protection is disabled there will be no problem closing, because the add-in has more time to close its connection.
But because of the new buffer overflow protection or real-time scan engine of Patch 4, the add-in is running against the wall.
And after the main program is stopped, the service still exists in the buffer and tries to close itself, which creates a buffer overflow.
That causes a 100% legitimate buffer overflow. So it is 100% legitimate.
So the BASIC problem is: McAfee just logs "winword.exe" or "excel.exe", NOT ctiaddin.dll, because it's a child process of the
program. I don't know how to disable this problem with the software. OK.. I can exclude Office, but THEN it is very unsafe for the
company...
I can just say: go to your Office add-in options and disable one add-in after another to try to find the one that makes trouble. Disable it.
So let me think loud what i think that happen:
<stuff>
It's much simpler than that.
The application has code (either one of its own DLLs or a 3rd party injected DLL) that is not compatible with Data Execution Prevention (DEP).
In other words, that DLL is executing code from memory that is marked for Data, not Code - DEP stomps on that - and VSE's BOP will tell you by way of a BOP alert.
DEP stomps on it because VSE 8.8 Patch 4 tells DEP to watch that process, because it's a process BOP is configured to monitor, and that process has some poorly behaving code. But some companies (Microsoft included) have leveraged that poor behavior of executing code from the stack or heap intentionally, to provide functionality or "cleverly" solve issues. DEP has been around a looong time, and most vendors have since released updated software that is DEP compatible - those that haven't, need to consider better programming practices.
Good Morning
Please see the following issues I am getting since I have rolled out VSE 8.8 P4. These issues are on Win-XP and W7 clients. At the moment I have BOP disabled because the helpdesk was flooded with user calls.
McAfee has enlarged the function of BOP and the outcome for me is to have no BOP security at the moment.
One hint from wwarren is to put these processes into the BOP exclusion, but on the other side these processes are named by McAfee to be high-risk processes. I close a hole in BOP and will open a new hole in access protection??
Received Threat Name: BO:Stack
Source Process Name: C:\Programme\Adobe\Reader 10.0\Reader\AcroRd32.exe
Action Taken: blocked
Problem solved?: true
Affected Object: _:NTDLL.KiUserExceptionDispatcher::60006c4d

Received Threat Name: BO:Stack
Source Process Name: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
Action Taken: blocked
Problem solved?: true
Affected Object: _:NTDLL.KiUserExceptionDispatcher::58dd583f

Received Threat Name: BO:Stack
Source Process Name: D:\WINDOWS\Explorer.EXE
Action Taken: blocked
Problem solved?: true
Affected Object: _:NTDLL.KiUserExceptionDispatcher::10003052

Received Threat Name: BO:Image BO:Writable
Source Process Name: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
Action Taken: blocked
Problem solved?: true
Affected Object: _:NTDLL.KiUserExceptionDispatcher::77165023

Received Threat Name: BO:Stack
Source Process Name: D:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Action Taken: blocked
Problem solved?: true
Affected Object: _:NTDLL.KiUserExceptionDispatcher::6b461f7b

Received Threat Name: BO:Writable BO:Heap
Source Process Name: C:\Program Files\Internet Explorer\iexplore.exe
Action Taken: blocked
Problem solved?: true
Affected Object: _:NTDLL.KiUserExceptionDispatcher::4190000

Received Threat Name: BO:Image BO:Writable
Source Process Name: C:\Program Files\Internet Explorer\iexplore.exe
Action Taken: blocked
Problem solved?: true
Affected Object: _:NTDLL.KiUserExceptionDispatcher::68c74b18

Received Threat Name: BO:Stack, BO:Image BO:Writable
Source Process Name: C:\Program Files\Internet Explorer\IEXPLORE.EXE
Action Taken: blocked
Problem solved?: true
Affected Object: _:NTDLL.KiUserExceptionDispatcher::281e478

Received Threat Name: BO:Stack
Source Process Name: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Action Taken: blocked
Problem solved?: true
Affected Object: _:NTDLL.KiUserExceptionDispatcher::3f39a1a5

Received Threat Name: BO:Writable BO:Stack
Source Process Name: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Action Taken: blocked
Problem solved?: true
Affected Object: _:NTDLL.KiUserExceptionDispatcher::c07f938
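A small triage script for alert records in the layout quoted above, added here as an example (not code from the thread or from McAfee): it parses the "Received Threat Name / Source Process Name / Affected Object" lines into records and groups them per process image, so the BO: subtypes and the distinct fault offsets per process are visible before deciding whether a BOP exclusion is justified. The embedded sample log is constructed from three of the records above.

```python
from collections import Counter, defaultdict

# Constructed sample in the layout of the BOP alerts quoted above (paths and
# offsets copied from the thread; the selection and grouping are mine).
SAMPLE_LOG = """\
Received Threat Name: BO:Stack
Source Process Name: C:\\Programme\\Adobe\\Reader 10.0\\Reader\\AcroRd32.exe
Action Taken: blocked
Problem solved?: true
Affected Object: _:NTDLL.KiUserExceptionDispatcher::60006c4d
Received Threat Name: BO:Image BO:Writable
Source Process Name: C:\\Program Files\\Internet Explorer\\iexplore.exe
Action Taken: blocked
Problem solved?: true
Affected Object: _:NTDLL.KiUserExceptionDispatcher::68c74b18
Received Threat Name: BO:Stack, BO:Image BO:Writable
Source Process Name: C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE
Action Taken: blocked
Problem solved?: true
Affected Object: _:NTDLL.KiUserExceptionDispatcher::281e478
"""

def parse_bop_alerts(text):
    """One dict per alert; a record starts at each 'Received Threat Name' line."""
    records, cur = [], None
    for line in text.splitlines():
        key, _, value = line.partition(":")   # first ':' only; paths keep theirs
        key, value = key.strip(), value.strip()
        if key == "Received Threat Name":
            # 'BO:Stack, BO:Image BO:Writable' -> ['BO:Stack', 'BO:Image', 'BO:Writable']
            cur = {"threats": value.replace(",", " ").split()}
            records.append(cur)
        elif cur is not None and key == "Source Process Name":
            cur["process"] = value
        elif cur is not None and key == "Affected Object":
            # '_:NTDLL.KiUserExceptionDispatcher::60006c4d' -> function, fault offset
            cur["where"], _, cur["offset"] = value.lstrip("_:").rpartition("::")
    return records

def summarize(records):
    """Per process image (case-insensitive basename): alert count, BO: subtypes, offsets."""
    out = defaultdict(lambda: {"alerts": 0, "types": Counter(), "offsets": set()})
    for r in records:
        image = r["process"].rsplit("\\", 1)[-1].lower()
        out[image]["alerts"] += 1
        out[image]["types"].update(r["threats"])
        out[image]["offsets"].add(r["offset"])
    return dict(out)
```

A process that keeps faulting at the same offset with the same subtype is the pattern of one misbehaving module, which is the case where pinning down the add-in or DLL is more useful than excluding the whole host process.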
I just wonder, are those Win 7 clients all 32 bit (x86) or do you have this issue also on 64 bit clients?
All the clients are 32 bit (x86) systems
Buffer overflow protection is only available on 32bit.
Has anyone found an article with the list of protected processes in VSE 8.8 Patch 4?
Technical Articles ID: KB58007
Last Modified: 04/05/2012
wwarren wrote:
DEP has been around a looong time, and most vendors have since released updated software that is DEP compatible - those that haven't, need to consider better programming practices.
I don't think anyone will disagree with you that almost every software product could benefit from better (and more secure) programming practices. The problem is McAfee has chosen to send their customers scrambling in an effort to elicit better programming practices. We weren't told ahead of time the extent to which this expansion of DEP was going to affect core products like Office and Adobe Reader, not to mention legacy applications that many of us have no choice but to work with. Yes, we can exempt processes and that's fine up to a point. There should have been better communication, and a feature expansion like this should never have been dropped into a production environment without extensive testing. The fact that it took a while for anyone to acknowledge this issue officially is evidence that such testing never took place. There should have been a KB article for this at release for Patch 4. There also should have been far more than a cursory mention in the release notes. The time and cost of troubleshooting this issue, running MERs and ETL traces at the request of McAfee Support, etc. far outweigh the benefits so far, since in the end the ultimate answer is to just ignore or exempt the processes that don't use "better programming practices."
Yes trevorw2000, I agree. And with jmcguireiii too.
My expectation is the team will reconsider the default behavior when Patch 5 rolls around.
Until then we'll be tracking the long-term impact of this change. These forums too are good feedback mechanisms, so, even if you don't see folks like myself commenting - we're listening.
I know it was with all good intentions that McAfee wanted to upgrade the BOP service for our environments and I applaud that, but we are now having BOP issues we shouldn't be dealing with. These BOP detections we are now encountering after P4 are not threats to our computers. I actually had never even seen a BOP detection in 10 years of using McAfee VS until I applied P4, although I know others may have. With the planned obsolescence of 32 bit machines, is all this really needed at this point? We all have smaller staffs today and having to deal with a manufactured issue is something we really could do without. This issue for us is more than updating Adobe Reader or MS Office. We have 3rd party apps that can't get updated anytime soon. I am going to be forced to disable this service and I am not real happy about it. Hopefully McAfee can reconsider their position on this change for 32 bit machines.