So let me think loud what i think that happen:
<stuff>

It's much simpler than that.

The application has code (either one of its own DLLs or a 3rd party injected DLL) that is not compatible with Data Execution Prevention (DEP).

In other words, that DLL is executing code from memory that is marked for Data, not Code - DEP stomps on that - and VSE's BOP will tell you by way of a BOP alert.

DEP stomps on it because VSE 8.8 Patch 4 tells DEP to watch that process, because it's a process BOP is configured to monitor, and that process has some poorly behaving code. But some companies (Microsoft included) have leveraged that poor behavior of executing code from the stack or heap intentionally, to provide functionality or "cleverly" solve issues.  DEP has been around a looong time, and most vendors have since released updated software that is DEP compatible - those that haven't, need to consider better programming practices.

Good Morning

Please see the following issuese I am getting since I have rollout VSE 8.8 P4. This issues are on Win-XP and W7 clients. In the moment I have BOP disabled because the helpdesk was flooted by user calls.

McAfee has enlarged the function of BOP and the outcome for me is to have no BOP security in the moment.

One hint of wwarren is to put this processes into the BOP exclusion but on the other side this processes are named by McAfee to be a high risk process. I close a hole in BOP and will open a new hole in access protection ??

Received Threat Name:  BO:Stack

Source Process Name:   C:\Programme\Adobe\Reader 10.0\Reader\AcroRd32.exe

Action Taken:          blocked

Problem solved?:       true

Affected Object: _:NTDLL.KiUserExceptionDispatcher::60006c4d

Received Threat Name:  BO:Stack

Source Process Name:   C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe

Action Taken:          blocked

Problem solved?:       true

Affected Object: _:NTDLL.KiUserExceptionDispatcher::58dd583f

Received Threat Name:  BO:Stack

Source Process Name:   D:\WINDOWS\Explorer.EXE

Action Taken:          blocked

Problem solved?:       true

Affected Object: _:NTDLL.KiUserExceptionDispatcher::10003052

Received Threat Name:  BO:Image BO:Writable

Source Process Name:   C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE

Action Taken:          blocked

Problem solved?:       true

Affected Object: _:NTDLL.KiUserExceptionDispatcher::77165023

Received Threat Name:  BO:Stack

Source Process Name:   D:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Action Taken:          blocked

Problem solved?:       true

Affected Object: _:NTDLL.KiUserExceptionDispatcher::6b461f7b

Received Threat Name:  BO:Writable BO:Heap

Source Process Name:   C:\Program Files\Internet Explorer\iexplore.exe

Action Taken:          blocked

Problem solved?:       true

Affected Object: _:NTDLL.KiUserExceptionDispatcher::4190000

Received Threat Name:  BO:Image BO:Writable

Source Process Name:   C:\Program Files\Internet Explorer\iexplore.exe

Action Taken:          blocked

Problem solved?:       true

Affected Object: _:NTDLL.KiUserExceptionDispatcher::68c74b18

Received Threat Name:  BO:Stack, BO:Image BO:Writable

Source Process Name:   C:\Program Files\Internet Explorer\IEXPLORE.EXE

Action Taken:          blocked

Problem solved?:       true

Affected Object: _:NTDLL.KiUserExceptionDispatcher::281e478

Received Threat Name:  BO:Stack

Source Process Name:   C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Action Taken:          blocked

Problem solved?:       true

Affected Object: _:NTDLL.KiUserExceptionDispatcher::3f39a1a5

Received Threat Name:  BO:Writable BO:Stack

Source Process Name:   C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Action Taken:          blocked

Problem solved?:       true

Affected Object: _:NTDLL.KiUserExceptionDispatcher::c07f938

I just wonder, are those Win 7 clients all 32 bit (x86) or do you have this issue also on 64 bit clients?

All the clients are 32 bit (x86) systems

Buffer overflow protection is only available on 32bit.

Have anyone found an article with the list of protected processes in VSE 8.8 Patch 4 ?

+++++++++++++++++++++++++

List of Processes Protected by Buffer Overflow Protection in VSE 8.8 Patch 1

Technical Articles ID:  KB58007
Last Modified:  04/05/2012
Rated:

Environment

Solution

wwarren wrote:
 DEP has been around a looong time, and most vendors have since released updated software that is DEP compatible - those that haven't, need to consider better programming practices.

I don't think anyone will disagree with you that almost every software product could benefit from better (and more secure) programming practices.  The problem is McAfee has chosen to send their customers scrambling in effort to elicit better programming practices.  We weren't told ahead of time the extent that this expansion of DEP was going to affect core products like Office and Adobe Reader, not to mention legacy applications that many of us have no choice but to work with.  Yes, we can exempt processes and that's fine up to a point.  There should have been better communication and a feature expansion like this should never have been dropped into a production environment without extensive testing.  The fact that it took a while for anyone to acknowledge this issue officially is evidence that such testing never took place.  There should have been a KB article for this at release for Patch 4.  There also should have been far more than a cursory mention in the release notes.  The time and cost of troubleshooting this issue, running MERs and ETL Traces at the request of McAfee Support, etc. far outweigh the benefits so far since in the end the ultimate answer is to just ignore or exempt the process that don't use "better programming practices."

Yes trevorw2000, I agree. And with jmcguireiii too.

My expectation is the team will reconsider the default behavior when Patch 5 rolls around.

Until then we'll be tracking the long-term impact of this change. These forums too are good feedback mechanisms, so, even if you don't see folks like myself commenting - we're listening.