Community Help Hub

Former Member · ‎03-09-2014

So i have done some Reseach becourse McAfee doesnt come with some Patches.

After i Read this:

---We're learning that these detections people have been reporting are 100% legitimate.

---You are either a) under attack, or b) using an application that is purposefully executing code from writable memory.

In my case it seems to be a Dialit CTI Addin called "ctiaddin.dll" Version 4.1.0.7 Company EK-Soft size 848kb & this is a trusted plugin!

Works well a for years..

What is does? It connect to our Telefon Avaya Server to get access of our Telefone Userdatabase and so on. Nothing unusual.

So let me think loud what i think that happen:

..the Addin start to run with word, excel, outlook. It hooks to its System and Server - connects to its Database and is running well.

Until someone comes up with a stupid Programm Close. The Addin still gets connected. It is not so fast that it close all connections

fast enough to close them right. Word, Excel, Outlook etz. want to close, stops the Programmkernel and the Addin is still running.

Thats how I explain why the Word.exe / Excel.exe / Outlook.exe etc. is still running and needs to close manualy.

If the Protection is disabled there will be no problem to close becourse the addin has more time to close its Connection.

But becourse of the new buffer overflow protection or realtime Scanengine of Patch 4 the addin is running against the Wall.

And after the main programm is stopped - the service still exist in the Buffer and try to close it selve. What creates a bufferoverflow.

That couse in a 100% legitimate bufferoverflow. So it is 100% legitimate.

So the BASIC Problem is - McAfee just log the "winword.exe" or "excel.exe" NOT the ctiaddin.dll - becourse its a child prozess of the

Program. I dont know how to disable those Problem with the Software - ok.. i can excluse Office - but THEN it is very unsave for the

company...

I can just say go to your office addin Option and disable one after another addin try to find that one that makes trouble. Disable it.

wwarren · ‎03-10-2014

So let me think loud what i think that happen:
<stuff>

It's much simpler than that.

The application has code (either one of its own DLLs or a 3rd party injected DLL) that is not compatible with Data Execution Prevention (DEP).

In other words, that DLL is executing code from memory that is marked for Data, not Code - DEP stomps on that - and VSE's BOP will tell you by way of a BOP alert.

DEP stomps on it because VSE 8.8 Patch 4 tells DEP to watch that process, because it's a process BOP is configured to monitor, and that process has some poorly behaving code. But some companies (Microsoft included) have leveraged that poor behavior of executing code from the stack or heap intentionally, to provide functionality or "cleverly" solve issues. DEP has been around a looong time, and most vendors have since released updated software that is DEP compatible - those that haven't, need to consider better programming practices.

William W. Warren | S.I.R.R. | Customer Success Group | McAfee

Former Member · ‎03-11-2014

Good Morning

Please see the following issuese I am getting since I have rollout VSE 8.8 P4. This issues are on Win-XP and W7 clients. In the moment I have BOP disabled because the helpdesk was flooted by user calls.

McAfee has enlarged the function of BOP and the outcome for me is to have no BOP security in the moment.

One hint of wwarren is to put this processes into the BOP exclusion but on the other side this processes are named by McAfee to be a high risk process. I close a hole in BOP and will open a new hole in access protection ??

Received Threat Name: BO:Stack

Source Process Name: C:\Programme\Adobe\Reader 10.0\Reader\AcroRd32.exe

Action Taken: blocked

Problem solved?: true

Affected Object: _:NTDLL.KiUserExceptionDispatcher::60006c4d

Received Threat Name: BO:Stack

Source Process Name: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe

Action Taken: blocked

Problem solved?: true

Affected Object: _:NTDLL.KiUserExceptionDispatcher::58dd583f

Received Threat Name: BO:Stack

Source Process Name: D:\WINDOWS\Explorer.EXE

Action Taken: blocked

Problem solved?: true

Affected Object: _:NTDLL.KiUserExceptionDispatcher::10003052

Received Threat Name: BO:Image BO:Writable

Source Process Name: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE

Action Taken: blocked

Problem solved?: true

Affected Object: _:NTDLL.KiUserExceptionDispatcher::77165023

Received Threat Name: BO:Stack

Source Process Name: D:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Action Taken: blocked

Problem solved?: true

Affected Object: _:NTDLL.KiUserExceptionDispatcher::6b461f7b

Received Threat Name: BO:Writable BO:Heap

Source Process Name: C:\Program Files\Internet Explorer\iexplore.exe

Action Taken: blocked

Problem solved?: true

Affected Object: _:NTDLL.KiUserExceptionDispatcher::4190000

Received Threat Name: BO:Image BO:Writable

Source Process Name: C:\Program Files\Internet Explorer\iexplore.exe

Action Taken: blocked

Problem solved?: true

Affected Object: _:NTDLL.KiUserExceptionDispatcher::68c74b18

Received Threat Name: BO:Stack, BO:Image BO:Writable

Source Process Name: C:\Program Files\Internet Explorer\IEXPLORE.EXE

Action Taken: blocked

Problem solved?: true

Affected Object: _:NTDLL.KiUserExceptionDispatcher::281e478

Received Threat Name: BO:Stack

Source Process Name: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Action Taken: blocked

Problem solved?: true

Affected Object: _:NTDLL.KiUserExceptionDispatcher::3f39a1a5

Received Threat Name: BO:Writable BO:Stack

Source Process Name: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Action Taken: blocked

Problem solved?: true

Affected Object: _:NTDLL.KiUserExceptionDispatcher::c07f938

Former Member · ‎03-11-2014

I just wonder, are those Win 7 clients all 32 bit (x86) or do you have this issue also on 64 bit clients?

Former Member · ‎03-11-2014

All the clients are 32 bit (x86) systems

frank_enser · ‎03-11-2014

Buffer overflow protection is only available on 32bit.

Former Member · ‎03-11-2014

Have anyone found an article with the list of protected processes in VSE 8.8 Patch 4 ?

+++++++++++++++++++++++++

List of Processes Protected by Buffer Overflow Protection in VSE 8.8 Patch 1

Technical Articles ID: KB58007
Last Modified: 04/05/2012
Rated:

Environment

McAfee VirusScan Enterprise 8.8 Patch 1

Solution

List of processes protected by VirusScan Enterprise (VSE) Buffer Overflow Protection (BOP) in version 8.8 Patch 1 (build 588):

AcroRd32.exe
amgrsrvc.exe
dllhost.exe
EventParser.exe
excel.exe
explorer.exe
ftp.exe
iexplore.exe
inetinfo.exe
lsass.exe
mapisp32.exe
mplayer2.exe
msaccess.exe
msimn.exe
msmsgs.exe
mstask.exe
NaiMServ.exe
naPrdMgr.exe
outlook.exe
powerpnt.exe
rpcss.exe
services.exe
sqlservr.exe
SrvMon.exe
svchost.exe
visio32.exe
VSEBOTest.exe
w3wp.exe
winword.exe
winzip32.exe
wmplayer.exe
wuauclt.exe

Former Member · ‎03-11-2014

wwarren wrote:

DEP has been around a looong time, and most vendors have since released updated software that is DEP compatible - those that haven't, need to consider better programming practices.

I don't think anyone will disagree with you that almost every software product could benefit from better (and more secure) programming practices. The problem is McAfee has chosen to send their customers scrambling in effort to elicit better programming practices. We weren't told ahead of time the extent that this expansion of DEP was going to affect core products like Office and Adobe Reader, not to mention legacy applications that many of us have no choice but to work with. Yes, we can exempt processes and that's fine up to a point. There should have been better communication and a feature expansion like this should never have been dropped into a production environment without extensive testing. The fact that it took a while for anyone to acknowledge this issue officially is evidence that such testing never took place. There should have been a KB article for this at release for Patch 4. There also should have been far more than a cursory mention in the release notes. The time and cost of troubleshooting this issue, running MERs and ETL Traces at the request of McAfee Support, etc. far outweigh the benefits so far since in the end the ultimate answer is to just ignore or exempt the process that don't use "better programming practices."

wwarren · ‎03-11-2014

Yes trevorw2000, I agree. And with jmcguireiii too.

My expectation is the team will reconsider the default behavior when Patch 5 rolls around.

Until then we'll be tracking the long-term impact of this change. These forums too are good feedback mechanisms, so, even if you don't see folks like myself commenting - we're listening.

William W. Warren | S.I.R.R. | Customer Success Group | McAfee

Former Member · ‎03-11-2014

I know it was with all good intentions that McAfee wannted to upgrade the BOP service for our enviroments and I applaud that, but we are now having BOP issues we shouldn't be dealing with. These BOP detections we are now encountering after P4 are not threats to our computers. I actually had never even seen a BOP detection in 10 years of using McAfee VS until I applied P4 although I know others may have. With the planned obsolesence of 32 bit machines is all this really needed at this point. We all have smaller staffs today and having to deal with a manufactured issue is something we really could do without. This issue for us is more than updating Adobe Rreader or MS Office. We have 3'rd party apps that can't get updated anytime soon. I am going to be forced to disable this service and I am not real happy about it. Hopefully McAfee can reconsidered their position on this change for 32 bit machines.

Re: problem after upgrading VSE8.8 to patch 4

Re: problem after upgrading VSE8.8 to patch 4

Re: problem after upgrading VSE8.8 to patch 4

Re: problem after upgrading VSE8.8 to patch 4

Re: problem after upgrading VSE8.8 to patch 4

Re: problem after upgrading VSE8.8 to patch 4

Re: problem after upgrading VSE8.8 to patch 4

Environment

Solution

Re: problem after upgrading VSE8.8 to patch 4

Re: problem after upgrading VSE8.8 to patch 4

Re: problem after upgrading VSE8.8 to patch 4

Community Help Hub

Join the Community