There's a new Article in the McAfee Knowledge Center:
Buffer Overflow violations after installing VirusScan Enterprise 8.8 Patch 4 (KB81308): https://kc.mcafee.com/corporate/index?page=content&id=KB81308
The Buffer Overflow protection feature now uses Data Execution Prevention (DEP) to determine a violation has occurred for the list of processes protected by BOP. When a violation is detected, the Buffer Overflow feature will take action to notify and/or block the monitored process.
IMPORTANT: These detections should be considered legitimate. Prior releases of VSE did not detect these violations because the feature only monitored certain API calls for a limited list of processes. With Patch 4, the scope has broadened, and now all APIs of the same limited list of processes are monitored. Therefore, detections of buffer overrun violations may now be more prevalent, especially if you use older or unpatched Microsoft Office software.
Applications known to violate DEP and cause alerts:
NOTE: This list is not comprehensive, but will be updated as additional applications are identified.
- Microsoft Office 2003 and Office XP (version 11 and older versions, due to MSO.DLL)
- Microsoft Office 2007 (version 12)
- Explorer.exe (due to SEPCM.DLL, "SizeExplorer Pro")
Really, what I want to hear is that relief is on the way and that this was an unforeseen result of P4. It's that simple. I'm unhappy McAfee has responded with the hard-core response saying it's not us, it's them, even though that may be technically true. We know McAfee tried to do the right thing by upgrading the BOP service, but it unfortunately produced the wrong result for a lot of us. (Almost 9000 views on this topic)
We have pulled back on Patch 4 as well, but it did manage to get installed on a few hundred machines prior to me moving it to the eval branch. In my support ticket with McAfee, they wanted me to contact MS and have them investigate why IE is causing BO violations (I had to laugh out loud)... So McAfee releases a new patch and suddenly BO alerts start going off... hmmm, wonder where the problem is. I am sure MS will be all over this one. I have nothing to give MS anyway other than a McAfee log file.
I just posted a discussion on this before I saw this.
We took care of the issue by making sure everyone was updated to IE 9. Of those that had version 9 and still had the issue, we cleaned all the cache files including the C:\windows\TEMP folder.
We have very few explorer.exe BOs, though, that even the cleaning did not help. We have over 8600 computers and they were all pushed to before we realized the problem. We did not test on systems that had old versions of software on them like Office 97 and IE 8.
This is not McAfee's fault... this is the nature of the technology beast moving faster than businesses can afford to update or secure. The cart before the horse, so to speak.
Message was edited by: sol on 3/24/14 2:39:25 PM CDT
I disagree though and that could be because of my environment. The buffer overflows MAY not be McAfee's fault. The problem that I believe many of us have with these alerts is they create noise. Noise that is not causing any harm to our system or security posture but that we have to respond to or somehow document how we determined that it was not a threat. Had McAfee communicated this change clearly from the beginning we wouldn't have been so quick to jump on board with Patch 4.
Also, my top buffer overflow threats are not outdated software. They are software still being supported by their vendors such as Office 2010 and Internet Explorer 9 (or higher in almost every case) - and yes, they are fully patched. I'll give McAfee credit for the Adobe Reader detections because that program is sloppy... but almost everything else is a false positive, and really even the Reader detections are benign. Yet these are events that could indicate an infection, so the recommendation is that you essentially treat them with almost the same sense of urgency as you'd treat a malware detection. I'm all for advances in technology that detect advanced and potentially hidden threats, but it does no good if we have to shut it off to filter out the noise.
Also, I guess it now comes down to what is the overall value of the BOP service in our overall security scheme? I am not sure I feel our environment is any less secure than it was on Patch 3 with the BOP service now disabled.
Message was edited by: jmcguireiii on 3/25/14 8:09:17 AM CDT
I would ask you (and everyone else here with issues) do you only have VSE on your endpoints?
We have VSE and HIPS and Site Advisor and Avecto.
VSE on its own seems like a bad security choice; you should speak to McAfee about their defense-in-depth strategy.
There are multiple different methods for achieving defense in depth. I'm not sure why it's appropriate to assume that all of us are only running VSE and by that we must be making bad security choices. My company has a layered, defense in depth strategy that accomplishes everything that VSE, HIPS, Site Advisor and Avecto would accomplish but we do not use those particular products. There are many alternatives and what determines a good choice for security practices is based mostly on the amount of risk a business is willing to accept. Some might not want that much software running in the background on their workstations. Some might never connect an ethernet cable until programs like those are installed and verified functional.
My point being this: Your question is not exactly relevant unless your point is that the combination of VSE along with those other three security applications may be part of the cause for the Buffer Overflow Protection issue that many of us are experiencing. The solution to problems with one piece of software is almost never to add more software from the same vendor.
Oh no, that's not how I meant to come across.
HIPS disables the BOP in VSE as it has a better version, for example (I mentioned this earlier in the thread).
That's why I asked the question rather than assume anything! Yes, I agree, much better to have multiple options to defend the systems rather than one (or one vendor).
We have Endpoint Protection on the laptops. All devices have VSE and SiteAdvisor. We also secure settings in IE and Windows through various policies to control the settings and restrict our users from making changes.