Agent 220.127.116.11 / ENS 10.6 oct update
We have deployed Agent and ENS for over 800 clients, and we found that on some clients (fewer than 10) the DAT version keeps staying at v0.5, meaning it never updated; we always got an error "failed to find valid repository" when we tried to run the DAT update task.
After checking the mfemactl.log we found that all these clients have some 3rd-party software installed, and this software's DLL files were injecting into mcscript_inuse.exe and caused this issue, so we exported the certificates from those DLLs and added them as trusted certificates in the ENS common policy, and indeed the issue is gone.
I kept an eye on that 3rd-party software: 3-4 clients have a VPN software named Astrill installed, one client has a Tencent Game Center (like Steam) installed, one client has a file encryption software (Tipray) installed, one client has a security software (Qihu 360) installed, and one client has some kind of net scanning software (NetSafety) installed.
It seems many kinds of software are able to cause this issue.
I understand that this 3rd-party software is trying to inject into the agent process, and the agent process terminates itself using the self-protection mechanism to prevent 3rd-party software from running suspicious code.
I want to know: apart from adding the certificates that signed those DLLs into the ENS common policy, are there any better solutions? To us it seems not always safe to trust those certs.
Thanks in advance.
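A way to review what each certificate is before adding it to the policy, shown as an added example that is not part of the original post or of McAfee's tooling: it checks the Authenticode signature of each injecting DLL, reports the signer, exports only validly signed certificates, and groups files by certificate. The DLL paths and the output folder are placeholders (assumptions); take the real paths from mfemactl.log.

```powershell
# Added example (not from the original thread). Paths are placeholders:
# replace them with the DLL paths reported in mfemactl.log.
$dllPaths = @(
    'C:\Path\To\ThirdParty\example1.dll',   # placeholder
    'C:\Path\To\ThirdParty\example2.dll'    # placeholder
)
$exportDir = Join-Path $env:TEMP 'injecting-dll-certs'   # assumed output folder
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

$report = foreach ($path in $dllPaths) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Not found: $path"
        continue
    }
    $sig  = Get-AuthenticodeSignature -LiteralPath $path
    $cert = $sig.SignerCertificate          # $null when the file is unsigned

    # Export only when the signature actually verified; an unsigned or
    # tampered DLL has no certificate worth trusting.
    if ($cert -and $sig.Status -eq 'Valid') {
        $bytes = $cert.Export(
            [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
        $out = Join-Path $exportDir ($cert.Thumbprint + '.cer')
        [System.IO.File]::WriteAllBytes($out, $bytes)
    }

    [pscustomobject]@{
        File       = $path
        Status     = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
    }
}

# Per-file view: anything not 'Valid' should not be trusted via its certificate.
$report | Format-Table File, Status, Subject, NotAfter -AutoSize

# Per-certificate view: each row is one certificate that would be trusted,
# with the DLLs that led to it.
$report | Where-Object { $_.Thumbprint } | Group-Object Thumbprint |
    Select-Object Name, Count, @{ n = 'Files'; e = { $_.Group.File -join '; ' } }
```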
I would suggest you raise a case with the ENS Team to help you out further. Our Support can also help in identifying the third party and later trusting a third-party digital certificate of signed third-party DLLs injecting into McAfee processes. This support requires opening a Service Request. To expedite processing, the steps to achieve these tasks are provided in the below article.
Hi @LKS,
Thanks, I'm afraid we don't have much time to follow up on the case as it only impacted a few client machines.
For now I just want to know if there are better solutions to this issue 🙂
We can uninstall the product whose DLL is injecting into Mcscript_Inuse.exe, reboot the machine and reproduce the issue.
You can try a couple of things: run the sysprep tool (available on the download page; it may or may not resolve the issue), trust the certs, contact the vendor for any updates that might resolve it, or remove the offending product. Those are pretty much your options when it comes to DLL injections.
Honestly, this is a very good post! You have your question well framed, you have done your research and you even have a solution in place!
This issue comes up due to the fact that third-party software is injecting or trying to inject its DLL into our product, and hence, quite frankly, we have little to do here other than allow them to inject if you entirely trust them. It is basically allowing them to bypass our safety mechanism! Now, in the case of security software, our recommendation is pretty straightforward: please do not install two security software products that have the same or similar features on the same machine. It is pretty much like having more than one person trying to do the same job, at the same time, in the same place. It may work for a few, but most of the time, it fails!
Other software like VPNs or gaming software definitely must be dealt with by contacting the respective vendor, as I am not sure why they would want their DLL injecting into our product.
Thanks everyone, I understand.
I see that most of the client machines that are failing to update the DAT are the customer's IT department's computers, because they have domain admin rights and are able to install software... sometimes it's really hard to control it...