2 Replies Latest reply on Sep 13, 2017 3:14 PM by woody188

    ENS 10.5.1/10.5.2 ATP TIE Client, W7 64BIT, Failed to finalize reputation for file,ErrorCode 0xc030002f for random EXE on systems

    bretzeli

      Hello,

       

      We are investigating this at development level and we assume this may be a source for the random hangs / freeze / "Blue circle" one of our customers has with:

       

      Around 800 clients W7 64BIT

      ENS 10.5.2

      AGENT 5.0.6

      TIE 2.1.0338 (HF2) Latest Version (Combi Broker and TIE Server ON ONE Server)

      DXL 3.1

      DLP 11 latest HF (ONLY in DEVICEBLOCK Mode > USB)

       

       

      Does ANYBODY have the same errors if they:

       

      * TURN on DEBUG Logging in the POLICY

      * Open file c:\ProgramData\McAfee\Endpoint Security\Logs\AdaptiveThreatProtection_Debug.log

       

       


       

      Search for: "Failed to finalize reputation for file"

       

      9/05/2017 01:29:01.250 PM   mfeatp(2872.432) <SYSTEM> Orchestrator.Action.Debug: Non actionable reputation score(0) recieved for C:\WINDOWS\EXPLORER.EXE

      09/05/2017 01:29:02.661 PM   mfeatp(2872.3816) <SYSTEM> Remediationbl.RepairModule.Debug: Obtained hash information for raptor, path c:\windows\explorer.exe md5 38ae1b3c38faef56fe4907922f0385ba

      09/05/2017 01:29:05.435 PM   mfeatp(2872.1956) <SYSTEM> Orchestrator.JCM.Debug: JCM system event scan for process C:\WINDOWS\SYSTEM32\DLLHOST.EXE pid 852

      09/05/2017 01:29:05.436 PM   mfeatp(2872.5352) <SYSTEM> Orchestrator.JCM.Debug: Process C:\WINDOWS\SYSTEM32\DLLHOST.EXE reputation 99 final 0 result 0x00000000 flags 0x0000000001000000 type: 1 connectivity: 1

      09/05/2017 01:29:05.474 PM   mfeatp(2872.5352) <SYSTEM> Orchestrator.JTI.Debug: Process C:\WINDOWS\SYSTEM32\DLLHOST.EXE JTI reputation 99 rule 55 threat name JTI/Trusted.65591!a8edb86fc2a4 , JCM reputation 99, IsFinal 0

      09/05/2017 01:29:05.979 PM   mfeatp(2872.1748) <SYSTEM> Orchestrator.JCM.Debug: Process C:\WINDOWS\SYSTEM32\DLLHOST.EXE reputation 99 final 0 result 0x00000000 flags 0x0000000001000000 type: 1 connectivity: 1

      09/05/2017 01:29:09.838 PM   mfeatp(2872.5656) <SYSTEM> Orchestrator.JCM.Debug: JCM system event scan for process C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\OFFICE14\WINWORD.EXE pid 808

      09/05/2017 01:29:09.839 PM   mfeatp(2872.5352) <SYSTEM> Orchestrator.JCM.Debug: Process C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\OFFICE14\WINWORD.EXE reputation 99 final 0 result 0x00000000 flags 0x0000000001000000 type: 1 connectivity: 1

      09/05/2017 01:29:10.339 PM   mfeatp(2872.5352) <SYSTEM> Orchestrator.Action.Debug: Orchestrator finalizing reputation for C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\OFFICE14\WINWORD.EXE

      09/05/2017 01:29:10.339 PM   mfeatp(2872.5352) <SYSTEM> Orchestrator.JCM.Error: Failed to finalize reputation for file C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\OFFICE14\WINWORD.EXE. ErrorCode 0xc030002f (For random EXE Like explorer.exe even cmd.exe)

      09/05/2017 01:29:10.488 PM   mfeatp(2872.432) <SYSTEM> Orchestrator.JTI.Debug: Async: Process C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\OFFICE14\WINWORD.EXE JTI reputation 99 rule 0 threat name  , JCM reputation 99, IsFinal 0

      09/05/2017 01:29:10.489 PM   mfeatp(2872.432) <SYSTEM> Orchestrator.Action.Debug: Orchestrator finalizing reputation for C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\OFFICE14\WINWORD.EXE

      09/05/2017 01:29:10.866 PM   mfeatp(2872.2868) <SYSTEM> Orchestrator.JCM.Debug: Process C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\OFFICE14\WINWORD.EXE reputation 99 final 0 result 0x00000000 flags 0x0000000001000000 type: 1 connectivity: 1

      09/05/2017 01:29:14.799 PM   mfeatp(2872.1956) <SYSTEM> Orchestrator.JCM.Debug: JCM system event scan for process C:\WINDOWS\SYSTEM32\DLLHOST.EXE pid 8148

        • 1. Re: ENS 10.5.1/10.5.2 ATP TIE Client, W7 64BIT, Failed to finalize reputation for file,ErrorCode 0xc030002f for random EXE on systems
          woody188

          Server 2008 R2 getting high memory usage, ~283,792 K from mcshield.exe. Same McAfee software you have listed, just different Windows OS.

           

          09/13/2017 09:11:18.796 AM   mfeatp(1732.4232) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:702): Failed to finalize reputation for file C:\WINDOWS\CCM\UPDATETRUSTEDSITES.EXE. ErrorCode 0xc030002f

          09/13/2017 09:11:18.982 AM   mfeatp(1732.4224) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:702): Failed to finalize reputation for file C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\VMWARETRAY.EXE. ErrorCode 0xc030002f

          09/13/2017 09:11:20.218 AM   mfeatp(1732.4232) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:702): Failed to finalize reputation for file C:\SCRIPTS\LOGIN\LOGIN.EXE. ErrorCode 0xc030002f

          09/13/2017 09:11:31.614 AM   mfeatp(1732.4232) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:702): Failed to finalize reputation for file C:\WINDOWS\SERVICING\TRUSTEDINSTALLER.EXE. ErrorCode 0xc030002f

          09/13/2017 09:42:03.211 AM   mfeatp(1732.4232) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:702): Failed to finalize reputation for file E:\CHECKERRORLOG\CHECKERRORLOG.EXE. ErrorCode 0xc030002f

          09/13/2017 10:00:05.710 AM   mfeatp(1732.4232) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:702): Failed to finalize reputation for file C:\WINDOWS\SERVICING\TRUSTEDINSTALLER.EXE. ErrorCode 0xc030002f

          09/13/2017 10:00:17.583 AM   mfeatp(1732.4232) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:702): Failed to finalize reputation for file C:\WINDOWS\SYSTEM32\WUAUCLT.EXE. ErrorCode 0xc030002f

          09/13/2017 10:00:27.664 AM   mfeatp(1732.4232) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:702): Failed to finalize reputation for file C:\WINDOWS\SERVICING\TRUSTEDINSTALLER.EXE. ErrorCode 0xc030002f

          09/13/2017 10:22:03.027 AM   mfeatp(1732.4232) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:702): Failed to finalize reputation for file E:\CHECKERRORLOG\CHECKERRORLOG.EXE. ErrorCode 0xc030002f

          09/13/2017 10:25:26.796 AM   mfeatp(1732.4232) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:702): Failed to finalize reputation for file C:\WINDOWS\CCM\UPDATETRUSTEDSITES.EXE. ErrorCode 0xc030002f

          09/13/2017 10:25:29.916 AM   mfeatp(1732.4232) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:702): Failed to finalize reputation for file C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\VMWARETRAY.EXE. ErrorCode 0xc030002f

          09/13/2017 10:25:38.982 AM   mfeatp(1732.1624) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:702): Failed to finalize reputation for file C:\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE. ErrorCode 0xc030002f

          09/13/2017 10:25:38.990 AM   mfeatp(1732.6356) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:702): Failed to finalize reputation for file C:\WINDOWS\CCM\SCNOTIFICATION.EXE. ErrorCode 0xc030002f

          09/13/2017 10:25:43.481 AM   mfeatp(1732.4232) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:702): Failed to finalize reputation for file C:\WINDOWS\SERVICING\TRUSTEDINSTALLER.EXE. ErrorCode 0xc030002f

          09/13/2017 10:25:54.342 AM   mfeatp(1732.4744) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:702): Failed to finalize reputation for file C:\WINDOWS\SYSTEM32\SPPSVC.EXE. ErrorCode 0xc030002f

          09/13/2017 11:02:03.058 AM   mfeatp(1732.4232) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:702): Failed to finalize reputation for file E:\CHECKERRORLOG\CHECKERRORLOG.EXE. ErrorCode 0xc030002f

          09/13/2017 11:02:06.164 AM   mfeatp(1732.1624) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:658): Failed to set new reputation for process E:\CHECKERRORLOG\CHECKERRORLOG.EXE, result:0xc0300027

          09/13/2017 11:02:06.612 AM   mfeatp(1732.3620) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:658): Failed to set new reputation for process E:\CHECKERRORLOG\CHECKERRORLOG.EXE, result:0xc0300027

          09/13/2017 12:12:03.512 PM   mfeatp(1732.5024) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:658): Failed to set new reputation for process E:\CHECKERRORLOG\CHECKERRORLOG.EXE, result:0xc0300027

          09/13/2017 01:32:03.036 PM   mfeatp(1732.4224) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:702): Failed to finalize reputation for file E:\CHECKERRORLOG\CHECKERRORLOG.EXE. ErrorCode 0xc030002f

          09/13/2017 01:36:29.334 PM   mfeatp(1732.3620) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:702): Failed to finalize reputation for file C:\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE. ErrorCode 0xc030002f

          09/13/2017 02:42:03.007 PM   mfeatp(1732.4744) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:658): Failed to set new reputation for process E:\CHECKERRORLOG\CHECKERRORLOG.EXE, result:0xc0300027

          09/13/2017 02:52:12.243 PM   mfeatp(1732.4232) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:702): Failed to finalize reputation for file C:\WINDOWS\CCM\UPDATETRUSTEDSITES.EXE. ErrorCode 0xc030002f

          09/13/2017 02:52:12.558 PM   mfeatp(1732.4232) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:702): Failed to finalize reputation for file C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\VMWARETRAY.EXE. ErrorCode 0xc030002f

          09/13/2017 02:52:20.063 PM   mfeatp(1732.4232) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:702): Failed to finalize reputation for file C:\WINDOWS\SERVICING\TRUSTEDINSTALLER.EXE. ErrorCode 0xc030002f

          09/13/2017 02:57:42.913 PM   mfeatp(1732.4228) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:702): Failed to finalize reputation for file C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\VMWARETRAY.EXE. ErrorCode 0xc030002f

          09/13/2017 02:57:44.090 PM   mfeatp(1732.4228) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:702): Failed to finalize reputation for file C:\WINDOWS\CCM\UPDATETRUSTEDSITES.EXE. ErrorCode 0xc030002f

          09/13/2017 02:59:00.429 PM   mfeatp(1732.4224) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:702): Failed to finalize reputation for file C:\WINDOWS\EXPLORER.EXE. ErrorCode 0xc030002f

          09/13/2017 02:59:19.909 PM   mfeesp(1692.5988) <SYSTEM> ApBl.AP.Error (XModule.cpp:67): Vtp get file image hash MD5 LastErr 0x0000054f An internal error occurred.

          • 2. Re: ENS 10.5.1/10.5.2 ATP TIE Client, W7 64BIT, Failed to finalize reputation for file,ErrorCode 0xc030002f for random EXE on systems
            woody188

            I removed and re-installed the ATP module via ePO. Seems to have resolved the errors. Mcshield.exe is still running at 211,476 K (and rising) and all other processes still running higher memory than before ENS but the errors are now gone.

             

            09/13/2017 04:11:09.772 PM   mfeatp(3452.7228) <SYSTEM> atpbl.ATP.Debug: ATP policy enforcement completed

            09/13/2017 04:11:09.778 PM   mfeatp(3452.2384) <SYSTEM> Orchestrator.JCM.Debug: Process C:\WINDOWS\SYSTEM32\DLLHOST.EXE reputation 99 final 0 result 0x00000000 flags 0x0000000001000000 type: 1 connectivity: 1

            09/13/2017 04:11:14.375 PM   mfeatp(3452.6596) <SYSTEM> Orchestrator.JCM.Debug: JCM system event scan for process C:\WINDOWS\SYSTEM32\DLLHOST.EXE pid 2296

            09/13/2017 04:11:29.137 PM   mfeatp(3452.2384) <SYSTEM> Orchestrator.JCM.Debug: JCM system event scan for process C:\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE pid 728

            09/13/2017 04:11:29.144 PM   mfeatp(3452.5456) <SYSTEM> Orchestrator.JCM.Debug: Process C:\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE reputation 99 final 0 result 0x00000000 flags 0x0000000001000000 type: 1 connectivity: 1

            09/13/2017 04:11:29.258 PM   mfeatp(3452.5456) <SYSTEM> Orchestrator.JTI.Debug: Process C:\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE JTI reputation 99 rule 51 threat name JTI/Trusted!65587 , JCM reputation 99, IsFinal 0

            09/13/2017 04:11:29.259 PM   mfeatp(3452.5456) <SYSTEM> Orchestrator.Action.Debug: Orchestrator finalizing reputation for C:\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE

            09/13/2017 04:11:29.765 PM   mfeatp(3452.6596) <SYSTEM> Orchestrator.JCM.Debug: Process C:\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE reputation 99 final 0 result 0x00000000 flags 0x0000000001000000 type: 1 connectivity: 1
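
The search described in the first post can be turned into a per-file, per-error-code tally, which makes it easy to compare a log taken before and after a change such as the ATP reinstall. This is an added example, not code from the posters or from McAfee; the function name `tally_failures`, the regexes and the sample paths are assumptions made here, written against the two line shapes quoted in this thread.

```python
import re
from collections import Counter

# Constructed sample in the line shapes quoted in this thread: with and without
# the "(source.cpp:line)" suffix, and ending in "ErrorCode 0x.." or "result:0x..".
SAMPLE_LOG = r"""
09/05/2017 01:29:10.339 PM   mfeatp(2872.5352) <SYSTEM> Orchestrator.Action.Debug: Orchestrator finalizing reputation for C:\APPS\DEMO.EXE
09/05/2017 01:29:10.339 PM   mfeatp(2872.5352) <SYSTEM> Orchestrator.JCM.Error: Failed to finalize reputation for file C:\APPS\DEMO.EXE. ErrorCode 0xc030002f
09/13/2017 09:11:18.796 AM   mfeatp(1732.4232) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:702): Failed to finalize reputation for file C:\APPS\DEMO.EXE. ErrorCode 0xc030002f
09/13/2017 11:02:06.164 AM   mfeatp(1732.1624) <SYSTEM> Orchestrator.JCM.Error (jcm_native.cpp:658): Failed to set new reputation for process E:\TOOLS\OTHER.EXE, result:0xc0300027
"""

# timestamp, process(pid.tid), <user>, component.level, optional (source:line), message
LINE_RE = re.compile(
    r"^\s*(?P<ts>\d{1,2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [AP]M)\s+"
    r"(?P<proc>\w+)\((?P<pid>\d+)\.(?P<tid>\d+)\)\s+<(?P<user>[^>]*)>\s+"
    r"(?P<component>[\w.]+)\.(?P<level>\w+)"
    r"(?:\s+\((?P<src>[^)]+)\))?:\s+(?P<msg>.*)$"
)

# The two failure messages that appear in the thread.
FAIL_RE = re.compile(
    r"Failed to (?:finalize reputation for file|set new reputation for process) "
    r"(?P<path>.+?)(?:\. ErrorCode |, result:)(?P<code>0x[0-9a-fA-F]{8})"
)


def tally_failures(log_text):
    """Count reputation failures per (file path, error code); skip all other lines."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("level") != "Error":
            continue  # blank line, Debug line, or a shape this parser does not know
        f = FAIL_RE.search(m.group("msg"))
        if f:
            counts[(f.group("path").upper(), f.group("code").lower())] += 1
    return counts


if __name__ == "__main__":
    for (path, code), n in tally_failures(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {code}  {path}")
```

An empty result on a log captured after remediation corresponds to what the last reply reports.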