9 Replies Latest reply on Oct 9, 2017 12:11 PM by greentree

    ENS 10.5.2 patch 2 msibox

    greentree

      Hello, perhaps someone has seen this or maybe can point me in the right direction, as I've been on this without any luck for a week and am starting to lose it.

       

      Checked in patch 2 managed to screw a lot of systems in a strange way.... A device starts, a user tries to launch file explorer or right click on any file, and a McAfee ENS Threat Prevention msi installation box appears that tries to install ENS Threat Prevention (which had been previously installed by ePO and is present and running on the system). The msi installer fails because MSIEXEC.EXE violates the self protection rule. I've been monitoring the processes and couldn't see anything suspicious, except that on some machines after they got patch 2 installed HipHandlers64.dll was missing and the EXPLORER.EXE process was querying the registry and folders for lots of ENS files, but the only file it couldn't find was HipHandlers64.dll.

       

      2 workarounds that I found so far: one was to remove the existing ENS 10.5.2 and install it again. Another option was to exclude the msiexec.exe process from self protection.

       

      At the same time, if Threat Prevention patch 2 is checked in and a client that has 10.5.2 installed runs the patches update (the update actually doesn't run because it determines that the latest version is installed), it breaks it again and the msibox starts appearing again. So I removed all ENS 10.5.2 patches from the repository. There haven't been any other ENS patches in the repo prior to checking in patch 2.

       

      The systems are Windows 10 and the ePO is 5.3.1

       

      Any ideas would be much appreciated as this is driving me nuts

        • 1. Re: ENS 10.5.2 patch 2 msibox
          greentree

          In addition to the EXPLORER.EXE process... Looks like when file explorer is called, or any file is right clicked on to call a menu, explorer.exe, after going via McAfee reg keys, tries to access some scan process that is mentioned in the registry, and it looks like this is when svhost.exe calls msiexec with parameter /v, which is why the msibox is displayed.

           

          However, the whole reason why this is happening is unknown, and why Threat Prevention tries to reinstall itself, or maybe fix itself... There's nothing in the McAfee log, and I can't trace what file msiexec is actually executing. And more importantly, why the msibox is even visible.

          • 2. Re: ENS 10.5.2 patch 2 msibox
            manning

            I can't even check in 10.5.2. If I try to check in the components through the software manager in ePO, platform first, it just hangs at 50%. I have to stop and restart the services, log back into ePO and then when I look it appears to have been checked into the repository, but still appears as an update that needs to be checked in/updated.

             

            There is a KB that indicates a hotfix was released on the 12th, but it is nowhere to be found on the My Products download pages, the ePO software manager or otherwise. I guess I should consider myself lucky?

            • 3. Re: ENS 10.5.2 patch 2 msibox
              greentree

              I added all stuff from the master repository, downloaded install packages from the McAfee web and checked them in using the repo

              • 4. Re: ENS 10.5.2 patch 2 msibox
                epoadmin@leedsmet.ac.uk

                Hi,

                 

                We have this same issue, luckily we haven't widely deployed ENS 10.5 yet but this has cropped up on our test users and is preventing any further roll out for us.

                 

                We are also running EPO 5.3.1 and the clients are Windows 10.

                 

                No problems until we checked in Patch 2 for ENS.

                 

                Any help would be appreciated.

                • 5. Re: ENS 10.5.2 patch 2 msibox
                  manning

                  Thank you for the reply. For whatever reason, if I try to download and check in that way it still results in either an outright failed result or hangs at 50% indefinitely. And more frustrating, as mentioned above, is that platform appears to be both checked in and needing to be checked in.

                  • 6. Re: ENS 10.5.2 patch 2 msibox
                    greentree

                    The only solution that I've come up with was to remove all ENS 10.5.2 patches and just check in 10.5.2 install packages. Then I pushed the deployment of 10.5.2 on devices that had 10.5.1 installed. No msibox. For the affected machines that had previously received the 10.5.2 patches (not full install packages!) I created a temp self protection policy with an exclusion for the msiexec.exe process. After that, on the affected machines the msibox appears only once, fixes itself and that's it. I investigated further, and it looks like the msibox is triggered because something is wrong with the Scan for threats icon that is present on the context menu when you right click on a file.

                     

                    @manning

                     

                    No idea... I guess you need to drill through the logs on the ePO server to see what's going on. My approach usually is, if I can't check in a package via software manager, I do it manually and it always works. I would also try to delete all the ENS packages from the master repository and try to recheck them manually by downloading zips. Also don't forget to check in relevant extensions

                    • 7. Re: ENS 10.5.2 patch 2 msibox
                      manning

                      Thank you for replying and my apologies for the hijack.

                       

                      I had tried removing all the ENS stuff in the repository and it would fail and all content would remain, but figured I would try again and messed with the order of removal and it worked. Checking in then succeeded.

                       

                      Now, not sure if that was a good or bad idea yet as I haven't started updating clients by that means, though I have used the standalone installer without any issues. We'll see.

                      • 8. Re: ENS 10.5.2 patch 2 msibox
                        epoadmin@leedsmet.ac.uk

                        McAfee have a support document for this issue now and a workaround.

                         

                        McAfee Corporate KB - Error 1336. There was an error creating a temporary file that is needed to complete this installat…

                         

                        Going to hold off deploying 10.5.2 for now until this is properly fixed.

                        • 9. Re: ENS 10.5.2 patch 2 msibox
                          greentree

                          Thanks for the link mate!

                           

                          I was on HipHandlers64.dll actually when I was monitoring the processes, but dropped it because only a few clients had this file missing. In fact, when I copied this file to the clients that originally had it missing it helped only for a couple of days. After that the msibox started appearing again.

                           

                          Well, hopefully the fix will fix it