1 2 3 Previous Next 53 Replies Latest reply on Oct 7, 2011 11:50 AM by Peter M

    Security Center changes IE security settings

      I am running Security Center 9.3.151 on Windows Vista Ultimate SP1. I use Internet Explorer 8 and I configure IE 8 (IE 8 > Tools > Internet Options > Advanced) to "Use SSL 3.0" and "Use TLS 1.0". I do not want to use SSL 2.0 ever.

      However, these settings are being changed by Security Center to disable TLS 1.0 and to enable both SSL 2.0 and SSL 3.0. The settings change whenever I right-click the McAfee SecurityCenter icon in the Windows Taskbar and select "Open SecurityCenter".

      I know it is SecurityCenter (mcshell.exe) changing the settings because I setup auditing within the registry to figure out which application is changing the settings. SecurityCenter changes the SecureProtocols value from 160 (TLS 1.0 and SSL 3.0) to 40 (SSL 2.0 and SSL 3.0). See auditing info below (potentially sensitive information was replaced with asterisks).

      The problem also occurs on Windows XP SP3.

      Please fix SecurityCenter so that it does not change the SecureProtocols value within the Internet Settings.

      ================ REGISTRY AUDITING INFO =================

      A registry value was modified.

      Subject:
      Security ID: ********\********
      Account Name: ********
      Account Domain: ********
      Logon ID: 0x5afa1

      Object:
      Object Name: \REGISTRY\USER\S-1-5-21-**********-**********-**********-1000\Software\Microsof t\Windows\CurrentVersion\Internet Settings
      Object Value Name: SecureProtocols
      Handle ID: 0x430
      Operation Type: Existing registry value modified

      Process Information:
      Process ID: 0x15e0
      Process Name: C:\Program Files\McAfee\MSC\mcshell.exe

      Change Information:
      Old Value Type: REG_DWORD
      Old Value: 160
      New Value Type: REG_DWORD
      New Value: 40
        • 1. RE: Security Center changes IE security settings
          Peter M
          In mine (default settings) SSL3.0 is ticked as well as SSL2.0 but not TLS1.0, and I believe that 3.0 overrides 2.0 anyway. I am aware that as of IE7 SSL2.0 has been regarded as a security risk.
          TLS1.0 isn't used any more as far as I know & isn't selected by default, in my setup anyway.

          (I'm wondering if the default settings may vary depending on what operating system you are using).

          Security Center is in fact an IE page albeit internal and relies upon IE being set at its default settings, so if you change them it may malfunction, or, as in your case, may alter them back.

          This is a rather technical question which can't be directly answered on this board. I'll have to flag it internally and hope that someone at McAfee HQ can answer it.

          Sorry but we are just unpaid volunteers here, not McAfee staff, but if I flag it, hopefully someone from McAfee will come up with an answer for you.
          • 2. RE: Security Center changes IE security settings
            Peter,

            Thank you for replying. I do appreciate you flagging my question for McAfee staff to look at it.

            You wrote, "TLS1.0 isn't used any more as far as I know ...". All of the financial and e-commerce web sites that I visit do use TLS 1.0 over SSL 3.0, if both are enabled in the web browser. TLS 1.0 is an improvement over SSL 3.0 (see http://csrc.nist.gov/publications/nistpubs/800-52/SP800-52.pdf for details). And as you noted, SSL 2.0 is a security risk. So it seems wrong to me for SecurityCenter to enable the least secure protocol (SSL 2.0) and disable TLS 1.0. Hopefully, McAfee will investigate the issue and respond.

            Thanks again for your help.
            • 3. RE: Security Center changes IE security settings
              Peter M
              According to Microsoft TLS1.0 isn't enabled by default in any version of IE, see: http://support.microsoft.com/kb/811834

              From a Google search it appears that it should only be enabled if a particular website demands it. It's one of the older transport layers.

              I've never had it enabled here and have no problem with online financial transactions.

              I guess it's a matter of what's needed at the time.

              However, getting McAfee to change that behaviour would, I doubt, be a lost cause as the default settings are what Security Center looks for and those are SSL 2.0 and SSL 3.0.

              Anyway, I have asked.
              • 4. Security Center changes IE security settings - SSL2
                I was having exactly the same problem that pigglety described on 5-16-09 at 07:49am. I actually called McAfee tech support in Aug 2009 and told them about the problem. I even provided them with the excellent technical info that pigglety provided.

                At first McAfee technicians totally denied McAfee Security Suit would make any changes to the Windows Vista registry file. After speaking to three different McAfee technicians, I finally found someone in McAfee who admitted that there was indeed a bug in McAfee Security Suit, and everything would be fixed in the next updated version. I took the technician at McAfee at his word, and I have been patiently waiting for the next version of McAfee to be released.

                On Sept 21, 2009 McAfee Security Center (build 9.15.126) was released, and I installed it on my PC. I was really hoping that it would finally fix the issue where McAfee Security Security Center would automatically enable SSL2 on IE8 as well as Google Chrome. Well guess what? The newest build does NOT fix the problem. Everything that pigglety described on 5-16-09 is still true today, even with the newest McAfee Security Center installed.

                I am so disappointed with McAfee. It was a royal pain explaining over and over again the SSL2 software bug to the McAfee technicians. I have absolutely no desire to spend another hour on the phone going thru that drill again!

                If anyone has a solution, please let me know. Thanks!
                • 5. RE: Security Center changes IE security settings - SSL2
                  Peter M
                  Are you sure that these so-called default settings aren't ones that are in fact custom set by the commercial concerns?

                  In all my various installations ranging from XP and IE6 up to Windows 7 and IE8 the default SSL2 and 3 are the only ones checked by default in IE. That's with or without McAfee installed.

                  These can be manually altered of course.

                  I have never known these settings to be changed by any McAfee version, despite what the technicians may or may not have said. They aren't the developers and are only basically call center workers.

                  I would say your argument is more with Microsoft than it is with McAfee.
                  • 6. RE: Security Center changes IE security settings - SSL2
                    Yes I am sure.

                    If I disable the SSL2 option in IE8 or Chrome, it will remain disabled unless I launch McAfee Security Center.

                    Immediately after McAfee Security Center is launched, SSL2 will be re-enabled on IE8 and Chrome. It is such a pain.
                    • 7. RE: Security Center changes IE security settings - SSL2
                      Peter M
                      So what is the big deal anyway? SSL3 automatically overrides SSL2 in any case. According to Microsoft.
                      • 8. RE: Security Center changes IE security settings - SSL2
                        I acknowledge that it is not a catastrophic problem. However, it really bothers me that McAfee Security Center is overriding the way that I have manually configured IE8 and Google Chrome browsers.

                        It also concerns me that McAfee does not follow through in fixing bugs that have been reported to them.
                        • 9. RE: Security Center changes IE security settings - SSL2
                          Peter M
                          By the way, I would imagine that Microsoft dictates to all security software manufacturers whose products are designed to interact with Windows Security, that such settings must be protected, so McAfee in this case is only protecting the default settings, which is a function of security software after all.
                          Im sure a Microsoft Newsgroup or Forum would bear me out on that.

                          Addendum: I doubt such processes could be discussed in open forum as they involve patented/copyrighted processes from both Microsoft and McAfee. I do know that all security software makers have to follow a set of guidelines laid down by Microsoft. So I doubt you can blame McAfee totally for this.

                          I guess for now the answer is, don't open Security Center while using those settings.

                          The 2010 products will be releasing soon so who knows, things may change.
                          1 2 3 Previous Next