2 Replies Latest reply on Aug 3, 2010 10:08 AM by jguenrdc

    VSE 8.7 P3 and Vista x64

      I deployed P3 to a Vista x64 system to test it.  The versions on the system are:

       

      Agent: 4.5.0.1499

      VSE: 8.7.0.570, P3 (was P2)

      DAT: 6059

      BOF: 499

      (Our ePO is 4.5.0 Build 937)

       

      I used the original P3 patch, not the P3 Repost full install.

       

      After I installed P3, the following events began to occur:

       

      1) When rebooting, there are process spoofing warnings for the following items (I have it set to warn but not block):

      path                        source

      c:\windows\explorer.exe     c:\windows\system32\userinit.exe

      c:\windows\explorer.exe     c:\windows\system32\svchost.exe

      c:\windows\explorer.exe     c:\windows\explorer.exe

      c:\windows\explorer.exe     c:\windows\system32\taskmgr.exe

       

      According to KB68448, this should be fixed. Why am I still seeing it?

       

       

      2) When rebooting, there are Prevent termination of McAfee processes entries for the following items (I have it set to warn and block):

      path                                                                   source

      c:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\McShield.exe    c:\windows\system32\winlogon.exe

       

      3) There are frequent Prevent termination of McAfee processes entries for the following items (I have it set to warn and block):

      path                                                                   source

      c:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe    c:\windows\system32\svchost.exe

      c:\Program Files (x86)\McAfee\Common Framework\McScript_InUse.exe      c:\windows\system32\svchost.exe

      c:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe            c:\windows\system32\svchost.exe

      c:\Program Files (x86)\McAfee\Common Framework\NaPrdMgr.exe            c:\windows\system32\svchost.exe

      c:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\McShield.exe    c:\windows\system32\svchost.exe

      c:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe        c:\windows\system32\svchost.exe

      c:\windows\system32\mfevtps                                            c:\windows\system32\svchost.exe

       


      I remember having these frequent Prevent termination entries when I first tested VSE 8.7 on Vista x64, but one of the patches fixed it.  I don't remember if it was P1 or P2.  It looks like it is back.

       

      Our two other Vista x64 systems are still on P2 and do not exhibit these symptoms.  On the P3 system, I rebooted right after installing P3 (via ePO) and the entries began showing up right away.

       

      Is anyone else seeing these issues with Vista x64 and P3?

       

      Jay

        • 1. Re: VSE 8.7 P3 and Vista x64

          Hi

           

          Can you please confirm you applied the hotfix attached to KB68448 prior to installing Patch 3?

           

          Many thanks

           

          Regards

          • 2. Re: VSE 8.7 P3 and Vista x64

            KB68448 says:

             

            This issue is resolved by an updated vscan.bof content file from the McAfee Common Updater site. The updated package is also attached to this article.

            With the updated content file on the system, Patch 3 can be applied and computers will never encounter the issue.

            NOTE: This content file is also used by VirusScan Enterprise 8.5i. After the update, VSE 8.7i and 8.5i will report version 480 for the Buffer Overflow and Access Protection DAT Version.
             
            To get the updated vscan.bof:

            • Non-ePolicy Orchestrator (ePO) managed computers
              This updated file will be automatically downloaded and applied when updating from the McAfee Common Updater site in the same way as daily DAT files.
               
            • ePolicy Orchestrator managed computers, or those using Autoupdate Architect
              Add the package attached to this article to your repository, or configure the Repository Pull task to also retrieve Buffer Overflow DAT for VirusScan Enterprise packages.

             

             

             

            Before I installed P3, the repository pull and the DAT update tasks were set to get and install Buffer Overflow DATs.  The system in question already had Buffer Overflow DAT version 499 before I installed P3.  The way I read the KB, that means there shouldn't be a problem.  Am I missing something?

             

            Jay