Skip navigation
McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
1681 Views 9 Replies Latest reply: Oct 16, 2013 2:39 AM by dmease729 RSS
dmease729 Champion 267 posts since
Jul 22, 2011
Currently Being Moderated

Aug 6, 2013 5:21 AM

VSE hotfix file version inconsistencies and Agent error 2402

Hi,

 

I have recently taken over a number of ePO environments, and have noted the following:

 

We are constantly receiving 2402 client events from all of our managed systems.  Hotfixes 778101 and 805660 are checked in to the master repository. 


- Checking the registry location ...\McAfee\DesktopProtection on a managed system I can see an entry for Hotfix_805660.  I cannot see an entry for Hotfix 778101
- Checking the agent log on a managed system, I can see the source of the 2402 client events:
           "Update failed to version Hotfix 975"
           "Generating update event:EventID=2402........"

 

I have come across KB78396, however this relates to P3 and hotfixes that I am not dealing with at present.  "So...", I think, "...if hotfix 805660 updates the same files that hotfix 78396 does, I should just be able to remove 78396 from the repository - tis probably causing the complaints".  This is where confusion comes in... From the hotfix release notes:

 

- Hotfix 805660 released 29/01/13
- Hotfix 778101 released 02/11/12
- Both hotfixes update exactly the same files (huzzah! makes my life easier! ... ...?)
- Example file versions:
           - Hotfix 805660 updates adslokuu.dll to version 15.0.0.468
           - Hotfix 778101 updates adslokuu.dll to version 15.0.0.476
           - Hotfix 805660 updates mfeapconfig.dll to version 15.0.0.518
           - Hotfix 778101 updates mfeapconfig.dll to version 15.0.0.537

 

Muh?  So the hotfix that was released nearly 3 months earlier updates the files to later versions??

 

Checking the couple of example files on one of the managed systems returns the following versions:
          - adslokuu.dll = 15.0.0.476
          - mfeapconfig.dll = 15.0.0.537

 

So as I would appear to be running the later version of the dlls given the two hotfixes combined, I am hypothesising that my next step would be to simply remove hotfix 778101 from the master repository and watch this issue disappear. 

 

QUESTIONS: Could I possibly have thoughts on my hypothesis, and just to ensure my sanity could anybody explain why the later hotfix contains earlier versions of files?


Many thanks!

  • wwarren McAfee SME 775 posts since
    Nov 3, 2009

    The hotfix package 805660 is fairly unique in terms of what we release for hotfixes, not only because it addresses a vulnerability but because of its installer.

    Hotfixes that include our Syscore code "call out" to another installer that's already present in the VSE installation, passing along appropriate command line options. But due to a limitation in that installer's capability, it cannot invoke 2 separate install functions (that we were needing) in a singular install package.

     

    For this reason, you need 805660 if you ever used the 14.4 version of our Syscore files (explained in SB10034), to adopt the code fix that is built into and invoked by its installer.

    And you still need 778101 to install the newer Syscore files that address stability issues (and as it happens, a different vulnerability too).

    Support should be directing customers to use both as a precaution, but customers may eliminate 805660 if they know they never used 14.4 Syscore//VScore code.

     

    The odd event you're getting from the Agent isn't something I've heard be tied to these hotfixes. If confirmed, that would be of interest so I can inform my team to avoid causing that in future.

  • wwarren McAfee SME 775 posts since
    Nov 3, 2009

    First paragraph - Yes. Your understanding is clear.

    Second paragraph - Correct, fresh installs don't need it - but we tell you to run it anway because you can't distinguish a fresh install from an upgrade very easily.

    The wording of the hotfix is accurate.

    The timing of the releases is irrelevant. If 778101 is installed first you still need to run 805660 because the fix is run by its installer, the file versions don't matter. This need is due to the limitation I mentioned earlier; 778101 could not both install its updated drivers and close the vulnerability solved by 805660.

     

    What you've described is an installation of 778101 that did not complete for some reason, i.e. it didn't write the Hotfix_778101 registry value. Odd that all the files would get replaced and it not manage to write the registry value. You could try working with Support to see if that can be figured out.

  • wwarren McAfee SME 775 posts since
    Nov 3, 2009

    Mind=Blown, indeed . Your line of questioning is encroaching on the complexities of what our QA team have to deal with internally. We like to keep the curtain closed so you don't see the wizard and your brain melt instantly, but to the inquisitive and observant mind it's difficult to do! Thankfully we have this "That's proprietary info" card we can play when we really need to. Haha.

    It was the event 2402 that sent you on this path, so that was of interest to me to identify cause and squish - and it may be tied to that 778101 not completing the install completely... that certainly wasn't meant to happen.

  • cakeboss Newcomer 26 posts since
    Oct 24, 2012

    Did you ever find out what was causing the 2402 error?  I'm seeing the same thing on many systems while attempting to apply patch 2 and the two hotfixes.

More Like This

  • Retrieving data ...

Bookmarked By (0)

Legend

  • Correct Answers - 5 points
  • Helpful Answers - 3 points