2 Replies Latest reply on Nov 7, 2013 9:19 AM by Kary Tankink

    HIPS 8 Patch 3 in adaptive mode causes Windows 8 to reboot after logon, violations 1003 MFEFIRE WERFAULT

    chaitan

      Hi,

       

      The latest version of HIPS 8 Patch 3 was installed on a Windows 8 laptop and connected to a freshly installed EPO 5 with the latest extensions for these products.

       

      Everything was fine until HIPS was enabled in EPO; it was possible to reboot, etc. Today I enabled Adaptive Mode for both IPS and Firewall in the Default policies in EPO. After policy propagation to the client, the laptop self-rebooted after some time; I mean, the system just warned that it would reboot after 2 minutes and offered to close all applications.

       

      After that, the user could not log in to Windows anymore. Namely, the Windows logon screen appears, the user enters credentials, 2-3 minutes pass, and the laptop reboots.

       

      Fortunately it was still possible to log on by rebooting into Safe Mode from the logon screen. In this case, the following message appeared after logon:
      "Failed to connect to a Windows service. Windows couldn't connect to the AUInstallAgent service. This problem prevents standard users from signing in. As an administrative user, you can review the system event log for details about why the service didn't respond." The problematic service is Windows All-User Install Agent.

       

      But the problematic user logs on as an administrator, not as a standard user.

       

      In the system log, I can see the following informational messages just before the reboot:

       

      Info: "The following boot-start or system-start driver(s) did not load: dam"

      Info: "The process wininit.exe has initiated the restart of computer HOST01 on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found. Reason code: 0x50006. Shutdown type: restart. Comment: The system process 'C:\windows\system32\services.exe' terminated unexpectedly with status code - 1073741819. The system will now shut down and restart".

      Or

      "The process C:\Windows\system32\winlogon.exe (HOST01) has initiated the restart of computer HOST01 on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found. Reason code: 0x500ff. Shutdown type: restart."

      Error: "DCOM got error "1726" attempting to start the service netprofm with arguments: "Unavailable" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}"

      Warning: "Name resolution for the name isatap.Home timed out after none of the configured DNS servers responded"

       

      There are many identical exceptions in the HipShield.log file:

      11-04 15:50:58.947 Alert: 0x4,4c Block event matching sig 1003
      11-04 15:51:02 [02108] VIOLATION: NoLog Id found 1003
      11-04 15:51:02 [02108] VIOLATION: [1] ------- Violation ---- Size 1193 ----
      <Event> <!-- Level=High, Reaction=Prevent -->
        <EventData
        SignatureID="1003"
        SignatureName="Windows Agent Shielding - Process Access"
        SeverityLevel="4"
        Reaction="3"
        ProcessUserName="NT AUTHORITY\SYSTEM"
        Process="&lt;SYSTEM&gt;"
        IncidentTime="2013-11-04 15:50:59"
        AllowEx="False"
        SigRuleClass="Program"
        ProcessId="4"
        Session="0"
        SigRuleDirective="open_with_terminate,open_with_modify"/>
        <Params>
          <Param name="Workstation Name" allowex="True">HOST01</Param>
          <Param name="Target File Name" allowex="False">MFEFIRE.EXE</Param>
          <Param name="Target Path" allowex="False">C:\PROGRAM FILES\COMMON FILES\MCAFEE\SYSTEMCORE\MFEFIRE.EXE</Param>
          <Param name="Target Distinguished Name" allowex="False">CN=&quot;MCAFEE, INC.&quot;, OU=IIS, OU=DIGITAL ID CLASS 3 - MICROSOFT SOFTWARE VALIDATION V2, O=&quot;MCAFEE, INC.&quot;, L=SANTA CLARA, S=CALIFORNIA, C=US</Param>
          <Param name="Target Organization Name" allowex="False">&quot;MCAFEE, INC.&quot;</Param>
          <Param name="Target Description" allowex="False">MCAFEE CORE FIREWALL SERVICE</Param>
          <Param name="Target Fingerprint" allowex="False">cc89cfc30d2d919562c1986974c74f9f</Param>
        </Params>
      </Event>

       

      (the same exception also for FIRESVC.EXE), and

       

      <Event> <!-- Level=High, Reaction=Prevent -->
        <EventData
        SignatureID="1003"
        SignatureName="Windows Agent Shielding - Process Access"
        SeverityLevel="4"
        Reaction="3"
        ProcessUserName="NT AUTHORITY\SYSTEM"
        Process="C:\WINDOWS\SYSTEM32\WERFAULT.EXE"
        IncidentTime="2013-11-04 14:14:49"
        AllowEx="False"
        SigRuleClass="Program"
        ProcessId="4652"
        Session="0"
        SigRuleDirective="open_with_terminate,open_with_modify"/>
        <Params>
          <Param name="Workstation Name" allowex="True">HOST01</Param>
          <Param name="Subject Distinguished Name" allowex="False">CN=MICROSOFT WINDOWS, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</Param>
          <Param name="Subject Organization Name" allowex="False">MICROSOFT CORPORATION</Param>
          <Param name="Executable Description" allowex="False">WINDOWS PROBLEM REPORTING</Param>
          <Param name="Executable Fingerprint" allowex="False">c89fab42cd5fd672506031d941529a74</Param>
          <Param name="Target File Name" allowex="False">MFEVTPS.EXE</Param>
          <Param name="Target Path" allowex="False">C:\WINDOWS\SYSTEM32\MFEVTPS.EXE</Param>
          <Param name="Target Distinguished Name" allowex="False">CN=&quot;MCAFEE, INC.&quot;, OU=IIS, OU=DIGITAL ID CLASS 3 - MICROSOFT SOFTWARE VALIDATION V2, O=&quot;MCAFEE, INC.&quot;, L=SANTA CLARA, S=CALIFORNIA, C=US</Param>
          <Param name="Target Organization Name" allowex="False">&quot;MCAFEE, INC.&quot;</Param>
          <Param name="Target Description" allowex="False">MCAFEE PROCESS VALIDATION SERVICE</Param>
          <Param name="Target Fingerprint" allowex="False">42eb23142c60c914cf1f652f1303f7b2</Param>
        </Params>
      </Event>

       

       

      While the problem was temporarily "fixed" after manually disabling the McAfee Host Intrusion Prevention Service in Safe Mode and restarting, is it possible to determine what is happening and how to prevent this situation?

       

      All software (HIPS, Agent, EPO) is the latest version; at least it is listed as "Up to date" in EPO.

      Software versions:

      HIPS Client 8.0.0

      2151

      8.0.0.5153

       

      Eugeny.
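The post quotes two kinds of evidence: the HipShield.log `<Event>` records (signature 1003 blocking PID 4 and WerFault.exe from opening McAfee processes with terminate/modify rights) and a System log restart event giving the crash status of services.exe as a signed integer. The script below is an added example, not McAfee's code and not part of the original post: it parses `<Event>` records in that format, counts the blocked actor-to-target pairs so repeated ones stand out, separates Microsoft-signed actors (here WerFault.exe) from the kernel (`<SYSTEM>`, PID 4), and masks the signed status -1073741819 back to its NTSTATUS value 0xC0000005 (STATUS_ACCESS_VIOLATION). The embedded sample is a trimmed copy of the two events quoted above; the function names are my own.

```python
"""Added example: summarise HIPS 'Windows Agent Shielding' (sig 1003) violations
from a HipShield.log excerpt and decode the services.exe crash status from the
System log restart event. Stand-alone; not McAfee code."""
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Trimmed copy of the two <Event> records quoted in the post, with the
# preceding VIOLATION lines, embedded so the script runs offline.
SAMPLE_LOG = r"""
11-04 15:51:02 [02108] VIOLATION: NoLog Id found 1003
11-04 15:51:02 [02108] VIOLATION: [1] ------- Violation ---- Size 1193 ----
<Event> <!-- Level=High, Reaction=Prevent -->
  <EventData SignatureID="1003" SignatureName="Windows Agent Shielding - Process Access"
    SeverityLevel="4" Reaction="3" ProcessUserName="NT AUTHORITY\SYSTEM"
    Process="&lt;SYSTEM&gt;" IncidentTime="2013-11-04 15:50:59" AllowEx="False"
    SigRuleClass="Program" ProcessId="4" Session="0"
    SigRuleDirective="open_with_terminate,open_with_modify"/>
  <Params>
    <Param name="Workstation Name" allowex="True">HOST01</Param>
    <Param name="Target File Name" allowex="False">MFEFIRE.EXE</Param>
    <Param name="Target Path" allowex="False">C:\PROGRAM FILES\COMMON FILES\MCAFEE\SYSTEMCORE\MFEFIRE.EXE</Param>
    <Param name="Target Organization Name" allowex="False">&quot;MCAFEE, INC.&quot;</Param>
  </Params>
</Event>
<Event> <!-- Level=High, Reaction=Prevent -->
  <EventData SignatureID="1003" SignatureName="Windows Agent Shielding - Process Access"
    SeverityLevel="4" Reaction="3" ProcessUserName="NT AUTHORITY\SYSTEM"
    Process="C:\WINDOWS\SYSTEM32\WERFAULT.EXE" IncidentTime="2013-11-04 14:14:49" AllowEx="False"
    SigRuleClass="Program" ProcessId="4652" Session="0"
    SigRuleDirective="open_with_terminate,open_with_modify"/>
  <Params>
    <Param name="Workstation Name" allowex="True">HOST01</Param>
    <Param name="Subject Organization Name" allowex="False">MICROSOFT CORPORATION</Param>
    <Param name="Executable Description" allowex="False">WINDOWS PROBLEM REPORTING</Param>
    <Param name="Target File Name" allowex="False">MFEVTPS.EXE</Param>
    <Param name="Target Path" allowex="False">C:\WINDOWS\SYSTEM32\MFEVTPS.EXE</Param>
    <Param name="Target Organization Name" allowex="False">&quot;MCAFEE, INC.&quot;</Param>
  </Params>
</Event>
"""

EVENT_RE = re.compile(r"<Event>.*?</Event>", re.S)
# The XML comment after <Event> carries the human-readable level and reaction;
# ElementTree drops comments, so it is read with a regex.
HEADER_RE = re.compile(r"<!--\s*Level=(\w+),\s*Reaction=(\w+)\s*-->")


def parse_violations(text):
    """Return one dict per <Event> block: which process touched which McAfee
    binary, with what access rights, and what HIPS did about it."""
    events = []
    for block in EVENT_RE.findall(text):
        root = ET.fromstring(block)
        data = root.find("EventData").attrib
        params = {p.get("name"): p.text for p in root.iter("Param")}
        level, reaction = HEADER_RE.search(block).groups()
        events.append({
            "sig": data["SignatureID"],
            "name": data["SignatureName"],
            "level": level,
            "reaction": reaction,
            "time": data["IncidentTime"],
            "actor": data["Process"],            # "<SYSTEM>" is the kernel, PID 4
            "pid": int(data["ProcessId"]),
            "directive": data["SigRuleDirective"].split(","),
            "actor_org": params.get("Subject Organization Name"),
            "target": params.get("Target Path"),
            "target_org": params.get("Target Organization Name"),
        })
    return events


def summarize(events):
    """Count (actor, target, reaction) triples; a pair that repeats every few
    seconds is the one worth an exception or a support case."""
    return Counter((e["actor"], e["target"], e["reaction"]) for e in events)


def microsoft_signed_actors(events):
    """Events where a Microsoft-signed binary was blocked from opening a McAfee
    process with terminate or modify rights (WerFault.exe in the post)."""
    return [e for e in events
            if e["actor_org"] == "MICROSOFT CORPORATION"
            and "open_with_terminate" in e["directive"]]


NTSTATUS_NAMES = {0xC0000005: "STATUS_ACCESS_VIOLATION"}


def decode_exit_status(signed_code):
    """The User32 restart event prints the crashing process status as a signed
    32-bit integer; mask it back to the NTSTATUS value and name it if known."""
    code = signed_code & 0xFFFFFFFF
    return code, NTSTATUS_NAMES.get(code, "unknown")


if __name__ == "__main__":
    evs = parse_violations(SAMPLE_LOG)
    for (actor, target, reaction), n in summarize(evs).items():
        print(f"{n}x {reaction}: {actor} -> {target}")
    for e in microsoft_signed_actors(evs):
        print("Microsoft-signed actor blocked:", e["actor"], "pid", e["pid"], "at", e["time"])
    code, name = decode_exit_status(-1073741819)
    print(f"services.exe terminated with 0x{code:08X} ({name})")
```

Run it against a real HipShield.log by replacing SAMPLE_LOG with the file contents; the regex tolerates the VIOLATION and Alert lines between records. The status decoding is the part worth remembering: -1073741819 in the restart event is 0xC0000005, an access violation inside services.exe, which is a different failure from the HIPS blocks and should be matched against a WER or crash dump rather than against the signature 1003 events.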