9 Replies. Latest reply: Nov 6, 2014 5:49 PM by wwarren

    VSE 8.8 patch 4 Buffer Overflow threats

    ruudkr

      Dear all,

      We recently migrated our old ePO server to the new ePO 5.1 and upgraded our clients to VSE 8.8 Patch 4.

      Since then we get a lot of threat messages about Buffer Overflow Protection.

      I read some articles that mention old software being used that might be the cause of the buffer overflow messages. In a KB article from McAfee, it is described that you can see which program is causing the BO threat, but unfortunately this does not show in the messages I get. An example is below:

      Threat name: BO:Stack
      Threat Type: buffer overflow
      Threat Category: Host intrusion buffer overflow
      Threat Severity: Critical
      Action: blocked
      File: _:NTDLL.KiUserExceptionDispatcher::6a122ea2
      Event Desc.: Buffer Overflow detected and blocked
      Hostname: xxxxxxxxxxx
      IP address: xxx.xxx.xxx.xxx
      User: domain\username
      System Location: AD OU

      In the article, the program that caused the BO threat should be mentioned in the file part of the message, in front of _:NTDLL, but here it is empty.

      How can I identify which program caused this threat so I can see if the program can be updated? Or are these legitimate threats?

      Thanks in advance.

        • 1. Re: VSE 8.8 patch 4 Buffer Overflow threats
          llamamecomoquieras

          Morning,

          Do you have any detection in the OAS log?

          Regards,

          José María

          • 2. Re: VSE 8.8 patch 4 Buffer Overflow threats
            ruudkr

            Hello José María,

            I am not near the computer that gave a message this morning, so I have checked the log file c:\programdata\mcafee\desktopProtection\BufferOverflowProtectionlog.txt remotely, assuming that that is the correct log file to look in.

            There is the following error:

            7/30/2014 12:38:51 AM Blocked by Buffer Overflow Protection  IRNL\u787745 C:\windows\explorer.exe:NTDLL.KiUserExceptionDispatcher::6a122ea2 BO:Stack

            Is this the correct log file, and does it mean that the BO threat is caused by Windows Explorer?

            • 3. Re: VSE 8.8 patch 4 Buffer Overflow threats
              llamamecomoquieras

              Hello,

              Well, from that log I can see that the process Explorer.exe is the one triggering the BOF (buffer overflow). The application is one of the applications that McAfee knows to be causing the issue: https://kc.mcafee.com/corporate/index?page=content&id=KB81308

              Applications incompatible with DEP that are detected by BOP include:

              • Microsoft Office 2003 and Office XP (version 11 and older versions, due to MSO.DLL)
              • Microsoft Office 2007 (version 12, due to EuroTool.xlam)
              • Microsoft Access (due to VBE6.dll version 6.04.9972)
              • Explorer.exe (due to SEPCM.DLL from SizeExplorer Pro or JESTERSS.DLL from FlashJester)
              • IExplore.exe, IE8 (due to corpol.dll, or Occache.dll that is versionless)

              NOTE: This list is not comprehensive, but will be updated as additional applications are identified.

              What I wanted was to make sure you do not have Conficker; that is why I said to check the On-Access Scan log too.

              Best regards,

              José María
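The log line in reply 2 and the reading of it in reply 3 come down to one field, `<process path>:<MODULE>.<Export>::<address>`, which is all that BOP records about where a block happened. The Python below is an added example, not code from McAfee or from anyone in this thread. It parses lines of BufferOverflowProtectionLog.txt (and the bare `File` field of the ePO event, where the process shows as `_`), groups them per process and hooked export, and checks whether the blocked addresses share their low 16 bits, which on Windows means the same code in a DLL that was loaded at different base addresses. The sample lines are constructed from addresses quoted in this thread; the user names are invented, and the advice strings only restate what the replies recommend (On-Access Scan log, KB81308, vendor update).

```python
"""Triage McAfee VSE 8.8 Buffer Overflow Protection (BOP) detections: parse
BufferOverflowProtectionLog.txt lines, group by process and hooked export,
and flag detections that keep hitting the same code offset."""
import re
from collections import defaultdict, namedtuple
from typing import List, Optional

# BOP writes the target as <process path>:<MODULE>.<Export>::<hex address>;
# in the ePO event the process part may be missing and is shown as "_".
TARGET_RE = re.compile(
    r"^(?P<process>_|[A-Za-z]:\\.*?):(?P<module>[^.:]+)\.(?P<export>[^:]+)"
    r"::(?P<addr>[0-9A-Fa-f]+)$")
# One local log line; columns are whitespace separated (tabs in the real
# file) and the user name may itself contain a space.
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2}\s+[AP]M)\s+"
    r"Blocked by Buffer Overflow Protection\s+(?P<user>\S+(?: \S+)*?)\s+"
    r"(?P<target>[A-Za-z]:\\.+?::[0-9A-Fa-f]+)\s+(?P<kind>BO:\w+)\s*$")

# process is None when the event did not record it; addr is an int.
Detection = namedtuple("Detection", "date time user process module export addr kind")


def parse_target(target: str):
    """Split '<process>:<MODULE>.<Export>::<addr>'; a '_' process yields None."""
    m = TARGET_RE.match(target.strip())
    if not m:
        raise ValueError(f"not a BOP target field: {target!r}")
    process = None if m["process"] == "_" else m["process"].lower()
    return process, m["module"].upper(), m["export"], int(m["addr"], 16)


def parse_line(line: str) -> Optional[Detection]:
    """Parse one log line; lines that are not BOP blocks yield None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    process, module, export, addr = parse_target(m["target"])
    return Detection(m["date"], m["time"], m["user"], process, module, export, addr, m["kind"])


def parse_log(text: str) -> List[Detection]:
    return [d for d in map(parse_line, text.splitlines()) if d is not None]


def advice(process: Optional[str], recurring: List[int]) -> str:
    if process is None:
        return "event does not name the process; read BufferOverflowProtectionLog.txt on the host"
    if recurring:
        return (f"a fixed code path in a DLL loaded by {process}: list its modules, "
                "compare with KB81308 and update the vendor DLL")
    return ("no repeating offset yet; check the On-Access Scan log for the same host "
            "and time before calling it an incompatibility")


def triage(dets: List[Detection]) -> List[dict]:
    """One finding per (process, module, export), busiest first."""
    groups = defaultdict(lambda: {"hits": 0, "addrs": [], "kinds": set()})
    for d in dets:
        g = groups[(d.process, d.module, d.export)]
        g["hits"] += 1
        g["addrs"].append(d.addr)
        g["kinds"].add(d.kind)
    findings = []
    for (process, module, export), g in sorted(groups.items(), key=lambda kv: -kv[1]["hits"]):
        # Windows relocates images at 64 KiB granularity, so the low 16 bits of an
        # address inside a DLL survive ASLR and rebasing: repeats there mean the
        # same code path keeps tripping BOP at different load bases.
        by_offset = defaultdict(int)
        for a in g["addrs"]:
            by_offset[a & 0xFFFF] += 1
        recurring = sorted(off for off, n in by_offset.items() if n > 1)
        findings.append({"process": process, "module": module, "export": export,
                         "hits": g["hits"], "kinds": sorted(g["kinds"]),
                         "recurring_offsets": recurring,
                         "advice": advice(process, recurring)})
    return findings


# Constructed sample modelled on the lines quoted in this thread; user names are invented.
SAMPLE_LOG = r"""
7/30/2014 12:38:51 AM Blocked by Buffer Overflow Protection  CORP\j.doe C:\windows\explorer.exe:NTDLL.KiUserExceptionDispatcher::6a122ea2 BO:Stack
10/28/2014 2:54:54 AM Blocked by Buffer Overflow Protection LAB\Jane Doe C:\WINDOWS\Explorer.EXE:NTDLL.KiUserExceptionDispatcher::1278a90 BO:Stack
10/28/2014 2:55:47 AM Blocked by Buffer Overflow Protection LAB\Jane Doe C:\WINDOWS\Explorer.EXE:NTDLL.KiUserExceptionDispatcher::1278fa0 BO:Memory
11/4/2014 1:53:58 PM Blocked by Buffer Overflow Protection LAB\Jane Doe C:\WINDOWS\Explorer.EXE:NTDLL.KiUserExceptionDispatcher::4678fa0 BO:Memory
11/4/2014 1:54:01 PM Blocked by Buffer Overflow Protection LAB\Jane Doe C:\WINDOWS\Explorer.EXE:NTDLL.KiUserExceptionDispatcher::4678a90 BO:Memory
11/5/2014 8:23:51 AM Blocked by Buffer Overflow Protection LAB\Jane Doe C:\WINDOWS\explorer.exe:NTDLL.KiUserExceptionDispatcher::10078fa0 BO:Stack
a line that is not a BOP detection and must be skipped
"""

if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print(f"{f['process']} via {f['module']}.{f['export']}: {f['hits']} blocks,",
              "recurring offsets", [hex(o) for o in f["recurring_offsets"]])
        print("  ->", f["advice"])
```

Run it as a script for the summary, or pass the contents of the real log file to parse_log on an affected host; the `\s+` separators cover the tab-separated columns of the real file. The recurring-offset check is a heuristic: it tells you the blocks come from one code path, not which DLL that path lives in, so the next step is still the module list of the process on that host.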

              • 4. Re: VSE 8.8 patch 4 Buffer Overflow threats
                ruudkr

                Hi,

                Is this also applicable to Explorer in Windows 7?

                If so, is there something to prevent this from happening, or to exclude the explorer process from buffer overflow threats?

                Thanks again.

                • 5. Re: VSE 8.8 patch 4 Buffer Overflow threats
                  llamamecomoquieras

                  Hi,

                  "Is this also applicable to Explorer in Windows 7?"

                  YES.

                  I would try to update the machine with the latest updates, and if you still get the error, call McAfee support and open a case, as this issue is still being investigated.

                  I would not create the exclusion (maybe you can create the exclusion as a workaround to get rid of the error), as you are opening a security hole by doing that.

                  To create the exclusion: if the machine is managed via ePO, you will need to create it in ePO; if not, you can do it locally.

                  When creating the exclusion, just open the Buffer Overflow policy, set Explorer.exe only, and skip the other values.

                  Best regards,

                  José María

                  • 6. Re: VSE 8.8 patch 4 Buffer Overflow threats
                    yjtan12

                    Hi,

                    I have a new laptop; after uninstalling Java from it, I got this same virus alert:

                    C:\windows\explorer.exe:NTDLL.KiUserExceptionDispatcher::57ef4834 BO:Stack

                    Any idea?

                    What does it mean for Explorer.exe (due to SEPCM.DLL from SizeExplorer Pro or JESTERSS.DLL from FlashJester)?

                    Is it considered a virus, and should I reformat the laptop?

                    Thank you.

                    Regards,

                    Melvin

                    • 7. Re: VSE 8.8 patch 4 Buffer Overflow threats
                      SafeBoot

                      Are you experiencing EXACTLY the same problem as described in this thread, and are you using VSE 8.8p4?

                      • 8. Re: VSE 8.8 patch 4 Buffer Overflow threats
                        erikt

                        I am having the same (or a very similar) issue. We are on VSE 8.8.

                        [attachment: McAfee.bmp]

                        Here is what I see in the Buffer Overflow log file:

                        10/28/2014  2:54:54 AM  Blocked by Buffer Overflow Protection  ETOFT-CMD\Erik Toft  C:\WINDOWS\Explorer.EXE:NTDLL.KiUserExceptionDispatcher::1278a90  BO:Stack
                        10/28/2014  2:55:47 AM  Blocked by Buffer Overflow Protection  ETOFT-CMD\Erik Toft  C:\WINDOWS\Explorer.EXE:NTDLL.KiUserExceptionDispatcher::1278fa0  BO:Memory
                        10/28/2014  2:56:15 AM  Blocked by Buffer Overflow Protection  ETOFT-CMD\Erik Toft  C:\WINDOWS\Explorer.EXE:NTDLL.KiUserExceptionDispatcher::1278a90  BO:Memory
                        10/30/2014  2:22:51 AM  Blocked by Buffer Overflow Protection  ETOFT-CMD\Erik Toft  C:\WINDOWS\Explorer.EXE:NTDLL.KiUserExceptionDispatcher::563cd2b  BO:Stack
                        11/4/2014   1:53:58 PM  Blocked by Buffer Overflow Protection  ETOFT-CMD\Erik Toft  C:\WINDOWS\Explorer.EXE:NTDLL.KiUserExceptionDispatcher::4678fa0  BO:Memory
                        11/4/2014   1:53:59 PM  Blocked by Buffer Overflow Protection  ETOFT-CMD\Erik Toft  C:\WINDOWS\Explorer.EXE:NTDLL.KiUserExceptionDispatcher::46943c0  BO:Stack
                        11/4/2014   1:53:59 PM  Blocked by Buffer Overflow Protection  ETOFT-CMD\Erik Toft  C:\WINDOWS\Explorer.EXE:NTDLL.KiUserExceptionDispatcher::4678fa0  BO:Memory
                        11/4/2014   1:53:59 PM  Blocked by Buffer Overflow Protection  ETOFT-CMD\Erik Toft  C:\WINDOWS\Explorer.EXE:NTDLL.KiUserExceptionDispatcher::46943c0  BO:Stack
                        11/4/2014   1:53:59 PM  Blocked by Buffer Overflow Protection  ETOFT-CMD\Erik Toft  C:\WINDOWS\Explorer.EXE:NTDLL.KiUserExceptionDispatcher::4678fa0  BO:Memory
                        11/4/2014   1:54:01 PM  Blocked by Buffer Overflow Protection  ETOFT-CMD\Erik Toft  C:\WINDOWS\Explorer.EXE:NTDLL.KiUserExceptionDispatcher::4678a90  BO:Memory
                        11/4/2014   5:57:29 PM  Blocked by Buffer Overflow Protection  ETOFT-CMD\Erik Toft  C:\WINDOWS\Explorer.EXE:NTDLL.KiUserExceptionDispatcher::1251f50  BO:Memory
                        11/5/2014   8:23:51 AM  Blocked by Buffer Overflow Protection  ETOFT-CMD\Erik Toft  C:\WINDOWS\explorer.exe:NTDLL.KiUserExceptionDispatcher::10078fa0  BO:Stack
                        11/5/2014   8:23:53 AM  Blocked by Buffer Overflow Protection  ETOFT-CMD\Erik Toft  C:\WINDOWS\explorer.exe:NTDLL.KiUserExceptionDispatcher::10078a90  BO:Stack

                        And in the Windows event log:

                        [attachment: WEL.bmp]

                        Any assistance is appreciated.

                        • 9. Re: VSE 8.8 patch 4 Buffer Overflow threats
                          wwarren

                          You would follow the same advice cited earlier: https://kc.mcafee.com/corporate/index?page=content&id=KB81308

                          Either work toward identifying the DLL whose code is incompatible with Data Execution Prevention (DEP), or adopt a workaround described in the article.

                          The most secure way forward is to identify the offending DLL and seek an update from the vendor.

                          Using the workaround puts an end to the noise immediately, at the cost of introducing risk. The risk can be mitigated greatly by ensuring you are running the latest patches for the affected process.
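wwarren's first option, identifying the DLL whose code is incompatible with DEP, can be narrowed down before a support case is opened. The Microsoft linker sets the IMAGE_DLLCHARACTERISTICS_NX_COMPAT bit (0x0100) in the PE optional header for images built with /NXCOMPAT, so a module loaded into explorer.exe that lacks the bit has not been declared DEP-safe by its vendor and is the first candidate to compare against the KB81308 list. The Python below is an added example and not McAfee's or Microsoft's code: it reads that bit straight from the PE headers. The module paths in the `__main__` block are hypothetical, and the images it checks are header-only fixtures constructed by `build_minimal_pe`; on a real host you would hand `scan_modules` the module list of the process, for instance the paths printed by `tasklist /m /fi "imagename eq explorer.exe"`.

```python
"""Find loaded DLLs that do not declare Data Execution Prevention compatibility.

The linker sets IMAGE_DLLCHARACTERISTICS_NX_COMPAT (0x0100) in the PE optional
header for images built with /NXCOMPAT. A DLL without it has not been declared
DEP-safe by its vendor: a triage hint, not proof that it is the one BOP blocks.
"""
import struct
from typing import Dict, Iterable, List

NX_COMPAT = 0x0100       # IMAGE_DLLCHARACTERISTICS_NX_COMPAT
DYNAMIC_BASE = 0x0040    # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR)
IMAGE_FILE_DLL = 0x2000  # IMAGE_FILE_HEADER.Characteristics


def pe_characteristics(data: bytes) -> dict:
    """Read the COFF and optional-header flags that matter for DEP and ASLR."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4           # IMAGE_FILE_HEADER, 20 bytes
    opt = coff + 20               # IMAGE_OPTIONAL_HEADER follows it
    if len(data) < opt + 72:
        raise ValueError("headers truncated")
    size_opt, file_chars = struct.unpack_from("<HH", data, coff + 16)
    magic = struct.unpack_from("<H", data, opt)[0]
    if size_opt < 72 or magic not in (0x10B, 0x20B):   # PE32 / PE32+
        raise ValueError(f"unsupported optional header (magic {magic:#x})")
    # DllCharacteristics is at offset 70 in both the PE32 and PE32+ layouts.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return {"pe32plus": magic == 0x20B,
            "is_dll": bool(file_chars & IMAGE_FILE_DLL),
            "nx_compat": bool(dll_chars & NX_COMPAT),
            "dynamic_base": bool(dll_chars & DYNAMIC_BASE),
            "dll_characteristics": dll_chars}


def dep_candidates(images: Dict[str, bytes]) -> List[str]:
    """Names of images not marked NX compatible, sorted; unparseable ones are flagged."""
    out = []
    for name, data in images.items():
        try:
            if not pe_characteristics(data)["nx_compat"]:
                out.append(name)
        except ValueError:
            out.append(name + " (unparseable)")
    return sorted(out)


def scan_modules(paths: Iterable[str]) -> List[str]:
    """Same check over files on disk, e.g. the module list of explorer.exe."""
    images = {}
    for p in paths:
        with open(p, "rb") as f:
            images[p] = f.read(0x2000)   # the headers sit at the start of the file
    return dep_candidates(images)


def build_minimal_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed test fixture: a header-only PE image, not a loadable DLL."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = bytearray(240 if pe32plus else 224)   # standard sizes incl. data directories
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE | DLL)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, len(opt), 0x2002)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Hypothetical module names; the bytes are the constructed fixtures above.
    sample = {r"C:\Windows\System32\ntdll.dll": build_minimal_pe(NX_COMPAT | DYNAMIC_BASE),
              r"C:\Program Files\Vendor\shellext.dll": build_minimal_pe(0)}
    print("not declared DEP compatible:", dep_candidates(sample))
```

The bit is a declaration, not a proof: a DLL marked NX compatible can still trip BOP, and one without the bit may be harmless. Treat the output as the order in which to look, and confirm by matching the blocked address from the log against the module load ranges of the process on the host (Process Explorer's DLL view shows base and size) before asking the vendor for an update.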