8 Replies Latest reply on Sep 4, 2014 2:31 PM by daguerre101

    Mcafee blocking a mde file on the network

    daguerre101

      Hello everyone,

       

      We have been switching all the computers of the City of Whitehorse to McAfee. We finished yesterday, but a bug has appeared with the firemen. The firemen use an Access file on the network. The shortcut used to reach it looks like this: c:\program files\microsoft office\msaccess.exe /runtime r:\fire department/firebase/firebase.mde.

      Since we installed McAfee, we cannot use it anymore. If we remove McAfee, the firebase works fine. I was wondering if there is a possibility to exclude the firebase from the security settings of McAfee. I presume I can push it afterwards through the agent.

       

      I must say to you guys that McAfee is quite new to me. I have not used it for years, so maybe the answer is obvious, but I still have not found it.

       

      Thank you in advance for your help!

      Have a nice day

      Daguerre

        • 1. Re: Mcafee blocking a mde file on the network
          ansarias

          Hello,

          First you need to identify which McAfee component is blocking. Most probably it will be Access Protection.

          Please check the McAfee logs under the Desktop Protection folder, and see if you can find c:\program files\microsoft office\msaccess.exe in any of the logs.

          Also confirm if you have installed HIPS on those machines?

           

          Please let us know the results.

          • 2. Re: Mcafee blocking a mde file on the network
            daguerre101

            Thank you for your answer!

            I did not find any Desktop Protection folder, but I think I have found another way to see the logs. I found this to be quite interesting, since it comes directly from the computer I was working on yesterday while trying to understand the cause of the problem. Here is what I saw:

             

            Server ID:VM-MCAFEE-PRD1
            Event Received Time:9/2/14 2:41:28 PM
            Event Generated Time:9/2/14 2:40:19 PM
            Agent GUID:
            Detecting Prod ID (deprecated):VIRUSCAN8800
            Detecting Product Name:VirusScan Enterprise
            Detecting Product Version:8.8
            Detecting Product Host Name:WKS09001MSB
            Detecting Product IPv4 Address:172.16.104.128
            Detecting Product IP Address:172.16.104.128
            Detecting Product MAC Address:
            DAT Version:0
            Engine Version:0
            Threat Source Host Name:
            Threat Source IPv4 Address:172.16.104.128
            Threat Source IP Address:172.16.104.128
            Threat Source MAC Address:
            Threat Source User Name:
            Threat Source Process Name:C:\Program Files\FireBase\Office\MSACCESS.EXE
            Threat Source URL:
            Threat Target Host Name:WKS09001MSB
            Threat Target IPv4 Address:172.16.104.128
            Threat Target IP Address:172.16.104.128
            Threat Target MAC Address:
            Threat Target User Name:CITY\ponsjo
            Threat Target Port Number:
            Threat Target Network Protocol:
            Threat Target Process Name:
            Threat Target File Path:_:NTDLL.KiUserExceptionDispatcher::4374f0
            Event Category:Host intrusion buffer overflow
            Event ID:1099
            Threat Severity:Critical
            Threat Name:BO:Writable BO:Heap
            Threat Type:buffer overflow
            Action Taken:would block
            Threat Handled:true
            Analyzer Detection Method:OAS

             

             

            Events received from managed systems

             

             

            Event Description:Buffer Overflow detected and NOT blocked

             

            BTW, there is no antivirus right now, so this is why you don't see any DAT in this summary.

            First thing: msaccess was started from C:\Program Files\FireBase\Office\MSACCESS.EXE. Wondering why the msaccess file was in this weird place, I found that it's because the Access base is an old Access 97 database.

            Here is the exact code of the shortcut:

            "C:\Program Files (x86)\FireBase\Office\MSACCESS.EXE" /runtime "R:\Infrastructure_and_Operations\Fire_and_Emergency_Services\Internal\Firebase \FireBase.mde"

            As you see, the Access exe is called and then afterwards tries to reach the firebase database. As previously stated, it's not working anymore when McAfee is installed.

             

            What is HIPS exactly?

             

            Does this give you any clues as to what the problem is?

            Dag

            • 3. Re: Mcafee blocking a mde file on the network
              exbrit

              Moved this provisionally to VirusScan Enterprise.

              Peter

              Moderator

              • 4. Re: Mcafee blocking a mde file on the network
                ansarias

                Hello,

                 

                That is just an informational log where McAfee is not blocking anything.

                Try adding MSACCESS.EXE to the buffer overflow exclusions and see if it fixes the issue or not.
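
An added example, not part of any post in this thread: a short Python script that parses event details in the Field:Value layout pasted in reply 2 and separates report-only detections (Action Taken "would block") from enforced ones per process, which is the distinction reply 4 draws. The second sample event, its "blocked" action value and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: two event blocks in the "Field:Value" layout from reply 2.
# The first reuses fields shown in the thread; the second is invented.
SAMPLE = r"""
Detecting Product Name:VirusScan Enterprise
Threat Source Process Name:C:\Program Files\FireBase\Office\MSACCESS.EXE
Threat Target User Name:CITY\ponsjo
Threat Target File Path:_:NTDLL.KiUserExceptionDispatcher::4374f0
Event ID:1099
Threat Name:BO:Writable BO:Heap
Action Taken:would block

Detecting Product Name:VirusScan Enterprise
Threat Source Process Name:C:\Tools\example.exe
Event ID:1099
Threat Name:BO:Writable BO:Heap
Action Taken:blocked
"""

def parse_events(text):
    """Split blank-line separated blocks into one dict per event."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        event = {}
        for line in block.splitlines():
            # Split on the FIRST colon only: paths, timestamps and names such
            # as "BO:Writable BO:Heap" contain colons themselves.
            key, sep, value = line.strip().partition(":")
            if sep:
                event[key.strip()] = value.strip()
        if event:
            events.append(event)
    return events

def is_report_only(event):
    # Assumption drawn from the single event in this thread: an action that
    # starts with "would" was logged but not enforced.
    return event.get("Action Taken", "").lower().startswith("would")

def summarize(events):
    """Count detections per (process, threat name, report-only or enforced)."""
    counts = Counter()
    for e in events:
        mode = "report-only" if is_report_only(e) else "enforced"
        counts[(e.get("Threat Source Process Name", "?"),
                e.get("Threat Name", "?"), mode)] += 1
    return counts

if __name__ == "__main__":
    for (proc, threat, mode), n in summarize(parse_events(SAMPLE)).items():
        print(f"{n}x {mode:11} {threat:20} {proc}")
```
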

                • 5. Re: Mcafee blocking a mde file on the network
                  llamamecomoquieras

                  Morning,

                   

                  ansarias, well, I do not 100% agree with you on this.

                   

                  As per the event above, this issue is related to KB81308 and can affect whether Office applications work, in this case Microsoft Access.

                   

                  https://kc.mcafee.com/corporate/index?page=content&id=KB81308

                   

                  Best regards,

                   

                  Jose Maria

                  • 6. Re: Mcafee blocking a mde file on the network
                    ansarias

                    Yes, that's why I asked to add it to the exclusions, to stop further notifications and interruptions.

                    • 7. Re: Mcafee blocking a mde file on the network
                      llamamecomoquieras

                      Hi mate,

                       

                      Yes, it is good to create an exclusion, but they should not add exclusions if possible, so it is better to follow the document and, as a last resort, create the exclusion.

                       

                      Have a nice day!

                       

                      Best regards,

                       

                      Jose Maria

                      • 8. Re: Mcafee blocking a mde file on the network
                        daguerre101

                        Hi guys,

                        I effectively created an exclusion and it worked. Now the firemen can use their software without problems.

                         

                        Thank you for your help!

                        Have a nice day