3 Replies Latest reply on Jan 26, 2016 9:13 AM by wwarren

    "(...) Sanitize MFEVTP Service Process" in different Logfiles

    Don_Martin

      Hello,

      We encountered this one in several log files but don't know how to deal with it. There is also no further information, and maybe it is my lack of knowledge of how to translate this verb into a common German meaning, but right now I would just like to know where this rule is and whether it is in some way necessary to configure it properly (I cannot think that the named processes are unclean in any way).

      Thanks in advance, and is there a list of known error codes?

        • 1. Re: "(...) Sanitize MFEVTP Service Process" in different Logfiles
          wwarren

          Hi Don,

           

          Could you paste a complete example of the log entry you're referring to (removing any personal identifiers), and the name of the log file it came from (for context)?

          You can paste the text in German, that should be OK.

           

          Without more context this looks like an informational message. To "sanitize" our processes is to protect them from 3rd party code injection.

          • 2. Re: "(...) Sanitize MFEVTP Service Process" in different Logfiles
            Don_Martin

            Hello,

             

            out of BlFramework_Verbose.log:

            "

            --------------------------

            01/13/2016 05:21:17.961 PM   mfeesp(4576.4652) <SYSTEM>(Session0\Service-0x0-3e7$) ApBl.SP.Debug: ApState.cpp(1321): iReg|value|HKLM\SOFTWARE\Network Associates\TVD\Shared Components\Framework|Installed Path|

            01/13/2016 05:21:17.961 PM   mfeesp(4576.4652) <SYSTEM>(Session0\Service-0x0-3e7$) ApBl.SP.Debug: ApState.cpp(828):  result -->C:\Program Files (x86)\McAfee\Common Framework\x86\<

            01/13/2016 05:21:17.976 PM   mfeesp(4576.4652) <SYSTEM>(Session0\Service-0x0-3e7$) ApBl.SP.Debug: ApState.cpp(568): iDump Filter=x_ma_*

            01/13/2016 05:21:17.976 PM   mfeesp(4576.4652) <SYSTEM>(Session0\Service-0x0-3e7$) ApBl.SP.Debug: ApState.cpp(571): iDump Text=** MA McTray Sanitized by Endpoint **

            01/13/2016 05:21:17.976 PM   mfeesp(4576.4652) <SYSTEM>(Session0\Service-0x0-3e7$) ApBl.SP.Debug: ApState.cpp(577): InputFile=C:\Program Files\McAfee\Endpoint Security\Endpoint Security Platform\SP_Default.rul

            01/13/2016 05:21:17.976 PM   mfeesp(4576.4652) <SYSTEM>(Session0\Service-0x0-3e7$) ApBl.SP.Debug: ApState.cpp(581):"

            -----------------------------

            out of MacMnSvc_[Computername].log

            2016-01-13 17:19:30.962 macmnsvc(3592.2232) aac_service.Info: The process <C:\WINDOWS\SYSTEM32\MFEVTPS.EXE>(4144) was blocked from accessing('C' (1)) <AAC_OBJECT_SECTION:C:\Windows\winsxs\amd64_microsoft.windows.common-controls_6 595b64144ccf1df_5.82.7601.18837_none_a4d981ff711297b6\comctl32.dll> via the rule <Sanitize MFEVTP Service Process>

            2016-01-13 17:19:30.962 macmnsvc(3592.2232) aac_service.Info: The process <C:\WINDOWS\SYSTEM32\MFEVTPS.EXE>(4144) was blocked from accessing('C' (1)) <AAC_OBJECT_SECTION:C:\Windows\winsxs\amd64_microsoft.windows.common-controls_6 595b64144ccf1df_5.82.7601.18837_none_a4d981ff711297b6\comctl32.dll> via the rule <Sanitize MFEVTP Service Process>

            2016-01-13 17:19:30.962 macmnsvc(3592.2232) aac_service.Info: The process <C:\WINDOWS\SYSTEM32\MFEVTPS.EXE>(4144) was blocked from accessing('C' (1)) <AAC_OBJECT_SECTION:C:\Windows\winsxs\amd64_microsoft.windows.common-controls_6 595b64144ccf1df_5.82.7601.18837_none_a4d981ff711297b6\comctl32.dll> via the rule <Sanitize MFEVTP Service Process>

            2016-01-13 17:19:30.962 macmnsvc(3592.2232) aac_service.Info: The process <C:\WINDOWS\SYSTEM32\MFEVTPS.EXE>(4144) was blocked from accessing('C' (1)) <AAC_OBJECT_SECTION:C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll> via the rule <Sanitize MFEVTP Service Process>

            -----

            same log file, but maybe affecting each other vice versa:

            2016-01-13 17:22:06.304 macmnsvc(3592.2136) aac_service.Info: The process <C:\PROGRAM FILES\MCAFEE\ENDPOINT SECURITY\ENDPOINT SECURITY PLATFORM\MFEESP.EXE>(4872) was blocked from accessing('C' (1)) <AAC_OBJECT_KEY:HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MCAFEE TRUST\CERTIFICATES\> via the rule <Protect SystemCore Files and Registry Settings>

            2016-01-13 17:22:06.304 macmnsvc(3592.2136) aac_service.Info: The process <C:\PROGRAM FILES\MCAFEE\ENDPOINT SECURITY\ENDPOINT SECURITY PLATFORM\MFEESP.EXE>(4872) was blocked from accessing('C' (1)) <AAC_OBJECT_KEY:HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MCAFEE TRUST\CERTIFICATES\> via the rule <Protect SystemCore Files and Registry Settings>

            2016-01-13 17:22:06.304 macmnsvc(3592.2136) aac_service.Info: The process <C:\PROGRAM FILES\MCAFEE\ENDPOINT SECURITY\ENDPOINT SECURITY PLATFORM\MFEESP.EXE>(4872) was blocked from accessing('C' (1)) <AAC_OBJECT_KEY:HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MCAFEE TRUST\CRLS\> via the rule <Protect SystemCore Files and Registry Settings>

            2016-01-13 17:22:06.304 macmnsvc(3592.2136) aac_service.Info: The process <C:\PROGRAM FILES\MCAFEE\ENDPOINT SECURITY\ENDPOINT SECURITY PLATFORM\MFEESP.EXE>(4872) was blocked from accessing('C' (1)) <AAC_OBJECT_KEY:HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MCAFEE TRUST\CRLS\> via the rule <Protect SystemCore Files and Registry Settings>

            2016-01-13 17:22:06.304 macmnsvc(3592.2136) aac_service.Info: The process <C:\PROGRAM FILES\MCAFEE\ENDPOINT SECURITY\ENDPOINT SECURITY PLATFORM\MFEESP.EXE>(4872) was blocked from accessing('C' (1)) <AAC_OBJECT_KEY:HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MCAFEE TRUST\CTLS\> via the rule <Protect SystemCore Files and Registry Settings>

            2016-01-13 17:22:06.304 macmnsvc(3592.2136) aac_service.Info: The process <C:\PROGRAM FILES\MCAFEE\ENDPOINT SECURITY\ENDPOINT SECURITY PLATFORM\MFEESP.EXE>(4872) was blocked from accessing('C' (1)) <AAC_OBJECT_KEY:HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MCAFEE TRUST\CTLS\> via the rule <Protect SystemCore Files and Registry Settings>

            -----------------

            another excerpt from MacMnSVC:

            2016-01-13 17:22:09.798 macmnsvc(3592.2136) aac_service.Info: The process <C:\WINDOWS\SYSTEM32\MFEVTPS.EXE>(5108) was blocked from accessing('C' (1)) <AAC_OBJECT_SECTION:C:\Windows\winsxs\amd64_microsoft.windows.common-controls_6 595b64144ccf1df_5.82.7601.18837_none_a4d981ff711297b6\comctl32.dll> via the rule <Sanitize MFEVTP Service Process>

            2016-01-13 17:22:09.798 macmnsvc(3592.2136) aac_service.Info: The process <C:\WINDOWS\SYSTEM32\MFEVTPS.EXE>(5108) was blocked from accessing('C' (1)) <AAC_OBJECT_SECTION:C:\Windows\winsxs\amd64_microsoft.windows.common-controls_6 595b64144ccf1df_5.82.7601.18837_none_a4d981ff711297b6\comctl32.dll> via the rule <Sanitize MFEVTP Service Process>

            2016-01-13 17:22:09.798 macmnsvc(3592.2136) aac_service.Info: The process <C:\WINDOWS\SYSTEM32\MFEVTPS.EXE>(5108) was blocked from accessing('C' (1)) <AAC_OBJECT_SECTION:C:\Windows\winsxs\amd64_microsoft.windows.common-controls_6 595b64144ccf1df_5.82.7601.18837_none_a4d981ff711297b6\comctl32.dll> via the rule <Sanitize MFEVTP Service Process>

            2016-01-13 17:22:09.798 macmnsvc(3592.2136) aac_service.Info: The process <C:\WINDOWS\SYSTEM32\MFEVTPS.EXE>(5108) was blocked from accessing('C' (1)) <AAC_OBJECT_SECTION:C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll> via the rule <Sanitize MFEVTP Service Process>

            2016-01-13 17:22:09.814 macmnsvc(3592.2136) aac_service.Info: The process <C:\WINDOWS\SYSTEM32\MFEVTPS.EXE>(5108) was blocked from accessing('C' (1)) <AAC_OBJECT_SECTION:C:\Windows\winsxs\amd64_microsoft.windows.common-controls_6 595b64144ccf1df_5.82.7601.18837_none_a4d981ff711297b6\comctl32.dll> via the rule <Sanitize MFEVTP Service Process>

            2016-01-13 17:22:09.814 macmnsvc(3592.2136) aac_service.Info: The process <C:\WINDOWS\SYSTEM32\MFEVTPS.EXE>(5108) was blocked from accessing('C' (1)) <AAC_OBJECT_SECTION:C:\Windows\winsxs\amd64_microsoft.windows.common-controls_6 595b64144ccf1df_5.82.7601.18837_none_a4d981ff711297b6\comctl32.dll> via the rule <Sanitize MFEVTP Service Process>

            2016-01-13 17:22:09.814 macmnsvc(3592.2136) aac_service.Info: The process <C:\WINDOWS\SYSTEM32\MFEVTPS.EXE>(5108) was blocked from accessing('C' (1)) <AAC_OBJECT_SECTION:C:\Windows\winsxs\amd64_microsoft.windows.common-controls_6 595b64144ccf1df_5.82.7601.18837_none_a4d981ff711297b6\comctl32.dll> via the rule <Sanitize MFEVTP Service Process>

            2016-01-13 17:22:09.814 macmnsvc(3592.2136) aac_service.Info: The process <C:\WINDOWS\SYSTEM32\MFEVTPS.EXE>(5108) was blocked from accessing('C' (1)) <AAC_OBJECT_SECTION:C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll> via the rule <Sanitize MFEVTP Service Process>

            --------------

             

            I cannot see anything dangerous in there, but due to the fact that I did not know the meaning of "sanitize", I can only guess that these messages are like the good old Event IDs 514, 516, 519 but in another fashion, and are completely to be ignored/without any harmful content.

            Thank you :-) Still working on log file comprehension.

            • 3. Re: "(...) Sanitize MFEVTP Service Process" in different Logfiles
              wwarren

              The first example is what I would expect to see for the sanitizing of our processes. That's informational.

               

              These ones could be interesting.

              out of MacMnSvc_[Computername].log

              2016-01-13 17:19:30.962 macmnsvc(3592.2232) aac_service.Info: The process <C:\WINDOWS\SYSTEM32\MFEVTPS.EXE>(4144) was blocked from accessing('C' (1)) <AAC_OBJECT_SECTION:C:\Windows\winsxs\amd64_microsoft.windows.common-controls_6 595b64144ccf1df_5.82.7601.18837_none_a4d981ff711297b6\comctl32.dll> via the rule <Sanitize MFEVTP Service Process>

              These look like they'd be occurring on startup, when the process MFEVTPS.EXE is initializing and loading DLLs (or if the service restarted).

              Windows manages multiple versions of the same DLL using this side-by-side (winsxs) folder. It's curious that a Microsoft DLL would be blocked from loading, but perhaps the digital certificate for that file could not be validated. I expect this led to loading of a different comctl32.dll such as %windir%\system32\comctl32.dll and thus no adverse side effect.

               

              The PowerShell DLL, that's a curious one too. But again, the digital certificate may not have been able to validate. I'm pretty sure we don't load that DLL; but it might be that Microsoft does, and a Microsoft DLL we loaded earlier is wanting to use some PowerShell functionality (being denied because of the validation check failing). It would probably take an in-house reproduction with debugger attached to figure out why that DLL is being sought.

               

              These entries are a little worrying:

              2016-01-13 17:22:06.304 macmnsvc(3592.2136) aac_service.Info: The process <C:\PROGRAM FILES\MCAFEE\ENDPOINT SECURITY\ENDPOINT SECURITY PLATFORM\MFEESP.EXE>(4872) was blocked from accessing('C' (1)) <AAC_OBJECT_KEY:HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MCAFEE TRUST\CERTIFICATES\> via the rule <Protect SystemCore Files and Registry Settings>

              Our services should not be denied (by ourselves) from accessing this key. That it is being denied suggests to me that the process failed to acquire Trust, which means some 3rd party code may have managed to inject the MFEESP.EXE process.

              If these messages stop after a reboot, then ignore them. If they continue after a reboot, resetting the cache would be appropriate. And if they continue still, then I'd be looking for a 3rd party entity inside our process address space.

               

               

              Included with the product is a utility called VTPINFO.EXE.

              You can use this to reset our cache, e.g. VTPINFO /ResetVTPCache. Normally you'd only do that under direction from Support, because resetting the cache has potential performance impact; you'd only do it if necessary.

              The tool can also perform validation checks on specific DLLs/Modules, which can confirm and explain a denial message about loading a specific DLL, for example:

              VTPINFO /validatemodule C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll

              The output is not intended for use by customers, but if you're interested and you're looking to identify "Why am I getting these messages that are like the good old Event 514, 516, 519?" then that is the tool to help answer that.
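As an added triage example (not code from this thread, from McAfee, or from VTPINFO), the Python script below parses macmnsvc "was blocked from accessing" lines in the shape pasted above and applies the reasoning in the reply: a "Sanitize ..." rule refusing a DLL load is treated as informational and expected at startup or service restart, while one of the product's own processes being denied its own trust store key is flagged for follow-up (reboot, then cache reset, then investigation). It also groups identical denials and records the distinct PIDs per group, so a denial that recurs across restarts stands out. The regular expression, the triage heuristics, the helper names and the sample lines are this example's assumptions, constructed from the entries quoted in the thread.

```python
import re
from collections import defaultdict

# Shape of the aac_service denial line as pasted in the thread (assumption: one fixed layout).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"macmnsvc\((?P<svc_pid>\d+)\.(?P<svc_tid>\d+)\) aac_service\.(?P<level>\w+): "
    r"The process <(?P<proc>[^>]+)>\((?P<pid>\d+)\) was blocked from accessing"
    r"\('(?P<access>[^']*)' \((?P<access_code>\d+)\)\) "
    r"<(?P<obj_type>AAC_OBJECT_\w+):(?P<obj>[^>]+)> via the rule <(?P<rule>[^>]+)>$"
)

# Triage heuristics distilled from the reply above; they are this example's assumptions,
# not the product's own classification of these messages.
TRUST_KEY_PREFIX = "HKLM\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\MCAFEE TRUST\\"
OWN_PROCESS_HINTS = ("\\MCAFEE\\", "\\MFEVTPS.EXE", "\\MFEESP.EXE")


def parse_line(line):
    """Parse one macmnsvc denial line into a dict, or return None for any other line shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["pid"] = int(entry["pid"])
    entry["access_code"] = int(entry["access_code"])
    return entry


def classify(entry):
    """Return (verdict, reason) where verdict is 'info', 'review' or 'unknown'."""
    proc = entry["proc"].upper()
    obj = entry["obj"].upper()
    own_process = any(h in proc for h in OWN_PROCESS_HINTS)
    if entry["obj_type"] == "AAC_OBJECT_KEY" and own_process and obj.startswith(TRUST_KEY_PREFIX):
        return ("review",
                "product process denied its own trust store key: it may have failed to acquire "
                "trust (reboot; if it persists, reset the VTP cache; if it still persists, investigate)")
    if (entry["rule"].startswith("Sanitize") and entry["obj_type"] == "AAC_OBJECT_SECTION"
            and obj.endswith(".DLL")):
        return ("info",
                "DLL load refused while sanitizing the process; expected at startup or service restart")
    return ("unknown", "not covered by this triage table")


def summarize(lines):
    """Group denials by (process, object, rule); count hits and distinct PIDs per group."""
    groups = defaultdict(lambda: {"count": 0, "pids": set(), "verdict": None, "reason": None})
    unparsed = 0
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            unparsed += 1 if line.strip() else 0
            continue
        g = groups[(entry["proc"], entry["obj"], entry["rule"])]
        g["count"] += 1
        g["pids"].add(entry["pid"])  # several PIDs: the same denial recurred across restarts
        if g["verdict"] is None:
            g["verdict"], g["reason"] = classify(entry)
    return dict(groups), unparsed


def needs_followup(groups):
    """Group keys whose verdict is 'review', i.e. the entries the reply called worrying."""
    return sorted(k for k, g in groups.items() if g["verdict"] == "review")


# Constructed sample data mirroring the thread's entries (paths taken from the pasted log).
MFEVTPS = "C:\\WINDOWS\\SYSTEM32\\MFEVTPS.EXE"
MFEESP = "C:\\PROGRAM FILES\\MCAFEE\\ENDPOINT SECURITY\\ENDPOINT SECURITY PLATFORM\\MFEESP.EXE"
WINSXS_COMCTL = ("C:\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6"
                 " 595b64144ccf1df_5.82.7601.18837_none_a4d981ff711297b6\\comctl32.dll")
PWRSHSIP = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\pwrshsip.dll"
TRUST_CERTS = "HKLM\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\MCAFEE TRUST\\CERTIFICATES\\"


def _line(ts, proc, pid, obj_type, obj, rule):
    """Build a sample line in the pasted format (constructed input for this example)."""
    return (f"{ts} macmnsvc(3592.2136) aac_service.Info: The process <{proc}>({pid}) "
            f"was blocked from accessing('C' (1)) <{obj_type}:{obj}> via the rule <{rule}>")


SAMPLE_LINES = [
    _line("2016-01-13 17:19:30.962", MFEVTPS, 4144, "AAC_OBJECT_SECTION", WINSXS_COMCTL,
          "Sanitize MFEVTP Service Process"),
    _line("2016-01-13 17:19:30.962", MFEVTPS, 4144, "AAC_OBJECT_SECTION", PWRSHSIP,
          "Sanitize MFEVTP Service Process"),
    _line("2016-01-13 17:22:06.304", MFEESP, 4872, "AAC_OBJECT_KEY", TRUST_CERTS,
          "Protect SystemCore Files and Registry Settings"),
    _line("2016-01-13 17:22:09.798", MFEVTPS, 5108, "AAC_OBJECT_SECTION", WINSXS_COMCTL,
          "Sanitize MFEVTP Service Process"),
    # A BlFramework-style line with a different layout: counted as unparsed, not misclassified.
    "01/13/2016 05:21:17.976 PM   mfeesp(4576.4652) <SYSTEM>(Session0\\Service-0x0-3e7$) "
    "ApBl.SP.Debug: ApState.cpp(568): iDump Filter=x_ma_*",
]

if __name__ == "__main__":
    groups, skipped = summarize(SAMPLE_LINES)
    for (proc, obj, rule), g in groups.items():
        print(f"{g['verdict']:7} x{g['count']} pids={sorted(g['pids'])} {proc} -> {obj} [{rule}]")
    print(f"unparsed lines: {skipped}; follow-up needed: {len(needs_followup(groups))}")
```

Feeding a real MacMnSvc log through `summarize()` gives one row per distinct denial rather than the block of repeats seen in the paste; a "review" row whose PID set keeps growing after a reboot is the case the reply says warrants a cache reset and then a closer look at the process.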