4 Replies Latest reply on May 4, 2016 2:27 PM by thenefield

    VSE8.8 Patch 7 mfebopk.sys Event 5038

    superplay-uk

      Hi Folks

       

      Currently we have VSE8.8 Patch 6 deployed, with Agent 4.8.0.1938, running on Windows 7 SP1.

       

      On a few test stations I manually installed Patch 7 prior to a full deployment.  As soon as this was done, the following events started to be logged in the client PCs' security event log.  These were not present when using Patch 6.

       

       

      Event 5038

       

      Code integrity determined that the image hash of a file is not valid.  The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

       

      \Device\HarddiskVolume2\Windows\System32\drivers\mfebopk.sys

       

       

      I uninstalled VSE8.8 and made sure that the file mfebopk.sys no longer existed in the above location.

       

      Then I performed a manual full re-install of VSE8.8 using the Patch 7 Repost download; however, the errors are still logged.

       

       

      Anyone else seeing this?

       

      Thanks

        • 1. Re: VSE8.8 Patch 7 mfebopk.sys Event 5038
          wwarren

          We did make changes to Patch 7 that might get flagged by Code Integrity, but those changes were unavoidable for our part and not actually indicative of an issue (changes we had to make in how our drivers were built to work around a Win10 TH2 issue).

          So this event may be unavoidable, consequently.

           

          Is it just that file of ours mentioned in such events? mfebopk.sys is the buffer overflow protection driver, and only ever loaded on 32-bit systems.

          If it's just that file being mentioned, we can expect that others are not seeing the event because they're on 64-bit systems.

          • 2. Re: VSE8.8 Patch 7 mfebopk.sys Event 5038
            superplay-uk

            Thank you for your assistance.

            This is seen only on 32-bit systems, as you suspected.

            • 3. Re: VSE8.8 Patch 7 mfebopk.sys Event 5038
              wwarren

              FYI, since your posting I've seen other reports of the symptom, where a little more detail was available so that the "why" was made clear.

               

              We will be releasing a hotfix that solves this (and the AP rule: Prevent Windows Process spoofing issue) in the coming weeks, hopefully before the end of April.

              • 4. Re: VSE8.8 Patch 7 mfebopk.sys Event 5038
                thenefield

                I am also having this issue.

                 

                It appears that the following driver files are signed with an untrusted "McAfee Test" certificate and are causing these issues:

                 

                C:\Windows\System32\drivers\mfebopk.sys

                C:\Windows\System32\drivers\mfeclnk.sys

                C:\Windows\System32\drivers\mferkdet.sys


                Furthermore, it introduces a significant delay (4-10 minutes) in the UAC prompt when accessing McAfee VirusScan Console.


                UPDATE: I just installed HF1123565 and it seemed to resolve the certificate issue. Still noticing the long delay in the UAC prompt. I am also on a domain and noticed that GPO updates seem to be getting blocked by the "Prevent Programs from running in the Temp folder".
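
A way to check an endpoint for the symptom discussed in this thread, as an added example that is not part of any post above and is not McAfee tooling: it counts Event 5038 entries per driver and reads each file's embedded Authenticode signature. The three driver names come from the thread; the report layout and variable names are assumptions of this example.

```powershell
# Added example. Run from an elevated prompt: reading the Security log
# requires administrator rights.
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'
# Driver file names as listed in the thread above.
$drivers = 'mfebopk.sys', 'mfeclnk.sys', 'mferkdet.sys'

# Event 5038: Code Integrity determined that an image hash is not valid.
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5038 } `
            -ErrorAction SilentlyContinue)

$report = foreach ($name in $drivers) {
    $path = Join-Path $driverDir $name
    # The event text carries a \Device\HarddiskVolumeN\... path,
    # so match on the file name rather than the drive-letter path.
    $hits = @($events | Where-Object { $_.Message -like "*\$name*" })
    $row = New-Object PSObject -Property @{
        Driver = $name; Present = (Test-Path $path); Events5038 = $hits.Count
        LastEvent = $null; SigStatus = 'n/a'; Signer = $null; Issuer = $null
    }
    if ($hits.Count -gt 0) {
        $row.LastEvent = ($hits | Sort-Object TimeCreated -Descending |
                          Select-Object -First 1).TimeCreated
    }
    if ($row.Present) {
        # Status is Valid only when the signature verifies and chains to a trusted root.
        $sig = Get-AuthenticodeSignature -FilePath $path
        $row.SigStatus = $sig.Status
        if ($sig.SignerCertificate) {
            $row.Signer = $sig.SignerCertificate.Subject
            $row.Issuer = $sig.SignerCertificate.Issuer
        }
    }
    $row
}

$report | Select-Object Driver, Present, Events5038, LastEvent, SigStatus, Signer, Issuer |
    Format-Table -AutoSize
```

Running it before and after a hotfix and comparing SigStatus and LastEvent shows whether the signer changed and whether new 5038 events are still being logged. Get-AuthenticodeSignature in older PowerShell versions reads only embedded signatures, so a NotSigned result there does not rule out a catalog signature.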