Third-party application stops working or is impaired after McAfee Host Intrusion Prevention is installed or content is updated
Technical Articles ID:
KB67056
Last Modified: 5/7/2018
Last Modified: 5/7/2018
Environment
McAfee Host Intrusion Prevention 8.0
McAfee Host Intrusion Prevention 7.0
McAfee Host Intrusion Prevention 7.0
Solution
If a third-party product is installed and a behavior change occurred after a recent Host Intrusion Prevention agent installation or Host Intrusion Prevention content update, do the following:
Reproduce the issue to determine if any IPS security events are being triggered.
If the issue began occuring after a Host IPS Security Content update:
If the issue is not related to an IPS signature event trigger or a Host IPS Security Content update:
If issue occurs with only IPS module enabled and no <Event> violations occurred in HipShield.log
Gathering additional data
If a running third-party process is terminating with an exception or memory reference error when Host Intrusion Prevention IPS is enabled, do the following:
If a running third-party process stops responding or generates high sustained CPU at some point during start or after start when Host Intrusion Prevention IPS is enabled, do the following:
If the entire client computer stops responding during or after startup and Debug Diagnostics does not generate process dumps, do the following:
- Enable full IPS and FW logging (All) and reproduce the issue.
- Do this from within the ePolicy Orchestrator (ePO) console, using the Host Intrusion Prevention General policy or locally. See KB51517 for detailed information.
NOTE: Set the debug_enabled registry key for complete verbose logging.
Reproduce the issue to determine if any IPS security events are being triggered.
- See KB54473 and search in HipShield.log for VIOLATION:, examining any event violation details.
- If a new signature is blocking the activity due to an <Event> trigger:
- Right-click the event as displayed from ePO and create an exception.
- Make exceptions as granular as possible by using the advanced parameters available for the event.
- If there are limited advanced parameters for the event:
- If there is a CVE referenced in the IPS signature description and this indicates a security update patch is available, apply and disable the signature if required.
If the issue began occuring after a Host IPS Security Content update:
- Refer to McAfee Knowledge Base article KB53092 and test with a content remediation signature package.
If the issue is not related to an IPS signature event trigger or a Host IPS Security Content update:
- Disable all Host Intrusion Prevention modules (IPS, NIPS, AB, and FW), and retest to verify if the issue occurs.
- Disable IPS and stop the Host Intrusion Prevention agent service, then retest to verify if the issue occurs.
- If issue did not occur, refer to article KB66899 to ensure that you have enabled the option to allow unsupported protocols (even if FW is disabled, traffic can still be dropped because Host Intrusion Prevention is active). Retest with this option set.
- If this does not resolve the issue, uninstall the McAfee NDIS Intermediate Filter Miniport adapter, and retest to verify if the issue occurs.
If issue occurs with only IPS module enabled and no <Event> violations occurred in HipShield.log
- Identify the executable(s) associated with the application.
- Exclude the executable(s) for protection from the Host IPS Application Protection List.
- Repeat test for application functionality. Note the results.
- Re-include the executable(s) for protection from the Host IPS Application Protection List.
- Isolate the IPS engine that may be causing the issue. For details, see: KB54960
- Identify the IPS engine that causes the issue.
- Disable Signature 432. For details, see: KB60989
- Proceed to Gathering additional data.
Gathering additional data
If a running third-party process is terminating with an exception or memory reference error when Host Intrusion Prevention IPS is enabled, do the following:
- Ensure that full Host Intrusion Prevention logging is enabled during all data collection.
- Install the Microsoft Debug Diagnostic Tool on the client. See: http://www.microsoft.com/downloadS/details.aspx?FamilyID=28bd5941-c458-46f1-b24d-f60151d875a3&displaylang=en
- Configure the Debug Diagnostic Tool to monitor the terminating process(es):
- Click Add Rule and then click Next.
- For the rule type, select Crash, and then click Next.
- Select A specific process, highlight the running process to monitor and click Next.
- Under Advanced Configuration, select None for Action type for unconfigured first chance exceptions and then click Next.
- Select a rule name and dump location.
- Activate the rule and click Finish.
NOTE: The Debug Diagnostic tool now creates usermode process dumps for the process(s) associated with the third-party application when the process termination occurs.
- Obtain an additional userdump for the McAfee FireSvc.exe process. Do this using Debug Diagnostics:
- Open the Debug Diagnostic Tool user interface.
- Click the Processes tab.
- Right-click on FireSvc.exe.
- Select Create Full Userdump to create a process dump.
- Run the McAfee WebMER information tool on the client to collect system information and logs. For detailed information on the WebMer tool, see: KB59385
- Open a support ticket with the third-party vendor for analysis of their process dump(s). The vendor should be able to add advanced information on why their process is impaired.
- Send all user dumps and Host Intrusion Prevention WebMER results to Technical Support, along with the vendor analysis.
NOTE: If the application is an IExplore.exe or Outlook.exe plug-in, obtain user mode process dumps for each of these processes.
If a running third-party process stops responding or generates high sustained CPU at some point during start or after start when Host Intrusion Prevention IPS is enabled, do the following:
- Ensure full Host Intrusion Prevention logging is enabled during all data collection.
- Install the Microsoft Debug Diagnostic Tool on the client. See: http://www.microsoft.com/downloadS/details.aspx?FamilyID=28bd5941-c458-46f1-b24d-f60151d875a3&displaylang=en
- On the client, enable a CrashOnCtrlScrl keyboard dump configuration.
- Follow the instructions for PS/2 keyboard. See: http://support.microsoft.com/kb/Q244139
- Restart the client to reproduce to process issue.
- While the process stops responding, generate a userdump using the Debug Diagnostics Tool.
- Open the Debug Diagnostic Tool user interface.
- Click the Processes tab.
- Right-click on the process that has stopped responding.
- Select Create Full Userdump to create a process dump.
- Repeat the process to obtain a userdump for the FireSvc.exe process.
- While the process is still unresponsive, generate a full memory dump of the system using the keyboard.
- After the dump completes, restart the client in safe mode to disable the Host Intrusion Prevention service.
- Restart the computer again to save the memory dump file that was generated. A full kernel dump will be listed as memory.dmp in the root drive.
NOTE: Compress the memory dump before uploading to McAfee.
- Run the McAfee WebMER information tool on the client to collect system information and logs. For detailed information on the WebMer tool, see: KB59385
- Open a support ticket with the third-party vendor for analysis of their process dump(s). The vendor should be able to add advanced information on why their process is impaired.
- Send all user dumps and Host Intrusion Prevention WebMer results to Technical Support, along with the vendor analysis.
If the entire client computer stops responding during or after startup and Debug Diagnostics does not generate process dumps, do the following:
- On the client, enable a CrashOnCtrlScrl keyboard dump configuration.
- Follow the instructions for PS/2 keyboard. See: http://support.microsoft.com/kb/Q244139
- Restart the client and generate a kernel dump when the client stops responding.
- After the dump completes, restart the client in Safe Mode to disable the Host Intrusion Prevention service.
- Restart the computer again to save the memory dump file that was generated. A full kernel dump is seen as memory.dmp in the root drive.
NOTE: Compress the memory dump before uploading to McAfee.
- Run the McAfee WebMER information tool on the client to collect system information and logs. For detailed information on the WebMer tool, see: KB59385
- Open a support ticket with the third-party vendor for analysis of their process dump(s). The vendor should be able to add advanced information on why their process is impaired.
- Send all the dump and Host Intrusion Prevention WebMer results to Technical Support, along with the vendor analysis.
