Third-party application stops working or is impaired after McAfee Host Intrusion Prevention is installed or content is updated
Technical Articles ID: KB67056
Last Modified: 9/21/2020
Environment
McAfee Host Intrusion Prevention (Host IPS) 8.0
Solution
If a third-party product is installed and its behavior changed after a recent Host IPS agent installation or Host IPS content update, do the following:
- Enable full IPS and FW logging (All) and reproduce the issue.
  - Do this from within the ePolicy Orchestrator (ePO) console, using the Host Intrusion Prevention General policy, or locally. See KB51517 for detailed information.
NOTE: Set the debug_enabled registry key for complete verbose logging.
To determine whether any IPS security events are being triggered, reproduce the issue:
- See KB54473 and search HipShield.log for VIOLATION, examining any event violation details.
- If a new signature is blocking the activity due to an <Event> trigger:
  - Right-click the event as displayed in ePO and create an exception.
  - Make exceptions as granular as possible by using the advanced parameters available for the event.
  - If there are limited advanced parameters for the event:
    - If there is a CVE referenced in the IPS signature description and it indicates that a security update patch is available, apply the patch and disable the signature if required.
    - If there is a CVE referenced in the IPS signature description and it indicates that a security update
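To make the HipShield.log search in the step above repeatable, here is an added PowerShell example (not code from the McAfee article or product) that pulls VIOLATION entries out of the log and groups them by signature and process, so the rows with the highest counts show which signature is blocking the third-party application and which process, operation and target an exception should name. The log path and the field layout matched by the regex are assumptions, and the sample lines are constructed for illustration; adjust the pattern to the layout of the HipShield.log on your client.

```powershell
# Added example, not part of the McAfee article. Summarizes VIOLATION entries in HipShield.log
# by signature and process. The line layout below is CONSTRUCTED for this example; real
# HipShield.log lines differ, so adapt the regex to the fields you actually see.

# Constructed sample lines standing in for a real HipShield.log (layout is an assumption).
$sampleLines = @(
    '09/21/2020 10:15:01 VIOLATION: Signature 6001 (High) Process: C:\Vendor\app.exe Operation: CreateFile Target: C:\Windows\System32\drivers\etc\hosts',
    '09/21/2020 10:15:02 INFO: Policy enforcement complete',
    '09/21/2020 10:15:09 VIOLATION: Signature 6001 (High) Process: C:\Vendor\app.exe Operation: CreateFile Target: C:\Windows\System32\drivers\etc\hosts',
    '09/21/2020 10:16:30 VIOLATION: Signature 1149 (Medium) Process: C:\Vendor\updater.exe Operation: Execute Target: C:\Vendor\helper.exe'
)

function Get-HipsViolation {
    param([string[]]$Lines)
    # Named captures for each constructed field; non-VIOLATION lines simply do not match.
    $pattern = '^(?<When>\S+ \S+) VIOLATION: Signature (?<Sig>\d+) \((?<Sev>\w+)\) Process: (?<Proc>.+?) Operation: (?<Op>\S+) Target: (?<Target>.+)$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                When      = $Matches.When
                Signature = [int]$Matches.Sig
                Severity  = $Matches.Sev
                Process   = $Matches.Proc
                Operation = $Matches.Op
                Target    = $Matches.Target
            }
        }
    }
}

# Assumed default log location for Host IPS 8.0; change it to match your client.
$logPath = 'C:\ProgramData\McAfee\Host Intrusion Prevention\HipShield.log'
$lines = if (Test-Path $logPath) { Get-Content $logPath } else { $sampleLines }

# Group by signature and process. Use the Operations and Targets columns to build a granular
# exception (process path + operation + target) instead of disabling the whole signature.
Get-HipsViolation -Lines $lines |
    Group-Object Signature, Process |
    ForEach-Object {
        [pscustomobject]@{
            Signature  = $_.Group[0].Signature
            Severity   = $_.Group[0].Severity
            Process    = $_.Group[0].Process
            Count      = $_.Count
            Operations = ($_.Group.Operation | Sort-Object -Unique) -join ','
            Targets    = ($_.Group.Target | Sort-Object -Unique) -join ';'
        }
    } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Run it on the client after reproducing the issue with full logging enabled; when the real log is present it replaces the constructed sample automatically.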
If the issue began to occur after a Host IPS Security Content update:
- See McAfee Knowledge Base article KB53092 and test with a content remediation signature package.
If the issue is not related to an IPS signature event trigger or a Host IPS Security Content update:
- Disable all Host Intrusion Prevention modules (IPS, NIPS, AB, and FW). Retest and determine whether the issue occurs.
- Disable IPS and stop the Host Intrusion Prevention agent service. Then retest and determine whether the issue occurs.
- If the issue did not occur, see article KB66899. Make sure that you have enabled the option to allow unsupported protocols. (Even if FW is disabled, traffic can still be dropped because Host Intrusion Prevention is active.) Retest with this option set.
- If that does not resolve the issue, uninstall the McAfee NDIS Intermediate Filter Miniport adapter, and retest to verify whether the issue occurs.
If the issue occurs with only the IPS module enabled, and no
- Identify the executables associated with the application.
- Exclude the executables from protection in the Host IPS Application Protection List.
- Repeat the test for application functionality. Note the results.
- Re-include the executables for protection in the Host IPS Application Protection List.
- Isolate the IPS engine that might be causing the issue. For details, see KB54960.
- Identify the IPS engine that causes the issue.
- Disable Signature 432.
- Continue to Gathering additional data.
Gathering additional data
If a running third-party process terminates with an exception or memory reference error when Host Intrusion Prevention IPS is enabled, do the following:
- Make sure that full Host Intrusion Prevention logging is enabled during all data collection.
- Install the Microsoft Debug Diagnostic Tool on the client. See: http://www.microsoft.com/downloadS/details.aspx?FamilyID=28bd5941-c458-46f1-b24d-f60151d875a3&displaylang=en
- Configure the Debug Diagnostic Tool to monitor the terminating processes:
  - Click Add Rule and then click Next.
  - For the rule type, select Crash, and then click Next.
  - Select A specific process, highlight the running process that you need to monitor, and click Next.
  - Under Advanced Configuration, select None for Action type for unconfigured first chance exceptions and then click Next.
  - Select a rule name and dump location.
  - Activate the rule and click Finish.
NOTE: The Debug Diagnostic tool now creates user mode process dumps for the processes associated with the third-party application when the process termination occurs.
- Obtain another userdump for the McAfee FireSvc.exe process. Do this using Debug Diagnostics:
  - Open the Debug Diagnostic Tool user interface.
  - Click the Processes tab.
  - Right-click FireSvc.exe.
  - Select Create Full Userdump to create a process dump.
- Run the McAfee WebMER information tool on the client and collect system information and logs. For detailed information about the WebMER tool, see KB59385.
- Open a support ticket with the third-party vendor for analysis of their process dumps. The vendor can add advanced information about why their process is impaired.
- Send all user dumps and Host Intrusion Prevention WebMER results to Technical Support. Include the vendor analysis.
NOTE: If the application is an IExplore.exe or Outlook.exe plug-in, obtain user mode process dumps for each of these processes.
If a running third-party process stops responding or generates high sustained CPU at some point during start or after start when Host Intrusion Prevention IPS is enabled, do the following:
- Make sure that full Host Intrusion Prevention logging is enabled during all data collection.
- Install the Microsoft Debug Diagnostic Tool on the client. See: http://www.microsoft.com/downloadS/details.aspx?FamilyID=28bd5941-c458-46f1-b24d-f60151d875a3&displaylang=en
- On the client, enable the CrashOnCtrlScroll keyboard dump configuration. Follow the instructions for a PS/2 keyboard. See: http://support.microsoft.com/kb/Q244139
- Restart the client to reproduce the process issue.
- While the process stops responding, generate a userdump using the Debug Diagnostic Tool:
  - Open the Debug Diagnostic Tool user interface.
  - Click the Processes tab.
  - Right-click the process that has stopped responding.
  - Select Create Full Userdump to create a process dump.
- Repeat the process to obtain a userdump for the FireSvc.exe process.
- While the process is still unresponsive, generate a full memory dump of the system using the keyboard.
- After the dump completes, restart the client in safe mode to disable the Host Intrusion Prevention service.
- Restart the computer again to save the memory dump file that was generated. A full kernel dump is listed as memory.dmp in the root drive.
NOTE: Compress the memory dump before uploading to McAfee.
- Run the McAfee WebMER information tool on the client and collect system information and logs. For detailed information about the WebMER tool, see KB59385.
- Open a support ticket with the third-party vendor for analysis of their process dumps. The vendor can add advanced information about why their process is impaired.
- Send all user dumps and Host Intrusion Prevention WebMER results to Technical Support, with the vendor analysis.
If the entire client computer stops responding during or after startup and Debug Diagnostics does not generate process dumps, do the following:
- On the client, enable the CrashOnCtrlScroll keyboard dump configuration. Follow the instructions for a PS/2 keyboard. See: http://support.microsoft.com/kb/Q244139
- Restart the client and generate a kernel dump when the client stops responding.
- After the dump completes, restart the client in Safe Mode to disable the Host Intrusion Prevention service.
- Restart the computer again to save the memory dump file that was generated. A full kernel dump is seen as memory.dmp in the root drive.
NOTE: Compress the memory dump before uploading to McAfee.
- Run the McAfee WebMER information tool on the client and collect system information and logs. For detailed information about the WebMER tool, see KB59385.
- Open a support ticket with the third-party vendor for analysis of their process dumps. The vendor can add advanced information about why their process is impaired.
- Send all dumps and Host Intrusion Prevention WebMER results to Technical Support, with the vendor analysis.
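The keyboard-initiated crash dump step appears in both the "process stops responding" procedure and the "entire client computer stops responding" procedure above. The following PowerShell is an added example, not part of the McAfee article: it sets the CrashOnCtrlScroll value that Microsoft KB244139 describes (hold the right CTRL key and press SCROLL LOCK twice after a reboot) and then reports whether the client is configured to write a complete memory dump, which is what the dump-collection steps above need. It goes slightly beyond the article by also setting the equivalent value for USB keyboards (the kbdhid driver), which Microsoft documents alongside the PS/2 i8042prt value. Run it in an elevated session and reboot afterwards, because the keyboard drivers read the value only at startup.

```powershell
# Added example, not from the McAfee article. Enables the keyboard-initiated crash dump
# (CrashOnCtrlScroll, see Microsoft KB244139) and checks the system crash-dump settings
# so that a complete memory.dmp is produced when the hang is reproduced.
# Requires an elevated session; the keyboard drivers read the value only at startup, so reboot afterwards.

$keyboardKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters',  # PS/2 keyboards (the case the article describes)
    'HKLM:\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters'     # USB keyboards (documented by Microsoft alongside i8042prt)
)
$crashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

# 1. Enable the keyboard trigger. Create the Parameters key if the driver has not created it yet.
foreach ($key in $keyboardKeys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'CrashOnCtrlScroll' -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host ("CrashOnCtrlScroll = {0}  ({1})" -f (Get-ItemProperty -Path $key).CrashOnCtrlScroll, $key)
}

# 2. Report the configured dump type. CrashDumpEnabled: 0 = none, 1 = complete memory dump,
#    2 = kernel dump, 3 = small memory dump (minidump), 7 = automatic memory dump.
$cc = Get-ItemProperty -Path $crashControl
$dumpType = switch ($cc.CrashDumpEnabled) {
    0 { 'None' }
    1 { 'Complete memory dump' }
    2 { 'Kernel memory dump' }
    3 { 'Small memory dump' }
    7 { 'Automatic memory dump' }
    default { "Unknown ($($cc.CrashDumpEnabled))" }
}
Write-Host "Dump type     : $dumpType"
Write-Host "Dump file     : $($cc.DumpFile)"   # usually %SystemRoot%\MEMORY.DMP, the memory.dmp the article refers to

# 3. A complete dump needs a page file on the system drive at least as large as physical RAM.
$ramGB = [math]::Round((Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory / 1GB, 1)
Write-Host "Physical RAM  : $ramGB GB (the system-drive page file must be at least this large for a complete dump)"

if ($cc.CrashDumpEnabled -ne 1) {
    Write-Warning 'CrashDumpEnabled is not 1 (complete memory dump). Set it in System Properties > Startup and Recovery, then reboot before reproducing the hang.'
}
```

After the reboot, reproduce the hang, trigger the dump from the keyboard, and follow the Safe Mode and restart steps above so the memory.dmp is written before the Host Intrusion Prevention service starts again.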