Event ID 514/516/519, Warning, Process **\VSTSKMGR.EXE pid (XXXX) contains signed but untrusted code (Troubleshooting)
Technical Articles ID:   KB71083
Last Modified:  1/8/2016


Environment

McAfee VirusScan Enterprise (VSE) 8.8 Patch 1
McAfee VirusScan Enterprise 8.7i with Patch 5 (repost)
McAfee Agent 4.5 and later

For VirusScan Enterprise supported environments, see KB51111.

Summary

IMPORTANT: Event IDs 514/516/519 do not indicate an issue with the VirusScan Enterprise (VSE) product; they relate to a new VSE security feature.

Event 516 occurs for legitimate reasons to raise awareness for the Administrator that McAfee code may be compromised. When a process has been permitted to run foreign code from within the address space of a McAfee process, some Access Protection rules may be circumvented because most Access Protection rules trust McAfee processes. Many third-party applications use this technique to provide valuable functionality to an organization. However, these Event IDs can also indicate that the system is infected with root-kit-like malware or that you are running an intrusive third-party application.

VSE generates this event when one of the following occurs:

  • One or more DLL files loaded by the mentioned process are from a third-party vendor (not Intel Security or Microsoft) and contain untrusted code.
  • The DLL files loaded by the mentioned process are from Microsoft (which are expected to be trusted), but the trust validation routine returns a failure.
  • The McAfee Agent loads certain DLL files which do not contain the necessary McAfee signature required for inspection by VSE 8.8.

Problem

The Windows System Event log reports multiple entries for Event ID 514/516/519. Entries similar to the following are recorded in the Windows System Event log:
Event Type: Warning
Event Source: mfehidk
Event Category: (256)
Event ID: 514
Description:
Process C:\Program Files\McAfee\VirusScan Enterprise\ pid (###) contained unsigned or corrupted code and was blocked from performing a privileged operation with a McAfee driver

Event Type: Warning
Event Source: mfehidk
Event Category: (256)
Event ID: 516
Description:
Process **\VSTSKMGR.EXE pid (XXXX) contains signed but untrusted code, but was allowed to perform a privileged operation with a McAfee driver

Event Type: Warning
Event Source: mfehidk
Event Category: (256)
Event ID: 519
Description:
Process **\VSTSKMGR.EXE pid (####) could not be successfully validated with the mfevtp service and was blocked from performing a privileged operation with a McAfee driver

On some systems, an event is logged every few minutes, which can cause the System Event log to become very large over a short period of time.

No other symptoms are reported on the client.

IMPORTANT: VSE functionality and performance are not impacted. Events 514/516/519 do not indicate an issue with the VirusScan Enterprise (VSE) product; they relate to a new VSE security feature.

System Change

Installed VirusScan Enterprise (VSE) 8.8 or VSE 8.8 Patch 1.

Cause

VSE generates this event when one or more DLL files loaded by the mentioned process are from a third-party vendor (not Intel Security or Microsoft) and contain untrusted code. This can occur in the scenarios below. Intel Security strongly recommends that you investigate any reports of this issue to determine the specific cause.

Current scenarios:
  • Third-party application (hook)
    Occurs when third-party applications hook or inject their code into McAfee processes to provide functionality. Malware also uses such a technique. Intel Security does not trust these third-party programs (or malware for that matter) and generates the event to inform the administrator that the McAfee process may be compromised.

  • McAfee Agent
    Occurs when the McAfee Agent loads certain DLL files. These libraries (cryptocme2.dll or ccme_base.dll) do not contain a necessary McAfee signature required for inspection by VSE 8.8. This scenario is solved in newer releases of the McAfee Agent.

  • Microsoft Certificate Stores need updating
    The issue can be caused by Microsoft DLL files, which are expected to be trusted, but the trust validation routine returns a failure. This occurs when there is no corresponding or valid certificate for the file (this has been seen with MSI.dll from the MSI Installer 4.5.6001.22159).

The event should not cause Event Logs to be filled and disk space to be depleted. That is not the intent of the message. Engineering has identified a problem in the McAfee process VSTSKMGR.EXE that causes it to create an excessive number of event entries in the System Event Log.

Events 514/516/519 occur for legitimate reasons to raise awareness for the Administrator that McAfee code may be compromised. When a process has been permitted to run foreign code from within the address space of a McAfee process, some Access Protection rules may be circumvented because most Access Protection rules trust McAfee processes. Many third-party applications use this technique to provide valuable functionality to an organization. However, these Event IDs can also indicate that the system is infected with root-kit-like malware or that you are running an intrusive third-party application.
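
To support the investigation recommended above, the following added example (not McAfee code) parses exported System Event log text in the record layout shown under Problem, keeps only mfehidk events 514/516/519, and ranks processes so that Event 516, the one case where the privileged operation was allowed, sorts first. The sample records, the pid values, the source name OtherSource and the process name `**\EXAMPLE.EXE` are constructed for illustration.

```python
import re
from collections import Counter

# Outcome per event ID, taken from the Description wording in the article.
ACTION = {514: "blocked", 516: "allowed", 519: "blocked"}

# One record in the layout shown under Problem; only source mfehidk matches.
RECORD = re.compile(
    r"Event Source:\s*mfehidk\s+Event Category:[^\n]*\s+"
    r"Event ID:\s*(?P<id>\d+)\s+Description:\s*"
    r"Process\s+(?P<proc>.+?)\s+pid\s+\((?P<pid>[^)]*)\)"
)

def parse_events(text):
    """Return mfehidk 514/516/519 records found in exported event text."""
    events = []
    for m in RECORD.finditer(text):
        eid = int(m.group("id"))
        if eid in ACTION:
            events.append({"id": eid, "process": m.group("proc"),
                           "pid": m.group("pid"), "action": ACTION[eid]})
    return events

def triage(events):
    """Count per (process, event ID); 'allowed' rows first, then by volume."""
    counts = Counter((e["process"].upper(), e["id"]) for e in events)
    rows = [(proc, eid, ACTION[eid], n) for (proc, eid), n in counts.items()]
    return sorted(rows, key=lambda r: (r[2] != "allowed", -r[3], r[0]))

# Constructed sample export (not real log data) in the article's layout.
_REC = ("Event Type: Warning\nEvent Source: {0}\nEvent Category: (256)\n"
        "Event ID: {1}\nDescription:\nProcess {2} pid ({3}) {4}\n\n")
SAMPLE = "".join(_REC.format(*r) for r in [
    ("mfehidk", 516, r"**\VSTSKMGR.EXE", 1204, "contains signed but untrusted code"),
    ("mfehidk", 516, r"**\VSTSKMGR.EXE", 1204, "contains signed but untrusted code"),
    ("mfehidk", 519, r"**\VSTSKMGR.EXE", 1204, "could not be successfully validated"),
    ("mfehidk", 514, r"**\EXAMPLE.EXE", 3380, "contained unsigned or corrupted code"),
    ("OtherSource", 516, r"**\EXAMPLE.EXE", 3380, "unrelated record, ignored"),
])

if __name__ == "__main__":
    for proc, eid, action, n in triage(parse_events(SAMPLE)):
        print(f"{n:>3}  Event {eid} ({action})  {proc}")
```
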

Solution

This issue is resolved in the VSE 8.8 Patch 2 release, which is available from the Product Downloads site.

Patches are cumulative; Intel Security recommends that you install the latest one.

VSE 8.8 Patch 8 is the latest patch available from the Downloads tab of the ServicePortal at https://support.mcafee.com/downloads.
 
NOTE: VSE 8.8 Patch 8 provides support for all supported Windows operating systems.


McAfee product software, upgrades, maintenance releases, and documentation are available from the Product Downloads site at: http://www.mcafee.com/us/downloads/downloads.aspx.

NOTE: You will need a valid Grant Number for access. KB56057 provides additional information about the Product Downloads site, as well as alternate locations for some products.

Solution

To address this in a logical order, work through the following articles in the order provided by the product experts.
  • To resolve the McAfee Agent 4.5 issue that loads certain DLL files which are expected to be trusted, follow the advice provided in KB74177.
  • To resolve the issue when third-party applications hook or inject their code into McAfee processes to provide functionality, follow the advice provided in KB74176.
  • To resolve the issue where Microsoft DLL files are expected to be trusted, but the trust validation routine returns a failure, follow the advice provided in KB74174.
