Event ID 514/516/519, Warning, Process **\VSTSKMGR.EXE pid (XXXX) contains signed but untrusted code (Troubleshooting)
Technical Articles ID: KB71083
Last Modified: 02/12/2014

Environment

McAfee VirusScan Enterprise 8.8
McAfee VirusScan Enterprise 8.7i with Patch 5 (repost)
McAfee Agent 4.5 and later

Summary

IMPORTANT: Event ID 514/516/519 does not indicate an issue with the VirusScan Enterprise (VSE) product; it relates to a new VSE security feature.

Event 516 is logged for a legitimate reason: to alert the administrator that McAfee code may be compromised. When a process has been permitted to run foreign code inside the address space of a McAfee process, some Access Protection rules may be circumvented, because most Access Protection rules trust McAfee processes. Many third-party applications use this technique to provide valuable functionality to an organization. However, these Event IDs can also indicate that the system is infected with rootkit-like malware or that you are running an intrusive third-party application.

VSE generates this event when one of the following occurs:

  • One or more DLL files loaded by the mentioned process are from a third-party vendor (not McAfee or Microsoft) and contain untrusted code.
  • The DLL files loaded by the mentioned process are from Microsoft (which are expected to be trusted), but the trust validation routine returns a failure.
  • The McAfee Agent loads certain DLL files which do not contain the necessary McAfee signature required for inspection by VSE 8.8.

Problem

The Windows System Event log reports multiple entries for Event ID 514/516/519. Entries similar to the following are recorded in the Windows System Event log:

Event Type: Warning
Event Source: mfehidk
Event Category: (256)
Event ID: 514
Description:
Process C:\Program Files\McAfee\VirusScan Enterprise\ pid (###) contained unsigned or corrupted code and was blocked from performing a privileged operation with a McAfee driver

Event Type: Warning
Event Source: mfehidk
Event Category: (256)
Event ID: 516
Description:
Process **\VSTSKMGR.EXE pid (XXXX) contains signed but untrusted code, but was allowed to perform a privileged operation with a McAfee driver

 
Event Type: Warning
Event Source: mfehidk
Event Category: (256)
Event ID: 519
Description:
Process **\VSTSKMGR.EXE pid (####) could not be successfully validated with the mfevtp service and was blocked from performing a privileged operation with a McAfee driver

On some systems the event is logged every few minutes.

No other symptoms are reported on the client.

IMPORTANT: VSE functionality and performance are not impacted.
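
To see which processes are being reported, how often, and whether each operation was blocked or allowed, the entries above can be tallied from an exported System log. The Python below is an added example, not McAfee code; it assumes the log was exported as text in the layout shown above, and the pid and the `OtherSource` record in the sample are constructed.

```python
import re
from collections import Counter

# Outcome and reason per event ID, as worded in the event descriptions above.
EVENT_MEANING = {
    514: ("blocked", "unsigned or corrupted code"),
    516: ("allowed", "signed but untrusted code"),
    519: ("blocked", "not validated with the mfevtp service"),
}
SOURCE_RE = re.compile(r"^Event Source:\s*(\S+)", re.MULTILINE)
ID_RE = re.compile(r"^Event ID:\s*(\d+)", re.MULTILINE)
PROC_RE = re.compile(r"\bProcess\s+(.+?)\s+pid\s+\(([^)]*)\)")

def parse_events(text):
    """Parse exported System log text into mfehidk 514/516/519 records."""
    records = []
    # Each record starts with an "Event Type:" line, as in the entries above.
    for chunk in re.split(r"^Event Type:", text, flags=re.MULTILINE)[1:]:
        source, eid, proc = (r.search(chunk) for r in (SOURCE_RE, ID_RE, PROC_RE))
        if not (source and eid and proc):
            continue  # incomplete record
        if source.group(1).lower() != "mfehidk":
            continue  # other event sources reuse the same ID numbers
        event_id = int(eid.group(1))
        if event_id in EVENT_MEANING:
            outcome, reason = EVENT_MEANING[event_id]
            records.append({"id": event_id, "process": proc.group(1),
                            "pid": proc.group(2), "outcome": outcome, "reason": reason})
    return records

def summarize(records):
    """Count events per (process, pid, id, outcome) so repeated reports stand out."""
    return Counter((r["process"].lower(), r["pid"], r["id"], r["outcome"]) for r in records)

# Constructed sample input: the pid and the "OtherSource" record are made up.
REC = "Event Type: Warning\nEvent Source: {}\nEvent Category: (256)\nEvent ID: {}\nDescription:\n{}\n\n"
PREFIX = r"Process **\VSTSKMGR.EXE pid (1204) "
SAMPLE = (
    REC.format("mfehidk", 516, PREFIX + "contains signed but untrusted code, but was "
               "allowed to perform a privileged operation with a McAfee driver") * 3
    + REC.format("mfehidk", 519, PREFIX + "could not be successfully validated with the "
                 "mfevtp service and was blocked from performing a privileged operation "
                 "with a McAfee driver")
    + REC.format("OtherSource", 516, PREFIX + "unrelated event that reuses the ID")
)

if __name__ == "__main__":
    for (process, pid, event_id, outcome), n in summarize(parse_events(SAMPLE)).most_common():
        print(f"{n:3d}x  ID {event_id} ({outcome})  pid {pid}  {process}")
```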

Cause

VSE generates this event when one or more DLL files loaded by the mentioned process are from a third-party vendor (not McAfee or Microsoft) and contain untrusted code. This can occur in the scenarios below. McAfee strongly recommends that you investigate any reports of this issue to determine the specific cause.

Current scenarios:
  • Third-party application (hook)
    Occurs when third-party applications hook or inject their code into McAfee processes to provide functionality. Malware also uses this technique. McAfee does not trust these third-party programs (or malware, for that matter) and generates the event to inform the administrator that the McAfee process may be compromised.

  • McAfee Agent
    Occurs when the McAfee Agent loads certain DLL files. These libraries (cryptocme2.dll or ccme_base.dll) do not contain the McAfee signature required for inspection by VSE 8.8. This scenario is resolved in newer releases of the McAfee Agent.

  • Microsoft Certificate Stores need updating
    Occurs when Microsoft DLL files, which are expected to be trusted, fail the trust validation routine. This happens when there is no corresponding or valid certificate for the file (this has been seen with MSI.dll from the MSI Installer 4.5.6001.22159).

Solution

To address this in a logical order, work through the following articles in the order given below, as provided by the product experts.
  • To resolve the issue where McAfee Agent 4.5 loads certain DLL files which are expected to be trusted, follow the advice provided in KB74177.
  • To resolve the issue where third-party applications hook or inject their code into McAfee processes to provide functionality, follow the advice provided in KB74176.
  • To resolve the issue where Microsoft DLL files are expected to be trusted, but the trust validation routine returns a failure, follow the advice provided in KB74174.
