The application or DLL [...] is not a valid Windows image
Technical Articles ID:  KB73521
Last Modified:  04/07/2014


Environment

McAfee VirusScan Enterprise (VSE) 8.8 Patch 1 or later
McAfee VirusScan Enterprise 8.7i Patch 5

For product supported environments, see KB51111.

Problem 1

If you run an On-Demand Scan (ODS), a right-click scan, or open the VSE console, you see a bad image message similar to one of the following:

The application or DLL C:\WINDOWS\system32\msi.dll is not a valid Windows image. Please check this against your installation diskette

The application or DLL C:\Windows\system32\sxwmon32.dll is not a valid Windows image. Please check this against your installation diskette

The application or DLL C:\Windows\system32\AMInit.dll is not a valid Windows image. Please check this against your installation diskette

The application or DLL C:\Windows\system32\Vsxwmon32.dll is not a valid Windows image. Please check this against your installation diskette
 
The process name listed can include the following:
  • scan32.exe
  • scan64.exe
  • scncfg32.exe
  • mcshield.exe
  • myAgtSvc.exe
NOTES:
  • This issue applies only to 8.7i Patch 5 and VSE 8.8 Patch 1 and later.
  • This is the standard Windows dialog indicating that a third-party DLL is not a valid Windows image. Different executables and DLL files can be affected. This is an example message only.
  • The error has no consequences for the ODS. After you click OK, you see the usual ODS dialog as expected.

Problem 2

After installing VSE 8.8 Patch 1, you cannot start an ODS from the VSE console.

Generally, you do not see a popup message, but sometimes you see the following error:

Required DAT is missing or corrupted

If you disable Access Protection (AP), you can run the ODS without any problem.

Sometimes when you run an ODS with AP enabled, you see the following event reported in the event log:

Event ID: 514
Description: Process **\MCSHIELD.EXE pid (1560) contained unsigned or corrupted code and was blocked from performing a privileged operation with a McAfee driver.

System Change

Updated to VSE 8.7i Patch 5, or 8.8 Patch 1.

Cause

A new AP rule was introduced with VSE 8.7i Patch 5 and 8.8 Patch 1. This rule, Prevent hooking of McAfee processes, is enabled by default. To improve security, it blocks the injection into McAfee processes of any DLL that is unsigned, or that is signed with a certificate from a vendor other than Microsoft or McAfee.

If this issue is caused by Microsoft DLL files that are expected to be trusted, you have to update the Microsoft Certificate Store. This occurs when there is no corresponding or valid certificate for the file.

If the error is a result of another vendor's signed DLL and you trust the injection into the protected process, the certificate needs to be added to the McAfee Trust Certificate Store.

Depending on the DLL injection method used by your third-party application, one of the following applies: 
  • Programmatic DLL injection
    Applications may monitor when new processes are started, and invoke code that tries to inject a DLL into the address space of the new process. When that process is one of the McAfee protected processes and the Access Protection rule Prevent hooking of McAfee processes is enabled, the DLL injection attempt fails. It is blocked by the AP rule. 
  • AppInit_DLLs
    Applications might use a Windows DLL hooking method that leverages the registry value AppInit_DLLs to ensure processes load the specified DLL file(s) into their address space. For more information on AppInit_DLLs, see the Microsoft KnowledgeBase article at http://support.microsoft.com/kb/197571.

    You can verify if you have such an application installed by inspecting the contents of the registry value:

    x86 (32-bit) systems
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs 

    x64 (64-bit) systems
    HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs 

    NOTE: 64-bit systems contain both registry locations.
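The registry check described above can be scripted. The following PowerShell is an added example, not part of the original article or of any McAfee tool: it reads AppInit_DLLs from both registry locations and reports the Authenticode status and signer of each listed DLL. It assumes PowerShell 3.0 or later run from a 64-bit prompt; the ReviewNeeded column and its signer-name match are illustrative heuristics, not the logic VSE uses.

```powershell
# Added example: read-only audit of AppInit_DLLs entries and their signatures.
# Run from a 64-bit PowerShell prompt so both registry views are visible.
$views = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
       Dir = Join-Path $env:windir 'System32' },
    @{ Key = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
       Dir = Join-Path $env:windir 'SysWOW64' }
)

$results = foreach ($view in $views) {
    # The Wow6432Node key does not exist on 32-bit systems
    if (-not (Test-Path -LiteralPath $view.Key)) { continue }

    $props = Get-ItemProperty -LiteralPath $view.Key
    # AppInit_DLLs is a space- or comma-delimited list of DLL names
    $names = ([string]$props.AppInit_DLLs) -split '[ ,]+' | Where-Object { $_ }

    foreach ($name in $names) {
        # Assumption: a bare file name resolves to this view's system directory
        $path = if ([IO.Path]::IsPathRooted($name)) { $name }
                else { Join-Path $view.Dir $name }

        $status = 'FileNotFound'
        $signer = $null
        if (Test-Path -LiteralPath $path) {
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $status = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        [pscustomobject]@{
            RegistryKey     = $view.Key
            Dll             = $path
            # LoadAppInit_DLLs is absent on older Windows versions (shows empty)
            LoadEnabled     = $props.LoadAppInit_DLLs
            SignatureStatus = $status
            Signer          = $signer
            # Heuristic: flag anything not validly signed by Microsoft or McAfee.
            # Certificates added to the McAfee Trust Certificate Store are not considered.
            ReviewNeeded    = ($status -ne 'Valid') -or
                              ($signer -notmatch 'O=(Microsoft|McAfee)')
        }
    }
}

$results | Format-List
```

Empty output means no AppInit_DLLs entries are configured. On older PowerShell versions, files signed only through a security catalog can report NotSigned, so confirm such results with sigcheck.exe as described in Solution 3.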

Solution 1

Use this solution if the Microsoft Certificate Store requires updating.

To address the issue regarding MSI.DLL (a Microsoft component), see the Microsoft KnowledgeBase article at http://support.microsoft.com/kb/972397.

NOTE: 
This hotfix is for Windows Installer 4.5. If you have Windows Installer 3.5, you must first upgrade to version 4.5, and then apply the hotfix.
If you have already applied the Microsoft hotfix, run the System File Checker. Type the following command and press ENTER:

sfc /scannow

For more information on using the System File Checker, see the Microsoft KnowledgeBase article at http://support.microsoft.com/kb/310747.
In addition to the files listed, this fix also installs an associated security catalog file (KBnumber.cat) that is signed with a Microsoft digital signature.

For additional technical information about how Windows updates root certificates in Windows XP SP2 and SP3, see the Microsoft TechNet article at http://technet.microsoft.com/en-us/library/bb457160.aspx.

For detailed technical information about how Windows updates root certificates in Windows Vista and later, see the Microsoft TechNet article at http://technet.microsoft.com/en-us/library/cc749331(WS.10).aspx.

NOTE: For more advanced users, there are other methods to update the certificate store:

Solution 2

To avoid the bad DLL message, you need to import a copy of the digital certificate for the third-party product into the McAfee Trust Certificate Store:
  1. Contact McAfee Technical Support.

    For contact details:

    Alternatively:
    Log in to the ServicePortal at https://support.mcafee.com:
    • If you are a registered user, type your User Id and Password, and click OK.
    • If you are not a registered user, click Register and complete the required fields. Your password and login instructions will be emailed to you.
  2. Provide the .cer file you want to add to McAfee Support.
    The .cer certificate file is obtained from the DLL that is affected. If the file does not have a digital certificate, there is no option for avoiding the pop-up window.
     
  3. Run the executable provided by McAfee Support.
    The package uses SuperDAT technology. Therefore, you can run it on individual systems or add it to an ePolicy Orchestrator repository.
     
  4. Clear the VSE 8.8 scan cache if needed. See KB71905 for best practices.
  5. Restart your computer for the certificate store changes to take effect.
NOTES:
  • CAUTION: This article contains information about opening or modifying the registry.
    • The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.
    • Before proceeding, McAfee strongly recommends backing up your registry and understanding the restore process. For more information, see: http://support.microsoft.com/kb/256986.
    • Do not run a .REG file that is not confirmed to be a genuine registry import file.
  • To disable Citrix API Hooks on a per-application basis, follow the instructions in the Citrix Document ID CTX107825: http://support.citrix.com/article/CTX107825.
     
  • If you have installed software from Lumension Security, the following two registry entries are also required:

    Location:
    HKLM\System\CurrentControlSet\services\sk\Parameters

    64-bit systems
    Type       Value Name                                                         Value Data
    REG_DWORD  c:\Program files (x86)\McAfee\VirusScan Enterprise\Scan32.exe      0
    REG_DWORD  c:\Program files (x86)\McAfee\VirusScan Enterprise\x64\Scan64.exe  0

    32-bit systems
    Type       Value Name                                                         Value Data
    REG_DWORD  c:\Program files\McAfee\VirusScan Enterprise\Scan32.exe            0

Solution 3

To help confirm (or eliminate) whether it is a Microsoft file that is untrusted:

  1. Use the Microsoft Sysinternals Process Monitor (procmon.exe) to identify which DLL(s) were denied access from loading. For more information about using this utility, see http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx.
  2. Use Microsoft Sysinternals Signature Checker (sigcheck.exe) to determine if the file has a valid signature. For more information about using this utility, see http://technet.microsoft.com/en-us/sysinternals/bb897441.

    For this problem, use the following command:
    Sigcheck -i -r -h <filename>

If this tool shows the file is invalid or unsigned, McAfee cannot trust it. See Solution 1 for how to proceed.

NOTE: Reports might indicate that a Microsoft-looking file was untrusted and therefore was blocked from loading, but the component loading it was a trusted component. This leads to new symptoms where the Scan32/Scan64 process crashes. In this scenario, the Microsoft-looking file might actually be malware.

Solution 4

Install Patch 4 for VirusScan Enterprise 8.8.

This patch update includes improved logic for tolerating environments that have expired, but valid, digitally signed Microsoft binaries.

McAfee product software, upgrades, maintenance releases, and documentation are available from the McAfee Downloads site at: http://www.mcafee.com/us/downloads/downloads.aspx.

NOTE: You will need a valid Grant Number for access. KB56057 provides additional information about the McAfee Downloads site, as well as alternate locations for some products.


Workaround

CAUTION: Only disable the Common Standard Protection AP rule as a last resort. Because of the evolving nature of malware, McAfee strongly recommends keeping the AP rule enabled. If you disable the rule, you permit foreign code (including malware) to inject its content into critical McAfee processes, which can lead to missed detections and/or a compromised computing environment.

To disable the Common Standard Protection AP rule that prevents McAfee processes from being hooked:
  1. Click Start, Programs, McAfee, VirusScan Console.
  2. Double-click Access Protection.
  3. Select Common Standard Protection.
  4. Deselect both the Block and Report entries for Prevent hooking of McAfee processes (this is enabled by default).
  5. Click OK and exit VirusScan Console.

© 2003-2013 McAfee, Inc.