Last Modified: 04/07/2014
McAfee VirusScan Enterprise 8.7i Patch 5
For product supported environments, see KB51111.
Generally, you do not see a popup message, but sometimes you see the following error:
The application or DLL C:\Windows\system32\sxwmon32.dll is not a valid Windows image. Please check this against your installation diskette
The application or DLL C:\Windows\system32\AMInit.dll is not a valid Windows image. Please check this against your installation diskette
The application or DLL C:\Windows\system32\Vsxwmon32.dll is not a valid Windows image. Please check this against your installation diskette
- This issue applies only to 8.7i Patch 5 and VSE 8.8 Patch 1 and later.
- This is the standard Windows dialog indicating that a third-party DLL is not a valid Windows image. Different executables and DLL files can be affected. This is an example message only.
- The error has no consequences for the ODS. After you click OK, you see the usual ODS dialog as expected.
If you disable Access Protection (AP), you can run the ODS without any problem.
Sometimes when you run an ODS with AP enabled, you see the following event reported in the event log:
Description: Process **\MCSHIELD.EXE pid (1560) contained unsigned or corrupted code and was blocked from performing a privileged operation with a McAfee driver.
If this issue is caused by Microsoft DLL files that are expected to be trusted, you have to update the Microsoft Certificate Store. This occurs when there is no corresponding or valid certificate for the file.
If the error is a result of another vendor's signed DLL and you trust the injection into the protected process, the certificate needs to be added to the McAfee Trust Certificate Store.
Depending on the DLL injection method used by your third-party application, one of the following applies:
- Programmatic DLL injection
Applications may monitor when new processes are started, and invoke code that tries to inject a DLL into the address space of the new process. When that process is one of the McAfee protected processes and the Access Protection rule Prevent hooking of McAfee processes is enabled, the DLL injection attempt fails. It is blocked by the AP rule.
Applications might use a Windows DLL hooking method that leverages the registry value AppInit_DLLs to ensure processes load the specified DLL file(s) into their address space. For more information on AppInit_DLLs, see the Microsoft KnowledgeBase article at http://support.microsoft.com/kb/197571.
You can verify if you have such an application installed by inspecting the contents of the registry value:
x86 (32-bit) systems
x64 (64-bit) systems
NOTE: 64-bit systems contain both registry locations.
To address the issue regarding MSI.DLL (a Microsoft component), see the Microsoft KnowledgeBase article at http://support.microsoft.com/kb/972397.
NOTE: This hotfix is for Windows Installer 4.5. If you have Windows Installer 3.5, you must first upgrade to version 4.5, and then apply the hotfix.
If you have already applied the Microsoft hotfix, run the System File Checker. Type the following command and press ENTER:
For more information on using the System File Checker, see the Microsoft KnowledgeBase article at http://support.microsoft.com/kb/310747.
In addition to the files listed, this fix also installs an associated security catalog file (KBnumber.cat) that is signed with a Microsoft digital signature.
For additional technical information about how Windows updates root certificates in Windows XP SP2 and SP3, see the Microsoft TechNet article at http://technet.microsoft.com/en-us/library/bb457160.aspx.
For detailed technical information about how Windows updates root certificates in Windows Vista and later, see the Microsoft TechNet article at http://technet.microsoft.com/en-us/library/cc749331(WS.10).aspx.
NOTE: For more advanced users, there are other methods to update the certificate store:
- The Microsoft MMC snap-in. For more information, see http://technet.microsoft.com/en-us/library/cc770355.aspx.
- The Microsoft CERTMGR.exe tool. For more information, see http://msdn.microsoft.com/en-us/library/windows/desktop/aa376553.
- Contact McAfee Technical Support.
For contact details:
- Go to http://www.mcafee.com/us/about/contact-us.aspx#ht=tab-techsupport.
- Non-US customers - select your country from the list of Worldwide Offices.
Alternatively: Log in to the ServicePortal at https://support.mcafee.com:
- If you are a registered user, type your User Id and Password, and click OK.
- If you are not a registered user, click Register and complete the required fields. Your password and login instructions will be emailed to you.
- Provide the .cer file you want to add to McAfee Support.
The .cer certificate file is obtained from the DLL that is affected. If the file does not have a digital certificate, there is no option for avoiding the pop-up window.
- Run the executable provided by McAfee Support.
The package uses SuperDAT technology. Therefore, you can run it on individual systems or add it to an ePolicy Orchestrator repository.
- Clear the VSE 8.8 scan cache if needed. See KB71905 for best practices.
- Restart your computer for the certificate store changes to take effect.
- CAUTION: This article contains information about opening or modifying the registry.
- The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.
- Before proceeding, McAfee strongly recommends backing up your registry and understanding the restore process. For more information, see: http://support.microsoft.com/kb/256986.
- Do not run a .REG file that is not confirmed to be a genuine registry import file.
- To disable Citrix API Hooks on a per-application basis, follow the instructions in the Citrix Document ID CTX10782: http://support.citrix.com/article/CTX107825.
- If you have installed software from Lumension Security, the following two registry entries are also required:
c:\Program files (x86)\McAfee\VirusScan Enterprise\Scan32.exe
c:\Program files (x86)\McAfee\VirusScan Enterprise\x64\Scan64.exe
c:\Program files\McAfee\VirusScan Enterprise\Scan32.exe
- Use the Microsoft Sysinternals Process Monitor (procmon.exe) to identify which DLL(s) were denied access from loading. For more information about using this utility, see http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx.
- Use Microsoft Sysinternals Signature Checker (sigcheck.exe) to determine if the file has a valid signature. For more information about using this utility, see http://technet.microsoft.com/en-us/sysinternals/bb897441.
For this problem, use the following command:
If this tool shows the file is invalid or unsigned, McAfee cannot trust it. See Solution 1 for how to proceed.
NOTE: Reports might indicate that a Microsoft-looking file was untrusted and therefore was blocked from loading, but the component loading it was a trusted component. This leads to new symptoms where the Scan32/Scan64 process crashes. In this scenario, the Microsoft-looking file might actually be malware.
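One way to combine the AppInit_DLLs inspection and the signature check described above in PowerShell, as an added example that is not part of the original McAfee article. It uses the built-in Get-AuthenticodeSignature cmdlet instead of sigcheck.exe, and assumes the standard Windows AppInit_DLLs registry locations and a 64-bit PowerShell 3.0 or later session; the function name Get-AppInitDllReport is hypothetical.

```powershell
# Added example: list every DLL named in AppInit_DLLs and report its signature state.
# Assumptions: standard Windows registry locations (not quoted on this page),
# 64-bit PowerShell 3.0+ so that registry and System32 paths are not redirected.
$locations = [ordered]@{
    'Native' = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    'WOW64'  = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
}

function Get-AppInitDllReport {
    foreach ($view in $locations.Keys) {
        $key = $locations[$view]
        if (-not (Test-Path $key)) { continue }          # Wow6432Node is absent on x86
        $props = Get-ItemProperty -Path $key
        $raw   = [string]$props.AppInit_DLLs
        if ([string]::IsNullOrWhiteSpace($raw)) { continue }

        # Bare file names are resolved against the system directory of that view.
        $sysDir = if ($view -eq 'WOW64') { "$env:windir\SysWOW64" } else { "$env:windir\System32" }

        # The value is a space- or comma-delimited list of DLLs.
        foreach ($entry in ($raw -split '[ ,]+' | Where-Object { $_ })) {
            $path = if (Split-Path $entry -IsAbsolute) { $entry } else { Join-Path $sysDir $entry }
            $sig  = if (Test-Path -LiteralPath $path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
            $cert = if ($sig) { $sig.SignerCertificate } else { $null }

            [pscustomobject]@{
                View         = $view
                LoadEnabled  = $props.LoadAppInit_DLLs     # empty when the value does not exist
                Entry        = $entry
                Path         = $path
                Status       = if ($sig) { [string]$sig.Status } else { 'FileNotFound' }
                Signer       = if ($cert) { $cert.Subject } else { $null }
                CertNotAfter = if ($cert) { $cert.NotAfter } else { $null }
            }
        }
    }
}

# Full listing, then only the entries a signature-enforcing product would refuse to trust.
$report = @(Get-AppInitDllReport)
$report | Format-Table View, Entry, Status, Signer, CertNotAfter -AutoSize
$report | Where-Object { $_.Status -ne 'Valid' } | Format-List
```

Get-AuthenticodeSignature on older Windows and PowerShell versions evaluates only embedded signatures, so a catalog-signed system file can show as NotSigned there; confirm such results with sigcheck.exe before treating the file as untrusted.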
This patch update includes improved logic for tolerating environments that have expired, but valid, digitally signed Microsoft binaries.
McAfee product software, upgrades, maintenance releases, and documentation are available from the McAfee Downloads site at: http://www.mcafee.com/us/downloads/downloads.aspx.
NOTE: You will need a valid Grant Number for access. KB56057 provides additional information about the McAfee Downloads site, as well as alternate locations for some products.
To disable the Common Standard Protection AP rule that prevents McAfee processes from being hooked:
- Click Start, Programs, McAfee, VirusScan Console.
- Double-click Access Protection.
- Select Common Standard Protection.
- Deselect both the Block and Report entries for Prevent hooking of McAfee processes (this is enabled by default).
- Click OK and exit VirusScan Console.