"MSI.DLL" DLL not signed (Event ID 514/516/519)

Technical Articles ID: KB74174
Last Modified: 5/21/2020

Environment

McAfee VirusScan Enterprise (VSE) 8.8 with or without Patch 1

Summary

This article is one of several articles that cover the Event IDs 514, 516, and 519 that VSE generates. Each article covers a different cause and includes a different solution.

IMPORTANT: Event IDs 514, 516, and 519 do not indicate an issue with VSE; they relate to a new VSE security feature.

Event IDs 514, 516, and 519 occur for legitimate reasons to raise awareness for the Administrator that VSE code might be compromised. When a process is permitted to run foreign code from within the address space of a VSE process, some Access Protection rules might be circumvented because most Access Protection rules trust McAfee processes. Many third-party applications use this technique to provide valuable functionality to an organization. But, these Event IDs can also indicate that the system is infected with root-kit-like malware or that you are running an intrusive third-party application.

VSE generates these events when one of the following occurs:

One or more DLL files loaded by the mentioned process are from a third-party vendor, not McAfee or Microsoft, and contain untrusted code.
The DLL files loaded by the mentioned process are from Microsoft, and expected to be trusted, but the trust validation routine returns a failure.
The McAfee Agent loads certain DLL files that do not contain the needed signature needed for inspection by VSE 8.8.

This article addresses the issue caused by Microsoft DLL files.

Problem

The Windows System Event log reports multiple entries for Event ID 514, 516, or 519. The Windows System Event log records entries similar to the following:

Event Type: Warning
Event Source: mfehidk
Event Category: (256)
Event ID: 514
Description:
Process C:\Program Files\McAfee\VirusScan Enterprise\ pid (###) contained unsigned or corrupted code and was blocked from performing a privileged operation with a McAfee driver

Event Type: Warning
Event Source: mfehidk
Event Category: (256)
Event ID: 516
Description:
Process **\VSTSKMGR.EXE pid (XXXX) contains signed but untrusted code, but was allowed to perform a privileged operation with a McAfee driver

Event Type: Warning
Event Source: mfehidk
Event Category: (256)
Event ID: 519
Description:
Process **\VSTSKMGR.EXE pid (####) could not be successfully validated with the mfevtp service and was blocked from performing a privileged operation with a McAfee driver

On some systems, the event is logged every few minutes.

No other symptoms are reported on the client.

IMPORTANT: VSE functionality and performance are not impacted.

System Change

Installed VSE 8.8.

Cause

Microsoft DLL files cause this issue when the trust validation routine returns a failure. This failure occurs when there is no corresponding or valid certificate for the file. For example, this failure has been seen with MSI.dll from the MSI Installer 4.5.6001.22159.

Solution

To resolve this issue:

Identification - troubleshoot
This step is necessary to identify other possible causes and to provide the solutions.

Know why the event occurs for your environment - it could be malware.
1. Review the Event ID to determine which process is involved. Most commonly, the process is VSTSKMGR.EXE as described in the Problem section. Other process names include MCSHIELD.EXE and SVCHOST.EXE.
2. Identify the individual DLLs and owning applications for files that load themselves into that process.
  1. Download Microsoft Process Explorer from http://technet.microsoft.com/en-us/sysinternals/bb896653.
  2. Run the Process Explorer tool procexp.exe on the computer where you see the event 516.
  3. From the Process Explorer main menu, click Options and select Verify Image Signatures.
  4. From the main menu, click View and select Show Lower Pane.
  5. Click View, Lower Pane View, and select DLLs.
  6. Click View, Select Columns.
  7. In the new window click the DLL tab, select Verified Signer, and then click OK.
  8. In the upper pane, expand wininit.exe, services, scroll down, and then select VsTskMgr.exe.
    
    The lower pane now shows all DLLs that are loaded for the VsTskMgr.exe process.
  9. In the lower pane, click the Verified Signer column to organize the DLLs. This option allows any unsigned DLLs to be grouped as Unable to Verify.
  10. Inspect the list of DLLs for non-McAfee and non-Microsoft files. Ignore the file WscAv.dll, which is also a McAfee file.
  11. If you do not see the untrusted third-party application's DLLs, click File, Save, and save the file as a text file. Provide the text file to Technical Support for assistance. For contact details, see the Related information section of this article.
Resolve the Microsoft DLL problem
When you identify the involved Microsoft DLL, you have to update the Microsoft Certificate Stores:

To address this issue for MSI.DLL (v4.5), see Microsoft Knowledge Base article http://support.microsoft.com/kb/972397.

In addition to the files listed, the related fix also installs an associated security catalog file (KBnumber.cat) that is signed with a Microsoft digital signature.

For more technical information about how Windows updates root certificates in Windows XP SP2 and SP3, see the Microsoft TechNet article at: http://technet.microsoft.com/en-us/library/bb457160.aspx.

For detailed technical information about how Windows updates root certificates in Windows Vista and later, see the Microsoft TechNet article at: http://technet.microsoft.com/en-us/library/cc749331(WS.10).aspx.
Reduce the number of events recorded in the Windows System event log
This issue is resolved VSE 8.8 Patch 2, which is available from the Product Downloads site using a valid Grant Number.

Patches are cumulative. Technical Support recommends that you install the latest one.

VSE 8.8 Patch 14 is the latest patch available from the Downloads tab on the ServicePortal at https://support.mcafee.com/downloads.

NOTE: VSE 8.8 Patch 14 supports all supported Windows operating systems.

McAfee product software, upgrades, maintenance releases, and documentation are available from the Product Downloads site at: http://www.mcafee.com/us/downloads/downloads.aspx.

NOTE: You need a valid Grant Number for access. KB56057 provides additional information about the Product Downloads site, and alternate locations for some products.

NOTE: This behavior was initially resolved with VSE 8.8 Patch 1 Hotfix 735512.The hotfix has been removed because of the release of VSE 8.8 Patch 2.

Related Information

NOTE: Content from unpublished KB73354 and KB74294 has been incorporated into this article.

Product Enhancement Request
If you require any of the following functionalities, use the Product Enhancement Request (PER) process:

Ability to switch exclude/ignore unsigned files on or off
Ability to exclude/ignore unsigned selected files (and still be warned about others)
Need for more information in events, such as file name and location
Ability to manage trust of third-party applications via the User Interface

If you require a change to product functionality, submit a new product idea at:

https://community.mcafee.com/t5/Enterprise-Product-Ideas/idb-p/business-ideas

The Ideas forum is accessible only to McAfee business and enterprise customers. Click Sign In and enter your McAfee ServicePortal (https://support.mcafee.com) User ID and password. If you do not yet have a McAfee ServicePortal or McAfee Community account, click Register to register for a new account on either website.

For more information about product ideas, see KB60021.

NOTE: The Ideas forum replaces the previous Product Enhancement Request system.

To contact Technical Support, log on to the ServicePortal and go to the Create a Service Request page at https://support.mcafee.com/ServicePortal/faces/serviceRequests/createSR:

If you are a registered user, type your User Id and Password, and then click Log In.
If you are not a registered user, click Register and complete the required fields. Your password and logon instructions will be emailed to you.

Affected Products

Known Issue/Product Defect
VirusScan Enterprise 8.8

Languages:

This article is available in the following languages:

German
English United States
Spanish Spain
French
Italian
Japanese
Korean
Dutch
Portuguese Brasileiro
Chinese Simplified
Chinese Traditional

Glossary of Technical Terms

Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.

"MSI.DLL" DLL not signed (Event ID 514/516/519)

Environment

Summary

Problem

System Change

Cause

Solution

Related Information

Affected Products

Languages:

Glossary of Technical Terms

Title

Title

Featured Solutions

Explore Our Portfolio

Security Outcomes

Industries

Products

Featured Solutions

Explore Our Portfolio

MVISION Products

Services & Training

Threat Research

Our Researchers

Threat Landscape Dashboard

Tools

Contact Us

Resources

Downloads

Product Help

Connect with Us

Explore

Our Company

Our Efforts

Other Resources

Careers

Partnerships

"MSI.DLL" DLL not signed (Event ID 514/516/519)

Environment

Summary

Problem

System Change

Cause

Solution

Related Information

Affected Products

Languages:

Glossary of Technical Terms

Choose your region

Title

Title