This article is one of several articles that cover the Event IDs 514, 516, and 519 that VSE generates. Each article covers a different cause and includes a different solution.
IMPORTANT: Event IDs 514, 516, and 519 do not indicate an issue with VSE; they relate to a new VSE security feature.
Event IDs 514, 516, and 519 occur for legitimate reasons to raise awareness for the Administrator that VSE code might be compromised. When a process is permitted to run foreign code from within the address space of a VSE process, some Access Protection rules might be circumvented because most Access Protection rules trust McAfee processes. Many third-party applications use this technique to provide valuable functionality to an organization. But, these Event IDs can also indicate that the system is infected with root-kit-like malware or that you are running an intrusive third-party application.
VSE generates these events when one of the following occurs:
- One or more DLL files loaded by the mentioned process are from a third-party vendor, not McAfee or Microsoft, and contain untrusted code.
- The DLL files loaded by the mentioned process are from Microsoft, and expected to be trusted, but the trust validation routine returns a failure.
- The McAfee Agent loads certain DLL files that do not contain the needed signature needed for inspection by VSE 8.8.
This article addresses the issue caused by Microsoft DLL files.