Third-party application DLL not signed (Event ID 514/516/519)
Technical Articles ID:
KB74176
Last Modified: 5/22/2020
Last Modified: 5/22/2020
Environment
McAfee VirusScan Enterprise (VSE) 8.8 with or without Patch 1
For details of VSE 8.x supported environments, see KB51111.
For details of VSE 8.x supported environments, see KB51111.
Summary
This article is one of several that covers Event IDs 514, 516, and 519 generated by VSE. Each article covers a different cause and includes a different solution.
IMPORTANT: Event IDs 514, 516, and 519 do not indicate an issue with VSE; they relate to a new VSE security feature.
Event IDs 514, 516, and 519 occur for legitimate reasons to raise awareness for the Administrator that VSE code might be compromised. When a process is permitted to run foreign code from within the address space of a process, some Access Protection rules might be circumvented because most Access Protection rules trust VSEprocesses. Many third-party applications use this technique to provide valuable functionality to an organization. But, these Event IDs can also indicate that the system is infected with root-kit-like malware or that you are running an intrusive third-party application.
VSE generates these events when one of the following occurs:
- One or more DLL files loaded by the mentioned process are from a third-party vendor, not McAfee or Microsoft, and contain untrusted code.
- The DLL files loaded by the mentioned process are from Microsoft, which is expected to be trusted, but the trust validation routine returns a failure.
- The McAfee Agent loads certain DLL files which do not contain the necessary signature required for inspection by VSE 8.8.
This article addresses the issue caused by third-party application DLL files.
Problem
The Windows System Event log reports multiple entries for Event ID 514, 516, or 519. The Windows System Event log entries similar to the following:
Event Type: Warning
Event Source:
Event Category: (256)
Event ID: 514
Description:
Process
Event Type: Warning
Event Source:
Event Category: (256)
Event ID: 516
Date: <Date>
Time: <time>
User: N/A
Computer: <name>
Description:
Process
Event Type: Warning
Event Source:mfehidk
Event Category: (256)
Event ID: 519
Description:
Process **\VSTSKMGR.EXE pid (####) could not be successfully validated with the mfevtp service and was blocked from performing a privileged operation with a McAfee driver
Event Source:
Event Category: (256)
Event ID: 519
Description:
Process
On some systems, the event is logged every few minutes.
No other symptoms are reported on the client.
IMPORTANT: VSE functionality and performance are not impacted.
System Change
Installed VSE 8.8.
Cause
Third-party application hooking occurs when third-party applications hook or inject their code into other processes to provide functionality. Some malware also uses this technique. These third-party programs, or malware, are not trusted by VSE. An event is generated to inform the administrator that the process might be compromised.
Solution
Perform the steps below to troubleshoot issues where third-party code is inserted into VSE processes or interact with McAfee kernel code from other processes:
- Identification - troubleshoot
This step is necessary to identify other possible causes and to provide the solutions.
Know why the event occurs for your environment - it could be malware.- Review the Event ID to determine which process is involved. Most commonly this is
VSTSKMGR.EXE as described in the Problem section. Other process names includeMCSHIELD.EXE andSVCHOST.EXE . - Identify the individual DLLs and owning applications for files that load themselves into that process.
- Download Microsoft Process Explorer from http://technet.microsoft.com/en-us/sysinternals/bb896653.
- Run the Process Explorer tool
procexp.exe on the computer where you see the event 516. - From the Process Explorer main menu, click Options and select Verify Image Signatures.
- From the main menu click View and select Show Lower Pane.
- Click View, Lower Pane View, and select DLLs.
- Click View, Select Columns.
- In the new window click the DLL tab, select Verified Signer, and then click OK.
- In the upper pane, expand
winnt.exe , services, and scroll down, then selectVsTskMgr.exe .
The lower pane now shows all DLLs that are loaded for theVsTskMgr.exe process.
- In the lower pane, click the Verified Signer column to organize the DLLs. This action allows any unsigned DLLs to be grouped as Unable to Verify.
- Inspect the list of DLLs for non-McAfee and non-Microsoft files. Ignore the file
WscAv.dll , - If you do not see the untrusted third-party application's DLLs, click File, Save, and save as a text file. Provide the text file to Technical Support for assistance. For contact details, see the Related information section of this article.
- Review the Event ID to determine which process is involved. Most commonly this is
- Resolve the third-party application (hook) problem
If the DLL can be prevented from loading into the process, VSE does not generate the event.
Deal with intrusive third-party applications
If you determine that the events are caused by a third-party application, and no option exists from the vendor to avoid hooking VSE processes or otherwise engaging with VSEcode, you can opt to trust the application so that no more Event 516 messages are generated for that specific application. These events still occur for other applications and for malware.
NOTE: An application can be trusted only if it has a digital signature. If it does not have a digital signature, VSE can never trust it. There is no way to suppress events for unsigned applications.
Risks associated with trusting a third-party application
Files that contain a digital certificate that you choose to trust are still scanned when first accessed. VSE uses a clean-file scan cache to avoid rescanning files that have already been scanned and found to be clean. Files that are trusted are added to the cache and will remain in the cache even after a DAT signature update occurs. This behavior is inherent with trusting digital signatures.
NOTE: When you add a file to the scan cache, the stored data includes the settings used to scan the file. If your scan settings are changed to a higher (more secure) level, trusted items in the cache would be rescanned.
If you determine that the events are caused by a third-party application, and no option exists from the vendor to avoid hooking VSE processes or otherwise engaging with VSEcode, you can opt to trust the application so that no more Event 516 messages are generated for that specific application. These events still occur for other applications and for malware.
NOTE: An application can be trusted only if it has a digital signature. If it does not have a digital signature, VSE can never trust it. There is no way to suppress events for unsigned applications.
Risks associated with trusting a third-party application
Files that contain a digital certificate that you choose to trust are still scanned when first accessed. VSE uses a clean-file scan cache to avoid rescanning files that have already been scanned and found to be clean. Files that are trusted are added to the cache and will remain in the cache even after a DAT signature update occurs. This behavior is inherent with trusting digital signatures.
NOTE: When you add a file to the scan cache, the stored data includes the settings used to scan the file. If your scan settings are changed to a higher (more secure) level, trusted items in the cache would be rescanned.
- Advantage: You might see the performance gain, even after a DAT update.
- Disadvantage: If new DAT signatures would normally find those trusted files to be infected, they would not be scanned by the On-Access Scanner to find that malware.
Mitigation
McAfee reserves the right to use the DAT signature updates to force trusted files to be removed from the clean-file scan cache, which causes them to be rescanned when accessed. You can also cause existing trusted files to be scanned. Perform an On-Demand Scan and disable the option Allow On-Demand scans to use the scan cache. See the "Related Information" section for additional information.
McAfee reserves the right to use the DAT signature updates to force trusted files to be removed from the clean-file scan cache, which causes them to be rescanned when accessed. You can also cause existing trusted files to be scanned. Perform an On-Demand Scan and disable the option Allow On-Demand scans to use the scan cache. See the "Related Information" section for additional information.
How to trust a third-party application
- Obtain the signature file.
- Right-click the third-party DLL file, or any of the third-party application signed files, and select Properties.
- Click the Digital Signatures tab.
- Select the appropriate digital signature from the Signature list.
- Click Details, View Certificate.
- Click the Details tab, then click Copy to File.
- Complete the
Certificate Export Wizard and note where you save the.cer file. The product development team recommends that you accept the default wizard options, with the exception of the file path.
- Import a copy of the product's digital certificate into the Trust certificate store.
- Contact Technical Support. See the Related Information section for the contact details.
- Provide the
.cer file you want to add. Technical Support will provide an executable package to add the certificate to the Trust certificate store. - Run the executable provided by Technical Support. Steps to do so using ePolicy Orchestrator are provided by Technical Support.
- Click Tools, General Options, Global Scan Settings deselect Enable saving scan data across reboots, and then click Apply, OK.
- Restart your computer. This step is necessary for the certificate store changes to take effect.
- Click Tools, General Options, Global Scan Settings, select Enable saving scan data across reboots, and then click Apply, OK.
After these steps, the Event 516 no longer occurs for the newly trusted third-party application.
NOTES: For advanced users, there are other methods to update the certificate store:
NOTES: For advanced users, there are other methods to update the certificate store:
-
The Microsoft MMC snap-in. See http://technet.microsoft.com/en-us/library/cc770355.aspx.
-
The Microsoft CERTMGR.exe tool. See http://msdn.microsoft.com/en-us/library/windows/desktop/aa376553.Technical Support provides the executable to make use of the CERTMGR.EXE tool.
-
Reduce the number of events recorded in the Windows System event log
This issue is resolved in VSE 8.8 Patch 2, which is available from the Product Downloads site using a valid Grant Number.
Patches are cumulative, so install the latest one.
VSE 8.8 Patch 14 is the latest patch available from the Downloads tab on the ServicePortal at https://support.mcafee.com/downloads.
NOTE: VSE 8.8 Patch 14 supports all supported Windows operating systems.
NOTE: This behavior was initially resolved with VSE 8.8 Patch 1 Hotfix 625756. Because of installation issues and conflicts with the Host Intrusion Prevention agent, the hotfix was removed. VSE 8.8 Patch 1 Hotfix 735512 superceded the hotfix to address this issue. This hotfix has also been removed because VSE 8.8 Patch 2 resolves the issue.
McAfee product software, upgrades, maintenance releases, and documentation are available from the Product Downloads site at: http://www.mcafee.com/us/downloads/downloads.aspx.
NOTE: You need a valid Grant Number for access. KB56057 provides additional information about the Product Downloads site, and alternate locations for some products.
Related Information
NOTE: Content from KB73354 and KB74296, which are unpublished, is incorporated in this article.
If you require any of the following functionalities, submit a product idea:
If you require any of the following functionalities, submit a product idea:
- Ability to switch exclude/ignore unsigned files on or off
- Ability to exclude / ignore unsigned selected files (and still be warned about others)
- Need for more information in events, such as file name and location
- Ability to manage trust of third-party applications via the User Interface
If you require a change to product functionality, submit a new product idea at:
https://community.mcafee.com/t5/Enterprise-Product-Ideas/idb-p/business-ideas
The Ideas forum is accessible only to McAfee business and enterprise customers. Click Sign In and enter your McAfee ServicePortal (https://support.mcafee.com) User ID and password. If you do not yet have a McAfee ServicePortal or McAfee Community account, click Register to register for a new account on either website.
For more information about product ideas, see KB60021.
NOTE: The Ideas forum replaces the previous Product Enhancement Request system.
To contact Technical Support, log on to the ServicePortal and go to the Create a Service Request page at https://support.mcafee.com/ServicePortal/faces/serviceRequests/createSR:
- If you are a registered user, type your User Id and Password, and then click Log In.
- If you are not a registered user, click Register and complete the required fields. Your password and logon instructions will be emailed to you.
Affected Products
Languages:
This article is available in the following languages:
GermanEnglish United States
Spanish Spain
French
Italian
Japanese
Portuguese Brasileiro
Chinese Simplified
