"cryptocme2.dll" or "ccme_base.dll" not signed (Event IDs 514, 516, 519)
Technical Articles ID:
KB74177
Last Modified: 5/22/2020
Environment
McAfee VirusScan Enterprise (VSE) 8.8 with or without Patch 1
For VSE supported environments, see KB51111.
Summary
This article is one of several that cover the Event IDs 514, 516, and 519 generated by VSE. Each article covers a different cause and includes a different solution.
IMPORTANT: Event IDs 514, 516, and 519 do not indicate an issue with the VSE product; they relate to a new VSE security feature.
Event 516 occurs for legitimate reasons, to make the administrator aware that VSE code might be compromised. When a process is permitted to run foreign code from within the address space of a McAfee process, some Access Protection rules might be circumvented, because most Access Protection rules trust McAfee processes. Many third-party applications use this technique to provide valuable functionality to an organization. However, these Event IDs can also indicate a system infection with rootkit-like malware, or that you are running an intrusive third-party application.
VSE generates this event when one of the following occurs:
- One or more DLL files loaded by the mentioned process are from a third-party vendor, not McAfee or Microsoft, and contain untrusted code.
- The DLL files loaded by the mentioned process are from Microsoft, which is expected to be trusted, but the trust validation routine returns a failure.
- The McAfee Agent loads certain DLL files that do not contain the signature needed for inspection by VSE 8.8.
This article addresses the issue caused by a McAfee Agent DLL.
Problem
The Windows System Event log reports multiple entries for Event ID 514, 516, or 519. You see entries similar to the following in the Windows System Event log:
Event Type: Warning
Event Source: mfehidk
Event Category: (256)
Event ID: 516
Description:
Process **\VSTSKMGR.EXE pid (XXXX) contains signed but untrusted code, but was allowed to perform a privileged operation with a McAfee driver
Event Type: Warning
Event Source: mfehidk
Event Category: (256)
Event ID: 514
Description:
Process C:\Program Files\McAfee\VirusScan Enterprise\ pid (###) contained unsigned or corrupted code and was blocked from performing a privileged operation with a McAfee driver
Event Type: Warning
Event Source: mfehidk
Event Category: (256)
Event ID: 519
Description:
Process **\VSTSKMGR.EXE pid (####) could not be successfully validated with the mfevtp service and was blocked from performing a privileged operation with a McAfee driver
On some systems, the event is logged every few minutes.
No other symptoms are reported on the client.
IMPORTANT: VSE functionality and performance are not impacted.
Cause
These events occur when the McAfee Agent loads certain DLL files. These libraries (cryptocme2.dll or ccme_base.dll) do not contain a necessary signature required for inspection by VSE 8.8. This scenario is resolved in newer releases of McAfee Agent.
Solution
Take the following actions:
- Determine why this event occurs in your environment:
  IMPORTANT: This step is necessary to identify other possible causes and to provide the solutions. You need to know why the event occurs in your environment because it could be malware.
  - Review the Event ID and determine which process is involved. Most commonly the process is VSTSKMGR.EXE, as described in the Problem section. Other process names include MCSHIELD.EXE and SVCHOST.EXE.
  - Identify the individual DLLs, and the applications that own them, that load themselves into that process:
    - Download Microsoft Process Explorer from http://technet.microsoft.com/en-us/sysinternals/bb896653.
    - Run the Process Explorer tool procexp.exe on the computer where you see the event 516.
    - From the Process Explorer main menu, click Options and select Verify Image Signatures.
    - From the main menu, click View and select Show Lower Pane.
    - Click View, Lower Pane View, and select DLLs.
    - Click View, Select Columns.
    - In the new window, click the DLL tab, select Verified Signer, and then click OK.
    - In the upper pane, expand winnt.exe, services, scroll down, and then select VsTskMgr.exe. The lower pane now shows all DLLs that are loaded for the VsTskMgr.exe process.
    - In the lower pane, click the Verified Signer column to sort the DLLs. Sorting groups any unsigned DLLs together under Unable to Verify.
    - Inspect the list of DLLs for non-McAfee and non-Microsoft files. Ignore the file WscAv.dll, which is also a McAfee file.
    - If you do not see the untrusted third-party application's DLLs, click File, Save, and save as a text file. Provide the text file to Technical Support for assistance. For contact details, see the Related information section of this article.
- Resolve the McAfee Agent issue. The issue with the cryptocme2.dll and ccme_base.dll libraries is resolved in newer releases of McAfee Agent, which are available from the Product Downloads site using a valid Grant Number.
- Reduce the number of events recorded in the Windows System event log. This issue is resolved in VSE 8.8 Patch 2, which is available from the Product Downloads site using a valid Grant Number.
NOTES:
- Patches are cumulative. Technical Support recommends that you install the latest one.
- This behavior was initially resolved with VSE 8.8 Patch 1 Hotfix 625756. However, because of some installation issues and conflicts with the Host Intrusion Prevention agent, the hotfix was removed. VSE 8.8 Patch 1 Hotfix 735512 superseded that hotfix, but it has also been removed because VSE 8.8 Patch 2 resolves the issue.
VSE 8.8 Patch 16 is the latest patch available from the Downloads tab on the ServicePortal at https://support.mcafee.com/downloads.
NOTE: VSE 8.8 Patch 16 supports all supported Windows operating systems.
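The following PowerShell script is an added example and is not part of this article or a McAfee tool. It scripts the triage described in the Solution section: it reads the mfehidk 514/516/519 entries from the System log, extracts the flagged process name from the event text, and then lists the DLLs loaded into that process whose Authenticode signature is missing, invalid, or from a signer other than McAfee or Microsoft, which is the same information Process Explorer shows in its Verified Signer column. It assumes it is run in an elevated PowerShell session on the affected client, that the flagged process is still running, and that the event message has the "Process <path> pid (<n>)" shape shown in the Problem section; none of these assumptions come from the article.

```powershell
# Added example, not part of the KB article: triage mfehidk events
# 514/516/519 and list the DLLs in the flagged process whose Authenticode
# signature is missing, invalid, or from a signer other than McAfee/Microsoft.
# Assumptions (not stated in the article): elevated PowerShell on the affected
# client; the flagged process is still running; the event text has the
# "Process <path> pid (<n>)" shape shown in the article.

# 1. Collect recent mfehidk warnings with the three event IDs from the System log.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'mfehidk'
    Id           = 514, 516, 519
} -MaxEvents 100 -ErrorAction SilentlyContinue

# 2. Pull the process image name out of each message text.
$flagged = foreach ($e in $events) {
    if ($e.Message -match 'Process\s+(?<path>\S+)\s+pid\s+\((?<pid>[^)]+)\)') {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Image   = ($Matches['path'] -split '\\')[-1]   # "**\VSTSKMGR.EXE" -> "VSTSKMGR.EXE"
        }
    }
}

"Events per flagged image:"
$flagged | Group-Object Image | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 3. For each flagged image, enumerate loaded modules and verify signatures.
#    This is the scripted equivalent of Process Explorer's "Verified Signer" column.
$images = $flagged | Select-Object -ExpandProperty Image -Unique
foreach ($image in $images) {
    $procName = [System.IO.Path]::GetFileNameWithoutExtension($image)
    foreach ($p in (Get-Process -Name $procName -ErrorAction SilentlyContinue)) {
        "== $($p.ProcessName) (pid $($p.Id)) =="
        # Module enumeration fails across 32/64-bit boundaries; report and move on.
        try { $modules = $p.Modules } catch { "  cannot enumerate modules: $_"; continue }

        $report = foreach ($m in $modules) {
            $sig    = Get-AuthenticodeSignature -FilePath $m.FileName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            [pscustomobject]@{
                Module = $m.ModuleName
                Status = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError ...
                Signer = $signer
                Path   = $m.FileName
            }
        }

        # Keep only what needs a human look: anything not Valid, or validly
        # signed by someone other than McAfee or Microsoft. WscAv.dll is a
        # McAfee file according to the article, so it is excluded explicitly.
        $report |
            Where-Object { $_.Module -ne 'WscAv.dll' } |
            Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notmatch 'McAfee|Microsoft' } |
            Sort-Object Status, Signer |
            Format-Table Module, Status, Signer, Path -AutoSize
    }
}
```

Run the script from a PowerShell session of the same bitness as the flagged process, otherwise the module list cannot be read. Get-AuthenticodeSignature reports Windows files that are catalog-signed rather than embedded-signed as Valid on current Windows versions, so a Microsoft DLL showing NotSigned is worth a second look rather than an automatic dismissal. Piping the final table to Out-File produces the same kind of text listing the article asks you to save from Process Explorer when you hand the case to Technical Support.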