BugCheck D1 error for mfefirek.sys (post installation)

Articoli tecnici ID: KB76593
Ultima modifica: 11/1/2020

Ambiente

McAfee Host Intrusion Prevention (Host IPS) 8.0

Problema

A system crash, or blue screen, occurs for mfefirek.sys after you install Host IPS 8.0 Patch 2.

The error below is displayed in the resulting dump file:

BugCheck D1

Problema

Packet meta values are incorrectly set to 0 for the transport and the IP header lengths. As a result, the firewall packet validations are not initialized correctly and a D1 bug check might occur for the Mfefirek.sys filtering driver.

NOTE: This issue does not occur on all VPN versions, but might occur on some VPN versions. McAfee recommends that customers validate their specific VPN versions on Host IPS Patch 2 (8.0.0.2151) before deployment on production systems.

McAfee has confirmed the issue could occur on the following VPN versions:

Windows 7 x86	Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Win	vpnva.sys	3.0.7012.0
Windows 7 x64	Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Win x64	vpnva64.sys	3.0.7012.0
Windows 7 SP1 x64	Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Win x64	vpnva64.sys	3.0.2032.0
Windows 7 SP1 x64	Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Win x64	vpnva64.sys	3.1.234.0
Windows 7 SP1 x64	Research In Motion VPN	rimvndis_amd64.sys	1.1.0.3
Windows 7 SP1 x86	F5 networks VPN Adapter/Citrix ICA for XenApp	covpnwlh.sys	6030.2009.514.2218
Win7 SP1 x64	Juniper Network Connect Virtual Adapter	dsncadapt.sys	7.2.0.7478

Modifica di sistema

You installed Host IPS Patch 2, version (8.0.0.2151).

Causa

McAfee analysis indicates that the issue occurs within the Windows Filter Platform (WFP) framework during network packet filtering by the WFP driver.

Soluzione

For systems currently running Host IPS Patch 2 (8.0.0.2151):
You might or might not be experiencing intermittent system instability on some client systems. For full resolution of this issue, customers can directly update their systems to the Patch 2 Hotfix 803520 rollup, which fully resolves this issue. Currently, Hotfix 803520 is in managed release and available from Technical Support. See KB77323 for Hotfix 803520 Release Notes.

For systems not currently running Host IPS Patch 2:
This issue might occur with the Patch 2 (8.0.0.2151) version. So, McAfee recommends that you validate and test your specific VPN versions, or any other products using the Windows Filter Platform (WFP) driver architecture, before deployment on production systems.

If prior testing validation is not possible, McAfee recommends customers running the above VPN versions, or other products using the WFP:

First apply Hotfix 833271
Then, upgrade to Host IPS 8.0 Patch 2.

See KB77324 for Release Notes and additional information about remediation for this issue. After upgrading to Host IPS 8.0 Patch 2, the above issue will be resolved.

NOTE: McAfee recommends you then upgrade systems to HF803520 to apply all available fixes in that hotfix update. But, it is not required to resolve this specific issue if HF833271 was applied before you upgraded to Patch 2. See KB77323 for Hotfix 803520 Release Notes.

NOTES:

Hotfix 833271 can be installed on either Host IPS 8.0 GA (8.0.0.1741) or Patch 1 (8.0.0.1919) systems before installing Patch 2 (8.0.0.2151).
HF833271 will prevent systems installed with certain VPN filter drivers from incurring a D1 bug check, after an upgrade to Patch 2. Contact Technical Support and request Hotfix HostIPS_Client800_HotFix833271.zip for this issue.
To contact Technical Support, log on to the ServicePortal and go to the Create a Service Request page at https://support.mcafee.com/ServicePortal/faces/serviceRequests/createSR:
- If you are a registered user, type your User Id and Password, and then click Log In.
- If you are not a registered user, click Register and complete the required fields. Your password and logon instructions will be emailed to you.
IMPORTANT: The following files are required for Technical Support:
- Minimum Escalation Requirements (MER) files for your specific product. For information about downloading the MERs for each McAfee product, see KB59385 - How to use MER tools with supported McAfee products.
- Other files and logs, as requested by Technical Support.

Soluzione

Recommended Repository Check-in Procedure

This product update deployment task is configured for multiple update packages on a single managed product. When you check in multiple product update packages (hotfixes or patch updates) for a single managed product, note the following:

Check in all related update packages into the ePolicy Orchestrator (ePO) repository branch that you want
Check in the packages in the correct order of deployment.
Do not move or copy multiple packages, which are used for a single managed product update task, from one ePO branch to another.

To change ePO deployment branches when managing multiple package deployments (for example, from Evaluation to Current) do the following:

Delete all related packages from the first deployment branch.
NOTE: Deletion of the existing packages from a repository branch is the only effective means to ensure that correct deployment detection script sequencing is maintained for multiple package deployments.
Recheck the multiple packages into the new repository branch in the deployment order needed.
To update specific client systems from specific ePO repository branches, change the McAfee Agent policy settings for those systems. The Host IPS updates are pulled from the Evaluation branch instead of the Current branch. To change the McAfee Agent policy settings, go to McAfee Agent, General, My Default, Updates.

Recommended ePO product upgrade steps for systems currently running either Host IPS 8.0 GA (8.0.0.1741) or Patch 1 (8.0.0.1919):

Check in Host IPS 8.0 HF833271 to a designated branch of the ePO repository.
Check in Host IPS 8.0 Patch 2 (incremental update package) to a designated branch of the ePO repository.
To configure a product update task, first review the list of selectable Patches and Service Packs. The list is available under Products, patches, service packs, etc. entry for Package types.
If the list includes more than one entry for Host IPS 8.0, ensure that all these entries are selected.
If your system is not fully updated after running the update task once, rerun it again to fully update systems with all packages. Product update tasks adhere to the following logic when updating a managed product:
- Install content updates.
- Install an available hotfix update
- Install an available patch update.

The first product update task installs Hotfix 833271 and Patch 2 (and only Hotfix 833271 for some networks). The next update task will install Patch 2. Customers might opt to do it by configuring a single product update task using the following options:

Configure a Daily product update task to run once per day. All packages will be deployed after 1 (or 2) successive days (or 1–2 runs of the product update task).
Configure multiple scheduled task times for a single update task. All packages will be deployed after 1 (or 2) successive product update tasks are completed.
Configure a product update task to repeat (McAfee recommends 30 minutes, or more, task intervals). All packages will be deployed after 2 (or 3) successive product update tasks are completed.

NOTE: McAfee also recommends using Task Randomization in large environments to reduce high periods of bandwidth consumption.

Product Update tasks must be rerun on client systems not reporting the correct product version for Patch 2 (8.0.0.2151).

If client systems are reporting product version 8.0.0.2481 (HF833271), the Product Update tasks must be rerun on client systems to install Patch 2. Contact Technical Support for further assistance if you have product update issues after multiple product update tasks have run on the systems.

To contact Technical Support, log on to the ServicePortal and go to the Create a Service Request page at https://support.mcafee.com/ServicePortal/faces/serviceRequests/createSR:

If you are a registered user, type your User Id and Password, and then click Log In.
If you are not a registered user, click Register and complete the required fields. Your password and logon instructions will be emailed to you.

Version Reporting:
The Host IPS product version can be verified by running the Host IPS: Client Versions report template under ePO Queries and Reports.

IMPORTANT: Systems displaying version 8.0.0.2481 applied have not successfully upgraded to Patch 2. As such, the deployment task must be run again to ensure proper upgrade to version 8.0.0.2151.

The report displays the report shows which the versions of Host IPS running on each client system. If a system is not fully upgraded to patch 2 (8.0.0.2151), the update task must be rerun on the system reporting (8.0.0.2481) to ensure it is fully upgraded to Patch 2 (8.0.0.2151).

Hotfix Reporting
Systems will need to have reported back full properties after the installations before the most current report data is available. To query hotfix information for Host IPS and VirusScan Enterprise directly from the SQL database, see KB67406.

Allegato

McAfeeHIP_ClientReadmeHotfix833271.zip
4K • < 1 minute @ broadband

Prodotti interessati

Host Intrusion Prevention 8.0
Known Issue/Product Defect

Lingue:

Questo articolo è disponibile nelle seguenti lingue:

German
English United States
Spanish Spain
French
Italian
Japanese
Korean
Dutch
Portuguese Brasileiro
Chinese Simplified
Chinese Traditional

Glossario dei termini tecnici

Evidenzia termini glossario

Ti consigliamo di consultare il nostro Glossario dei termini tecnici.

Knowledge Center

BugCheck D1 error for mfefirek.sys (post installation)

Ambiente

Problema

Problema

Modifica di sistema

Causa

Soluzione

Soluzione

Allegato

Prodotti interessati

Lingue:

Glossario dei termini tecnici

Title

Title

Knowledge Center

BugCheck D1 error for mfefirek.sys (post installation)

Ambiente

Problema

Problema

Modifica di sistema

Causa

Soluzione

Soluzione

Allegato

Prodotti interessati

Lingue:

Glossario dei termini tecnici

Scegli la regione

Title

Title