

Buffer Overflow violations after installing VirusScan Enterprise 8.8 Patch 4 and later
Technical Articles ID:   KB81308
Last Modified:  4/7/2017


Environment

McAfee VirusScan Enterprise (VSE) 8.8 Patch 4

SizeExplorer Pro
FlashJester
Microsoft Office 2003 and Office XP (version 11)
Microsoft Office 2007 (version 12)

For details of VSE 8.x supported environments, see KB51111.

Problem

Buffer Overflow Protection (BOP) detection events are reported after installing VSE 8.8 Patch 4 or later. These violations did not occur or were not reported with previous patch levels or VSE releases.

Example of a BOP log entry (from an English system):
2/27/2014 3:15:18 PM Blocked by Buffer Overflow Protection  DOMAIN\User C:\Program Files\Microsoft Office97\Office\MSACCESS.EXE:NTDLL.KiUserExceptionDispatcher::1bfe08 BO:Writable BO:Heap

Example of a BOP log entry (from a Spanish system):
20/02/2014    13:04:19    Bloqueado por la protección contra desbordamientos de búfer     DOMAIN\User    C:\Archivos de programa\Microsoft Office\Office12\EXCEL.EXE:NTDLL.KiUserExceptionDispatcher::3ba3d58    Desbordamiento de búfer:de escritura Desbordamiento de búfer:pila

General explanation of a BOP log entry:

<date>   <time>   <Action taken by BOP, which will be to BLOCK or to WARN>   <User Account>   <Path to the victim process>:NTDLL.KiUserExceptionDispatcher::<address>   <Type of Buffer Overrun>
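The field layout above is the same on every language build, but the action text and the overrun-type labels are localized, so a parser that keys on English words breaks on the Spanish entry. The following added example (not McAfee code; written for this article) splits the entry on the locale-independent `:NTDLL.KiUserExceptionDispatcher::` anchor, treats the path as everything from the last drive-letter token up to that anchor, and recovers the overrun types by splitting on whatever label precedes the first colon. The `KNOWN_DEP_INCOMPATIBLE` table is a constructed triage hint built only from the application list in the Solution section of this article; the two sample entries are the ones quoted above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed samples: the English and Spanish entries quoted in the article.
SAMPLE_ENTRIES = [
    r"2/27/2014 3:15:18 PM Blocked by Buffer Overflow Protection  DOMAIN\User "
    r"C:\Program Files\Microsoft Office97\Office\MSACCESS.EXE:NTDLL.KiUserExceptionDispatcher::1bfe08 BO:Writable BO:Heap",
    r"20/02/2014    13:04:19    Bloqueado por la protección contra desbordamientos de búfer     DOMAIN\User    "
    r"C:\Archivos de programa\Microsoft Office\Office12\EXCEL.EXE:NTDLL.KiUserExceptionDispatcher::3ba3d58    "
    r"Desbordamiento de búfer:de escritura Desbordamiento de búfer:pila",
]

# Locale-independent anchor between the victim path and the fault address.
ANCHOR_RE = re.compile(r":NTDLL\.KiUserExceptionDispatcher::", re.IGNORECASE)
# <date> <time[ AM/PM]> <localized action> <user> <drive-letter path>
HEAD_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\d{1,2}:\d{2}:\d{2}(?:\s*[AaPp][Mm])?)\s+"
    r"(?P<action>.+?)\s+(?P<user>\S+)\s+(?P<path>[A-Za-z]:\\.*)$"
)
# <hex address> <localized overrun types>
TAIL_RE = re.compile(r"^\s*(?P<addr>[0-9A-Fa-f]+)\s+(?P<types>.+?)\s*$")

# Constructed from the article's list of DEP-incompatible applications (process -> cause).
KNOWN_DEP_INCOMPATIBLE = {
    "MSACCESS.EXE": "Microsoft Access: VBE6.dll 6.04.9972",
    "EXCEL.EXE": "Office 2003/XP: MSO.DLL; Office 2007: EuroTool.xlam",
    "EXPLORER.EXE": "SEPCM.DLL (SizeExplorer Pro) or JESTERSS.DLL (FlashJester)",
    "IEXPLORE.EXE": "IE8: corpol.dll or Occache.dll",
}


@dataclass
class BopEvent:
    date: str
    time: str
    action: str
    user: str
    path: str
    address: int
    overrun_types: List[str] = field(default_factory=list)

    @property
    def process(self) -> str:
        """Image name of the victim process (last path component)."""
        return self.path.rsplit("\\", 1)[-1]


def _split_types(types: str) -> List[str]:
    """Split 'LABEL:a LABEL:b' into ['a', 'b'] using the label found before the first colon."""
    label, sep, _ = types.partition(":")
    if not sep:
        return [types.strip()]
    return [p.strip() for p in types.split(label.strip() + ":") if p.strip()]


def parse_bop_entry(line: str) -> Optional[BopEvent]:
    """Parse one BOP log entry; return None for lines that are not BOP entries."""
    pieces = ANCHOR_RE.split(line.strip(), maxsplit=1)
    if len(pieces) != 2:
        return None
    head, tail = HEAD_RE.match(pieces[0].strip()), TAIL_RE.match(pieces[1])
    if not head or not tail:
        return None
    return BopEvent(
        date=head["date"],
        time=head["time"],
        action=head["action"].strip(),
        user=head["user"],
        path=head["path"].strip(),
        address=int(tail["addr"], 16),
        overrun_types=_split_types(tail["types"]),
    )


def triage(event: BopEvent) -> str:
    """Map the victim process to the article's known-incompatible list, if present."""
    hint = KNOWN_DEP_INCOMPATIBLE.get(event.process.upper())
    if hint:
        return f"known DEP-incompatible application ({hint}): patch or upgrade; exclude only as an interim step"
    return "not in the KB list: confirm the process and loaded modules are legitimate before excluding"


if __name__ == "__main__":
    for raw in SAMPLE_ENTRIES:
        ev = parse_bop_entry(raw)
        print(ev.process, hex(ev.address), ev.overrun_types, "->", triage(ev))
```

Because the split key is whatever precedes the first colon in the type field, the same code yields `['Writable', 'Heap']` for the English entry and `['de escritura', 'pila']` for the Spanish one without a per-locale table; only the triage hints need translating if you report them to users.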

Dump information from a process that is blocked:

PRIMARY_PROBLEM_CLASS:  SOFTWARE_NX_FAULT
BUGCHECK_STR:  APPLICATION_FAULT_SOFTWARE_NX_FAULT

Cause

The BOP feature now uses Data Execution Prevention (DEP) to determine whether a violation has occurred for the list of processes protected by BOP. When a violation is detected, the BOP feature will take action to notify and/or block the monitored process.

IMPORTANT: These detections should be considered legitimate. Prior releases of VSE did not detect these violations because the feature monitored only certain API calls for a limited list of processes. With Patch 4, the scope has broadened, and now all APIs of the same limited list of processes are monitored. Therefore, detections of buffer overrun violations may now be more prevalent, especially if you use older or unpatched software.

Solution

The product development team has verified that these detections are caused by legitimate code that is not marked appropriately and attempts to execute from memory. The action to take for these applications is:
  • Upgrade the software to a more recent release (recommended)
  • Apply any available patches to your existing software
Not all DLLs of legitimate software applications will be able to fully comply with DEP. In such cases, please refer to the Workaround section of this article.

If you are not in a position to upgrade the affected software, refer to the Workaround section of this article until an upgrade is possible. Refer to the Related Information section of this article to understand the risk of using a workaround.

Applications incompatible with DEP that are detected by BOP include:
  • Microsoft Office 2003 and Office XP (version 11 and older versions, due to MSO.DLL)
  • Microsoft Office 2007 (version 12, due to EuroTool.xlam)
  • Microsoft Access (due to VBE6.dll version 6.04.9972)
  • Explorer.exe (due to SEPCM.DLL from SizeExplorer Pro or JESTERSS.DLL from FlashJester)
  • IExplore.exe, IE8 (due to corpol.dll, or Occache.dll without version information)
NOTE: This list is not comprehensive, but will be updated as additional applications are identified.

Workaround

Change the BOP configuration:
  • Use exclusions.
    If you determine that the BOP violations consistently come from the same trusted process, you can exclude that process name in the BOP configuration settings. For details on BOP exclusions, see KB84283, or consult the Product Guide for your software version.

    NOTE: This option is recommended in environments where the affected software cannot be upgraded. The product development team recommends that you use this method only until the affected software has been updated to no longer execute code from memory inappropriately.
  • Disable the VSE BOP feature locally or via the ePO console.
