Buffer Overflow violations after installing VirusScan Enterprise 8.8 Patch 4 and later

Technical Articles ID: KB81308
Last Modified: 7/9/2020

Environment

McAfee VirusScan Enterprise (VSE) 8.8 Patch 4

SizeExplorer Pro
FlashJester
Microsoft Office 2003 and Office XP (version 11)
Microsoft Office 2007 (version 12)

For details of VSE 8.x supported environments, see KB51111.

Problem

Buffer Overflow Protection (BOP) detection events are reported after the installation of VSE 8.8 Patch 4 or later. These violations did not occur or were not reported with previous patch versions or VSE releases.

Example of a BOP log entry (from an English system):

2/27/2014 3:15:18 PM Blocked by Buffer Overflow Protection DOMAIN\User C:\Program Files\Microsoft Office97\Office\MSACCESS.EXE:NTDLL.KiUserExceptionDispatcher::1bfe08 BO:Writable BO:Heap

Example of a BOP log entry (from a Spanish system):

20/02/2014 13:04:19 Bloqueado por la protección contra desbordamientos de búfer DOMAIN\User C:\Archivos de programa\Microsoft Office\Office12\EXCEL.EXE:NTDLL.KiUserExceptionDispatcher::3ba3d58 Desbordamiento de búfer:de escritura Desbordamiento de búfer:pila

General explanation of a BOP log entry:

<date> <time> <Action taken by BOP, which is to BLOCK or to WARN> <User Account><Path to the victim process>:NTDLL.KiUserExceptionDispatcher::<address> <Type of Buffer Overrun>

Dump information from a process that is blocked:

PRIMARY_PROBLEM_CLASS: SOFTWARE_NX_FAULT
BUGCHECK_STR: APPLICATION_FAULT_SOFTWARE_NX_FAULT

Cause

The BOP feature now uses Data Execution Prevention (DEP) to determine whether a violation has occurred for the list of processes protected by BOP. When a violation is detected, the BOP feature takes action to notify and/or block the monitored process.

IMPORTANT: These detections should be considered legitimate. Prior releases of VSE did not detect these violations because the feature monitored only certain API calls for a limited list of processes. With Patch 4, the scope has broadened, and now all APIs of the same limited list of processes are monitored. So, detections of buffer overrun violations might now be more prevalent, especially if you use older or unpatched software.

Solution

The product development team has verified that these detections are legitimate code that is not marked appropriately, trying to execute from memory. The action to take for these applications is:

Upgrade the software to a more recent release (recommended)
Apply any available patches to your existing software

Not all DLLs of legitimate software applications can fully comply with DEP. In such cases, see the Workaround section of this article.

If you can't upgrade the affected software, see the Workaround section of this article until an upgrade is possible. See the Related Information section of this article to understand the risk of using a workaround.

Applications incompatible with DEP that are detected by BOP include:

Microsoft Office 2003 and Office XP (version 11 and older versions, due to MSO.DLL)
Microsoft Office 2007 (version 12, due to EuroTool.xlam)
Microsoft Access (due to VBE6.dll version 6.04.9972)
Explorer.exe (due to SEPCM.DLL from SizeExplorer Pro or JESTERSS.DLL from FlashJester)
IExplore.exe, IE8 (due to corpol.dll, or Occache.dll that is version less)

NOTE: This list is not comprehensive, but will be updated when other applications are identified.

Workaround

Change the BOP configuration:

Use exclusions.
If you determine that the BOP violations are consistently from the same trusted process, you can exclude that process name from the BOP configuration settings. For details about BOP exclusions, see KB84283. For more information about configuring exclusion, see the Product Guide for your software version.

NOTE: This option is recommended in environments where the affected software cannot be upgraded. The product development team recommends that you use this method only until the affected software has been updated to no longer execute code from memory inappropriately.
Disable the VSE BOP feature locally or via the ePO console.

Related Information

Buffer Overflow protection in VirusScan Enterprise is a 0-day protection feature to block execution of code from buffer overflow attacks.

The BOP feature is applicable only to 32-bit systems. For a list of Processes Protected by BOP, see KB58007.
BOP is applicable only to select processes (including Microsoft Office applications).
You can minimize the risk of disabling Buffer Overflow Protection by ensuring that all protected processes are at current patch levels.

Affected Products

Known Issue/Product Defect
VirusScan Enterprise 8.8 (EOL)

Languages:

This article is available in the following languages:

German
English United States
Spanish Spain
French
Italian
Japanese
Portuguese Brasileiro
Chinese Simplified

Knowledge Center

Buffer Overflow violations after installing VirusScan Enterprise 8.8 Patch 4 and later

Environment

Problem

Cause

Solution

Workaround

Related Information

Affected Products

Languages:

Title

Title

Knowledge Center

Buffer Overflow violations after installing VirusScan Enterprise 8.8 Patch 4 and later

Environment

Problem

Cause

Solution

Workaround

Related Information

Affected Products

Languages:

Choose your region

Title

Title