Application and Change Control Memory Protection should be disabled when Host Intrusion Prevention and/or Endpoint Security is installed
Technical Articles ID:   KB81465
Last Modified:  3/22/2019


Environment

McAfee Application and Change Control (MACC) 8.x, 7.x
McAfee Host Intrusion Prevention (Host IPS) 8.0
McAfee Endpoint Security (ENS) Threat Prevention 10.x

Microsoft Windows (all supported versions)

Summary

When MACC memory protection is running at the same time as Host IPS or ENS memory protection, the endpoint stops responding (hangs).

Because ENS and Host IPS have many more types of memory protection techniques than MACC, Technical Support recommends you disable MACC memory protection on the endpoints. Use the Host IPS or ENS memory protection features instead.

For full MACC Memory Protection recommendations, see the best practices in PD24662.

In addition, the SysCore MPT driver performs a stack validation that conflicts with the way MACC injects into process memory.

Solution

IMPORTANT: The proper order of installation (fresh install) is ENS first, then MACC.

To ensure that MACC and ENS can coexist on an endpoint, the MACC Memory Protection (MP) feature must be disabled. MP can be disabled through a policy change (ePO managed) or locally on the endpoint (standalone). The steps below describe both methods.

To disable Memory Protection in the MACC policy, do the following:
  1. Log on to the ePO console.
  2. Click Menu, Policy, Policy Catalog.
  3. Select the Solidcore <version number>:Application Control (varies depending on the extension version) entry from the Product drop-down list.
  4. Select the Application Control Options (Windows) entry from the Category drop-down list.
  5. Click Duplicate for the McAfee Default policy, specify the policy name, and then click OK.
  6. Double-click the created policy, and then click the Features tab.
  7. Select Enforce feature control from ePO, deselect the Memory Protection option for Feature Control, and then click Save.
  8. Apply the policy to the appropriate endpoints.
  9. Perform a reboot.
NOTE: A reboot is required to enable or disable MACC Memory Protection. Disabling the feature in the policy only sets the pending status; the change does not take effect until the next reboot. In the following example, the mp features are still Enabled and are marked Disabled-On-Reboot:

C:\>sadmin features list

  checksum                     Enabled
  deny-read                    Disabled
  deny-write                   Enabled
  discover-updaters            Enabled
  enduser-notification         Enabled
  execution-control            Enabled
  integrity                    Enabled
  mp                           Enabled     Disabled-On-Reboot
  mp-casp                      Enabled     Disabled-On-Reboot
  mp-nx                        Enabled     Disabled-On-Reboot
  mp-vasr                      Enabled     Disabled-On-Reboot
  mp-vasr-forced-relocation    Enabled     Disabled-On-Reboot
  network-tracking             Enabled
  pkg-ctrl                     Enabled
  script-auth                  Enabled
  throttle                     Enabled


NOTE: To disable Memory Protection using the sc:run command client task, see KB81202 and use the following argument for step 5: features disable MP


After ENS installation, perform the steps below with MACC to manually allow ENS to run:

  1. Run the Solidifier command line interface (CLI) on the endpoint as administrator.
  2. At the prompt, type sadmin recover to recover the CLI.
  3. At the prompt, type sadmin features disable MP to disable MP.
  4. Reboot the endpoint.
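
To confirm the outcome of either method, the following added example (not McAfee code) classifies the mp rows of sadmin features list output as disabled, waiting for a reboot, or still enabled with no pending change. The function name Get-MpFeatureState and the state labels are hypothetical, and the script assumes the whitespace-separated column layout shown in the example above.

```powershell
# Constructed sample in the column layout of the example above: feature,
# current status, optional pending status. Assumption: live output of
# "sadmin features list" is whitespace-separated in the same way.
$sample = @'
  checksum                    Enabled
  deny-read                   Disabled
  mp                          Enabled    Disabled-On-Reboot
  mp-casp                     Enabled    Disabled-On-Reboot
  mp-nx                       Enabled
  mp-vasr                     Disabled
  mp-vasr-forced-relocation   Enabled    Disabled-On-Reboot
  network-tracking            Enabled
'@ -split "`r?`n"

# Hypothetical helper: classify every mp / mp-* row, ignore other features.
function Get-MpFeatureState {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $cols = @("$line".Trim() -split '\s+' | Where-Object { $_ })
        if ($cols.Count -lt 2 -or $cols[0] -notmatch '^mp(-|$)') { continue }
        $pending = if ($cols.Count -ge 3) { $cols[2] } else { '' }
        $state = if ($cols[1] -eq 'Disabled' -and -not $pending) {
            'Disabled'                 # change already applied
        } elseif ($cols[1] -eq 'Enabled' -and $pending -eq 'Disabled-On-Reboot') {
            'RebootPending'            # policy or CLI change set, reboot outstanding
        } else {
            'NeedsAction'              # still enabled, or a status this script does not know
        }
        [pscustomobject]@{ Feature = $cols[0]; Status = $cols[1]; Pending = $pending; State = $state }
    }
}

# On an endpoint, pass live output instead: -Lines (& sadmin features list)
$mp = @(Get-MpFeatureState -Lines $sample)
$mp | Format-Table -AutoSize

$needsAction = @($mp | Where-Object { $_.State -eq 'NeedsAction' })
$rebootWait  = @($mp | Where-Object { $_.State -eq 'RebootPending' })
if ($mp.Count -eq 0) {
    'UNKNOWN: no mp rows found in the output'
} elseif ($needsAction.Count) {
    "FAIL: no pending disable for: $($needsAction.Feature -join ', ')"
} elseif ($rebootWait.Count) {
    "PENDING: reboot required for: $($rebootWait.Feature -join ', ')"
} else {
    'OK: MACC memory protection is disabled'
}
```

Run it once after the policy or CLI change and again after the reboot; an endpoint that still reports PENDING after restarting has not applied the change.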

 
