Compatibility issues can occur when third-party applications inject McAfee processes

Technical Articles ID: KB83123
Last Modified: 4/22/2021

Environment

McAfee Agent 5.x
McAfee Endpoint Security 10.x
McAfee Threat Intelligence Exchange Module for VirusScan Enterprise 1.x
McAfee VirusScan Enterprise 8.8 Update 4 Hotfix 929019
McAfee VirusScan Enterprise 8.8 Update 5 and later

All above McAfee products use SysCore. All supported McAfee products that use SysCore now include a later build of SysCore than the minimum version of 15.3, in which self-protection was introduced.

Third-party hooking applications include¹:

Avecto Privilege Guard
BeyondTrust

¹ This list will be updated as other third-party hooking applications are identified.

Summary

McAfee products include self-protection mechanisms to prevent tampering with McAfee files, folders, processes, registry entries, and executables. Self-protection mechanisms are needed to provide and maintain a high level of security and trust in the software, especially to secure against malware attacks.

Some third-party software applications might inject or "hook" McAfee processes, or attempt to, by loading their own code (a DLL) into the McAfee process. Third-party applications might use hooking techniques as a means to provide more functionality to the user or administrator. But there is no legitimate reason for hooking the McAfee protected system-level services.

While this behavior is similar to a malware attack, from the viewpoint of the third-party vendor, the third-party application is just behaving as expected. It is providing functionality that supports the purpose of the third-party application. Third-party vendors recognize that they do not need to hook all processes, and many provide a compatibility setting that allows excluding specific processes from being injected with their code.

Adverse effects can occur when untrusted third-party code injects or hooks protected McAfee services. Known issues include system deadlocks requiring manual remediation.

Problem

The following issues can occur when untrusted third-party applications inject or hook protected McAfee services:

The system is unresponsive on boot.
The Windows desktop fails to load.
A deadlock occurs after installing McAfee Agent 5.x, Endpoint Security 10.x, VirusScan Enterprise 8.8 Update 4 Hotfix 929019, or VirusScan Enterprise 8.8 Update 5 and later.
A reputation change that occurs when using Threat Intelligence Exchange, might result in failed cleaning of a running PE (Portable Executable) that has been deemed malicious after execution.
There is poor performance, such as a slow user experience.

System Change

Any of the following products were installed:

McAfee Agent 5.x
Endpoint Security 10.x
VirusScan Enterprise 8.8 Update 4 Hotfix 929019
VirusScan Enterprise 8.8 Update 5 and later
Threat Intelligence Exchange Module for VirusScan Enterprise 1.x

Solution 1

McAfee allows you to trust the digital certificate of a third-party product. For information and risks associated with this action, see Solution 1, Step 2 "Resolve the third-party application (hook) problem" in: KB74176 - Third-party application DLL not signed (Event ID 514/516/519).

Solution 2

Prevent the hooking of McAfee processes by consulting the third-party vendor for available configuration options.

The following McAfee processes must not be injected. This list is not all-inclusive. Use Task Manager to confirm what McAfee processes are in use in your environment.

Process	Fully Qualified Path
dxlservice.exe	C:\Program Files\McAfee\Data_Exchange_Layer\bin\dxlservice.exe
dxlservicemonitor.exe	C:\Program Files\McAfee\Data_Exchange_Layer\bin\dxlservicemonitor.exe
fcag.exe	C:\Program Files\McAfee\DLP\Agent\fcag.exe
fcags.exe	C:\Program Files\McAfee\DLP\Agent\fcags.exe
fcagte.exe	C:\Program Files\McAfee\DLP\Agent\fcagte.exe
fcagswd.exe	C:\Program Files\McAfee\DLP\Agent\fcagswd.exe
fcagd.exe	C:\Program Files\McAfee\DLP\Agent\fcagd.exe
fcpst.exe	C:\Program Files\McAfee\DLP\Agent\fcpst.exe
fcagd.exe	C:\Program Files\McAfee\DLP\Agent\x86\fcagd.exe
fcpst.exe	C:\Program Files\McAfee\DLP\Agent\x86\fcpst.exe
macmnsvc.exe	C:\Program Files\McAfee\Agent\macmnsvc.exe
macompatsvc	C:\Program Files\McAfee\Agent\x86\macompatsvc.exe
masvc.exe	C:\Program Files\McAfee\Agent\masvc.exe
mcshield.exe	C:\Program Files\Common Files\McAfee\AVSolution\mcshield.exe
mctray.exe	C:\Program Files\McAfee\Agent\x86\mctray.exe
mfeatp.exe	C:\Program Files\McAfee\Endpoint Security\Adaptive Threat Protection\mfeatp.exe
mfeesp.exe	C:\Program Files\McAfee\Endpoint Security\Endpoint Security Platform\mfeesp.exe
mfefire.exe	C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
mfefw.exe	C:\Program Files\McAfee\Endpoint Security\Firewall\mfefw.exe
mfemactl.exe	C:\Program Files\McAfee\Agent\x86\mfemactl.exe
mfemms.exe	C:\Program Files\Common Files\McAfee\SystemCore\mfemms.exe
mfetp.exe	C:\Program Files\McAfee\Endpoint Security\Threat Prevention\mfetp.exe
mfevtps.exe	C:\Windows\System32\mfevtps.exe
mfewc.exe	C:\Program Files\McAfee\Endpoint Security\Web Control\mfewc.exe
TIEService.exe	C:\Program Files\McAfee\TIEM\TIEService.exe

Solution 3

Third-party product: Avecto Privilege Guard

There are three options for this third-party product:

Option 1: Add McAfee binaries to the Avecto Privilege Guard injection exclusion list. Achieved by modifying the registry on the endpoint
Option 2: Add McAfee binaries to the Avecto Privilege Guard injection exclusion list by modifying the registry using a Group Policy Object (GPO) policy
Option 3: Add McAfee binaries to the Avecto Privilege Guard injection exclusion list in the ePO extension provided by Avecto

NOTE: Option 2 and 3 conflict with each other if you use both of them, and if the policies are different.

Option 1: Add McAfee binaries to the Avecto Privilege Guard injection exclusion list. Achieved by modifying the registry on the endpoint

CAUTION: This article contains information about opening or modifying the registry.

The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.
Before proceeding, Technical Support strongly recommends that you back up your registry and understand the restore process. For more information, see the Microsoft Windows registry information for advanced users article.
Do not run a REG file that is not confirmed to be a genuine registry import file.

Press Windows+R, type regedit, and click OK.
Navigate to the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Avecto\Privilege Guard Client\
Click Edit, New, Multi-String Value and name the new registry entry DriverHookExclusions.
Right-click DriverHookExclusions and select Modify.
In the Value data field, add the full file paths, from Solution 2.

NOTE: Separate the full file paths with a carriage return; do not use commas. The full paths and processes are case sensitive.
Click OK.
Repeat steps 2–6 for the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Avecto\Privilege Guard Client\
Reboot the system.

Option 2: Add McAfee binaries to the Avecto Privilege Guard injection exclusion list by modifying the registry using a Group Policy Object (GPO) policy

CAUTION: This article contains information about opening or modifying the registry.

The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.
Before proceeding, Technical Support strongly recommends that you back up your registry and understand the restore process. For more information, see the Microsoft Windows registry information for advanced users article.
Do not run a REG file that is not confirmed to be a genuine registry import file.

In the Avecto Privilege Guard Management Console, navigate to Computer Configuration, Policies.
Right-click Privilege Guard Settings and select Advanced Agent Settings.
Select 64-bit Agent Values from the Edit drop-down list on the lower left of the window.
Click Add Value and name the new registry entry HookExclusions.
Select Multi-String in the Type column.
Double-click in the Value Data column.
In the Value Data field, add the process names from Solution 2.

NOTE: Separate the process names with a carriage return; do not use commas. The process names are case sensitive.
Click OK.

This group policy is applied like any other group policy. First, the change is replicated to all domain controllers. Then, clients look for policy updates about every 90 minutes. Or, policies are updated after a reboot or logon. To manually look for policy updates, run gpupdate from a command prompt. To force a policy update regardless of whether the policies have changed, run gpupdate /force from a command prompt.

Affected Products

Endpoint Security Firewall 10.7.x
Endpoint Security Firewall 10.6.x
Endpoint Security Threat Prevention 10.7.x
Endpoint Security Threat Prevention 10.6.x
Endpoint Security Web Control 10.7.x
Endpoint Security Web Control 10.6.x
Known Issue/Product Defect
McAfee Agent 5.7.x
McAfee Agent 5.6.x
Threat Intelligence Exchange Module for VirusScan Enterprise
VirusScan Enterprise 8.8

Languages:

This article is available in the following languages:

German
English United States
Spanish Spain
French
Italian
Japanese
Korean
Dutch
Portuguese Brasileiro
Chinese Simplified
Chinese Traditional

Glossary of Technical Terms

Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.

Knowledge Center

Compatibility issues can occur when third-party applications inject McAfee processes

Environment

Summary

Problem

System Change

Solution 1

Solution 2

Solution 3

Affected Products

Languages:

Glossary of Technical Terms

Title

Title

Knowledge Center

Compatibility issues can occur when third-party applications inject McAfee processes

Environment

Summary

Problem

System Change

Solution 1

Solution 2

Solution 3

Affected Products

Languages:

Glossary of Technical Terms

Choose your region

Title

Title