"Prevent Windows Process spoofing" Access Protection rule blocks legitimate processes after upgrading to SysCore 15.4.0.811
Technical Articles ID: KB86694
Last Modified: 4/14/2017

Environment

McAfee Agent (MA) Hotfix 1110392 (5.0.2.333)
McAfee Host Intrusion Prevention (Host IPS) 8.0 Patch 7
McAfee VirusScan Enterprise (VSE) 8.8 Patch 7

SysCore 15.4.0.811

Problem

After upgrading products that provide SysCore 15.4.0.811, the following VSE Access Protection (AP) rules block legitimate Windows processes:
  • Prevent common programs from running files from the Temp folder
  • Prevent svchost executing non-Windows executables
  • Prevent programs registering to autorun
  • Prevent Windows Process spoofing (Anti-virus Standard Protection: Prevent Windows Process spoofing)
NOTE: These rules are disabled by default. If you have not enabled these rules, you will not experience this issue.

Symptoms include:
  • A blank screen at Windows logon
  • Blocking of Windows processes such as explorer.exe or services.exe
  • A sudden spike in 1092 and 1095 events reported in ePolicy Orchestrator dashboards

Software that upgrades to the affected version of SysCore includes:
  • Host IPS 8.0 Patch 7
  • MA Hotfix 1110392 (5.0.2.333)
  • VSE 8.8 Patch 7

System Change

You upgraded or deployed one of the following software packages:
  • Host IPS 8.0 Patch 7
  • MA Hotfix 1110392 (5.0.2.333)
  • VSE 8.8 Patch 7

Solution

This issue was previously resolved in VSE 8.8 Patch 6 and 7 Hotfix 1123565.

Workaround

To avoid problems associated with AP rule violations, add the following exclusions to each of the AP rules listed above:
**\smss.exe
c:\windows\csrss.exe
c:\windows\explorer.exe
c:\windows\system32\services.exe
c:\windows\system32\smss.exe
c:\windows\system32\svchost.exe
c:\windows\system32\userinit.exe
c:\windows\system32\winlogon.exe
c:\windows\syswow64\csrss.exe
c:\windows\syswow64\explorer.exe
c:\windows\syswow64\svchost.exe
c:\windows\syswow64\userinit.exe

To recover systems that have been affected by AP rule violations:

IMPORTANT: The following steps apply only to systems already adversely affected by the AP rules.
  1. Correct the AP rule policies as described above.
  2. Hard reboot the system (power off the system, and then power on).
  3. Log on as usual.
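To confirm that the exclusion list above actually covers the process paths showing up in your blocked-event reports before you push the policy, here is an added example (not McAfee's code or tooling) that applies the exclusions to a constructed sample of paths. It assumes the VSE AP wildcard semantics noted in the comments (`**` spans backslashes, `*` does not); confirm them against the VSE documentation for your version.

```python
import re

# Exclusions from the workaround above, copied verbatim.
AP_EXCLUSIONS = [
    r"**\smss.exe",
    r"c:\windows\csrss.exe",
    r"c:\windows\explorer.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\smss.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\userinit.exe",
    r"c:\windows\system32\winlogon.exe",
    r"c:\windows\syswow64\csrss.exe",
    r"c:\windows\syswow64\explorer.exe",
    r"c:\windows\syswow64\svchost.exe",
    r"c:\windows\syswow64\userinit.exe",
]

def exclusion_to_regex(pattern: str) -> re.Pattern:
    """Translate one AP exclusion into an anchored, case-insensitive regex.
    Assumed wildcard semantics: '**' matches anything including backslashes,
    '*' matches anything except a backslash, '?' matches one non-backslash char."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif pattern[i] == "*":
            out.append(r"[^\\]*"); i += 1
        elif pattern[i] == "?":
            out.append(r"[^\\]"); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)

COMPILED = [(p, exclusion_to_regex(p)) for p in AP_EXCLUSIONS]

def matching_exclusion(process_path: str):
    """Return the first exclusion covering process_path, or None."""
    for pattern, rx in COMPILED:
        if rx.match(process_path):
            return pattern
    return None

def uncovered(process_paths):
    """Paths that no exclusion covers, i.e. ones the AP rules would still block."""
    return [p for p in process_paths if matching_exclusion(p) is None]

# Constructed sample of process paths as they might appear in 1092/1095 events.
SAMPLE_BLOCKED = [
    r"C:\Windows\explorer.exe",
    r"C:\Windows\System32\services.exe",
    r"C:\Windows\System32\smss.exe",
    r"C:\Program Files\Vendor\agent.exe",
]
```

Anything returned by `uncovered()` is a path the rules will keep blocking; decide per path whether it belongs in the exclusion list or whether the block is legitimate.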

Workaround

Disable the following rules:
  • Prevent common programs from running files from the Temp folder
  • Prevent svchost executing non-Windows executables
  • Prevent programs registering to autorun
  • Prevent Windows Process spoofing (Anti-virus Standard Protection: Prevent Windows Process spoofing)
