"Prevent Windows Process spoofing" Access Protection rule blocks legitimate processes after upgrading to SysCore 15.4.0.811
Technical Articles ID:   KB86694
Last Modified:  4/14/2017


Environment

McAfee Agent (MA) Hotfix 1110392 (5.0.2.333)
McAfee Host Intrusion Prevention (Host IPS) 8.0 Patch 7
McAfee VirusScan Enterprise (VSE) 8.8 Patch 7

SysCore 15.4.0.811

Problem

After upgrading products that provide SysCore 15.4.0.811, the following VSE Access Protection (AP) rules block legitimate Windows processes:
  • Prevent common programs from running files from the Temp folder
  • Prevent svchost executing non-Windows executables
  • Prevent programs registering to autorun
  • Prevent Windows Process spoofing (Anti-virus Standard Protection: Prevent Windows Process spoofing)
NOTE: These rules are disabled by default. If you have not enabled these rules, you will not experience this issue.

Symptoms include:
  • A blank screen at Windows logon
  • Blocking of Windows processes such as explorer.exe or services.exe
  • A sudden spike in 1092 and 1095 events reported in ePolicy Orchestrator dashboards

Software that upgrades to the affected version of SysCore includes:
  • Host IPS 8.0 Patch 7
  • MA Hotfix 1110392 (5.0.2.333)
  • VSE 8.8 Patch 7

System Change

You upgraded or deployed one of the following software packages:
  • Host IPS 8.0 Patch 7
  • MA Hotfix 1110392 (5.0.2.333)
  • VSE 8.8 Patch 7

Solution

This issue is resolved in VirusScan Enterprise 8.8.0 Update 9, which is available from the Product Downloads site at: http://mcafee.com/us/downloads/downloads.aspx.

NOTE: You need a valid Grant Number for access. KB56057 provides additional information about the Product Downloads site, and alternate locations for some products.

Updates are cumulative; Technical Support recommends that you install the latest one.

VSE 8.8 Update 11 is the latest update available from the Downloads tab on the ServicePortal at https://support.mcafee.com/downloads.

NOTE: VSE 8.8 Update 11 supports all supported Windows operating systems.

Solution

This issue was previously resolved in Hotfix 1123565 for VSE 8.8 Patch 6 and Patch 7.

Updates are available when you log on to the ServicePortal at: https://support.mcafee.com/downloads.

Workaround

To avoid blocks caused by these AP rule violations, add the following process exclusions to each of the four AP rules listed above:
**\smss.exe
c:\windows\csrss.exe
c:\windows\explorer.exe
c:\windows\system32\services.exe
c:\windows\system32\smss.exe
c:\windows\system32\svchost.exe
c:\windows\system32\userinit.exe
c:\windows\system32\winlogon.exe
c:\windows\syswow64\csrss.exe
c:\windows\syswow64\explorer.exe
c:\windows\syswow64\svchost.exe
c:\windows\syswow64\userinit.exe

To recover systems that have been affected by AP rule violations:

IMPORTANT: The following steps apply only to systems already adversely affected by the AP rules.
  1. Correct the AP rules policies as detailed above.
  2. Hard reboot the system (power off the system, and then power on).
  3. Log on as usual.
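Before adding the exclusions above, it helps to confirm from a client's AccessProtectionLog.txt that the spike in 1092/1095 events really is one of the four affected rules blocking the legitimate Windows processes this article lists, rather than a genuine detection. The following triage script is an added example and is not McAfee code: it assumes the tab-separated layout VSE writes to AccessProtectionLog.txt (date, time, event, user, process, target, rule, action) and the VSE exclusion wildcard semantics (`**` crosses backslashes, `*` does not, `?` is one character); both are assumptions to check against your own log and documentation. The sample log lines are constructed for the example. It groups blocked events by rule and flags those whose blocked process would be covered by the exclusion list from the Workaround section.

```python
import re
from collections import Counter

# Exclusions from the Workaround section of KB86694.
KB86694_EXCLUSIONS = [
    r"**\smss.exe",
    r"c:\windows\csrss.exe",
    r"c:\windows\explorer.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\smss.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\userinit.exe",
    r"c:\windows\system32\winlogon.exe",
    r"c:\windows\syswow64\csrss.exe",
    r"c:\windows\syswow64\explorer.exe",
    r"c:\windows\syswow64\svchost.exe",
    r"c:\windows\syswow64\userinit.exe",
]

# The four AP rules the article says misfire on SysCore 15.4.0.811.
AFFECTED_RULES = {
    "Prevent common programs from running files from the Temp folder",
    "Prevent svchost executing non-Windows executables",
    "Prevent programs registering to autorun",
    "Prevent Windows Process spoofing",
}


def exclusion_to_regex(pattern):
    """Translate a VSE exclusion pattern into a case-insensitive regex.
    Assumed semantics: '**' matches any run of characters including
    backslashes, '*' matches any run with no backslash, '?' matches one
    character; everything else is literal."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append(r"[^\\]*")
            i += 1
        elif pattern[i] == "?":
            out.append(".")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)


def parse_ap_log(text):
    """Parse AccessProtectionLog.txt. Assumed tab-separated columns:
    date, time, event, user, process, target, rule, action."""
    events = []
    for line in text.splitlines():
        fields = line.rstrip("\r\n").split("\t")
        if len(fields) < 8:
            continue  # blank or truncated line
        date, time, event, user, process, target, rule, action = fields[:8]
        # The rule column reads "<category>:<rule name>"; keep the rule name.
        rule_name = rule.split(":", 1)[-1].strip()
        events.append({"date": date, "time": time, "event": event, "user": user,
                       "process": process, "target": target, "rule": rule_name,
                       "action": action})
    return events


def triage(events, exclusions=KB86694_EXCLUSIONS):
    """Count enforced blocks per rule and return the events that KB86694
    explains: an affected rule blocking a process the exclusions would cover.
    'Would be blocked' (report-only) events are not counted."""
    patterns = [exclusion_to_regex(p) for p in exclusions]
    by_rule, kb_hits = Counter(), []
    for ev in events:
        if not ev["event"].startswith("Blocked"):
            continue
        by_rule[ev["rule"]] += 1
        if ev["rule"] in AFFECTED_RULES and any(p.match(ev["process"]) for p in patterns):
            kb_hits.append(ev)
    return by_rule, kb_hits


# Constructed sample log rows, not real client data.
SAMPLE_ROWS = [
    ("4/14/2017", "08:01:12 AM", "Blocked by Access Protection rule", r"NT AUTHORITY\SYSTEM",
     r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe",
     "Anti-virus Standard Protection:Prevent Windows Process spoofing", "Action blocked : Execute"),
    ("4/14/2017", "08:01:13 AM", "Blocked by Access Protection rule", r"CORP\alice",
     r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe",
     "Anti-virus Standard Protection:Prevent Windows Process spoofing", "Action blocked : Execute"),
    ("4/14/2017", "08:02:40 AM", "Blocked by Access Protection rule", r"CORP\alice",
     r"C:\Users\alice\Downloads\setup.exe", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Example Category:Prevent programs registering to autorun", "Action blocked : Create"),
    ("4/14/2017", "08:03:05 AM", "Would be blocked by Access Protection rule (rule is currently not enforced)",
     r"NT AUTHORITY\SYSTEM", r"C:\Windows\System32\svchost.exe", r"C:\Temp\tool.exe",
     "Anti-virus Standard Protection:Prevent svchost executing non-Windows executables",
     "Action blocked : Execute"),
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in SAMPLE_ROWS)

if __name__ == "__main__":
    counts, hits = triage(parse_ap_log(SAMPLE_LOG))
    for rule, n in counts.most_common():
        print(f"{n:4d}  {rule}")
    for ev in hits:
        print(f"KB86694 candidate: {ev['rule']} blocked {ev['process']} -> {ev['target']}")
```

In the sample, the two spoofing blocks of services.exe and explorer.exe are flagged as explained by this article, while the block of setup.exe under the autorun rule is not, because no exclusion covers that path; that block should be investigated as usual. Matching is done on the blocked process path alone, exactly as the AP exclusions themselves work, which is why the exclusions are a workaround and the SysCore fix in the Update is the resolution.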

Workaround

Disable the following rules:
  • Prevent common programs from running files from the Temp folder
  • Prevent svchost executing non-Windows executables
  • Prevent programs registering to autorun
  • Prevent Windows Process spoofing (Anti-virus Standard Protection: Prevent Windows Process spoofing)
