
McAfee software upgrade fails if Host Intrusion Prevention feature "Startup IPS protection enabled" is enabled
Technical Articles ID: KB86909
Last Modified: 11/21/2016


McAfee Agent (MA) 5.x
McAfee Data Loss Prevention Endpoint (DLPE) 9.x
McAfee Endpoint Intelligence Agent (EIA) 2.x
McAfee Endpoint Security (ENS) Firewall 10.1
McAfee Endpoint Security (ENS) Threat Prevention 10.1
McAfee Host Intrusion Prevention (Host IPS) 8.x
McAfee VirusScan Enterprise (VSE) 8.x

McAfee SysCore 15.4


An upgrade for any McAfee software that includes McAfee SysCore 15.4 (refer to the affected products in the Environment field) fails on systems where the following Host IPS 8.0 - IPS Options rule is enabled:
Startup IPS protection enabled
NOTE: The Startup IPS protection enabled rule in the Host IPS 8.0 - IPS Options policy is disabled by default. If you have not enabled the rule, you will not experience this issue.


The Startup Type for McAfee Validation Trust Protection Service is set to disabled and the service does not start. Products that require this service are negatively affected.

The exact effects vary depending on the individual product. For example, with VSE, the McShield (On-Access Scanner) service will not start.


The VSCore install log contains the following errors:
[08:26:41:237] - StartService: currentStartValue 4
[08:26:41:237] - StartService: preserved StartValue 2
[08:26:41:268] - Unlock Service DACL mfevtp
[08:26:41:284] - Waiting for mfevtp service to unlock. 10 retries left
[08:26:42:298] - Waiting for mfevtp service to unlock. 9 retries left
[08:26:43:313] - Waiting for mfevtp service to unlock. 8 retries left
[08:26:44:328] - Waiting for mfevtp service to unlock. 7 retries left
[08:26:45:342] - Waiting for mfevtp service to unlock. 6 retries left
[08:26:46:357] - Waiting for mfevtp service to unlock. 5 retries left
[08:26:47:371] - Waiting for mfevtp service to unlock. 4 retries left
[08:26:48:386] - Waiting for mfevtp service to unlock. 3 retries left
[08:26:49:400] - Waiting for mfevtp service to unlock. 2 retries left
[08:26:50:415] - Waiting for mfevtp service to unlock. 1 retries left
[08:26:51:430] - Error opening service mfevtp: 5
[08:26:51:430] - ERROR! ConfigureServiceStart: Failed to get handle to service. GetLastError=5
[08:26:51:461] - Lock Service DACL mfevtp
[08:26:51:461] - WARNING! StartService: failed to set Start 0
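
To triage collected install logs for this failure signature, the following added example (not McAfee code) parses the log format shown above and reports each service whose DACL unlock retries ended in an open error. The function name and the returned field names are assumptions made for this example; the Start values (2 = automatic, 4 = disabled) and error 5 (access denied) are the standard Windows meanings.

```python
import re
from datetime import datetime

# Windows service Start values (standard SCM meaning).
START_TYPES = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}
LINE = re.compile(r"^\[(\d{2}:\d{2}:\d{2}:\d{3})\] - (.*)$")

# Excerpt of the log lines quoted in this article (middle retry lines trimmed).
SAMPLE_LOG = """\
[08:26:41:237] - StartService: currentStartValue 4
[08:26:41:237] - StartService: preserved StartValue 2
[08:26:41:268] - Unlock Service DACL mfevtp
[08:26:41:284] - Waiting for mfevtp service to unlock. 10 retries left
[08:26:50:415] - Waiting for mfevtp service to unlock. 1 retries left
[08:26:51:430] - Error opening service mfevtp: 5
[08:26:51:430] - ERROR! ConfigureServiceStart: Failed to get handle to service. GetLastError=5
[08:26:51:461] - Lock Service DACL mfevtp
[08:26:51:461] - WARNING! StartService: failed to set Start 0
"""

def find_blocked_service_start(log_text):
    """Return one finding per service whose unlock retries ended in an open error."""
    findings, state = [], {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that are not in "[time] - message" form
        ts = datetime.strptime(m.group(1), "%H:%M:%S:%f")
        msg = m.group(2)
        if (v := re.search(r"currentStartValue (\d+)", msg)):
            state["current"] = START_TYPES.get(int(v.group(1)), "unknown")
        elif (v := re.search(r"preserved StartValue (\d+)", msg)):
            state["preserved"] = START_TYPES.get(int(v.group(1)), "unknown")
        elif (v := re.match(r"Unlock Service DACL (\S+)", msg)):
            state.update(service=v.group(1), began=ts, retries=0)
        elif msg.startswith("Waiting for") and "to unlock" in msg:
            state["retries"] = state.get("retries", 0) + 1
        elif (v := re.match(r"Error opening service (\S+): (\d+)", msg)):
            waited = (ts - state["began"]).total_seconds() if "began" in state else None
            findings.append({
                "service": v.group(1),
                "win32_error": int(v.group(2)),  # 5 = ERROR_ACCESS_DENIED
                "current_start": state.get("current"),
                "preserved_start": state.get("preserved"),
                "retry_lines": state.get("retries", 0),
                "seconds_waited": waited,
            })
            state = {}  # reset for the next service in the log
    return findings
```

A finding with current_start "disabled", preserved_start "automatic" and win32_error 5 matches the condition described in this article.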


The McAfee Validation Trust Protection Service fails to start in a timely fashion. This prevents the upgrade from completing successfully.

A relatively rare timing issue during the SysCore installation results in the mfevtp service being left in a disabled state if Host IPS is installed with boot-time protection enabled. The following sequence of events causes this issue to occur:


  1. The SysCore installer (mfehidn) executes to upgrade SysCore.
  2. Mfehidn signals Host IPS to disable its self protection to complete the upgrade.
  3. Mfehidn sends a command to stop firesvc.
  4. Firesvc begins its shutdown process. Firesvc notifies the Service Control Manager (SCM) that it has fully shut down, even though it is still completing the shutdown process.
  5. Mfehidn begins installing immediately after it is notified that firesvc has shut down.
  6. Mfehidn updates the mfehidk service.
  7. SCM detects the change to mfehidk and modifies the registry keys associated with the dependent services (mfevtp and mcshield).
  8. Firesvc completes the shutdown and enables the boot-time protection rules.
  9. Mfehidn completes the installation.
  10. SCM detects that the dependencies are correct and attempts to set the dependent services (mfevtp and mcshield) to automatic start, but is blocked because the boot-time rules are in effect.


This issue was resolved in the Host IPS Startup Protection rules included with the May 2016 content release.

To learn more about this release, see the Host Intrusion Prevention Content 6952 Release Notes (http://www.mcafee.com/us/resources/release-notes/hips/HIPS_6952_May_2016.pdf).


To prevent this issue from occurring, disable boot-time protection in the Host IPS Options policy when you deploy a product that updates SysCore:
  1. Log on to the ePO console.
  2. Navigate to Menu, Policy, and select the Policy Catalog.
  3. Select Host Intrusion Prevention 8.0:IPS from the Product drop-down list.
  4. Select IPS Options (Windows, Linux, Solaris) from the Category drop-down list.
  5. Edit the IPS Options policy assigned to the clients you want to update.
  6. Deselect the Startup IPS Protection enabled box.
  7. Click Save.
