McAfee software upgrade fails if Host Intrusion Prevention feature "Startup IPS protection enabled" is enabled
Technical Articles ID: KB86909
Last Modified: 11/21/2016


Environment

McAfee Agent (MA) 5.x
McAfee Data Loss Prevention Endpoint (DLPE) 9.x
McAfee Endpoint Intelligence Agent (EIA) 2.x
McAfee Endpoint Security (ENS) Firewall 10.1
McAfee Endpoint Security (ENS) Threat Prevention 10.1
McAfee Host Intrusion Prevention (Host IPS) 8.x
McAfee VirusScan Enterprise (VSE) 8.x

McAfee SysCore 15.4

Problem

An upgrade of any McAfee software that includes McAfee SysCore 15.4 (see the affected products listed under Environment) fails on systems where the following Host IPS 8.0 - IPS Options rule is enabled:
Startup IPS protection enabled
NOTE: The Startup IPS protection enabled rule in Host IPS 8.0 - IPS Options is disabled by default. If you have not enabled the rule, you will not experience this issue.

Problem

The Startup Type for McAfee Validation Trust Protection Service is set to disabled and the service does not start. Products that require this service are negatively affected.

The exact effects vary depending on the individual product. For example, with VSE, the McShield (On-Access Scanner) service will not start.

Problem

The VSCore install log contains the following errors:
[08:26:41:237] - StartService: currentStartValue 4
[08:26:41:237] - StartService: preserved StartValue 2
[08:26:41:268] - Unlock Service DACL mfevtp
[08:26:41:284] - Waiting for mfevtp service to unlock. 10 retries left
[08:26:42:298] - Waiting for mfevtp service to unlock. 9 retries left
[08:26:43:313] - Waiting for mfevtp service to unlock. 8 retries left
[08:26:44:328] - Waiting for mfevtp service to unlock. 7 retries left
[08:26:45:342] - Waiting for mfevtp service to unlock. 6 retries left
[08:26:46:357] - Waiting for mfevtp service to unlock. 5 retries left
[08:26:47:371] - Waiting for mfevtp service to unlock. 4 retries left
[08:26:48:386] - Waiting for mfevtp service to unlock. 3 retries left
[08:26:49:400] - Waiting for mfevtp service to unlock. 2 retries left
[08:26:50:415] - Waiting for mfevtp service to unlock. 1 retries left
[08:26:51:430] - Error opening service mfevtp: 5
[08:26:51:430] - ERROR! ConfigureServiceStart: Failed to get handle to service. GetLastError=5
[08:26:51:461] - Lock Service DACL mfevtp
[08:26:51:461] - WARNING! StartService: failed to set Start 0

Cause

The McAfee Validation Trust Protection Service fails to start in a timely fashion. This prevents the upgrade from completing successfully.

A relatively rare timing issue during the SysCore installation leaves the mfevtp service in a disabled state if Host IPS is installed with boot-time protection enabled. The following sequence of events causes this issue:

  1. The SysCore installer (mfehidn) executes to upgrade SysCore.
  2. Mfehidn signals Host IPS to disable its self-protection so that the upgrade can complete.
  3. Mfehidn sends a command to stop firesvc.
  4. Firesvc begins its shutdown process. Firesvc notifies the Service Control Manager (SCM) that it has fully shut down, even though it is still completing the shutdown process.
  5. Mfehidn begins installing immediately after it is notified that firesvc has shut down.
  6. Mfehidn updates the mfehidk service.
  7. SCM detects the change to mfehidk and modifies the registry keys associated with the dependent services (mfevtp and mcshield).
  8. Firesvc completes the shutdown and enables the boot-time protection rules.
  9. Mfehidn completes the installation.
  10. SCM detects that the dependencies are correct and attempts to set the dependent services (mfevtp and mcshield) to automatic start, but is blocked because the boot-time rules are in effect.

Solution

This issue was resolved in the Host IPS Startup Protection rules included with the May 2016 content release.

To learn more about this release, see the Host Intrusion Prevention Content 6952 Release Notes (http://www.mcafee.com/us/resources/release-notes/hips/HIPS_6952_May_2016.pdf).

Workaround

To prevent this issue from occurring, disable boot-time protection in the Host IPS Options policy when you deploy a product that updates SysCore:
  1. Log on to the ePO console.
  2. Navigate to Menu, Policy, and select the Policy Catalog.
  3. Select Host Intrusion Prevention 8.0:IPS from the Product drop-down list.
  4. Select IPS Options (Windows, Linux, Solaris) from the Category drop-down list.
  5. Edit the IPS Options policy assigned to the clients you want to update.
  6. Deselect the Startup IPS Protection enabled box.
  7. Click Save.
