Access Protection and On-Access Scanner are disabled after installing VirusScan Enterprise 8.8 on a system with Host Intrusion Prevention 8.0 Patch 4 or earlier
Technical Articles ID: KB87668
Last Modified: 3/9/2017

Environment

McAfee Host Intrusion Prevention (Host IPS) 8.0 Patch 4 or earlier
McAfee VirusScan Enterprise (VSE) 8.8 Patches 5-8

Problem

Access Protection and the On-Access Scanner are disabled after you install VSE 8.8 Patches 5-8 on a system with Host IPS 8.0 Patch 4 or earlier.

You see the following error in the VSE Core installation log (vse8.8.0.core_install_xxxxxx_xxxxxx.log):
Returning 4294967295
You see the following errors in the hipshield.log:
 07-20 14:07:09 [03028] VIOLATION: [6] ------- Violation ---- Size 1152 ----
<Event> <!-- Level=High, Reaction=Prevent -->
  <EventData
  SignatureID="1002"
  SignatureName="Windows Agent Shielding - Registry Access"
  SeverityLevel="4"
  Reaction="3"
  ProcessUserName="DAVE-W7CLIENT\Administrator"
  Process="C:\PROGRAM FILES\MCAFEE\AGENT\X86\MCTRAY.EXE"
  IncidentTime="2016-07-20 14:07:06"
  AllowEx="False"
  SigRuleClass="Registry"
  ProcessId="2968"
  Session="1"
  SigRuleDirective="create"/>
  <Params>
    <Param name="Workstation Name" allowex="True">DAVE-W7CLIENT</Param>
    <Param name="Subject Distinguished Name" allowex="False">CN=&quot;MCAFEE, INC.&quot;, OU=ENGINEERING, OU=DIGITAL ID CLASS 3 - MICROSOFT SOFTWARE VALIDATION V2, O=&quot;MCAFEE, INC.&quot;, L=SANTA CLARA, S=OREGON, C=US</Param>
    <Param name="Subject Organization Name" allowex="False">&quot;MCAFEE, INC.&quot;</Param>
    <Param name="Executable Description" allowex="False">MCTRAY APPLICATION</Param>
    <Param name="Executable Fingerprint" allowex="False">e610ae6cd67d803ecddea2e438ef0a9a</Param>
    <Param name="Registry Key" allowex="True">\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MCAFEE\HIP\CONFIG\SETTINGS</Param>
  </Params>
</Event>
...

 07-20 14:36:49 [01028] VIOLATION: [4] ------- Violation ---- Size 1233 ----
<Event> <!-- Level=High, Reaction=Prevent -->
  <EventData
  SignatureID="1002"
  SignatureName="Windows Agent Shielding - Registry Access"
  SeverityLevel="4"
  Reaction="3"
  ProcessUserName="NT AUTHORITY\SYSTEM"
  Process="C:\WINDOWS\TEMP\MAE924.TMP\X64\MFEHIDIN.EXE"
  IncidentTime="2016-07-20 14:36:49"
  AllowEx="False"
  SigRuleClass="Registry"
  ProcessId="1468"
  Session="0"
  SigRuleDirective="modify"/>
  <Params>
    <Param name="Workstation Name" allowex="True">DAVE-W7CLIENT</Param>
    <Param name="Subject Distinguished Name" allowex="False">CN=&quot;MCAFEE, INC.&quot;, OU=ENGINEERING, OU=DIGITAL ID CLASS 3 - MICROSOFT SOFTWARE VALIDATION V2, O=&quot;MCAFEE, INC.&quot;, L=SANTA CLARA, S=OREGON, C=US</Param>
    <Param name="Subject Organization Name" allowex="False">&quot;MCAFEE, INC.&quot;</Param>
    <Param name="Executable Description" allowex="False">MCAFEE SYSTEM CORE INSTALLER</Param>
    <Param name="Executable Fingerprint" allowex="False">efc0b88169d2c91c70f58dd412e7f5d4</Param>
    <Param name="Registry Value(s)" allowex="True">\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MCAFEE\HIP\CONFIG\SETTINGS\IPS_HIPSENABLED</Param>
    <Param name="New Data" allowex="True">00000000</Param>
  </Params>
</Event>

Cause

Host IPS 8.0 Patch 4 and earlier does not recognize certain modern security signing requirements. These versions incorrectly identify the VSE installation as an attempt to compromise Host IPS.
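
To check whether a system's hipshield.log shows this pattern, the following added example (not McAfee code and not part of the original article) parses the violation blocks and lists signature 1002 events raised against McAfee-signed processes. The function names and the abridged sample log are constructed for illustration; the signer field is the value Host IPS recorded in the log, not an independent signature check.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the article's two events, abridged to the fields used below.
SAMPLE_LOG = r''' 07-20 14:07:09 [03028] VIOLATION: [6] ------- Violation ---- Size 1152 ----
<Event> <!-- Level=High, Reaction=Prevent -->
  <EventData SignatureID="1002" SigRuleDirective="create" Process="C:\PROGRAM FILES\MCAFEE\AGENT\X86\MCTRAY.EXE"/>
  <Params>
    <Param name="Subject Organization Name" allowex="False">&quot;MCAFEE, INC.&quot;</Param>
    <Param name="Registry Key" allowex="True">\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MCAFEE\HIP\CONFIG\SETTINGS</Param>
  </Params>
</Event>
 07-20 14:36:49 [01028] VIOLATION: [4] ------- Violation ---- Size 1233 ----
<Event> <!-- Level=High, Reaction=Prevent -->
  <EventData SignatureID="1002" SigRuleDirective="modify" Process="C:\WINDOWS\TEMP\MAE924.TMP\X64\MFEHIDIN.EXE"/>
  <Params>
    <Param name="Subject Organization Name" allowex="False">&quot;MCAFEE, INC.&quot;</Param>
    <Param name="Registry Value(s)" allowex="True">\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MCAFEE\HIP\CONFIG\SETTINGS\IPS_HIPSENABLED</Param>
    <Param name="New Data" allowex="True">00000000</Param>
  </Params>
</Event>
'''

EVENT_RE = re.compile(r"<Event>.*?</Event>", re.DOTALL)

def parse_violations(log_text):
    """Return one dict per well-formed <Event> block found in hipshield.log text."""
    events = []
    for block in EVENT_RE.findall(log_text):
        try:
            root = ET.fromstring(block)  # &quot; entities and the XML comment are handled here
        except ET.ParseError:
            continue  # truncated or interleaved block: skip rather than guess
        params = {p.get("name"): p.text or "" for p in root.iter("Param")}
        for data in root.findall("EventData"):  # loop body is skipped if the element is missing
            events.append({
                "signature": data.get("SignatureID"),
                "directive": data.get("SigRuleDirective"),
                "process": data.get("Process"),
                "signer": params.get("Subject Organization Name", "").strip('"'),
                "target": params.get("Registry Value(s)") or params.get("Registry Key"),
                "new_data": params.get("New Data"),
            })
    return events

def self_protection_hits(events):
    """Signature 1002 (Agent Shielding) blocks raised against McAfee-signed processes."""
    return [e for e in events
            if e["signature"] == "1002" and e["signer"].upper().startswith("MCAFEE")]
```

Run against a real log, a non-empty result from `self_protection_hits` on a system with Host IPS 8.0 Patch 4 or earlier matches the events shown above.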

Solution

{VSE88P9.EN_US}

Workaround

Upgrade Host IPS 8.0 to Patch 5 or later.
