ENS doesn't work as expected with third-party software installed

Technical Articles ID: KB88302
Last Modified: 3/25/2021

Environment

McAfee Endpoint Security (ENS) Firewall 10.x
McAfee ENS Threat Prevention 10.x
McAfee ENS Web Control 10.x

Digital Guardian
Symantec Encryption Desktop

Summary

ENS does not work as expected when some types of third-party software are installed. When you disable or uninstall the third-party software, ENS works as expected.

Problem 1

This problem is known to occur when the third-party software Symantec Encryption Desktop is installed. The Firewall and Web Control modules do not work as expected.

The following errors display in the ENS Platform error log file:

LineNum.    Column 1
52808    11/02/2016 01:49:31.735 PM    mfewc(2480.2316) <???????> WebControl.SaSSHMod.Error (SALog.cpp:173): Unable to get GTI reputation. TS Error code = 1
52809    11/02/2016 01:49:32.416 PM    mfewc(2480.7076) <???????> WebControl.SaSSHMod.Error (SALog.cpp:173): TS_RateUrlExtended failed in callback method:[1]
53519    11/02/2016 01:54:30.308 PM    mfefw(2404.2948) <???????> blframework.FIREWALL.Error (_FcLeafRule.cpp:919): Failed to convert start 66.112.192.0/18 to FcIpAddress!
53520    11/02/2016 01:54:30.318 PM    mfefw(2404.2948) <???????> blframework.FIREWALL.Error (_FcLeafRule.cpp:894): Failed to convert 215.45.120.71 to FcIpAddress!
53521    11/02/2016 01:54:30.318 PM    mfefw(2404.2948) <???????> blframework.FIREWALL.Error (_FcLeafRule.cpp:894): Failed to convert 215.45.120.71 to FcIpAddress!
53522    11/02/2016 01:54:50.629 PM   mfeesp(2384.2764) <???????> GTIBL.GTI.Error (GTIImpl.cpp:644): TS_RateConnection failed. Returned = 1
53523    11/02/2016 01:54:51.529 PM   mfeesp(2384.3020) <???????> GTIBL.GTI.Error (GTIImpl.cpp:644): TS_RateConnection failed. Returned = 1

Problem 2

This problem is known to occur when the third-party software Digital Guardian is installed. The update mechanism does not work as expected.

You might see the following in the ENS Platform error log file:

mfeesp(15712.13100) ApBl.SP.Activity: NT AUTHORITY\SYSTEM ran FWWINDOWSFIREWALLHANDLER.EXE, which attempted to access DGAPI64.DLL, violating the rule "Core Protection - Sanitize McAfee processes", and was blocked. For information about how to respond to this event, see KB85494.

Cause

The third-party software injects code into McAfee processes. McAfee software considers third-party DLLs that inject into McAfee processes untrusted, and those processes also become untrusted. McAfee software then denies access to the untrusted processes, which causes the affected McAfee process to not work as expected. For detailed information about ENS and third-party injection, see: KB88085 - Third-party DLL injectors, code detours, and hooking.

When a third-party DLL is detected trying to load into MFECANARY.EXE, the digital certificate for the process is populated in the certificate table. This certificate table is in the user interface at Endpoint Security Common policy, your enforced policy, Show Advanced, Certificates. The certificate table is populated with the Vendor, Subject, and Hash of the associated public key.

NOTE: If the certificate for the third-party software is not populated in the certificate table, you might have an issue other than the one described in this article.

Solution

ENS provides an option to trust the third-party software and allow client systems to run its code within McAfee processes. If you want to trust the certificate of the third-party software, select Allow for the certificate in the certificate table.

NOTE: This setting might result in reduced security.

Affected Products

Configuration
Endpoint Security Firewall 10.7.x
Endpoint Security Firewall 10.6.x
Endpoint Security Threat Prevention 10.7.x
Endpoint Security Threat Prevention 10.6.x
Endpoint Security Web Control 10.7.x
Endpoint Security Web Control 10.6.x

Languages:

This article is available in the following languages:

English United States
Spanish Spain
French
Italian
Japanese
Portuguese Brasileiro
Chinese Simplified

Knowledge Center

ENS doesn't work as expected with third-party software installed

Environment

Summary

Problem 1

Problem 2

Cause

Solution

Affected Products

Languages:

Title

Title

Knowledge Center

ENS doesn't work as expected with third-party software installed

Environment

Summary

Problem 1

Problem 2

Cause

Solution

Affected Products

Languages:

Choose your region

Title

Title