How to troubleshoot when Endpoint Security blocks third-party applications
Technical Articles ID:   KB88482
Last Modified:  2/1/2018

Environment

McAfee Endpoint Security (ENS) Adaptive Threat Protection 10.x
McAfee ENS Threat Prevention 10.x

Problem

A third-party application stopped working after installing ENS.

Cause

One of the ENS security features judged the application, or part of the application, as malicious or suspicious, and so warranted containment or cleaning. The cause is likely the result of one of the following ENS features. If you determine the application to be safe, you can exclude it from the ENS feature that is blocking it. The Solution sections in this article describe the features, how to identify the feature causing the issue, and the recommended resolutions.

Common module:
  • Self Protection
Threat Prevention module:
  • Access Protection
  • On-Access Scanner
  • Exploit Prevention
  • ScriptScan
Adaptive Threat Protection module:
  • Dynamic Application Containment
  • Real Protect

Solution

Common -> Self Protection

Self Protection provides security for files, folders, the registry, processes, and other items for ENS components. Like Access Protection, the protections are implemented using an underlying technology named Arbitrary Access Control (AAC).

How to determine whether Self Protection is blocking the application
  • The issue no longer occurs after disabling Self Protection at Endpoint Security Common policy, Options Category, <policy name>, Show Advanced, Self Protection, Enable Self Protection.
  • The SelfProtection_Activity.log indicates that the application was blocked from performing an operation, and that block resulted in a problem for the application.
How to prevent Self Protection from blocking an application
  • Add an exclusion for the process that Self Protection is blocking.
  • Disable Self Protection (not recommended).

Solution

Threat Prevention -> Access Protection

Access Protection is a behavior-based technology that blocks specific actions as defined in the enabled Access Protection rules. The scope of the feature includes processes, services, files, folders, registry keys, and registry values (the capability of blocking TCP and UDP ports is in the Firewall module). Like Self Protection, Access Protection is enforced using an underlying technology named Arbitrary Access Control (AAC).

How to determine whether Access Protection is blocking the application
  • The issue no longer occurs after disabling Access Protection at Endpoint Security Threat Prevention policy, Access Protection Category, <policy name>, Access Protection, Enable Access Protection.
  • The AccessProtection_Activity.log indicates that the application was blocked from performing an operation (and that block resulted in a problem for the application).
How to prevent Access Protection from blocking an application
  • Identify the Access Protection rule that the process violated, and exclude the process from that rule.

Solution

Threat Prevention -> On-Access Scanner

The On-Access Scanner (OAS) is the real-time scanner that runs continuously, scanning files when they are read (READ) or after they have been changed (WRITE). Some of the features that are part of Adaptive Threat Protection depend on the OAS settings. For example, Real Protect does not apply its additional scanning to a process that is excluded from OAS scanning.

How to determine whether the On-Access Scanner is blocking the application
  • The issue no longer occurs after disabling the On-Access Scanner at Endpoint Security Threat Prevention policy, On-Access Scan Category, <policy name>, Enable On-Access Scan.
  • The OnAccessScan_Activity.log contains detection information for the application or its files.
  • The On-Access Scanner prevents users from overwriting non-read-only files on a network share that also contains read-only files. This known issue is resolved in ENS 10.5.2. For more information, see KB88535.
How to prevent the On-Access Scanner from blocking an application
  • Add a file exclusion for the application or its files, such as excluding the folder containing those files.
  • Use the GetClean tool, and if it identifies the application or its files as items to submit to McAfee, continue with submitting those file details to McAfee.
  • Trust the application's digital certificate to leverage Scan Avoidance that is built into the On-Access Scanner feature:
    1. Obtain the signature file.
      1. Right-click the third-party DLL file, or any files signed by the third-party application, and select Properties.
      2. Click the Digital Signatures tab.
      3. Select the appropriate digital signature from the Signature list.
      4. Click Details, View Certificate.
      5. Click the Details tab, then click Copy to File.
      6. Complete the Certificate Export Wizard and note where you save the .cer file. The product development team recommends that you accept the default wizard options, except for the file path. 
    2. Import a copy of the product's digital certificate into the Trust certificate store.
      1. Contact Technical Support. See the Related Information section for the contact details.
      2. Provide the .cer file you want to add. Technical Support will provide an executable package to add the certificate to the Trust certificate store.
      3. Run the executable provided by Technical Support. (Steps to do so via ePolicy Orchestrator will be provided by Technical Support.)
      4. Restart your computer. A restart is needed for the certificate store changes to take effect.

Solution

Threat Prevention -> Exploit Prevention

Exploit Prevention protects programs against exploits where those programs might have vulnerable code. If you find this feature is impacting the behavior of a third-party application, it is likely that the third-party application contains exploit behavior such as executing code from read-only memory. So, even if you find a workaround to the symptom by disabling the feature or creating an exclusion, it is advisable to seek a long-term solution from the third-party application vendor. A long-term solution protects you from running potentially vulnerable code in your environment.

How to determine whether Exploit Prevention is blocking the application
  • The issue no longer occurs after disabling one of the following Exploit Prevention features at Endpoint Security Threat Prevention policy, Exploit Prevention Category:
    • Generic Privilege Escalation Prevention (GPEP) - This feature is disabled by default. 
    • Windows Data Execution Prevention (DEP) and DEP exclusions - DEP is disabled by default.
    • Signatures - Only High severity signatures are enabled by default.
    • Application Protection Rules - Explicitly named processes are monitored by default; you might have added additional processes on your own.
  • The ExploitPrevention_Activity.log indicates that the application was blocked.
How to prevent Exploit Prevention from blocking an application
  • For Generic Privilege Escalation Prevention, disable the feature.
  • For Windows Data Execution Prevention, add an exclusion for the process being monitored or disable DEP.
  • For Signatures, set the relevant signature to Report only, or disable both Block and Report.
  • For Application Protection Rules, disable the rule blocking the applicable process.

Solution

Threat Prevention -> ScriptScan

ScriptScan is applicable only if the affected process is Internet Explorer (IE), or any add-ins or functionality that depends on IE. A browser helper object is used to facilitate scanning of scripts that IE loads.

How to determine whether ScriptScan is blocking the application
  • The issue no longer occurs after disabling ScriptScan at Endpoint Security Threat Prevention policy, On-Access Scan Category, <policy name>, Enable ScriptScan.
How to prevent ScriptScan from blocking an application
  • Exclude the URL or domain if the compatibility issue is specific to a certain URL or webpage.
  • Disable ScriptScan.

Solution

Adaptive Threat Protection -> Dynamic Application Containment

Dynamic Application Containment (DAC) uses additional behavior-based Access Protection rules to monitor a contained process. A contained process is one whose reputation has reached the threshold configured for DAC, and that Threat Intelligence or other product functionality has advised DAC to contain. A DAC-contained process can be blocked because the DAC rules can prevent the process from performing certain activities (as defined by each DAC rule that is enabled).

How to determine whether Dynamic Application Containment is blocking the application
  • Event ID 37275 "Application contained" is present in the ePolicy Orchestrator Threat Event log from the affected system, and found locally in the affected system's ENS console Event log.
  • The DynamicApplicationContainment_Activity.log includes text indicating the application "was contained at the request of" a product or feature.
  • The issue no longer occurs if DAC is configured to use Observe mode only at Endpoint Security Adaptive Threat Protection policy, Options Category, Action Enforcement section, Enable Observe mode (events are generated, but the policy is not enforced).
How to prevent Dynamic Application Containment from blocking an application
  • Disable the applicable DAC rule, or deselect the "Block" option for that rule.
  • Exclude the process in the DAC exclusion policy.
  • Use the Threat Intelligence Exchange Server to manually set a known good reputation for the process.

Solution

Adaptive Threat Protection -> Real Protect

Real Protect provides post-execution analysis of a process, using client-based scanning, cloud-based scanning, or both. Based on its findings, it can convict the process as malware and then clean it.

How to determine whether Real Protect is blocking the application
  • The issue no longer occurs after disabling the option "Enable client-based scanning" or "Enable cloud-based scanning" at Endpoint Security Adaptive Threat Protection policy, Options Category, Real Protect Scanning section.
  • The AdaptiveThreatPrevention_Activity.log records a detection of the application (for example, Orchestrator.Action.Activity: Action Details::  File: <file> , Mode: Enforce , Scanner: Real Protect Client , Reputation: <reputation> , ActionTaken: Clean).
  • The AdaptiveThreatPrevention_Debug.log records a static detection of the application (for example, Orchestrator.RealProtectStatic.Debug:  File: <file> : RP Static reputation <reputation 1> classification 1 silent 0 detection name <name> JCM reputation <reputation 2>; the important entry is the classification value of 1).
  • The AdaptiveThreatPrevention_Debug.log records a cloud detection of the application (for example, Orchestrator.RepChangeListener.Debug:  real protect cloud found <detection name> in process id <PID> , file <file>).
How to prevent Real Protect from blocking an application
  • Use On-Access Scanner exclusions to exclude the files being detected. 
    NOTE: On-Access Scanner exclusions also prevent Adaptive Threat Protection from requesting Dynamic Application Containment to contain a process.
  • Use Threat Intelligence Exchange Server to change the enterprise reputation for the files as appropriate.
  • Use Threat Intelligence Exchange Server to add the certificate for the wanted files.
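The log checks above, together with the Self Protection, Access Protection, Exploit Prevention and Dynamic Application Containment log checks earlier in this article, can be run in one pass over the ENS log folder. The following Python script is an added example and not McAfee's code: the log file names are the ones this article cites, while the regular expressions, the Contoso path and the sample log lines are constructed assumptions modelled on the excerpts quoted here.

```python
import re

# Which ENS feature writes each log (file names as given in this article).
LOG_FEATURES = {
    "SelfProtection_Activity.log": "Common -> Self Protection",
    "AccessProtection_Activity.log": "Threat Prevention -> Access Protection",
    "OnAccessScan_Activity.log": "Threat Prevention -> On-Access Scanner",
    "ExploitPrevention_Activity.log": "Threat Prevention -> Exploit Prevention",
    "DynamicApplicationContainment_Activity.log": "Adaptive Threat Protection -> Dynamic Application Containment",
    "AdaptiveThreatPrevention_Activity.log": "Adaptive Threat Protection -> Real Protect",
    "AdaptiveThreatPrevention_Debug.log": "Adaptive Threat Protection -> Real Protect",
}
# Regexes modelled on the log excerpts quoted in this article; the exact patterns are assumptions.
PATTERNS = [
    ("real_protect_action", re.compile(r"Scanner:\s*Real Protect (?P<scanner>\w+)\s*,.*ActionTaken:\s*(?P<action>\w+)")),
    ("real_protect_static", re.compile(r"RP Static reputation \d+ classification (?P<cls>\d+)")),
    ("real_protect_cloud", re.compile(r"real protect cloud found (?P<name>.+?) in process id (?P<pid>\d+)")),
    ("dac_contained", re.compile(r"was contained at the request of (?P<requester>.+)$")),
    ("blocked", re.compile(r"\bblocked\b", re.IGNORECASE)),  # Self/Access/Exploit Protection activity logs
]

def triage(logs, process_name):
    """logs maps a log file name to its text; returns (feature, kind, details) for each line that
    names process_name and matches one of the patterns above."""
    findings = []
    for log_name, feature in LOG_FEATURES.items():
        for line in logs.get(log_name, "").splitlines():
            if process_name.lower() not in line.lower():
                continue
            for kind, rx in PATTERNS:
                m = rx.search(line)
                if m:
                    # Per the article, a static Real Protect entry is a detection only when classification is 1.
                    if kind != "real_protect_static" or m.group("cls") == "1":
                        findings.append((feature, kind, m.groupdict()))
                    break
    return findings

EXE = r"C:\Apps\Contoso\contoso.exe"  # hypothetical third-party application
SAMPLE_LOGS = {  # constructed sample lines, not captured ENS output
    "AdaptiveThreatPrevention_Activity.log": f"Orchestrator.Action.Activity: Action Details::  File: {EXE} , Mode: Enforce , "
        "Scanner: Real Protect Client , Reputation: 15 , ActionTaken: Clean\n",
    "AdaptiveThreatPrevention_Debug.log":
        f"Orchestrator.RealProtectStatic.Debug:  File: {EXE} : RP Static reputation 50 classification 0 silent 0 detection name none JCM reputation 50\n"
        f"Orchestrator.RealProtectStatic.Debug:  File: {EXE} : RP Static reputation 15 classification 1 silent 0 detection name RealProtect-Sample JCM reputation 30\n"
        f"Orchestrator.RepChangeListener.Debug:  real protect cloud found RealProtect-Sample in process id 4321 , file {EXE}\n",
    "DynamicApplicationContainment_Activity.log": "contoso.exe was contained at the request of Adaptive Threat Protection\n",
    "AccessProtection_Activity.log": "explorer.exe blocked by rule: sample rule\n",  # a different process: must not match
}
```

Calling triage(SAMPLE_LOGS, "contoso.exe") reports the DAC containment and the three Real Protect entries (the classification 0 line is ignored), so the Real Protect and DAC exclusions described in this article are the ones to consider; in real use, read each file from the ENS log folder into the logs dictionary.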
