Endpoint Security 10.x installation fails because of untrusted DLL injection
Technical Articles ID: KB89239
Last Modified: 5/4/2017


Environment

McAfee Endpoint Security (ENS) Firewall 10.x
McAfee ENS Threat Prevention 10.x
McAfee ENS Web Control 10.x

Problem

The installation of ENS 10.x starts successfully, but rolls back and fails in the presence of third-party applications.

The System log contains the following Windows event:
 
WARNING    <timestamp>  mfehidk   None   514   N/A   computername   Process **\mfesetup.exe pid (5432) contained unsigned or corrupted code and was blocked from performing a privileged operation with a McAfee driver.
 
The installation logs record errors similar to the following:
 
McAfee_Endpoint_BootStrapper_<timestamp>.log:
 
<timestamp> [21272] [BootStrapperMain] C:\ProgramData\McAfeeTmpInstall_Common\setupCC.exe /qn INSTALLDIR="C:\Program Files\McAfee\Endpoint Security" /ignore /norestart
<timestamp> [21272] [BootStrapperMain] Install failed return code : 16030
<timestamp> [21272] [BootStrapperMain] [ERROR]: Dependency Installation Failed. Dependency :Common
<timestamp> [21272] [BootStrapperMain] Modules Installation Failed
<timestamp> [21272] [BootStrapperMain] Exiting Installation.
 
Common Bootstrapper (McAfee_Common_Bootstrapper_<timestamp>.log):
 
<timestamp> [4492] [BootstrapperMain] Gain installer exclusion through mfeEpAAC MFEPROTECT failed
<timestamp> [4492] [BootstrapperMain] Extraction successful
<timestamp> [4492] [BootstrapperMain] This is a 64 bit system
<timestamp> [4492] [BootstrapperMain] "\MfeEpAac.exe" -add -rootlocation "C:\Program Files\McAfee\Endpoint Security" -rootlocation "C:\Program Files (x86)\McAfee\Endpoint Security" -folder "C:\ProgramData\McAfee\Endpoint Security"
<timestamp> [4492] [BootstrapperMain] PROCESS return code : 5
<timestamp> [4492] [BootstrapperMain] Running application to gain installer exclusion failed : 5
<timestamp> [4492] [BootstrapperMain] Could not gain required AAC privileges to proceed further! Aborting install!!
 
MfeEpAac (McAfee_MfeEpAac_<timestamp>.log):
 
<timestamp> [05232] args: valid=0x00000001 add=True DelContent=False:
<timestamp> [05232] Parent is not Installer, LastErr 0x00000005 Access is denied.
<timestamp> [05232] ValidateModuleReport failed for C:\\Mcafee\ESN_10_5\SetupTP.exe, entry=true
<timestamp> [05232] Exit: LastErr 0x00000005 Access is denied
 
NOTE: Sometimes the MfeEpAac log reports the third-party DLL involved:
 
<timestamp> [09460] args: valid=0x00000001 add=True DelContent=False:
<timestamp> [09460] Parent is not Installer, LastErr 0x00000005 Access is denied.
<timestamp> [09460] ValidateModuleReport failed for C:\Program Files (x86)\folder name\3rdparty.dll, entry=false
<timestamp> [09460] VerifyParentEntryPointIsMcAfeeSigned: VerifyProcess PID[9292] LastErr 0x00000005 Access is denied.
<timestamp> [09460] Could not connect to AAC LastErr 0x00000005 Acceso denegado. LastErr 0x00000005 Access is denied.
<timestamp> [09460] Exit: LastErr 0x00000005 Access is denied.

ma_vscore_install_<timestamp>.txt:
 
<timestamp>, 38,919702, 0, 1724, 5464, AVFGuid._DEFAULT_, **** VALIDATION FAILURE **** C:\Windows\System32\3rdparty.dll
<timestamp>, 45,839275, 0, 1724, 5464, AVFGuid._DEFAULT_, **** VALIDATION FAILURE **** C:\Windows\System32\3rdparty.dll

Cause

The installation of ENS 10.x can fail in the presence of third-party applications that attempt to inject or hook into the ENS installation processes. Many third-party vendors create software that leverages DLL injection to facilitate their product functionality. For detailed information about ENS and third-party injection, see KB88085.

The installation processes validate all modules loaded into the installer to prevent installation tampering and to provide an uncompromised product when the installation is completed.

The installer uses built-in operating system (OS) functionality to validate each module loaded into the installer. If the installer finds a module that cannot be validated by the OS, the installation will be aborted.

Solution

During the ENS installation, temporarily uninstall/disable third-party applications that attempt to inject or hook into the ENS installation processes.

Collect data during the ENS installation failure:
If the ENS logs do not report the name of the third-party application DLL involved, you must use debugging tools to collect data during the failed ENS installation.
  1. Start Microsoft Process Monitor (see KB86691 for information about Process Monitor).
  2. Start AMTrace (see KB86691 for information about AMTrace) with the rollover option.
  3. Recreate the issue by running a local ENS installation (using setupEP.exe) as an administrator.
  4. Stop AMTrace and save the log.
  5. Stop Process Monitor and save the log.
  6. Collect a Minimum Escalation Requirements (MER) file (run as an administrator).

Identify the third-party application DLL injection:
Analyze the logs to identify the third-party application DLL.
  1. Open the Process Monitor log, search for ENS installation processes or filter the capture, and examine single events.
  2. Select the Process tab when you look at single events.
  3. Sort by Company and check which modules are loaded into the chosen process.
  4. Identify any non-Microsoft and any non-McAfee modules.
  5. If the Process Monitor log is not sufficient to identify the third-party application DLL involved, analyze the AMTrace log. If you need assistance, contact Technical Support.

Verify the third-party application is causing the ENS installation failure:
Run Microsoft Sigcheck against the identified third-party application module. Sigcheck is part of the Sysinternals suite available at https://technet.microsoft.com/en-us/sysinternals.

To run Sigcheck against an identified module, use the following syntax:
 
sigcheck -i -a <path to identified module>\module.dll > c:\temp\module.txt

Review the output to determine whether the module is the cause of the ENS installation failure and if so, the reason why.
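
When the MfeEpAac or ma_vscore_install logs do name the module, the log review and the signature check can be done in one pass. The following PowerShell script is an added example, not McAfee code and not part of the original article. It assumes PowerShell 3.0 or later; `$LogDir` and `Get-FailedModulePath` are hypothetical names, and the sample lines are constructed from the log excerpts shown earlier.

```powershell
# Added example (not McAfee code). $LogDir is an assumed folder holding copies
# of the ENS installation logs; without it, the constructed sample lines run.
param([string]$LogDir)

function Get-FailedModulePath {
    param([string[]]$Line)
    # Patterns follow the MfeEpAac and ma_vscore_install excerpts in this article.
    $patterns = 'ValidateModuleReport failed for (?<path>.+?), entry=(?:true|false)',
                '\*{4} VALIDATION FAILURE \*{4} (?<path>.+)$'
    foreach ($l in $Line) {
        foreach ($p in $patterns) {
            if ($l -match $p) {
                # Collapse doubled backslashes (C:\\Mcafee\...) but keep a UNC prefix.
                $Matches['path'].Trim() -replace '(?<!^)\\{2,}', '\'
                break
            }
        }
    }
}

if ($LogDir) {
    $lines = Get-ChildItem -LiteralPath $LogDir -Recurse -File |
        Where-Object { $_.Extension -in '.log', '.txt' } | Get-Content
} else {
    # Constructed sample lines, modelled on the excerpts above.
    $lines = @(
        '<timestamp> [09460] ValidateModuleReport failed for C:\Program Files (x86)\folder name\3rdparty.dll, entry=false'
        '<timestamp>, 38,919702, 0, 1724, 5464, AVFGuid._DEFAULT_, **** VALIDATION FAILURE **** C:\Windows\System32\3rdparty.dll'
        '<timestamp>, 45,839275, 0, 1724, 5464, AVFGuid._DEFAULT_, **** VALIDATION FAILURE **** C:\Windows\System32\3rdparty.dll'
    )
}

# One row per distinct module path: signature status, signer and company name.
Get-FailedModulePath -Line $lines | Sort-Object -Unique | ForEach-Object {
    $row = [ordered]@{ Module = $_; Status = 'FileNotFound'; Signer = $null; Company = $null }
    if (Test-Path -LiteralPath $_ -PathType Leaf) {
        $sig = Get-AuthenticodeSignature -LiteralPath $_
        $row.Status  = $sig.Status
        $row.Signer  = $sig.SignerCertificate.Subject
        $row.Company = (Get-Item -LiteralPath $_).VersionInfo.CompanyName
    }
    [pscustomobject]$row
}
```

Any module whose Status is not Valid is one to examine with Sigcheck as described above.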


Install ENS with the third-party application temporarily uninstalled/disabled:
During the ENS installation, temporarily uninstall/disable the third-party application that attempted to inject or hook into the ENS installation processes.
  1. Temporarily uninstall or disable the third-party application.
  2. Install ENS 10.x.
  3. Re-install/enable the third-party application.
