Application Control and Change Control driver issues (Windows Update)

Technical Articles ID: KB91257
Last Modified: 5/27/2021

Environment

McAfee Application and Change Control (MACC) 7.0.x and later
Microsoft Windows - all versions

Problem

You might experience one or more of the following issues when you use MACC 7.0.x and later Windows agent:

Crash (blue screen) 3b, 6b
Windows update issues (Hardlink/Solidification)
CMD/PowerShell crashes
Command line interface (CLI) communication issues when CLI is running status command
Performance issues
Boot loops

NOTE: Customers in Update/Observe mode might not experience issues until they move to Enabled (Blocking) mode.

For more information, see:

Cause

The issues described in this article are a direct result of changes that have been made to the MACC architecture.

Issues with rename callback, specifically the SetInformationFile for FileHardlinkInformation, have been found. Every time a new hard link is created, a call is made to the cctl_process_change with the Boolean hard_link_set in the cctl_path_t context for the new link. This action means that there is a new hard link being created. Logic in cctl_add_inv defers the checksum calculation if the operation is within a transacted operation.

When code is introduced to all hard links of a file, and when all entries in the inventory are updated, checking of hard_link_set is missed. This fact causes an undesired opening and unnecessary processing of the transacted file. In other words, the new hard links are added to the inventory and there is no need to update all other entries. Doing so can result in a race condition that develops during transacted operations. See the Related Information section of this article for more information.

Solution

Apply the correct update for your version of MACC:

MACC 8.2.1 Update 5 or later
MACC 8.0.2 Update 1 or later

NOTE: This issue has been corrected in the versions listed above for the client and the latest 8.2.6/8.3 extension.

To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.

IMPORTANT:

Before you perform this workaround, see: KB91225 - A system crash without blue screen or a command line interface crash occurs on Windows 10 or Server 2016 systems after placing Application and Change Control in modes other than Disabled
Resolidify the client systems after you upgrade from a previous version of either Application Control (435 and below) or Major Windows Feature upgrades (example: RS4 to RS5).
Resolidification must be completed after you apply the new extension and sync your clients for the updated rule groups below and before re-enablement.
You still need to resolidify clients if upgrading to newer client from 8.2.1.143 and earlier and didn't resolidify on upgrading to 8.2.1.435.

To resolidify a system:

Create a Client Task (Run Commands) with the following commands (sadmin is not needed as part of these commands):

bu
config set SoPriority=2
config set MaplCommLostRestart=0
so C:\
config set MaplCommLostRestart=5
config set SoPriority=1
eu

NOTE: Any future product functionality or releases mentioned in the Knowledge Base are intended to outline our general product direction and should not be relied on, either as a commitment, or when making a purchasing decision.

Workaround

If the solution above does not work on Update 5:

Disable CatalogCertExtraction:

sadmin config set CatalogCertExtractionDisabled=1

Increase the Trusted Installer Preshutdown timeout.

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TrustedInstaller
Name: PreshutdownTimeout
Type: REG_DWORD
Data: 36ee80 (3600000 millisecond)

Start the registry editor (regedit)
Expand the following registry key.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TrustedInstaller

Right-click the TrustedInstaller and click Permissions.
Check Full Control for Administrators in Group or user names.
Change the value of PreshutdownTimeout by double-clicking PreshutdownTimeout.
Right-click the TrustedInstaller and click Permissions.
Check out Full Control for Administrators in Group or user names.

Related Information

Hard links

A hard link is the Windows file system representation of a file by which more than one path references a single file in the same volume. This approach is now used for Microsoft Windows 10 February updates. The management of hard links by MACC causes checksum mismatches and other issues during the Microsoft Windows 10 update installations. This issue also occurs with MACC 7.0.x and 8.0.x.

Currently, when modifying the hard links content, the inventory information (checksum, status) is updated only for the current path modified. By default, all files have at least one hard link. The file change event does NOT include the list of hard links associated with that file. Because the inventory information is not updated for all paths at the same time, executing the same file from a different path results in a checksum-mismatch. This mismatch impacts the Windows update process.

Catalog Cert Extraction

Microsoft Windows binaries can be catalog signed or have an embedded signature. MACC uses specific code to extract embedded certificates. The certificates can be extracted in kernel space and or user-space. Extraction of embedded certificates occurs quickly and is the only type of signing supported with MACC up until the 7.0.x release.

In MACC 7.0.x, support for reputation-based execution was introduced. In one of the workflows, you could allow or block a file by the reputation of its certificate. Because several files in Microsoft Windows are actually catalog signed, this feature requires extraction of catalog signatures. Microsoft had provided APIs to extract the catalog certificates for binaries. These APIs are used by MACC. These APIs are slow and significantly affect performance. To mitigate this effect, MACC stores certificates in the inventory, so that once extracted, they can be reused. Storing them in the inventory means that during inventory merge time, certificates must be extracted once. When an upgrade is run, files are changed, the inventory is merged and the catalog certificate extraction occurs.

If all reputation is disabled, there is no need to extract the catalog certificates.

sadmin config set CatalogCertExtractionDisabled=1

You must re-enable this feature by using the Run Command in ePO. Create a Client Task (Run Command) with the following commands: (sadmin keyword is not needed)

bu
config set SoPriority=2
config set MaplCommLostRestart=0
so -c
config set MaplCommLostRestart=5
config set SoPriority=1
eu

Affected Products

Application and Change Control 8.2.x
Application and Change Control 8.1.x
Application and Change Control 8.0.x
Application and Change Control 7.0.x (EOL)
Known Issue/Product Defect

Languages:

This article is available in the following languages:

English United States
Spanish Spain
French
Italian
Portuguese Brasileiro

Knowledge Center

Application Control and Change Control driver issues (Windows Update)

Environment

Problem

Cause

Solution

Workaround

Related Information

Affected Products

Languages:

Title

Title

Knowledge Center

Application Control and Change Control driver issues (Windows Update)

Environment

Problem

Cause

Solution

Workaround

Related Information

Affected Products

Languages:

Choose your region

Title

Title