Reboot loop with Endpoint Security 10.5.5/10.6.1 July Update

Technical Articles ID: KB91642
Last Modified: 10/30/2020

Environment

McAfee Endpoint Security (ENS) Threat Prevention 10.6.1 July 2019 Update, 10.5.5 July 2019 Update

Problem

A reboot loop can occur after you install or upgrade to ENS 10.5.5 July 2019 Update or ENS 10.6.1 July 2019 Update. The issue occurs only if other Subject Interface Package (SIP) providers are present, and Exploit Prevention is enabled.
For more information about SIP providers, see the Related Information section below.

System Change

You installed or upgraded ENS to the 10.5.5 July 2019 Update or the 10.6.1 July 2019 Update.

Cause

During the ENS installation or upgrade, the Exploit Prevention component loaded within lsass.exe runs out of stack memory because of the presence of other SIP providers. As a result lsass.exe crashes, causing Windows to reboot. To end the reboot loop, you must have physical access to the system.

Solution

This issue is resolved in ENS 10.5.5 July 2019 Update Repost and ENS 10.6.1 July 2019 Update Repost.

McAfee product software, upgrades, maintenance releases, and documentation are available from the Product Downloads site at: https://www.mcafee.com/enterprise/en-us/downloads/my-products.html.

NOTE: You need a valid Grant Number for access. See KB56057 - How to download Enterprise product updates and documentation for more information about the Product Downloads site, and alternate locations for some products.

To recover a system in a reboot loop:
If you have already run into this problem, to recover:

CAUTION: This article contains information about opening or modifying the registry.

The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.
Before proceeding, Technical Support strongly recommends that you back up your registry and understand the restore process. For more information, see: http://support.microsoft.com/kb/256986.
Do not run a REG file that is not confirmed to be a genuine registry import file.

Make sure that the Exploit Prevention policy is set to Disabled.
Boot the system in Safe Mode. See the following information if you have disk encryption software.
- If you have Drive Encryption, see this article for information about how to boot the system in Safe Mode: KB73714 - How to access Windows Safe Mode when Drive Encryption is installed.
- If you have third-party disk encryption software and need instructions to boot the system in Safe Mode, contact the vendor for the disk encryption product.
Go to the Registry and search for the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\Endpoint\Common\BusinessObjectRegistry\BO
Set Enable to 0.
Reboot the system.

Related Information

SIP providers:
You can find additional information about SIP providers here:
https://attack.mitre.org/techniques/T1198/
https://blogs.technet.microsoft.com/eduardonavarro/2008/07/11/sips-subject-interface-package-and-authenticode/

SIP discovery:
The link to the first article includes information about how you can discover the presence of SIP providers in your environment. The article states to inspect the following registry keys and confirm whether DLL pointers are to Microsoft DLLs. Pointers to a non-Microsoft DLL confirm that a third-party application is present.

HKLM\SOFTWARE\Microsoft\Cryptography\OID
HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID
HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust
HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust

IMPORTANT: If you identify a third-party SIP provider, do not continue with the current ENS 10.5.5 July 2019 Update or ENS 10.6.1 July 2019 Update.

Affected Products

Endpoint Security Threat Prevention 10.6.x
Install/Uninstall
Known Issue/Product Defect
Upgrade/Migrate

Languages:

This article is available in the following languages:

English United States
Spanish Spain
French
Italian
Japanese
Portuguese Brasileiro
Chinese Simplified

Glossary of Technical Terms

Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.

Knowledge Center

Reboot loop with Endpoint Security 10.5.5/10.6.1 July Update

Environment

Problem

System Change

Cause

Solution

Related Information

Affected Products

Languages:

Glossary of Technical Terms

Title

Title

Knowledge Center

Reboot loop with Endpoint Security 10.5.5/10.6.1 July Update

Environment

Problem

System Change

Cause

Solution

Related Information

Affected Products

Languages:

Glossary of Technical Terms

Choose your region

Title

Title