Loading...

Knowledge Center

Reboot loop after installing or upgrading to Endpoint Security 10.5.5 July Update or 10.6.1 July Update
Technical Articles ID:   KB91642
Last Modified:  8/13/2019
Rated:

Environment

McAfee Endpoint Security (ENS) Threat Prevention 10.6.1 July Update, 10.5.5 July Update

Problem

A reboot loop can occur after you install or upgrade to ENS 10.5.5 July Update or ENS 10.6.1 July Update. The issue occurs only if other Subject Interface Package (SIP) providers are present and Exploit Prevention is enabled. For more information about SIP providers, see the Related Information section below.

System Change

You installed or upgraded ENS to the 10.5.5 July Update or the 10.6.1 July Update.

Cause

During the ENS installation or upgrade, the Exploit Prevention component loaded within lsass.exe runs out of stack memory because of the presence of other SIP providers. As a result lsass.exe crashes, which causes Windows to reboot. To end the reboot loop, you must have physical access to the system.

Solution

This issue is resolved in ENS 10.5.5 July Update Repost and ENS 10.6.1 July Update Repost.

McAfee product software, upgrades, maintenance releases, and documentation are available from the Product Downloads site at: http://www.mcafee.com/us/downloads/downloads.aspx.

NOTE: You need a valid Grant Number for access. KB56057 provides additional information about the Product Downloads site, and alternate locations for some products.


To recover a system in a reboot loop:
If you have already run into this problem, to recover:

CAUTION: This article contains information about opening or modifying the registry.
  • The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.
  • Before proceeding, Technical Support strongly recommends that you back up your registry and understand the restore process. For more information, see: http://support.microsoft.com/kb/256986.
  • Do not run a REG file that is not confirmed to be a genuine registry import file.
  1. Make sure that the Exploit Prevention policy is set to Disabled.
  2. Boot the system in Safe Mode. See the following information if you have disk encryption software.
    • If you have McAfee Drive Encryption, see KB73714 for information about how to boot the system in Safe Mode.
    • If you have third-party disk encryption software and need instructions to boot the system in Safe Mode, contact the vendor for the disk encryption product.
  3. Go to the Registry and search for the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\Endpoint\Common\BusinessObjectRegistry\BO
     
  4. Set Enable to 0.
  5. Reboot the system.

Related Information

SIP providers:
You can find additional information about SIP providers here:
https://attack.mitre.org/techniques/T1198/
https://blogs.technet.microsoft.com/eduardonavarro/2008/07/11/sips-subject-interface-package-and-authenticode/

SIP discovery:
The link to the first article includes information about how you can discover the presence of SIP providers in your environment. The article states to inspect the following registry keys and confirm whether DLL pointers are to Microsoft DLLs. Pointers to a non-Microsoft DLL confirm that a third-party application is present.
 
HKLM\SOFTWARE\Microsoft\Cryptography\OID
HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID
HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust
HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust

IMPORTANT: If you identify a third-party SIP provider, do not continue with the current ENS 10.5.5 July Update or ENS 10.6.1 July Update.

Rate this document

Beta Translate with

Select a desired language below to translate this page.

Glossary of Technical Terms


 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.