Endpoint Protection


SEP Application and Device Control (sysfer.dll) blocking McAfee Validation Trust Protection (mfevtps.exe) service from running


  • 1.  SEP Application and Device Control (sysfer.dll) blocking McAfee Validation Trust Protection (mfevtps.exe) service from running

    Posted Jan 22, 2018 10:17 PM

    Hi,

    I'm using SEPM 14 MP2 and having an issue running McAfee Client Proxy (MCP) version 2.3.2.251 installed on Windows 10 (version 1703).

    MCP services run fine when SEP is installed without the Application and Device Control feature. I have seen some threads which mention that Symantec injects sysfer.dll into processes for ADC.

    I have added the following McAfee file and folder exceptions but it still doesn't help in starting McAfee Validation Trust Protection Service (mfevtps.exe).

    However, if I add C:\Windows\System32 (not including subfolder) under Application Control exception then the services run fine.

    How can I troubleshoot or narrow it down further to the file which is getting called by mfevtps.exe service and getting blocked?

    Exceptions in place (includes subfolders):

    1. C:\Program Files\Common Files\McAfee\
    2. c:\program files\mcafee\
    3. c:\program files (x86)\common files\mcafee\
    4. c:\windows\system32\mfevtps.exe


  • 2.  RE: SEP Application and Device Control (sysfer.dll) blocking McAfee Validation Trust Protection (mfevtps.exe) service from running

    Posted Jan 22, 2018 10:29 PM

    I have also tried article https://support.symantec.com/en_US/article.tech235064.html but it didn't help.



  • 3.  RE: SEP Application and Device Control (sysfer.dll) blocking McAfee Validation Trust Protection (mfevtps.exe) service from running

    Posted Jan 23, 2018 11:37 AM

    The exceptions that you put in, are they specifically for ADC and not just the normal ones for scanning?



  • 4.  RE: SEP Application and Device Control (sysfer.dll) blocking McAfee Validation Trust Protection (mfevtps.exe) service from running

    Broadcom Employee
    Posted Jan 23, 2018 03:52 PM

    Yes. They will need to be ADC exceptions so it stops sysfer from injecting.



  • 5.  RE: SEP Application and Device Control (sysfer.dll) blocking McAfee Validation Trust Protection (mfevtps.exe) service from running

    Posted Jan 24, 2018 12:41 AM

    Yes. The exceptions cover ADC as well but are not specific to ADC. Does it need to be ADC only exceptions?

     



  • 6.  RE: SEP Application and Device Control (sysfer.dll) blocking McAfee Validation Trust Protection (mfevtps.exe) service from running

    Broadcom Employee
    Posted Jan 25, 2018 03:27 PM

    Yes. It will need to specifically be an ADC Application Exception.



  • 7.  RE: SEP Application and Device Control (sysfer.dll) blocking McAfee Validation Trust Protection (mfevtps.exe) service from running

    Posted Jan 28, 2018 07:11 PM

    Hi John,

    Still doesn't work. I changed all exceptions to Application Control only.



  • 8.  RE: SEP Application and Device Control (sysfer.dll) blocking McAfee Validation Trust Protection (mfevtps.exe) service from running

    Broadcom Employee
    Posted Jan 29, 2018 04:00 PM

    Are there any other processes in the System32 folder that need to be added?

    You could run Process Monitor and launch the application.  Then look to see what is attempting to be opened.  If you see anything new, add that to the ADC Exception policy.

     

     



  • 9.  RE: SEP Application and Device Control (sysfer.dll) blocking McAfee Validation Trust Protection (mfevtps.exe) service from running

    Posted Jan 29, 2018 05:12 PM

    It is loading some DLLs but I can't see any open file requests to any EXEs.

    Do we need to add DLLs in the exceptions as well?



  • 10.  RE: SEP Application and Device Control (sysfer.dll) blocking McAfee Validation Trust Protection (mfevtps.exe) service from running

    Broadcom Employee
    Posted Jan 29, 2018 07:31 PM

    Can you send me your .pml file as well as an export of your Centralized exceptions?

     

     



  • 11.  RE: SEP Application and Device Control (sysfer.dll) blocking McAfee Validation Trust Protection (mfevtps.exe) service from running

    Posted Jan 29, 2018 08:34 PM

    Hi John,

    PFA bootlog.zip and mfeforcestart.zip (manual start) containing the .pml files.

    And Test-Workstation Exceptions.zip containing exception policy.

    Thanks,

    Dinesh Sharma



  • 12.  RE: SEP Application and Device Control (sysfer.dll) blocking McAfee Validation Trust Protection (mfevtps.exe) service from running

    Broadcom Employee
    Posted Jan 30, 2018 11:17 AM

    Hi Dinesh,

    Do any of these procmons show McAfee Validation Trust Protection Service starting correctly?  If not, please either uninstall ADC or add the System32 folder ADC exception and run procmon to show it starting up correctly.

    I will need it to compare.

    Thanks,

    John Owens



  • 13.  RE: SEP Application and Device Control (sysfer.dll) blocking McAfee Validation Trust Protection (mfevtps.exe) service from running

    Broadcom Employee
    Posted Jan 30, 2018 11:36 AM

    Hi Dinesh,

    For Application file exceptions you need to put the full path to the file and not just the file name.

    Please remove the exceptions you have added for McAfee already and add the following:

    File Exception - Application Control

    C:\Windows\system32\mfevtps.exe

    Application Control Folder Exception

    C:\Program Files\McAfee\
    C:\Program Files\Common Files\McAfee\

    Let me know if that works for you.

    Thanks,

    John Owens



  • 14.  RE: SEP Application and Device Control (sysfer.dll) blocking McAfee Validation Trust Protection (mfevtps.exe) service from running

    Posted Jan 30, 2018 11:39 PM

    Hi John,

    PFA BootLogMFERunning.pml and BootLogMFEStopped.pml.

    It only works with Application control exception added for System32.

    Also attached the export of exceptions. I have removed all McAfee exceptions and added the ones you listed.

    Thanks,

    Dinesh Sharma
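
The running-versus-stopped comparison requested above can be scripted once each .pml capture is exported from Process Monitor as CSV. The following is an added example, not code from the thread or from either vendor; the sample rows, PIDs and the `constructed-example.dat` path are constructed, and the function names are hypothetical.

```python
import csv
import io

HEADER = '"Time of Day","Process Name","PID","Operation","Path","Result","Detail"\n'
# Constructed sample rows in Procmon's CSV layout (not the thread's attachments).
STOPPED_CSV = HEADER + r'''"10:00:01","mfevtps.exe","1200","Load Image","C:\Windows\System32\mfevtps.exe","SUCCESS",""
"10:00:02","vtpinfo.exe","1312","Load Image","C:\Program Files\Common Files\McAfee\SystemCore\vtpinfo.exe","SUCCESS",""
"10:00:02","vtpinfo.exe","1312","Load Image","C:\Windows\System32\sysfer.dll","SUCCESS",""
'''
RUNNING_CSV = HEADER + r'''"10:05:01","mfevtps.exe","1188","Load Image","C:\Windows\System32\mfevtps.exe","SUCCESS",""
"10:05:02","vtpinfo.exe","1290","Load Image","C:\Program Files\Common Files\McAfee\SystemCore\vtpinfo.exe","SUCCESS",""
"10:05:03","mfevtps.exe","1188","CreateFile","C:\ProgramData\McAfee\constructed-example.dat","SUCCESS",""
'''

def load(text):
    """Parse CSV text exported from Process Monitor into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def load_file(path):
    """Same as load(), for a CSV file on disk (utf-8-sig strips a leading BOM)."""
    with open(path, newline="", encoding="utf-8-sig") as fh:
        return list(csv.DictReader(fh))

def injected(rows, dll="sysfer.dll"):
    """Process names that loaded the ADC DLL, i.e. are not covered by an exception."""
    hits = {r["Process Name"].lower() for r in rows
            if r["Operation"] == "Load Image"
            and r["Path"].lower().endswith("\\" + dll)}
    return sorted(hits)

def touched(rows, process):
    """Paths a process accessed successfully, lower-cased for comparison."""
    return {r["Path"].lower() for r in rows
            if r["Process Name"].lower() == process.lower()
            and r["Result"] == "SUCCESS"}

def only_in_running(running, stopped, process):
    """Paths seen in the working capture but missing from the failing one."""
    return sorted(touched(running, process) - touched(stopped, process))

if __name__ == "__main__":
    stopped, running = load(STOPPED_CSV), load(RUNNING_CSV)
    print("sysfer.dll loaded in (stopped capture):", injected(stopped))
    print("sysfer.dll loaded in (running capture):", injected(running))
    print("only reached when running:", only_in_running(running, stopped, "mfevtps.exe"))
```

Any process listed by `injected()` for the failing capture is a candidate for a full-path Application Control file exception.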



  • 15.  RE: SEP Application and Device Control (sysfer.dll) blocking McAfee Validation Trust Protection (mfevtps.exe) service from running

    Broadcom Employee
    Posted Jan 31, 2018 10:57 AM

    Hi Dinesh,

    Please try adding the following and then test and let me know the results.

     

    File Exception - Application Control

    C:\Program Files\Common Files\McAfee\SystemCore\mfemms.exe
    C:\Windows\system32\mfemms.exe

    C:\Program Files\McAfee\MCP\McpService.exe
    C:\Windows\system32\McpService.exe

    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\Windows\system32\mfefire.exe

    C:\Program Files\Common Files\McAfee\SystemCore\mfehcs.exe
    C:\Windows\system32\mfehcs.exe

    Thanks,

    John Owens



  • 16.  RE: SEP Application and Device Control (sysfer.dll) blocking McAfee Validation Trust Protection (mfevtps.exe) service from running

    Broadcom Employee
    Posted Jan 31, 2018 11:22 AM

    Hi Dinesh,

    Add these as well:

    File Exception - Application Control

    C:\Windows\system32\mfevtps.exe
    C:\Windows\system32\mfehidin.exe
    C:\PROGRAM FILES\MCAFEE\AGENT\macompatsvc.exe

    Thanks,

    John Owens



  • 17.  RE: SEP Application and Device Control (sysfer.dll) blocking McAfee Validation Trust Protection (mfevtps.exe) service from running

    Posted Jan 31, 2018 06:20 PM

    Hi John,

    Still doesn't work. Attached is the exception policy I used.

    Maybe it is looking into some windows service with sysfer.dll loaded and shutting down itself. So I also tried adding C:\Windows\System32\svchost.exe after trying with the exceptions you listed. But still no luck.

    Thanks,

    Dinesh Sharma



  • 18.  RE: SEP Application and Device Control (sysfer.dll) blocking McAfee Validation Trust Protection (mfevtps.exe) service from running

    Posted Jan 31, 2018 06:47 PM

    Hi John,

    Actually there is an improvement here.

    After adding these exceptions I can see McAfee processes running now in task manager. However, the windows service "McAfee Validation Trust Protection Service" is still not running.

    Attached screenshot.

    Thanks,

    Dinesh Sharma



  • 19.  RE: SEP Application and Device Control (sysfer.dll) blocking McAfee Validation Trust Protection (mfevtps.exe) service from running

    Broadcom Employee
    Posted Feb 01, 2018 11:26 AM

    And the service starts automatically when you add the System32 directory into exceptions?  What happens if you start it manually?  Does it start and stay started?

     

    Try this:  Change all of your exceptions from Application Control to All Scans. Check for improvement.

    I just found this document as well:  Make sure you follow it too.

    https://support.symantec.com/en_US/article.tech235064.html

     

    Thanks!

     



  • 20.  RE: SEP Application and Device Control (sysfer.dll) blocking McAfee Validation Trust Protection (mfevtps.exe) service from running

    Broadcom Employee
    Posted Feb 02, 2018 10:26 AM

    Any improvements??



  • 21.  RE: SEP Application and Device Control (sysfer.dll) blocking McAfee Validation Trust Protection (mfevtps.exe) service from running

    Posted Feb 04, 2018 05:58 PM

    Hi John,

    Still same. Can see the processes running but the service is still stopped.

    Yes after adding exception for system32 the service does start on restart.

    I had already tried https://support.symantec.com/en_US/article.tech235064.html

    Thanks,

    Dinesh

     



  • 22.  RE: SEP Application and Device Control (sysfer.dll) blocking McAfee Validation Trust Protection (mfevtps.exe) service from running

    Broadcom Employee
    Posted Feb 05, 2018 01:05 AM
    Does the service start at all? If not, start Process Monitor and then try to start the service.


  • 23.  RE: SEP Application and Device Control (sysfer.dll) blocking McAfee Validation Trust Protection (mfevtps.exe) service from running

    Posted Feb 10, 2018 08:09 AM

    I have the same issue... is there any update to this?

     



  • 24.  RE: SEP Application and Device Control (sysfer.dll) blocking McAfee Validation Trust Protection (mfevtps.exe) service from running

    Broadcom Employee
    Posted Feb 13, 2018 02:59 PM

    Hi Mark,

    Please open a support ticket if you are not able to resolve this with https://support.symantec.com/en_US/article.tech235064.html as well as the exclusions I mentioned in this forum post.

    John Owens



  • 25.  RE: SEP Application and Device Control (sysfer.dll) blocking McAfee Validation Trust Protection (mfevtps.exe) service from running

    Posted Feb 14, 2018 05:46 PM

    Hi John, and Mark,

    I was working with McAfee support and they came up with some more exceptions. I will be testing them today.

    Following is the response from McAfee:

    -----------------------------------------------------------------------------------------

    We have checked with the engineering team and found that vtpinfo.exe is hanging; we can see that the sysfer.dll injection is still in the vtpinfo.DMP.

     

    So please add exclusions as shown below.

     

    <C:\Program Files\Common Files\McAfee\SystemCore\vtpinfo.exe>

    <C:\Program Files\McAfee\MCP\x64\mfehidin.exe>

    <C:\Program Files\McAfee\MCP\x64\vtpinfo.exe>

     

    Services:

    C:\Windows\system32\mfevtps.exe

    "C:\Program Files\Common Files\McAfee\SystemCore\mfemms.exe"

    "C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe"

    "C:\Program Files\McAfee\Agent\masvc.exe" /ServiceStart

    "C:\Program Files\McAfee\Agent\macmnsvc.exe" /ServiceStart

    "C:\Program Files\McAfee\Agent\x86\macompatsvc.exe"

     

    Directories:

    C:\Program Files\Common Files\McAfee\SystemCore\

    C:\Program Files\McAfee\

    C:\ProgramData\McAfee\

     

    After that, please open the command prompt with admin rights on that system and check the output.

     

    cmd> <C:\Program Files\Common Files\McAfee\SystemCore\vtpinfo.exe> /SetSearchPath "<C:\Program Files\McAfee\MCP>"

     

    If it is still not completing then we request you to uninstall the MCP and reinstall it again.



  • 26.  RE: SEP Application and Device Control (sysfer.dll) blocking McAfee Validation Trust Protection (mfevtps.exe) service from running

    Broadcom Employee
    Posted Feb 15, 2018 11:21 AM

    Thank you.  Please let me know if this resolves the issue and I will update our Knowledge Base document to reflect the same.



  • 27.  RE: SEP Application and Device Control (sysfer.dll) blocking McAfee Validation Trust Protection (mfevtps.exe) service from running

    Posted Feb 15, 2018 05:33 PM

    Hi Dinesh,

    In fact I have realised that my issue is slightly different to yours.  I am running the same version of MCP on Windows 10 1709 but with SEP 14 RU1 MP1.  Prior to this we were using SEP 14 MP2 on Windows 10 1709 and it was working fine.

    Since upgrading to SEP 14 RU1 MP1 MCP seems to be unable to connect to the web gateway and eventually crashes.  We have been working with our TAM and trying to go through a process of removing SEP client components but it seems that MCP is only stable if I don't install SEP at all.  Even uninstalling SEP leaves it in an unstable state.

    Will keep investigating and let you know but I never used to have any issues with SEP 14 MP2 on Windows 10 1709.

    Mark.

     



  • 28.  RE: SEP Application and Device Control (sysfer.dll) blocking McAfee Validation Trust Protection (mfevtps.exe) service from running

    Posted Feb 19, 2018 01:13 AM

    Hi Mark, and John,

    We started getting these issues with MCP 2.3 onward. I think the older version had a separate service called McAfee Client Proxy. From version 2.3 onward there is no such service and it is launched by mfevtps.exe or mfemms.exe.

    After adding exceptions from last response from McAfee it did resolve the issue when MCP is installed with McAfee Agent from ePO cloud, but not when installed as a standalone product.

    But according to the following response from McAfee this service is not required in standalone mode. However, they are unable to figure out why adding system32 exception resolves the issues.

    Response from McAfee:

    --------------------------------------------------------

    As discussed I had an interaction with the engineering Team and below is the brief summary

    1. McAfee Validation Trust protection Service need not be running for MCP to be working.

    2. When only MCP is present the mfevtps.exe of windows service need not be running as we don't depend on it.

    3. When there is McAfee Agent or any other McAfee VSC products, mfevtps.exe service will be running.

    So the conclusion here is if MCP is the only McAfee product present, this service need not be running.

    Also I understand that you have seen this service getting started when c://Windows/System32 has been added to the exemptions in SEP.

    Normally only c:\windows\system32\mfevtps.exe is required for sysfer.dll to stop getting injected. But if the whole directory is required for sysfer.dll to stop injecting, this has to be checked from the Symantec product level.

     



  • 29.  RE: SEP Application and Device Control (sysfer.dll) blocking McAfee Validation Trust Protection (mfevtps.exe) service from running

    Broadcom Employee
    Posted Feb 20, 2018 11:00 PM

    Does the service have any dependencies?



  • 30.  RE: SEP Application and Device Control (sysfer.dll) blocking McAfee Validation Trust Protection (mfevtps.exe) service from running

    Posted Feb 20, 2018 11:10 PM

    Yes. McAfee mfehidk driver. (C:\windows\system32\drivers\mfehidk.sys).



  • 31.  RE: SEP Application and Device Control (sysfer.dll) blocking McAfee Validation Trust Protection (mfevtps.exe) service from running

    Posted Feb 21, 2018 03:22 PM

    Have you seen this?

    http://www.symantec.com/docs/TECH235064



  • 32.  RE: SEP Application and Device Control (sysfer.dll) blocking McAfee Validation Trust Protection (mfevtps.exe) service from running

    Broadcom Employee
    Posted Feb 22, 2018 04:15 PM

    What happens if you add (C:\windows\system32\drivers\mfehidk.sys) to the exclusion list?

    Any difference?

    Thanks,

    John Owens



  • 33.  RE: SEP Application and Device Control (sysfer.dll) blocking McAfee Validation Trust Protection (mfevtps.exe) service from running

    Posted Feb 23, 2018 01:45 AM

    Hi John,

    No. It didn't make any difference.

    Thanks,

    Dinesh Sharma



  • 34.  RE: SEP Application and Device Control (sysfer.dll) blocking McAfee Validation Trust Protection (mfevtps.exe) service from running

    Broadcom Employee
    Posted Feb 23, 2018 01:03 PM

    Something of McAfee has to be somewhere in the System32 folder... or that exception would not work to resolve the issue.