Endpoint Protection

  • 1.  SEP Blocking Mcafee EPO Icon

    Posted Jun 15, 2016 02:49 PM

    Urgent help needed

    SEP blocking McAfee EPO icon from running, thus causing encryption problems. Here is the error in the McAfee log file:

    2016-06-15 11:07:39.132 macmnsvc(2280.3900) aac_service.Info: The process <C:\PROGRAM FILES\MCAFEE\AGENT\X86\MCTRAY.EXE>(7088) was blocked from accessing('C' (1)) <AAC_OBJECT_SECTION:C:\Windows\SysWOW64\SYSFER.DLL> via the rule <Sanitize McTray Process>

    SEP Version:  12.1.6860.6400

    EPO Version: 5.1

    Running SEP AV Full protection and McAfee Endpoint Encryption on laptops

    Sporadic, not affecting all clients.

    Any thoughts on this?



  • 2.  RE: SEP Blocking Mcafee EPO Icon

    Posted Jun 15, 2016 02:51 PM

    What log is this from? Why is EPO trying to access sysfer? And what is affected by this?



  • 3.  RE: SEP Blocking Mcafee EPO Icon

    Posted Jun 15, 2016 03:34 PM

    McAfee EPO Encryption log. We cannot get the McAfee EPO icon to show up in the taskbar, causing issues with EPO. This is the error that's showing up in the log file. Attached is the entire log file. According to McAfee this is an SEP AV issue.



  • 4.  RE: SEP Blocking Mcafee EPO Icon

    Posted Jun 15, 2016 03:44 PM

    McAfee is saying which one of its rules is doing the blocking:

    The process <C:\PROGRAM FILES\MCAFEE\AGENT\X86\MCTRAY.EXE>(5336) was blocked from accessing('C' (1)) <AAC_OBJECT_SECTION:C:\Windows\SysWOW64\sysfer.dll> via the rule <Sanitize McTray Process>

    What happens when you disable that rule in mcafee?



  • 5.  RE: SEP Blocking Mcafee EPO Icon

    Posted Jun 15, 2016 03:51 PM

    Looks like McAfee is also blocking itself:

    2016-06-02 09:11:25.891 macmnsvc(2220.3560) aac_service.Info: The process <C:\PROGRAM FILES (X86)\MCAFEE\TELEMETRY\MCTELSVC.EXE>(4708) was blocked from accessing('C' (1)) <AAC_OBJECT_FILE:C:\Program Files\Common Files\McAfee\SystemCore\extraTELE.rul> via the rule <Protect SystemCore Files and Registry Settings>

    It looks more like McAfee doing the blocking per those rules that are set up.



  • 6.  RE: SEP Blocking Mcafee EPO Icon

    Posted Jun 15, 2016 06:00 PM

    Is McAfee Agent self protection enabled?



  • 7.  RE: SEP Blocking Mcafee EPO Icon

    Posted Jul 05, 2016 12:37 PM

    After a lot of digging with Symantec & McAfee support, we traced the source of this issue to SEP's Application & Device Control (ADC) that injects the sysfer.dll file into the McAfee updaterui.exe file. 

    To fix this, create file level exceptions for the updaterui.exe and mctray.exe files. Make sure you do NOT use variables and instead specify the entire path. 

    https://support.symantec.com/en_US/article.HOWTO80920.html

    Once the exceptions are created, update the policy on the endpoints, and forcibly end any running updaterui.exe instances from the Task Manager. (This makes sure that if the DLL was already injected, you re-trigger without the issue.)
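
Added example (not part of any post in this thread, and not Symantec or McAfee code): a Python script that triages a macmnsvc log for the block events quoted above, groups them by process, object and rule, and lists the processes blocked from accessing sysfer.dll, which are the candidates for the file-level exceptions described in the last post. The line format is assumed from the three log lines quoted in the thread only; the function names are hypothetical.

```python
import re
from collections import Counter

# Pattern derived only from the aac_service lines quoted in this thread (assumption).
BLOCK_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+\S+\s+aac_service\.Info: "
    r"The process <(?P<proc>[^>]+)>\((?P<pid>\d+)\) was blocked from accessing"
    r"\('(?P<access>[^']*)' \(\d+\)\) <(?P<otype>AAC_OBJECT_\w+):(?P<obj>[^>]+)> "
    r"via the rule <(?P<rule>[^>]+)>"
)

# Three lines copied from the thread plus one constructed non-matching line.
SAMPLE = [
    r"2016-06-15 11:07:39.132 macmnsvc(2280.3900) aac_service.Info: The process <C:\PROGRAM FILES\MCAFEE\AGENT\X86\MCTRAY.EXE>(7088) was blocked from accessing('C' (1)) <AAC_OBJECT_SECTION:C:\Windows\SysWOW64\SYSFER.DLL> via the rule <Sanitize McTray Process>",
    r"2016-06-15 11:07:39.132 macmnsvc(2280.3900) aac_service.Info: The process <C:\PROGRAM FILES\MCAFEE\AGENT\X86\MCTRAY.EXE>(5336) was blocked from accessing('C' (1)) <AAC_OBJECT_SECTION:C:\Windows\SysWOW64\sysfer.dll> via the rule <Sanitize McTray Process>",
    r"2016-06-02 09:11:25.891 macmnsvc(2220.3560) aac_service.Info: The process <C:\PROGRAM FILES (X86)\MCAFEE\TELEMETRY\MCTELSVC.EXE>(4708) was blocked from accessing('C' (1)) <AAC_OBJECT_FILE:C:\Program Files\Common Files\McAfee\SystemCore\extraTELE.rul> via the rule <Protect SystemCore Files and Registry Settings>",
    "2016-06-15 11:07:40.000 macmnsvc(2280.3900) constructed line that is not a block event",
]

def parse_blocks(lines):
    """Return one dict per 'was blocked from accessing' event; other lines are skipped."""
    events = []
    for line in lines:
        m = BLOCK_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def summarize(events):
    """Count events per (process, object type, object, rule); paths compared case-insensitively."""
    counts = Counter()
    for e in events:
        counts[(e["proc"].lower(), e["otype"], e["obj"].lower(), e["rule"])] += 1
    return counts

def sysfer_conflicts(events):
    """Processes blocked from touching sysfer.dll, the DLL the thread says SEP's ADC injects."""
    return sorted({e["proc"].lower() for e in events
                   if e["obj"].lower().endswith("\\sysfer.dll")})

if __name__ == "__main__":
    evts = parse_blocks(SAMPLE)
    for key, n in summarize(evts).most_common():
        print(n, *key, sep=" | ")
    print("Exception candidates (full paths):", sysfer_conflicts(evts))
```

To run it against a real log, pass `open(path, encoding="utf-8", errors="replace")` to `parse_blocks` in place of `SAMPLE`.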