Former Member
Message 1 of 7

How to block Microsoft tool.


Dear Team,

We have a Microsoft troubleshooting tool with the extension *.diagcab. Can we stop it from being executed?

 

Thx in advance for your time!!


6 Replies
BenEllis
Employee
Message 2 of 7

Re: How to block Microsoft tool.


1. You can block it by banning hash or name.

 

https://docs.mcafee.com/bundle/application-change-control-8.3.x-product-guide-windows/page/GUID-F0F9...

https://docs.mcafee.com/bundle/application-change-control-8.3.x-product-guide-windows/page/GUID-1881...

You can't block all extensions, unfortunately. But if you are using TIE, you could set the reputation and block based off reputation.

BenJamin Ellis
Former Member
Message 3 of 7

Re: How to block Microsoft tool.


Thx BenEllis for your time!!

I tried to ban it by SHA-1 value through this command: sadmin auth -b -c <checksumvalue>

But below is the result of the command: 

C:\Program Files\McAfee\Solidcore>sadmin auth -b -c abda636c99b021c9e624812d3f5d41a33ee8fd5f
Too many arguments.
Type "sadmin help auth" for help.

Any insight!!

BenEllis
Employee
Message 4 of 7

Re: How to block Microsoft tool.


Odd, what version are you on? I did this same command on 8.2.6 and it worked fine.

 

BenJamin Ellis
Former Member
Message 5 of 7

Re: How to block Microsoft tool.


Thx Benjamin Ellis!!

It's weird. Now it's okay. But having executed it I'm still able to run the file. For your reference I have attached the file. The file name is "MicrosoftProgram_Install_and_Uninstall.meta.diagcab". 

Thank you. 

BenEllis
Employee
Message 6 of 7

Re: How to block Microsoft tool.


Thank you. The reason you cannot block this is that in 8.2.1.435 and above we added VTP trust, which auto-allows Microsoft and McAfee certs no matter what.

If you really need to block this, you can open a case and we can see what we can do to disable this feature, but VTP was added in 8.2.1 Update 4 and above.

How the Validation and Trust Protection service works

The VTP service (MFEVTPS.exe) inspects DLLs and running processes that interact with McAfee code to verify whether objects are trusted.

An object is a network, file, registry, or process. Trusted means the third-party process is allowed to access McAfee objects. For example, a trusted third-party process is allowed to be injected into McAfee processes or to read McAfee registry keys.

To function properly, the VTP service depends on:

  • Microsoft Cryptographic service (CryptSvc)
  • Trust-related APIs
  • Health of the certificate store or catalog files

 

Here's how the VTP service works:

  1. A validation check runs when McAfee code needs to verify that the acting process is trusted, the target object is trusted, or both.
  2. When McAfee processes are initialized, the VTP service validates that McAfee is loading trusted code. AAC makes sure that McAfee loads only trusted DLLs.

 

Only McAfee and Microsoft code are implicitly trusted.

Caching

The VTP service caches the results of a validation check to improve the performance of future validation checks. The VTP service always examines the cache first when performing a validation check.

  • If a validation check returns a result that the object is not trusted, that object is cached as untrusted.
  • If an object is cached incorrectly as untrusted, only a cache reset can correct it.

 

The cache resets when a system restarts in Safe Mode or by running this command:

VTPInfo.exe /ResetVTPCache

You can also reset the cache from the DAT.

Trust failures

A trust failure is a VTP service validation check that results in "untrusted" when the expected result was "trusted." Trust failures occur because AAC denies access to untrusted code. The process is not allowed to access McAfee processes as a form of self-protection.

Here are some examples of trust failures:

  • A McAfee process was injected by an untrusted third party, so the process fails a validation check.
  • A Microsoft catalog-signed file has invalid signing information, so it can't be verified and fails to load by a McAfee process.
  • A valid DLL file was cached incorrectly as "untrusted," and subsequent attempts to load it are denied.

 

All of these examples can cause the affected McAfee processes to fail.

BenJamin Ellis
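Two checks from this thread can be made locally before deciding whether a hash ban is worth configuring: computing the SHA-1 checksum that "sadmin auth -b -c" expects (Messages 2 and 3), and finding out whether the file carries a valid Microsoft signature, which is what the VTP implicit trust described above keys on (Message 6). The script below is an added example and is not McAfee's tooling or documentation; the file path is an assumption, and the "O=Microsoft Corporation" subject match is a simple heuristic standing in for the certificate-chain check the VTP service actually performs. The script only reads the file and does not change any Application Control rule.

```powershell
# Added example (not from the original post or from McAfee). Path is an assumption.
$file = 'C:\Temp\MicrosoftProgram_Install_and_Uninstall.meta.diagcab'

if (-not (Test-Path -LiteralPath $file)) {
    throw "File not found: $file"
}

# 1. SHA-1 checksum: the value 'sadmin auth -b -c <checksum>' expects.
$sha1 = (Get-FileHash -LiteralPath $file -Algorithm SHA1).Hash.ToLower()
"SHA-1       : $sha1"
"Ban command : sadmin auth -b -c $sha1"

# 2. Authenticode signer. A .diagcab is a cabinet file, and the cabinet
#    subject-interface package lets Get-AuthenticodeSignature read its signature.
$sig = Get-AuthenticodeSignature -LiteralPath $file
"Signature status : $($sig.Status)"
"Signer subject   : $($sig.SignerCertificate.Subject)"

# 3. Interpretation in VTP terms: a valid signature from a Microsoft signer falls
#    under the implicit trust described above, so on 8.2.1 Update 4 and later a
#    hash or name ban alone is not expected to stop the file from running.
#    The subject-string match is a heuristic; VTP validates the trust chain itself.
$microsoftSigned = ($sig.Status -eq 'Valid') -and
                   ($sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
if ($microsoftSigned) {
    "Result: valid Microsoft signature; VTP implicit trust applies, expect the hash ban not to take effect."
} else {
    "Result: not a valid Microsoft-signed file; the hash ban should be evaluated normally."
}
```

A Status other than Valid (NotSigned, HashMismatch, UnknownError) means the file does not qualify for implicit trust on signature grounds, and in that case the hash ban from Message 2 is the first thing to re-check. Run the script from an elevated prompt only if the file sits in a protected location; reading the hash and signature needs no special rights otherwise.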
Former Member
Message 7 of 7

Re: How to block Microsoft tool.


Thx Ben for your great detail!!
