cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Nick_B
Level 11
Report Inappropriate Content
Message 1 of 6
‎09-24-2019 03:06 AM

Desktop Application Being Blocked by McAfee's MFEConsole.exe

Hey McAfee Community,

A customer of ours has a desktop application which is being blocked by MFEConsole.exe.

The application in question makes use of a DLL called Bit4uPKI-Store.dll and is being blocked by MFEConsole.exe (see below the 1092 error as seen in the logs).

Bit4uPKI-Store.dll is blockedBit4uPKI-Store.dll is blocked

The exclusion for the MFEConsole.exe process is shown below.

AP Exclusion for MFEConsole.exeAP Exclusion for MFEConsole.exe

 I hope you'll forgive the language in use - the client site is in Italy - but hopefully it will still make sense.

When the issue was first identified an exclusion was added in respect of MFEConsole.exe and this appeared to resolve the issue however, it now appears that the issue will manifest itself at random moments with no pattern observed so far.

Look forward to hearing your suggestions!

Reply
5 Replies
Daveb3d
MVP
Report Inappropriate Content
Message 2 of 6
‎09-24-2019 09:24 AM

Re: Desktop Application Being Blocked by McAfee's MFEConsole.exe

It looks like the DLL is trying to inject into the McAfee process, if I'm understanding correctly.  The language is getting me a bit.  I'm not sure why it would ever need to do this.  I wouldn't recommend your exclusion as it could allow somebody to compromise ENS, potentially.  If you have to allow the DLL go to the Common policy and load the cert for the DLL in there.

 

Thanks,

Dave

0 Kudos
Reply
Nick_B
Level 11
Report Inappropriate Content
Message 3 of 6
‎09-25-2019 03:13 AM

Re: Desktop Application Being Blocked by McAfee's MFEConsole.exe

Cheers Dave, you've got a point there.

With that in mind, I thought of an additional two potential options to help resolve this issue, so the 3 options available now are:

1. Ascertain the certificate used to sign the DLL, load it into the ENS Common Options policy and allow it to run.

2. Add an exclusion for the affected McAfee process (MFEConsole.exe) in the Self Protection Exclusions section (as seen below).

Adding a Self Protection ExclusionAdding a Self Protection Exclusion

 

 

 3. Add an exclusion for the affected McAfee process in the AAC section (shown below).

Adding an AAC ExclusionAdding an AAC Exclusion

I guess the ideal scenario would be to upload the certificate of the DLL (assuming it has one) and allow it to run its code in McAfee processes but failing that should one of the alternate options work?

Cheers guys.

0 Kudos
Reply
Daveb3d
MVP
Report Inappropriate Content
Message 4 of 6
‎09-25-2019 09:08 AM

Re: Desktop Application Being Blocked by McAfee's MFEConsole.exe

One thing I do wonder is if you can't put the DLL in as a "Process" exclusion.  Not sure if it will work, but just a thought.

 

Dave

0 Kudos
Reply
Nick_B
Level 11
Report Inappropriate Content
Message 5 of 6
‎09-25-2019 01:14 PM

Re: Desktop Application Being Blocked by McAfee's MFEConsole.exe

Sure, I had considered that but in this context at least I think what they're looking for in terms of a process is a traditional, .exe style process so to speak.

I've asked the IT chap who logged the ticket if he can translate the text accompanying the images he sent in. Might help clarify things a bit.

0 Kudos
Reply
AdithyanT
Employee
Employee
Report Inappropriate Content
Message 6 of 6
‎09-27-2019 01:10 PM

Re: Desktop Application Being Blocked by McAfee's MFEConsole.exe

Very good discussion in this thread! I would like to quote the below from the KBA that deals with handling of a similar issue:

"The third-party software injects code into McAfee processes. McAfee software considers third-party DLLs that inject into McAfee processes untrusted, and those processes also become untrusted. McAfee software then denies access to the untrusted processes, causing the affected McAfee process to not work as expected. For detailed information about Endpoint Security and third-party injection, see KB88085.

When a third-party DLL is detected attempting to load into MFECANARY.EXE, the digital certificate for the process is populated in the certificate table in the user interface at Endpoint Security Common policy, your enforced policy, Show AdvancedCertificates. The certificate table is populated with the Vendor, Subject, and Hash of the associated public key."

Please feel free to let me know if you do not find this information helpful.

Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

Thanks and regards,
Adithyan T
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use our Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from product experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by employees.
Join the Community
Join the Community

TrellixSkyhigh Security | Support Trellix.com SkyhighSecurity.com

Legal Privacy Copyright © 2023 Musarubra US LLC