SR # <4-20423413021>

Hi,

Using ENS 10.6.1x we have been able to workaround the problem by disabling AMSI in the On-Access-Policy. In the meantime we got 2 new ENS 10.6.1 modules (common and the threat prevention) by McAfee support to be tested. But they did not solve the problem.

If we install the ENS 10.7.x on our clients disabling AMSI in the OAS policy will not workaround the problem anymore. Most strange thing in our case is, that nothing is logged anywhere, even if debug logging is enabled on agent and threat prevention level in terms of the deployment agent we are using.

Excluding the affected software in the OAS policy as part of low risk profile from scanning does not work either.

In terms of the code integrity events, I can say, we see them too. But in my opinion they are not caused by ENS they are related to Windows Defender and you find articles and notes inside the Win 10 change logs about it.  Following just an example

Changelog win 10 1903 / KB4512941

Addresses an issue in which Windows Defender Application Control will not allow third-party binaries to be loaded from a Universal Windows Platform application. CodeIntegrity event error 3033 appears as, “Code Integrity determined that a process (<process name>) attempted to load <binary name> that did not meet the Store signing level requirements.”

M.

Running Sysinternals Procmon showed repeated references to the HKLM\SOFTWARE\Microsoft\AMSI\Providers, which is normal and expected as indicator that an AMSI event was triggered.  Then errors once it begins processing requests using the provider (mfeamsiprovider.dll).  These same errors do not occur on Systems below 1903.  We have not rolled back to 10.6.1 to test machines since disabling AMSI handling in the OAS policy fixes the issue.  We did have to completely disable AMSI because enabling it with the "enable observe mode" checked caused the same issue.

Our software deployment application is heavily reliant on WMI calls so we saw the most amount of pain stemming from that.  I don't know if your app has integrations with WMI or if its just script runs that is causing this issue.


As for the code integrity events, they are definitely caused by McAfee on our systems and not that Microsoft support bulletin for a few reasons.

• We have disabled Windows Defender so it would not be responding to AMSI event.
• We have the August patch installed in which they've resolved the Windows Defender Issue
• The offending process is not a UWP application, its a standard Win32 app and because of this "Store Signing" is not in the loop.  Only standard "Microsoft Signing".

In our scenario we saw a spike in CPU usage by the process svchost.exe (hosting WinMgmt) and in the CodeIntegrity log that process was referenced.

Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume3\Program Files\McAfee\Endpoint Security\Threat Prevention\MfeAmsiProvider.dll that did not meet the Microsoft signing level requirements.

This seems to align with changes to signing requirements on 1903 documented by Microsoft Docs on AMSI.  Although its worth noting that the FeatureBits flag made no difference in our scenario.

Are you seeing issue only on 1903 machines with 10.7?

-Paul

I can confirm having AMSI enabled plus the observe mode inside the OAS policy will cause trouble with the deployment agent. It is really necessary to completely switch off the AMSI support inside the OAS policy.

The deployment agent we actually use has no WMI integration and is based on running scripts.

I am still wondering that you do not have any issues with your deployment tool using the 10.7 with the AMSI support disabled. By switching from ENS 10.6 to 10.7 we got the problem back that we could workaround by disabling AMSI thus we had to roll back all 10.7 to 10.6 installations.

Actually we do not have an 1903 installation anymore. I just can offer to test something on 1809 or 1909.

THX for changing informations

M.

Any fixes for this issue ? Have the same on 1909 with the ENS 10.7 May verion.

Actually we use the ENS 10.7 that had been released in May  and installed  it on a bunch of Computers.

I have to say the problem we had been faced with seems to be gone.

There are some minor issues but compared to all the ENS releases since autumn last year the MAy version has been used to replace all our previous 10.6 installations.

KR

M.