
Locked POA because of McAfee Access Protection

Dear Sirs,

 

I came across a notebook with full disk encryption whose POA is locked. Doing a post-mortem analysis, it seems that:

C:\WINDOWS\SYSWOW64\BEFCSVCN.EXE

and

NT-AUTORITÄT\SYSTEM C:\PROGRAM FILES (X86)\SOPHOS\SAFEGUARD ENTERPRISE\CLIENT\SGNAUTHSERVICEN.EXE

try to write to HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\MFEHIDK\ Common.

This registry tree is protected by McAfee Access Protection because it belongs to our VirusScan Enterprise 8.8 installation.

Operating system is Windows 7 x64.

From the user I heard the following:

He started his computer and logged on. After a short period the computer closed all applications and rebooted. In the POA he needed to do a Challenge and Response. This happened 3 times in a short period of time. After that the POA was locked.

 

Question:

Is it possible to configure Sophos SafeGuard so that it leaves the McAfee registry keys as they are?

By the way, why does Sophos try to manipulate these registry keys?

 

Here are the McAfee log lines (translated from the German-locale log; the account and rule names are localized in the original):

31.05.2017 06:55:33 Blocked by Access Protection rule NT-AUTORITÄT\SYSTEM C:\PROGRAM FILES (X86)\SOPHOS\SAFEGUARD ENTERPRISE\CLIENT\SGNAUTHSERVICEN.EXE HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\MFEHIDK\ Common - Standard Protection:Prevent modification of McAfee files and settings Action blocked: Write

31.05.2017 07:40:39 Blocked by Access Protection rule NT-AUTORITÄT\SYSTEM C:\WINDOWS\SYSWOW64\BEFCSVCN.EXE HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\MFEHIDK\ Common - Standard Protection:Prevent modification of McAfee files and settings Action blocked: Write

31.05.2017 07:55:05 Blocked by Access Protection rule NT-AUTORITÄT\SYSTEM C:\WINDOWS\SYSWOW64\BEFCSVCN.EXE HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\MFEHIDK\ Common - Standard Protection:Prevent modification of McAfee files and settings Action blocked: Write

31.05.2017 07:55:37 Blocked by Access Protection rule NT-AUTORITÄT\SYSTEM C:\PROGRAM FILES (X86)\SOPHOS\SAFEGUARD ENTERPRISE\CLIENT\SGNAUTHSERVICEN.EXE HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\MFEHIDK\ Common - Standard Protection:Prevent modification of McAfee files and settings Action blocked: Write

31.05.2017 07:56:08 Blocked by Access Protection rule NT-AUTORITÄT\SYSTEM C:\WINDOWS\SYSWOW64\BEFCSVCN.EXE HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\MFEHIDK\ Common - Standard Protection:Prevent modification of McAfee files and settings Action blocked: Write

31.05.2017 07:56:25 Blocked by Access Protection rule SCHULER\wiersch C:\WINDOWS\EXPLORER.EXE HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\MFEHIDK\ Common - Standard Protection:Prevent modification of McAfee files and settings Action blocked: Write

Here is the logfile.sgt log file (just the human-readable parts); have a look at the end, the read errors are IMHO related:

Z:\work>strings logfile.sgt

Strings v2.53 - Search for ANSI and Unicode strings in binary images.
Copyright (C) 1999-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

SGN_MasterServicen.exe
SGMEntitiesn.dll
W32_User.cpp
CheckLocalUser4
LookUpAccountName5 Error 1(Username:SCHULER\wiersch)
SGN_MasterServicen.exe
SGTransCtrln.dll
sgtransctrl.cpp
CSG_TRANS_CTRL::RunUploadService3
FATAL ERROR Machine is not available stop working
SGN_MasterServicen.exe
SGTransCtrln.dll
sgtransctrl.cpp
CSG_TRANS_CTRL::RunUploadService3
FATAL ERROR Machine is not available stop working
SGN_MasterServicen.exe
SGTransCtrln.dll
sgtransctrl.cpp
CSG_TRANS_CTRL::RunUploadService3
FATAL ERROR Machine is not available stop working
SGN_MasterServicen.exe
SGMEntitiesn.dll
W32_User.cpp
CheckLocalUser4
LookUpAccountName5 Error 1(Username:SCHULER\wiersch)
SGN_MasterServicen.exe
SGMEntitiesn.dll
W32_User.cpp
CheckLocalUser4
LookUpAccountName5 Error 1(Username:SCHULER\wiersch)
SGN_MasterServicen.exe
SGMEntitiesn.dll
W32_User.cpp
CheckLocalUser4
LookUpAccountName5 Error 1(Username:SCHULER\wiersch)
SGN_MasterServicen.exe
SGMEntitiesn.dll
W32_User.cpp
CheckLocalUser4
LookUpAccountName5 Error 1(Username:SCHULER\wiersch)
SGN_MasterServicen.exe
SGMEntitiesn.dll
W32_User.cpp
CheckLocalUser4
LookUpAccountName5 Error 1(Username:SCHULER\wiersch)
SGN_MasterServicen.exe
SGMEntitiesn.dll
W32_User.cpp
CheckLocalUser4
LookUpAccountName5 Error 1(Username:SCHULER\wiersch)
SGN_MasterServicen.exe
SGMEntitiesn.dll
W32_User.cpp
CheckLocalUser4
LookUpAccountName5 Error 1(Username:SCHULER\wiersch)
SGN_MasterServicen.exe
SGMEntitiesn.dll
W32_User.cpp
CheckLocalUser4
LookUpAccountName5 Error 1(Username:SCHULER\wiersch)
SGN_MasterServicen.exe
SGMEntitiesn.dll
W32_User.cpp
CheckLocalUser4
LookUpAccountName5 Error 1(Username:SCHULER\wiersch)
SGNAuthServicen.exe
SGNAuthServicen.exe
LCClientService.cpp,
LCClientService::WatchingCorruptionSemaphore(
Local cache is corrupt, forcing shutdown
L.YD
SGNAuthServicen.exe
SGNAuthServicen.exe
LCClientService.cpp,
LCClientService::WatchingCorruptionSemaphore(
Local cache is corrupt, forcing shutdown
V.Y<
SGNAuthServicen.exe
SGMBASEN.dll
wnt\SGMFilesystemOperations.cpp
IsDirectory5
GetFileAttributes() failed with last error=0x00000570
V.Y<
SGNAuthServicen.exe
SGMBASEN.dll
wnt\SGMFilesystemOperations.cpp
IsDirectory5
GetFileAttributes() failed with last error=0x00000570
W.Y<
SGNAuthServicen.exe
SGMBASEN.dll
wnt\SGMFilesystemOperations.cpp
IsDirectory5
GetFileAttributes() failed with last error=0x00000570
W.Y<
SGNAuthServicen.exe
SGMBASEN.dll
wnt\SGMFilesystemOperations.cpp
IsDirectory5
GetFileAttributes() failed with last error=0x00000570
-W.Y<
SGNAuthServicen.exe
BEGina.dll
BEAuxFunct.cpp
AuxBackupOrRestore
BEGINA: Kernel Restore failed
XW.Y<
SGNAuthServicen.exe
SGNAuthServicen.exe
LCClientService.cpp,
LCClientService::WatchingCorruptionSemaphore(
Local cache is corrupt, forcing shutdown
Z.Y8
SGNAuthServicen.exe
BEGina.dll
BEAuxFunct.cpp
AuxBackupOrRestore
BEGINA: Kernel Restore failed
Z.Y8
SGNAuthServicen.exe
SGNAuthServicen.exe
LCClientService.cpp,
LCClientService::WatchingCorruptionSemaphore(
Local cache is corrupt, forcing shutdown

I would be glad to hear of a way to solve this; I fear more locked computers.

 

Cheers,

Thorsten
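The two artifacts in the post, the Access Protection log lines and the `strings` dump of logfile.sgt, are what a responder would actually triage when this hits more machines. The following Python is an added example and not code from the post, from Sophos or from McAfee: it parses Access Protection log lines in the English wording of the VSE 8.8 log (the post shows the German-locale form), counts blocked writes per target and process so repeat offenders stand out, separates hits from the SYSTEM account from hits in the interactive user's session, and decodes the `last error=0x00000570` value from the strings dump, which is winerror.h's ERROR_FILE_CORRUPT (1392). The sample lines are constructed to mirror the post; the regex, the function names and the exact English field wording are my own assumptions.

```python
"""Triage helpers for the two artifacts quoted in the post: McAfee VSE 8.8
Access Protection log lines and a `strings` dump of SafeGuard's logfile.sgt.

Added example, not code from the post, Sophos or McAfee. The sample data at
the bottom is constructed to mirror the post's lines; the English wording of
the VSE rule and log fields is assumed from the product's English locale.
"""
import re
from collections import Counter, defaultdict

# One Access Protection log line. Process paths and registry targets contain
# spaces, so anchor on the fixed phrases and the hive/drive prefix instead of
# splitting on whitespace. "NT AUTHORITY" is the one account domain with a space.
AP_LINE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) Blocked by Access Protection rule "
    r"(?P<user>(?:NT AUTHORITY|\S+)\\\S+) (?P<process>.+?) "
    r"(?P<target>(?:HKLM|HKCU|HKCR|HKU|[A-Za-z]:)\\.+?) - "
    r"(?P<rule>.+?) Action blocked: (?P<action>\S+)$"
)

# winerror.h values for the last-error codes worth recognising here.
WIN32_ERRORS = {
    0x2: "ERROR_FILE_NOT_FOUND",
    0x5: "ERROR_ACCESS_DENIED",
    0x570: "ERROR_FILE_CORRUPT",  # 1392: file or directory is corrupted and unreadable
}
LAST_ERROR = re.compile(r"last error=0x([0-9A-Fa-f]+)")

# English and German-locale spellings of the local SYSTEM account, as in the post.
SYSTEM_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "NT-AUTORITÄT\\SYSTEM"}


def parse_ap_log(text):
    """Return one dict per line that matches the Access Protection format."""
    events = []
    for line in text.splitlines():
        m = AP_LINE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def blocked_writes(events):
    """target -> {(user, process): number of blocked Write actions}."""
    per_target = defaultdict(Counter)
    for e in events:
        if e["action"] == "Write":
            per_target[e["target"]][(e["user"], e["process"])] += 1
    return {t: dict(c) for t, c in per_target.items()}


def split_by_account(events):
    """Separate hits from services running as SYSTEM from hits by logged-on users.

    A service hammering a protected key is a product-integration problem; the
    same hit from the user's explorer.exe points at something running in the
    interactive session instead."""
    out = {"system": set(), "user": set()}
    for e in events:
        bucket = "system" if e["user"] in SYSTEM_ACCOUNTS else "user"
        out[bucket].add(e["process"])
    return {k: sorted(v) for k, v in out.items()}


def decode_last_errors(strings_output):
    """Count the 'last error=0x...' values in a strings dump by winerror.h name."""
    counts = Counter()
    for hex_code in LAST_ERROR.findall(strings_output):
        value = int(hex_code, 16)
        counts[WIN32_ERRORS.get(value, f"UNKNOWN_0x{value:X}")] += 1
    return dict(counts)


# Constructed sample input shaped like the post's log (English locale wording).
SAMPLE_AP_LOG = r"""
31.05.2017 06:55:33 Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\PROGRAM FILES (X86)\SOPHOS\SAFEGUARD ENTERPRISE\CLIENT\SGNAUTHSERVICEN.EXE HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\MFEHIDK\ Common - Standard Protection:Prevent modification of McAfee files and settings Action blocked: Write
31.05.2017 07:40:39 Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\WINDOWS\SYSWOW64\BEFCSVCN.EXE HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\MFEHIDK\ Common - Standard Protection:Prevent modification of McAfee files and settings Action blocked: Write
31.05.2017 07:55:05 Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\WINDOWS\SYSWOW64\BEFCSVCN.EXE HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\MFEHIDK\ Common - Standard Protection:Prevent modification of McAfee files and settings Action blocked: Write
31.05.2017 07:56:25 Blocked by Access Protection rule SCHULER\wiersch C:\WINDOWS\EXPLORER.EXE HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\MFEHIDK\ Common - Standard Protection:Prevent modification of McAfee files and settings Action blocked: Write
"""

# Constructed excerpt shaped like the `strings logfile.sgt` output in the post.
SAMPLE_STRINGS = r"""
SGNAuthServicen.exe
wnt\SGMFilesystemOperations.cpp
GetFileAttributes() failed with last error=0x00000570
BEGINA: Kernel Restore failed
GetFileAttributes() failed with last error=0x00000570
Local cache is corrupt, forcing shutdown
"""

if __name__ == "__main__":
    ev = parse_ap_log(SAMPLE_AP_LOG)
    for target, writers in blocked_writes(ev).items():
        print(target)
        for (user, proc), n in writers.items():
            print(f"  {n}x {user} {proc}")
    print(split_by_account(ev))
    print(decode_last_errors(SAMPLE_STRINGS))
```

Run against a real AccessProtectionLog.txt the summary tells you in one glance which non-McAfee binaries need an Access Protection exclusion and whether any of the hits came from a user session rather than a service; the error decode turns the otherwise opaque 0x570 in the SafeGuard log into a named condition you can search Sophos' documentation for.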

FormerMember

    Hi Thorsten,

    Thanks for getting in touch.

    I suspect the issue here is that McAfee Access Protection hasn't been set to exclude SafeGuard and so sees it as something that needs to be blocked.

    We include detection for known software in all our products and I would have expected McAfee to do the same, but maybe a manual exclusion is required.

    I would speak to McAfee and find out how to add the exclusions, or remove it and add one of the many Sophos Endpoint products which include these features as standard and are designed to work together straight out of the box.