Dear Sirs,
I came across a notebook with full disk encryption whose POA is locked. Doing a post-mortem analysis, it seems that:
C:\WINDOWS\SYSWOW64\BEFCSVCN.EXE
and
NT-AUTORITÄT\SYSTEM C:\PROGRAM FILES (X86)\SOPHOS\SAFEGUARD ENTERPRISE\CLIENT\SGNAUTHSERVICEN.EXE
try to write to HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\MFEHIDK\ Common.
This registry tree is protected by McAfee Access Protection because it belongs to our VirusScan Enterprise 8.8 installation.
The operating system is Windows 7 x64.
From the user I heard the following:
He started his computer and logged on. After a short period the computer closed all applications and rebooted. In the POA he needed to do a Challenge and Response. This happened 3 times in a short period of time. After that the POA was locked.
Question:
Is it possible to configure Sophos SafeGuard in such a way that it leaves the McAfee registry keys as they are?
By the way, why does Sophos try to manipulate these registry keys?
Here are the McAfee log lines:
31.05.2017 06:55:33 Blockiert durch Zugriffsschutzregel NT-AUTORITÄT\SYSTEM C:\PROGRAM FILES (X86)\SOPHOS\SAFEGUARD ENTERPRISE\CLIENT\SGNAUTHSERVICEN.EXE HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\MFEHIDK\ Common - Standardschutz:Veränderungen der McAfee-Dateien und -Einstellungen verhindern Blockierte Aktion: Schreiben
31.05.2017 07:40:39 Blockiert durch Zugriffsschutzregel NT-AUTORITÄT\SYSTEM C:\WINDOWS\SYSWOW64\BEFCSVCN.EXE HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\MFEHIDK\ Common - Standardschutz:Veränderungen der McAfee-Dateien und -Einstellungen verhindern Blockierte Aktion: Schreiben
31.05.2017 07:55:05 Blockiert durch Zugriffsschutzregel NT-AUTORITÄT\SYSTEM C:\WINDOWS\SYSWOW64\BEFCSVCN.EXE HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\MFEHIDK\ Common - Standardschutz:Veränderungen der McAfee-Dateien und -Einstellungen verhindern Blockierte Aktion: Schreiben
31.05.2017 07:55:37 Blockiert durch Zugriffsschutzregel NT-AUTORITÄT\SYSTEM C:\PROGRAM FILES (X86)\SOPHOS\SAFEGUARD ENTERPRISE\CLIENT\SGNAUTHSERVICEN.EXE HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\MFEHIDK\ Common - Standardschutz:Veränderungen der McAfee-Dateien und -Einstellungen verhindern Blockierte Aktion: Schreiben
31.05.2017 07:56:08 Blockiert durch Zugriffsschutzregel NT-AUTORITÄT\SYSTEM C:\WINDOWS\SYSWOW64\BEFCSVCN.EXE HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\MFEHIDK\ Common - Standardschutz:Veränderungen der McAfee-Dateien und -Einstellungen verhindern Blockierte Aktion: Schreiben
31.05.2017 07:56:25 Blockiert durch Zugriffsschutzregel SCHULER\wiersch C:\WINDOWS\EXPLORER.EXE HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\MFEHIDK\ Common - Standardschutz:Veränderungen der McAfee-Dateien und -Einstellungen verhindern Blockierte Aktion: Schreiben
Here is the logfile.sgt log file (just the human-readable parts); have a look at the end, the read errors are IMHO related:
Z:\work>strings logfile.sgt
Strings v2.53 - Search for ANSI and Unicode strings in binary images.
Copyright (C) 1999-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
SGN_MasterServicen.exe
SGMEntitiesn.dll
W32_User.cpp
CheckLocalUser4
LookUpAccountName5 Error 1(Username:SCHULER\wiersch)
SGN_MasterServicen.exe
SGTransCtrln.dll
sgtransctrl.cpp
CSG_TRANS_CTRL::RunUploadService3
FATAL ERROR Machine is not available stop working
SGN_MasterServicen.exe
SGTransCtrln.dll
sgtransctrl.cpp
CSG_TRANS_CTRL::RunUploadService3
FATAL ERROR Machine is not available stop working
SGN_MasterServicen.exe
SGTransCtrln.dll
sgtransctrl.cpp
CSG_TRANS_CTRL::RunUploadService3
FATAL ERROR Machine is not available stop working
SGN_MasterServicen.exe
SGMEntitiesn.dll
W32_User.cpp
CheckLocalUser4
LookUpAccountName5 Error 1(Username:SCHULER\wiersch)
SGN_MasterServicen.exe
SGMEntitiesn.dll
W32_User.cpp
CheckLocalUser4
LookUpAccountName5 Error 1(Username:SCHULER\wiersch)
SGN_MasterServicen.exe
SGMEntitiesn.dll
W32_User.cpp
CheckLocalUser4
LookUpAccountName5 Error 1(Username:SCHULER\wiersch)
SGN_MasterServicen.exe
SGMEntitiesn.dll
W32_User.cpp
CheckLocalUser4
LookUpAccountName5 Error 1(Username:SCHULER\wiersch)
SGN_MasterServicen.exe
SGMEntitiesn.dll
W32_User.cpp
CheckLocalUser4
LookUpAccountName5 Error 1(Username:SCHULER\wiersch)
SGN_MasterServicen.exe
SGMEntitiesn.dll
W32_User.cpp
CheckLocalUser4
LookUpAccountName5 Error 1(Username:SCHULER\wiersch)
SGN_MasterServicen.exe
SGMEntitiesn.dll
W32_User.cpp
CheckLocalUser4
LookUpAccountName5 Error 1(Username:SCHULER\wiersch)
SGN_MasterServicen.exe
SGMEntitiesn.dll
W32_User.cpp
CheckLocalUser4
LookUpAccountName5 Error 1(Username:SCHULER\wiersch)
SGN_MasterServicen.exe
SGMEntitiesn.dll
W32_User.cpp
CheckLocalUser4
LookUpAccountName5 Error 1(Username:SCHULER\wiersch)
SGNAuthServicen.exe
SGNAuthServicen.exe
LCClientService.cpp,
LCClientService::WatchingCorruptionSemaphore(
Local cache is corrupt, forcing shutdown
L.YD
SGNAuthServicen.exe
SGNAuthServicen.exe
LCClientService.cpp,
LCClientService::WatchingCorruptionSemaphore(
Local cache is corrupt, forcing shutdown
V.Y<
SGNAuthServicen.exe
SGMBASEN.dll
wnt\SGMFilesystemOperations.cpp
IsDirectory5
GetFileAttributes() failed with last error=0x00000570
V.Y<
SGNAuthServicen.exe
SGMBASEN.dll
wnt\SGMFilesystemOperations.cpp
IsDirectory5
GetFileAttributes() failed with last error=0x00000570
W.Y<
SGNAuthServicen.exe
SGMBASEN.dll
wnt\SGMFilesystemOperations.cpp
IsDirectory5
GetFileAttributes() failed with last error=0x00000570
W.Y<
SGNAuthServicen.exe
SGMBASEN.dll
wnt\SGMFilesystemOperations.cpp
IsDirectory5
GetFileAttributes() failed with last error=0x00000570
-W.Y<
SGNAuthServicen.exe
BEGina.dll
BEAuxFunct.cpp
AuxBackupOrRestore
BEGINA: Kernel Restore failed
XW.Y<
SGNAuthServicen.exe
SGNAuthServicen.exe
LCClientService.cpp,
LCClientService::WatchingCorruptionSemaphore(
Local cache is corrupt, forcing shutdown
Z.Y8
SGNAuthServicen.exe
BEGina.dll
BEAuxFunct.cpp
AuxBackupOrRestore
BEGINA: Kernel Restore failed
Z.Y8
SGNAuthServicen.exe
SGNAuthServicen.exe
LCClientService.cpp,
LCClientService::WatchingCorruptionSemaphore(
Local cache is corrupt, forcing shutdown
I would be glad to hear a way to solve this; I fear more locked computers.
Cheers,
Thorsten
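As an added triage aid (editor's example, not part of Thorsten's post and not a Sophos or McAfee tool): the six McAfee Access Protection lines quoted above can be parsed to see which processes are being blocked against which registry key, and whether the blocks come in a burst that lines up with the reboot loop the user reported. The parser assumes the German-locale VSE 8.8 log format exactly as quoted ("Blockiert durch Zugriffsschutzregel ... Blockierte Aktion: ..."); the 5-minute burst window and the 3-event threshold are assumed values chosen for illustration, not McAfee or Sophos settings.

```python
"""Triage helper for McAfee VSE Access Protection log lines (editor's example).

Groups blocked events by process/target/action and flags bursts of blocks
inside a short time window, which is what a reboot loop looks like in the log.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# The six Access Protection lines quoted in the post (German VSE 8.8 locale).
LOG_LINES = [
    r"31.05.2017 06:55:33 Blockiert durch Zugriffsschutzregel NT-AUTORITÄT\SYSTEM C:\PROGRAM FILES (X86)\SOPHOS\SAFEGUARD ENTERPRISE\CLIENT\SGNAUTHSERVICEN.EXE HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\MFEHIDK\ Common - Standardschutz:Veränderungen der McAfee-Dateien und -Einstellungen verhindern Blockierte Aktion: Schreiben",
    r"31.05.2017 07:40:39 Blockiert durch Zugriffsschutzregel NT-AUTORITÄT\SYSTEM C:\WINDOWS\SYSWOW64\BEFCSVCN.EXE HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\MFEHIDK\ Common - Standardschutz:Veränderungen der McAfee-Dateien und -Einstellungen verhindern Blockierte Aktion: Schreiben",
    r"31.05.2017 07:55:05 Blockiert durch Zugriffsschutzregel NT-AUTORITÄT\SYSTEM C:\WINDOWS\SYSWOW64\BEFCSVCN.EXE HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\MFEHIDK\ Common - Standardschutz:Veränderungen der McAfee-Dateien und -Einstellungen verhindern Blockierte Aktion: Schreiben",
    r"31.05.2017 07:55:37 Blockiert durch Zugriffsschutzregel NT-AUTORITÄT\SYSTEM C:\PROGRAM FILES (X86)\SOPHOS\SAFEGUARD ENTERPRISE\CLIENT\SGNAUTHSERVICEN.EXE HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\MFEHIDK\ Common - Standardschutz:Veränderungen der McAfee-Dateien und -Einstellungen verhindern Blockierte Aktion: Schreiben",
    r"31.05.2017 07:56:08 Blockiert durch Zugriffsschutzregel NT-AUTORITÄT\SYSTEM C:\WINDOWS\SYSWOW64\BEFCSVCN.EXE HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\MFEHIDK\ Common - Standardschutz:Veränderungen der McAfee-Dateien und -Einstellungen verhindern Blockierte Aktion: Schreiben",
    r"31.05.2017 07:56:25 Blockiert durch Zugriffsschutzregel SCHULER\wiersch C:\WINDOWS\EXPLORER.EXE HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\MFEHIDK\ Common - Standardschutz:Veränderungen der McAfee-Dateien und -Einstellungen verhindern Blockierte Aktion: Schreiben",
]

# Assumed line layout (German locale, as quoted in the post):
#   <dd.mm.yyyy hh:mm:ss> Blockiert durch Zugriffsschutzregel <user> <process.exe>
#   <target> - <rule> Blockierte Aktion: <action>
# Process paths contain spaces, so the process group stops at the first ".exe";
# the target group stops at the first " - " separator before the rule name.
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) "
    r"Blockiert durch Zugriffsschutzregel "
    r"(?P<user>\S+) "
    r"(?P<process>.+?\.exe) "
    r"(?P<target>.+?) - "
    r"(?P<rule>.+?) "
    r"Blockierte Aktion: (?P<action>\S+)$",
    re.IGNORECASE,
)


def parse_entry(line):
    """Return a dict for one Access Protection line, or None if it does not match."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d.%m.%Y %H:%M:%S")
    return entry


def parse_log(lines):
    """Parse all lines, silently skipping anything that is not a block event."""
    return [e for e in (parse_entry(l) for l in lines) if e is not None]


def summarize(entries):
    """Count blocked events per (process, target, action) triple."""
    return Counter((e["process"], e["target"], e["action"]) for e in entries)


def _describe(run):
    return {
        "start": run[0]["ts"],
        "end": run[-1]["ts"],
        "count": len(run),
        "processes": sorted({e["process"] for e in run}),
    }


def find_bursts(entries, window=timedelta(minutes=5), min_events=3):
    """Find runs of block events where each event follows the previous within `window`.

    Events from all processes are chained together, so a reboot loop in which
    several services retry the same write shows up as a single burst.
    """
    events = sorted(entries, key=lambda e: e["ts"])
    bursts, run = [], []
    for e in events:
        if run and e["ts"] - run[-1]["ts"] > window:
            if len(run) >= min_events:
                bursts.append(_describe(run))
            run = []
        run.append(e)
    if len(run) >= min_events:
        bursts.append(_describe(run))
    return bursts


if __name__ == "__main__":
    parsed = parse_log(LOG_LINES)
    for (proc, target, action), n in summarize(parsed).most_common():
        print(f"{n}x {action:<10} {proc} -> {target}")
    for b in find_bursts(parsed):
        print(f"burst: {b['count']} blocks {b['start']:%H:%M:%S}-{b['end']:%H:%M:%S}, "
              f"{len(b['processes'])} distinct processes")
```

On the quoted lines this reports three blocked writes from BEFCSVCN.EXE, two from SGNAUTHSERVICEN.EXE and one from EXPLORER.EXE, all against the same mfehidk key, and one burst of four blocks between 07:55:05 and 07:56:25. That burst, rather than the isolated 06:55 block, is the window to line up against the SafeGuard logfile.sgt entries when deciding whether the blocked writes and the "Local cache is corrupt, forcing shutdown" messages are related.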