McAfee® VirusScan® Enterprise Version 8.8 Patch 1 Release Notes

Thank you for using McAfee software. This document contains important information about this release. McAfee strongly recommends that you read the entire document.

Version

Patch 1

Refer to (McAfee) KnowledgeBase article KB65944 for the most current information regarding this release.

Product

This release was developed for use with:

Supported minimum versions:

For a list of supported environments for VirusScan Enterprise 8.8 on Microsoft Windows, see (McAfee) KnowledgeBase article KB51111. McAfee Agent 4.0 is End of Life December 31, 2011. The latest McAfee Agent versions available are 4.5 and 4.6.

This document makes references to the following products as VirusScan Modules:

Release date

September 13, 2011

Rating

McAfee recommends this release for all environments. Patch 1 is considered a Mandatory Release Rating. See (McAfee) KnowledgeBase article KB51560 for information on ratings.

About

This release contains a variety of improvements and fixes. McAfee has spent a significant amount of time finding, fixing, and testing this release. However, it is strongly recommended to verify this update in test and pilot groups prior to mass deployment. Please review the Improvements, Known issues, and Resolved issues sections below for additional information.

This document supplements the product Release Notes in the release package.

File inventory

This release package contains the following files:

    File name                    Description
    Deferred.mfe                 Installation support file
    PATCH1.HTM                   This Release Notes document
    PATCH1.MSP                   Microsoft Installer Patch file
    PKGCATALOG.Z                 Package catalog file
    SETUP.EXE                    Installer for this release
    SETUP.INI                    Initialization file for SETUP.EXE
    VIRUSCAN8800(191).ZIP        ePolicy Orchestrator 4.x extension for VirusScan Enterprise
    VIRUSCANREPORTS120(136).ZIP  ePolicy Orchestrator 4.x Reports for VirusScan Enterprise
    VSE880DET.MCS                ePolicy Orchestrator detection script for VirusScan Enterprise

The following files are updated with this Patch:

    File name             Version
    adslokuu.dll          14.4.0.354
    BBCpl.dll             8.8.0.849
    csscan.exe            14.4.0.354
    dainstall.exe         14.4.0.354
    entvutil.exe          14.4.0.354
    ftl.dll               14.4.0.354
    lockdown.dll          14.4.0.354
    mcshield.dll          14.4.0.354
    mcshield.exe          14.4.0.354
    mcvssnmp.dll          14.4.0.354
    mfeann.exe            14.4.0.354
    mfeapconfig.dll       14.4.0.457
    mfeapfa.dll           14.4.0.457
    mfeapfk.sys           14.4.0.457
    mfeavfa.dll           14.4.0.457
    mfeavfk.sys           14.4.0.457
    mfebopa.dll           14.4.0.457
    mfebopk.sys           14.4.0.457
    mfeclnk.sys           14.4.0.457
    mfehida.dll           14.4.0.457
    mfehidin.exe          14.4.0.457
    mfehidk.sys           14.4.0.457
    mfehidk_messages.dll  14.4.0.457
    mfeOtlkAddin.dll      14.4.0.354
    mferkda.dll           14.4.0.457
    mferkdet.sys          14.4.0.457
    mfetdi2k.sys          14.4.0.457
    mfevtpa.dll           14.4.0.457
    mfevtps.exe           14.4.0.457
    mfewfpk.sys           14.4.0.457
    mytilus3.dll          14.4.0.354
    mytilus3_server.dll   14.4.0.354
    mytilus3_worker.dll   14.4.0.354
    naevent.dll           14.4.0.354
    naievent.dll          14.4.0.354
    OtlkScan.dll          14.4.0.354
    OtlkUI.dll            14.4.0.354
    scriptff.dll          14.4.0.354
    scriptsn.dll          14.4.0.354
    shstat.dll            8.8.0.849
    traceapp.dll          14.2.0.0
    VSCAN.BOF             567
    vsodscpl.dll          8.8.0.849

Improvements

This release of the software includes the following improvements.

Resolved issues

The resolved issues are divided into subsections per Patch, showing when each fix was added to the compilation.

Patch 1

  1. Issue: Installation fails with ERROR 1920, citing 'The McShield Service failed to start'. This can occur when Microsoft Windows is installed to a sub-folder rather than the root. (Reference: 638858)
    Resolution: The system core installer has been revised to recognize all system paths.
  2. Issue: A Bugcheck 5 error could occur if memory allocations are not checked for failure, resulting in an invalid memory reference. (Reference: 643013, 651019, 673463, 676448)
    Resolution: The memory allocation is now checked for success prior to referencing it.
  3. Issue: Malicious software might change NTFS folder permissions on McAfee folders in order to disable the software. (Reference: 643440)
    Resolution: Self protection now protects McAfee folders, files and registry data from permission changes.
  4. Issue: Process exclusion for Buffer Overflow was broken after finer-grained Buffer Overflow exclusions using Module Name and API Name were introduced. (Reference: 651569, 686711, 687670)
    Resolution: Process exclusions for Buffer Overflow work as expected on standalone machines, ePolicy Orchestrator managed systems and during ePolicy Orchestrator Policy Migration.
  5. Issue: When multiple signatures are included in an EXTRA.DAT, the buffer used to store the description information for the “About” window might not be large enough. (Reference: 651670)
    Resolution: Buffer size for storing Extra.DAT signature information has been increased to 4 times its original size.
  6. Issue: When the option “Show add-in user interface error” is enabled in Outlook, the following pop-up error appears every time Outlook is started and the first e-mail is opened or created: “Custom UI Runtime Error in McAfee E-mail Scan Add-in”. (Reference: 651887, 656365, 656366, 656644, 656674, 656678, 657131, 657398, 657409, 657411, 657413, 657414, 657433, 661628, 675246)
    Resolution: The McAfee E-mail Scan Add-in has been fixed to return the correct “success” error code to Outlook. The pop-up error no longer appears.
  7. Issue: Files on network locations might trigger an unhandled exception leading to a system crash if the network experiences a failure or the object is unreadable. One report of this occurred when opening Outlook 2010 with PST files configured to reside on remote storage. (Reference: 660014, 663389, 665822, 667934)
    Resolution: The exception is handled to avoid a system crash.
  8. Issue: Access Protection rules involving the block of System:Remote fail to enforce. This also applies to preventing remote access to shares. (Reference: 661424)
    Resolution: VirusScan Enterprise identifies remote share access and enforces Access Protection rules that prevent remote access to shares.
  9. Issue: The XML file generated for Event 1202 contained incorrect values for GMTTime and UTCTime fields. (Reference: 661702, 676893)
    Resolution: GMTTime and UTCTime fields for Event 1202 now have the correct time information.
  10. Issue: A Bugcheck C2, “Bad_Pool_Caller” error, could occur under varied conditions. One instance was triggered when using Virtual Machine Converter. (Reference: 662350, 666697, 673448, 678179, 690657, 691258)
    Resolution: A memory corruption issue has been resolved.
  11. Issue: A variety of symptoms, including an application crash, might occur with the ScriptScan feature disabled. (Reference: 662684, 665748, 668796, 668807, 669035, 669605, 669773, 669875, 671666, 671668, 671671, 671672, 672710, 675259, 675261, 676492, 685467, 685551, 685566, 685650, 686667, 686828, 687336, 693321, 696789, 696834)
    Resolution: ScriptScan DLLs are no longer accessed if the feature is disabled.
  12. Issue: An attempt to add an exclusion to the Access Protection rule "Protect Internet Explorer favorites and settings" failed when the edit box reached its maximum limit. (Reference: 663135)
    Resolution: Buffer size for storing processes to exclude has been increased, enabling customers to add exclusions.
  13. Issue: When filtering network Input/Output, a timing issue could occur, leading to a kernel thread stack exhaustion. This issue could result in a system crash. (Reference: 664539, 665345)
    Resolution: VirusScan Enterprise now uses a Deferred Procedure Call to ensure a fresh thread stack.
  14. Issue: A bugcheck 50 error could occur when a McAfee driver encountered unexpected data while examining loaded resources of a third-party application. (Reference: 667172)
    Resolution: The McAfee driver has been updated to handle this situation.
  15. Issue: A memory leak could occur with the process validation service and the Microsoft .NET runtime support library, mscoree.dll. (Reference: 673462)
    Resolution: Changes made to the process validation service have removed the dependency on the Microsoft .NET runtime support library, mscoree.dll.
  16. Issue: When Hotfix 660014, which introduces folder permission restrictions, is installed, McAfee Agent installations might be blocked by an Access Protection rule. (Reference: 684965, 686259, 686272)
    Resolution: The McAfee Agent is no longer blocked when trying to set folder permissions.
  17. Issue: A defect in the matching engine prevents the deletion of folder names that are a substring of “Program Files”, such as “c:\pro” or “c:\prog”. (Reference: 685273)
    Resolution: The matching engine now only matches complete folder names, so deleting “Program Files” is prevented, but deleting “C:\pro”, “c:\prog”, or other substrings is allowed.
  18. Issue: An issue in the clean-file scan cache logic was identified on systems supporting the Server Message Block 2 (SMB2) protocol that could allow files to be written to a share and not be scanned. (Reference: 686645, 686650, 690277)
    Resolution: When On-Access Scanner tries to scan a share file and the scan does not succeed, the scanner now returns an OPLOCK error to McShield. McShield returns NOTSCANNED status to the driver and the file is not added to the cache, causing the file to be scanned when accessed.
  19. Issue: When Hotfix 660014, which introduces Access Protection rule: Prevent modification of McAfee files and settings, is installed, VirusScan Enterprise prevents installation and adding features to Windows systems. (Reference: 691269, 691651)
    Resolution: The VSCAN.BOF content file has been modified to properly restrict access to McAfee files and settings.
  20. Issue: The On-Demand Scanner cleanup events (1034, 1035, 1202, and 1203) have timestamps that are identical to the On-Demand Scanner start time. (Reference: 691660)
    Resolution: VirusScan Enterprise now obtains the current time before generating On-Demand Scanner cleanup events.
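
Issue 17 above is a path-matching defect: a rule meant to protect one folder also matched shorter names. The sketch below is an added example, not McAfee code; it models the described behaviour with a prefix comparison (an assumption about the cause) beside a whole-folder-name comparison. The rule path, function names and sample targets are constructed for illustration.

```python
from pathlib import PureWindowsPath

# Constructed rule: the folder a delete-protection rule guards (assumption).
PROTECTED = r"C:\Program Files"

# Constructed delete targets used to compare the two matchers.
SAMPLES = [r"c:\pro", r"c:\prog", r"C:\Program Files",
           r"c:\PROGRAM FILES", r"C:\Programs"]


def blocks_delete_flawed(target, protected=PROTECTED):
    # Flawed model: the rule fires when the target is a leading substring
    # of the protected path, so shorter folder names are caught as well.
    return protected.lower().startswith(target.rstrip("\\/").lower())


def blocks_delete_fixed(target, protected=PROTECTED):
    # Whole-name model: split both paths into components and require every
    # folder name to be equal (case-insensitive, as on Windows file systems).
    t = [part.lower() for part in PureWindowsPath(target).parts]
    p = [part.lower() for part in PureWindowsPath(protected).parts]
    return t == p


def wrongly_blocked(targets):
    # Targets the flawed matcher blocks although they are not the protected folder.
    return [t for t in targets
            if blocks_delete_flawed(t) and not blocks_delete_fixed(t)]


if __name__ == "__main__":
    for path in SAMPLES:
        print(f"{path!r:24} flawed={blocks_delete_flawed(path)} "
              f"fixed={blocks_delete_fixed(path)}")
    print("wrongly blocked:", wrongly_blocked(SAMPLES))
```
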

Installation instructions

Standalone instructions

  1. Extract the Patch files to a temporary folder on your hard drive.
  2. Double-click the file SetupVSE.Exe inside the temporary folder created in Step 1.
  3. Follow the instructions of the installation wizard.

Installation steps for ePolicy Orchestrator

  1. On the computer where the ePolicy Orchestrator console resides, extract the Patch zip file to a temporary folder on your hard drive.
  2. Open the ePolicy Orchestrator console and add the package from the temporary folder created in Step 1 to the repository.
  3. If newer versions of the extension or report files are included with the package, they must be checked into the ePolicy Orchestrator repository separately.


NOTE: Refer to Checking in Packages Manually in the ePolicy Orchestrator online Help, for instructions on adding a package to the repository. The package type is Product or Update (.ZIP).

Removing installation

Windows Installer 3.x and later now support the rolling back of Patches. This can be done in one of two ways.

  • For Windows XP, Windows 2003, Windows Vista, Windows 2008, and Windows 7 operating systems, the Patch can be removed manually via Add/Remove Programs if the user has administrative rights to the local system.
  • For all operating systems that support Windows Installer 3.x, a command-line option can be used to remove the Patch silently.

    Example: C:\WINDOWS\system32\Msiexec.exe /I {CE15D1B6-19B6-4D4D-8F43-CF5D2C3356FF} MSIPATCHREMOVE={3B2C6116-6F11-4A6E-846A-4F0708936E16} /q
  • The GUID information used here changes from one Patch to another. Always use the information in the Release Notes for the Patch that you are removing.
  • Because the Patch is removed via MSIEXEC, the functions inside setup.exe, which normally prevent reboots from occurring during silent processes, are not executed. In order to prevent a possible automatic reboot from occurring after a Patch removal, simply add the REBOOT=R parameter to the command-line option above.
  • Patch removal is an MSI reinstall function. When a Patch is removed, all features affected by the Patch are reset to installation defaults. Any features not modified by the Patch are left with their current settings.
  • Update VirusScan Enterprise after removing the Patch to ensure that the latest versions of the engine and DAT files are run.

Important Notice: Removing Patch 1 from a client system places the client system in an unsupported state. See Known Issues for further details.

Verifying installation

Always reboot the client system prior to validating that the installation was successful.

Reporting

There is update information in the ePolicy Orchestrator properties section for each computer. The ePolicy Orchestrator Properties tab displays two entries in the VirusScan 8.8 General branch:

    Patch - Displays the current Patch installed.

    Fixes - Displays any number of Hotfixes listed in the registry.

Known issues

Here is a list of known issues that we were aware of at production time.

  1. Issue: Common Standard Protection: Prevent hooking of McAfee processes is a specialized Access Protection rule that can only be enabled or disabled. It will not be possible to exclude or include additional processes in this rule due to its unique design.
  2. Issue: After installing Patch 1, you must restart the MOVE-AV service or restart the system.
  3. Issue: Access Protection rules are not localized with this release. Localization is planned to be re-established with future patch releases.
  4. Issue: Uninstalling VirusScan Enterprise 8.8 Patch 1 might remove some critical files shared by other McAfee products and is not supported for this release. If an uninstallation is performed, then this release must be re-applied (as a minimum) before the system can be supported again.
  5. Issue: Microsoft update or product feature might fail to install when Access Protection is enabled. See (McAfee) KnowledgeBase article KB72458 for information regarding this issue.
  6. Issue: A rare Bugcheck might occur if the On-Access Scanner service is paused, disabled or restarted and the system is immediately shut down or restarted. See (McAfee) KnowledgeBase article KB72678 for information regarding this issue.
  7. Issue: Uninstalling VirusScan Enterprise 8.8 Patch 1 enables the Trusted installers option in the On-Access Scanner properties. McAfee intends to address this issue with future patch releases.

License attributions

COPYRIGHT

Copyright © 2011 McAfee, Inc. All Rights Reserved.

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS

AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.