Product
This release was developed for use with:
- VirusScan Enterprise: 8.8.0
Supported minimum versions:
- McAfee Agent: 4.0.0.1496
- Detection Definitions (DAT): 6400
- Scan Engine: 5.4.00
For a list of supported environments for VirusScan Enterprise 8.8 on Microsoft Windows, see (McAfee) KnowledgeBase article KB51111. McAfee Agent 4.0 is End of Life December 31, 2011. The latest McAfee Agent versions available are 4.5 and 4.6.
This document makes references to the following products as VirusScan Modules:
- McAfee® VirusScan® Enterprise for Offline Virtual Images 1.0
- McAfee® VirusScan® Enterprise for Offline Virtual Images 2.0
- McAfee® VirusScan® Enterprise for use with SAP NetWeaver® platform 1.0
- McAfee® VirusScan® Enterprise for Storage 1.0
- McAfee® Optimized Virtual Environments for Servers
- McAfee® Optimized Virtual Environments - Antivirus for Virtual Desktop Infrastructure
Rating
McAfee recommends this release for all environments. Patch 1 is considered a Mandatory Release Rating. See (McAfee) KnowledgeBase article KB51560 for information on ratings.
Mandatory
McAfee considers this release to be a required update for all environments. Mandatory Patches and Hotfixes resolve vulnerabilities that might affect product functionality and compromise security. These updates must be applied to maintain a viable and supported product. Failure to apply Mandatory updates might result in a security breach.
About
This release contains a variety of improvements and fixes. McAfee has spent a significant amount of time finding, fixing, and testing this release. However, it is strongly recommended to verify this update in test and pilot groups prior to mass deployment. Please review the Improvements, Known issues, and Resolved issues sections below for additional information.
This document supplements the product Release Notes in the release package.
File inventory
This release package contains the following files:
File name | Description |
Deferred.mfe | Installation support file |
PATCH1.HTM | This Release Notes document |
PATCH1.MSP | Microsoft Installer Patch file |
PKGCATALOG.Z | Package catalog file |
SETUP.EXE | Installer for this release |
SETUP.INI | Initialization file for SETUP.EXE |
VIRUSCAN8800(191).ZIP | ePolicy Orchestrator 4.x extension for VirusScan Enterprise |
VIRUSCANREPORTS120(136).ZIP | ePolicy Orchestrator 4.x Reports for VirusScan Enterprise |
VSE880DET.MCS | ePolicy Orchestrator detection script for VirusScan Enterprise |
The following files are updated with this Patch:
File name | Version |
adslokuu.dll | 14.4.0.354 |
BBCpl.dll | 8.8.0.849 |
csscan.exe | 14.4.0.354 |
dainstall.exe | 14.4.0.354 |
entvutil.exe | 14.4.0.354 |
ftl.dll | 14.4.0.354 |
lockdown.dll | 14.4.0.354 |
mcshield.dll | 14.4.0.354 |
mcshield.exe | 14.4.0.354 |
mcvssnmp.dll | 14.4.0.354 |
mfeann.exe | 14.4.0.354 |
mfeapconfig.dll | 14.4.0.457 |
mfeapfa.dll | 14.4.0.457 |
mfeapfk.sys | 14.4.0.457 |
mfeavfa.dll | 14.4.0.457 |
mfeavfk.sys | 14.4.0.457 |
mfebopa.dll | 14.4.0.457 |
mfebopk.sys | 14.4.0.457 |
mfeclnk.sys | 14.4.0.457 |
mfehida.dll | 14.4.0.457 |
mfehidin.exe | 14.4.0.457 |
mfehidk.sys | 14.4.0.457 |
mfehidk_messages.dll | 14.4.0.457 |
mfeOtlkAddin.dll | 14.4.0.354 |
mferkda.dll | 14.4.0.457 |
mferkdet.sys | 14.4.0.457 |
mfetdi2k.sys | 14.4.0.457 |
mfevtpa.dll | 14.4.0.457 |
mfevtps.exe | 14.4.0.457 |
mfewfpk.sys | 14.4.0.457 |
mytilus3.dll | 14.4.0.354 |
mytilus3_server.dll | 14.4.0.354 |
mytilus3_worker.dll | 14.4.0.354 |
naevent.dll | 14.4.0.354 |
naievent.dll | 14.4.0.354 |
OtlkScan.dll | 14.4.0.354 |
OtlkUI.dll | 14.4.0.354 |
scriptff.dll | 14.4.0.354 |
scriptsn.dll | 14.4.0.354 |
shstat.dll | 8.8.0.849 |
traceapp.dll | 14.2.0.0 |
VSCAN.BOF | 567 |
vsodscpl.dll | 8.8.0.849 |
Improvements
This release of the software includes the following improvements.
Patch 1
- The McAfee Link Driver has been updated to ensure the terminal server logoff does not finish before handles are cleaned up, in order to prevent a potential race condition.
- This release enhances the Self protection to prevent unauthorized access to critical VirusScan Enterprise processes. Please see Resolved issues, reference 643440, for further details.
- This release ships with a new Access Protection rule that hardens VirusScan Enterprise against malware that performs process injection. See (McAfee) KnowledgeBase article KB71083 and KB71812 for information regarding this improvement.
NOTE: The rule Common Standard Protection: Prevent hooking of McAfee processes is enabled by default. Legitimate applications are known to perform process injection, and this Access Protection rule might have indeterminate results with those legitimate applications. These same programs should be able to recover when failing to inject into processes. However, it is strongly recommended to verify this update in test and pilot groups prior to mass deployment.
- The ePolicy Orchestrator extension file has been updated to include management of the new Access Protection rule, Common Standard Protection: Prevent hooking of McAfee processes.
Resolved issues
The resolved issues are divided into subsections per Patch, showing when each fix was added to the compilation.
Patch 1
- Issue: Installation fails with ERROR 1920, citing 'The McShield Service failed to start'. This can occur when Microsoft Windows is installed to a sub-folder rather than the root. (Reference: 638858)
Resolution: The system core installer has been revised to recognize all system paths.
- Issue: A Bugcheck 5 error could occur if memory allocations are not checked for failure, resulting in an invalid memory reference. (Reference: 643013, 651019, 673463, 676448)
Resolution: The memory allocation is now checked for success prior to referencing it.
- Issue: Malicious software might change NTFS folder permissions on McAfee folders in order to disable the software. (Reference: 643440)
Resolution: Self protection now protects McAfee folders, files and registry data from permission changes.
- Issue: Process exclusion for Buffer Overflow was broken after introducing more granularities in Buffer Overflow exclusions using Module Name and API Name. (Reference: 651569, 686711, 687670)
Resolution: Process exclusions for Buffer Overflow work as expected on standalone machines, ePolicy Orchestrator managed systems and during ePolicy Orchestrator Policy Migration.
- Issue: When multiple signatures are included in an EXTRA.DAT, the buffer used to store the description information for the “About” window might not be large enough. (Reference: 651670)
Resolution: Buffer size for storing Extra.DAT signature information has been increased to 4 times its original size.
- Issue: When the option “Show add-in user interface error” is enabled in Outlook, the following pop-up error appears every time Outlook is started and the first e-mail is opened or created: “Custom UI Runtime Error in McAfee E-mail Scan Add-in”. (Reference: 651887, 656365, 656366, 656644, 656674, 656678, 657131, 657398, 657409, 657411, 657413, 657414, 657433, 661628, 675246)
Resolution: The McAfee E-mail Scan Add-in has been fixed to return the correct “success” code to Outlook. The pop-up error no longer appears.
- Issue: Files on network locations might trigger an unhandled exception leading to a system crash if the network experiences a failure or the object is unreadable. One report of this occurred when opening Outlook 2010 with PST files configured to reside on remote storage. (Reference: 660014, 663389, 665822, 667934)
Resolution: The exception is handled to avoid a system crash.
- Issue: Access Protection rules involving the block of System:Remote fail to enforce. This also applies to preventing remote access to shares. (Reference: 661424)
Resolution: VirusScan Enterprise identifies remote share access and enforces Access Protection rules that prevent remote access to shares.
- Issue: The XML file generated for Event 1202 contained incorrect values for GMTTime and UTCTime fields. (Reference: 661702, 676893)
Resolution: GMTTime and UTCTime fields for Event 1202 now have the correct time information.
- Issue: A Bugcheck C2, “Bad_Pool_Caller” error, could occur under varied conditions. One instance was triggered when using Virtual Machine Converter. (Reference: 662350, 666697, 673448, 678179, 690657, 691258)
Resolution: A memory corruption issue has been resolved.
- Issue: A variety of symptoms, including an application crash, might occur with the ScriptScan feature disabled. (Reference: 662684, 665748, 668796, 668807, 669035, 669605, 669773, 669875, 671666, 671668, 671671, 671672, 672710, 675259, 675261, 676492, 685467, 685551, 685566, 685650, 686667, 686828, 687336, 693321, 696789, 696834)
Resolution: ScriptScan DLLs are no longer accessed if the feature is disabled.
- Issue: An attempt to add an exclusion to the Access Protection rule "Protect Internet Explorer favorites and settings" failed when the edit box reached its maximum limit. (Reference: 663135)
Resolution: Buffer size for storing processes to exclude has been increased, enabling customers to add exclusions.
- Issue: When filtering network Input/Output, a timing issue could occur, leading to a kernel thread stack exhaustion. This issue could result in a system crash. (Reference: 664539, 665345)
Resolution: VirusScan Enterprise now uses a Deferred Procedure Call to ensure a fresh thread stack.
- Issue: A bugcheck 50 error could occur when a McAfee driver encountered unexpected data while examining loaded resources of a third-party application. (Reference: 667172)
Resolution: The McAfee driver has been updated to handle this situation.
- Issue: A memory leak could occur with the process validation service and the Microsoft .NET runtime support library, mscoree.dll. (Reference: 673462)
Resolution: Changes made to the process validation service have removed the dependency of the Microsoft .NET runtime support library, mscoree.dll.
- Issue: When Hotfix 660014, which introduces folder permission restrictions, is installed, McAfee Agent installations might be blocked by an Access Protection rule. (Reference: 684965, 686259, 686272)
Resolution: The McAfee Agent is no longer blocked when trying to set folder permissions.
- Issue: A defect in the matching engine prevents the deletion of folder names that are a substring of “Program Files”, such as “c:\pro” or “c:\prog”. (Reference: 685273)
Resolution: The matching engine now only matches complete folder names, so deleting “Program Files” is prevented, but deleting “C:\pro”, “c:\prog”, or other substrings is allowed.
- Issue: An issue in the clean-file scan cache logic was identified on systems supporting the Server Message Block 2 (SMB2) protocol that could allow files to be written to a share and not be scanned. (Reference: 686645, 686650, 690277)
Resolution: When On-Access Scanner tries to scan a share file and the scan does not succeed, the scanner now returns an OPLOCK error to McShield. McShield returns NOTSCANNED status to the driver and the file is not added to the cache, causing the file to be scanned when accessed.
- Issue: When Hotfix 660014, which introduces Access Protection rule: Prevent modification of McAfee files and settings, is installed, VirusScan Enterprise prevents installation and adding features to Windows systems. (Reference: 691269, 691651)
Resolution: VSCAN.BOF content file has been modified to properly restrict access to McAfee files and settings.
- Issue: The On-Demand Scanner cleanup events (1034, 1035, 1202, and 1203) have timestamps that are identical to the On-Demand Scanner start time. (Reference: 691660)
Resolution: VirusScan Enterprise now obtains the current time before generating On-Demand Scan cleanup events.
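An added illustration of the matching defect in reference 685273 (not McAfee code; these notes do not describe the engine's internals): a hypothetical matcher that compares only the overlapping characters blocks "c:\pro", while one that compares complete folder names does not. Treating folders beneath the protected one as protected, and the sample targets, are assumptions of this example.

```python
import ntpath

PROTECTED = r"C:\Program Files"  # protected folder named in the release note

# Constructed delete targets used to compare the two matchers.
SAMPLE_TARGETS = [
    r"c:\pro", r"c:\prog", r"C:\Program Files", "C:/PROGRAM FILES/",
    r"C:\Program Files\McAfee", r"C:\Program Files (x86)", r"D:\pro",
]


def _norm(path):
    # Windows paths are case-insensitive: unify separators and case and
    # drop any trailing separator before comparing.
    return ntpath.normcase(ntpath.normpath(path))


def buggy_is_protected(target, protected=PROTECTED):
    """Hypothetical defect: compare only the characters both strings share."""
    t, p = _norm(target), _norm(protected)
    n = min(len(t), len(p))
    return t[:n] == p[:n]


def _components(path):
    # Split into drive plus complete folder names, e.g. ["c:", "program files"].
    drive, rest = ntpath.splitdrive(_norm(path))
    return [drive] + [c for c in rest.split("\\") if c]


def fixed_is_protected(target, protected=PROTECTED):
    """Match complete folder names only. Assumption of this example:
    anything beneath the protected folder is protected as well."""
    t, p = _components(target), _components(protected)
    return len(t) >= len(p) and t[:len(p)] == p


def wrongly_blocked(targets=SAMPLE_TARGETS):
    """Targets the character-prefix matcher blocks but the fixed one allows."""
    return [t for t in targets
            if buggy_is_protected(t) and not fixed_is_protected(t)]


if __name__ == "__main__":
    for target in SAMPLE_TARGETS:
        print(f"{target!r:32} buggy={buggy_is_protected(target)!s:5} "
              f"fixed={fixed_is_protected(target)}")
    print("wrongly blocked:", wrongly_blocked())
```

The same target list can serve as a regression set when testing folder-based exclusions or block rules after a rule-engine update.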
Installation instructions
- To use this release, you must have VirusScan Enterprise 8.8 software installed on the computer you intend to update with this release.
- This release does not work with earlier versions of McAfee VirusScan Enterprise software.
- A reboot might be needed to fully load the system drivers into memory.
- The package installation does not force the reboot.
Standalone instructions
1. Extract the Patch files to a temporary folder on your hard drive.
2. Double-click the file SetupVSE.Exe inside the temporary folder created in Step 1.
3. Follow the instructions of the installation wizard.
Installation steps for ePolicy Orchestrator
1. On the computer where the ePolicy Orchestrator console resides, extract the Patch zip file to a temporary folder on your hard drive.
2. Open the ePolicy Orchestrator console and add the package from the temporary folder created in Step 1 to the repository.
3. If newer versions of the extension or report files are included with the package, they must be checked into the ePolicy Orchestrator repository separately.
NOTE: Refer to Checking in Packages Manually in the ePolicy Orchestrator online Help, for instructions on adding a package to the repository. The package type is Product or Update (.ZIP).
Removing installation
Windows Installer 3.x and later support the rolling back of Patches. This can be done in one of two ways.
- For Windows XP, Windows 2003, Windows Vista, Windows 2008, and Windows 7 operating systems, the Patch can be removed manually via Add/Remove Programs if the user has administrative rights to the local system.
- For all operating systems that support Windows Installer 3.x, a command-line option can be used to remove the Patch silently.
Example: C:\WINDOWS\system32\Msiexec.exe /I {CE15D1B6-19B6-4D4D-8F43-CF5D2C3356FF} MSIPATCHREMOVE={3B2C6116-6F11-4A6E-846A-4F0708936E16} /q
- The GUID information used here changes from one Patch to another. Always use the information in the Release Notes for the Patch that you are removing.
- Because the Patch is removed via MSIEXEC, the functions inside setup.exe, which normally prevent reboots from occurring during silent processes, are not executed. In order to prevent a possible automatic reboot from occurring after a Patch removal, simply add the REBOOT=R parameter to the command-line option above.
- Patch removal is an MSI reinstall function. When a Patch is removed, all features affected by the Patch are reset to installation defaults. Any features not modified by the Patch are left with their current settings.
- Update VirusScan Enterprise after removing the Patch to ensure that the latest versions of the engine and DAT files are run.
Important Notice: Removing Patch 1 from a client system places the client system in an unsupported state. See Known Issues for further details.
Verifying installation
Always reboot the client system before validating that the installation was successful.
- Open the VirusScan Enterprise Console and select Help | About VirusScan Enterprise, from the menu. The About VirusScan Enterprise window, Installed Patches, displays "1".
- Confirm that the expected files are installed by checking the version number of individual files. File versions should match the list of files in File inventory section above.
NOTE: Patch releases are not displayed or do not report that the Patch is installed if an error occurred during installation, or if a file did not install correctly.
NOTE: Once the extensions are updated, the version can be verified in the ePolicy Orchestrator Extensions list (see File inventory for version information).
Reporting
There is update information in the ePolicy Orchestrator properties section for each computer. The ePolicy Orchestrator Properties tab displays two entries in the VirusScan 8.8 General branch:
- Patch: Displays the current Patch installed.
- Fixes: Displays any number of Hotfixes listed in the registry.
License attributions
COPYRIGHT
Copyright © 2011 McAfee, Inc. All Rights Reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.