McAfee 8.0 problem on XP

Sam

I've noticed the following item in the Event Viewer:
Event Type: Error
Event Source: McLogEvent
Event Category: None
Event ID: 5050
Date: 4/28/2004
Time: 5:12:49 PM
User: SAM1\Sam
Computer: SAM1
Description:
The McShield scanning service cannot get the TCB privelege
Please check that the account McShield is running under has the "Act as part of the operating system" right.

Also, when I try to access the McShield Service, it complains that "the
specified device instance handle does not correspond to a present device."
I've checked and C:\Program Files\McAfee.com\vso\mcshield.exe exists and
has all the normal permissions.

Does anyone know what's going on here? McAfee VirusScan seems to be working
OK otherwise.

Thanks.

Sam
 
I've noticed the following item in the Event Viewer:


Also, when I try to access the McShield Service, it complains that
"the specified device instance handle does not correspond to a present
device." I've checked and C:\Program Files\McAfee.com\vso\mcshield.exe
exists and has all the normal permissions.

Does anyone know what's going on here? McAfee VirusScan seems to be
working OK otherwise.

What it means is below.

Some privileges, such as Act as Part of the Operating System and Debug
Programs, are extremely potent. An account having the Act as Part of the
Operating System privilege (also referred to as the Trusted Computing
Base or TCB privilege) essentially behaves as a highly trusted system
component. No privilege is more trusted than the TCB privilege, therefore
the only account that has it by default is LocalSystem.

What I suspect here is that the service which can be accessed off of
Control Panel/Administrative Tools *double-click the service in question*
Logon tab and if the service is not using *LocalSystem* and is set to
*This Account* with some user-id and psw, then the account doesn't have
the privileges like the LocalSystem account and it needs the account that
the O/S uses.

I suggest you use LocalSystem account to run the service.

That may be your problem and how it was set to another type of account,
if that is what happened, I don't know. And any of the rest you speak of,
I don't know. :)

Of course, the only way you can get there is with an Admin account to
change the settings.


Duane :)
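One way to check the things described above from a command line instead of clicking through the Services console, as an added example that is not part of the thread (it assumes Windows PowerShell, a service named McShield as in the event text, and an Administrator prompt):

```powershell
# Added example, not from the thread: report the McShield service's logon
# account, state and binary, list recent McLogEvent 5050 errors, and show
# whether local policy grants SeTcbPrivilege ("Act as part of the operating
# system") to any account. The service name is assumed from the posted event.
$svcName = 'McShield'

$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$svcName'"
if (-not $svc) {
    Write-Host "Service '$svcName' is not installed on this machine."
} else {
    Write-Host ("{0}: state={1} startmode={2} account={3}" -f `
        $svc.Name, $svc.State, $svc.StartMode, $svc.StartName)
    Write-Host ("  binary: {0}" -f $svc.PathName)
    # LocalSystem holds the TCB privilege implicitly; any other account must
    # be granted the right explicitly through User Rights Assignment.
    if ($svc.StartName -eq 'LocalSystem') {
        Write-Host "  Runs as LocalSystem, so the TCB right is implicit; event 5050 then points at the product rather than the logon account."
    } else {
        Write-Host "  Runs as '$($svc.StartName)': grant that account SeTcbPrivilege or switch the service to LocalSystem."
    }
}

# Recent McLogEvent 5050 entries from the Application log (the one quoted above).
$hits = Get-EventLog -LogName Application -Source McLogEvent -EntryType Error `
            -Newest 200 -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 5050 }
Write-Host ("McLogEvent 5050 entries found: {0}" -f @($hits).Count)
$hits | Select-Object -First 3 | ForEach-Object {
    Write-Host ("  {0}  {1}" -f $_.TimeGenerated, ($_.Message -split "`n")[0])
}

# Export User Rights Assignment and look for an explicit SeTcbPrivilege grant.
$inf = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $inf -Pattern '^SeTcbPrivilege' | Select-Object -First 1
if ($line) {
    Write-Host ("Policy grant: {0}" -f $line.Line.Trim())   # accounts/SIDs after '='
} else {
    Write-Host "SeTcbPrivilege is not granted to any account by local policy (the XP default)."
}
Remove-Item $inf -ErrorAction SilentlyContinue
```

If the service already runs as LocalSystem and no policy grant is missing, the 5050 error is not a logon-account problem, which is the point the thread eventually reaches.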
 
Sometime on, or about Thu, 29 Apr 2004 02:14:36 GMT, Duane Arnold
scribbled:
What it means is below.

Some privileges, such as Act as Part of the Operating System and Debug
Programs, are extremely potent. An account having the Act as Part of the
Operating System privilege (also referred to as the Trusted Computing
Base or TCB privilege) essentially behaves as a highly trusted system
component. No privilege is more trusted than the TCB privilege, therefore
the only account that has it by default is LocalSystem.

What I suspect here is that the service which can be accessed off of
Control Panel/Administrative Tools *double-click the service in question*
Logon tab and if the service is not using *LocalSystem* and is set to
*This Account* with some user-id and psw, then the account doesn't have
the privileges like the LocalSystem account and it needs the account that
the O/S uses.

I suggest you use LocalSystem account to run the service.

That may be your problem and how it was set to another type of account,
if that is what happened, I don't know. And any of the rest you speak of,
I don't know. :)

Of course, the only way you can get there is with an Admin account to
change the settings.

Duane :)

Thanks for the response. It is running as LocalSystem. In fact all services,
except those running as a Network service have that privilege on my system.
That's that part I couldn't figure out. I'm the only one who uses this
computer and I have full administrative privileges.

Sam
 
Sam said:
Sometime on, or about Thu, 29 Apr 2004 02:14:36 GMT, Duane Arnold
scribbled:
Thanks for the response. It is running as LocalSystem. In fact all services,
except those running as a Network service have that privilege on my system.
That's that part I couldn't figure out. I'm the only one who uses this
computer and I have full administrative privileges.

Mcshield.exe is listed in the link.



http://securityresponse.symantec.com/avcenter/venc/data/[email protected]



I am not saying your machine has been compromised. And it may not be by the
particular exploit above, but something is not right here. :) By reading
the message you posted above, it appears to me that the McShield scanning
service may possibly not even be running. It doesn't appear to be running as
it barks on the TCB privileges it must have that not even your Admin account
can provide.



You may want to hit the machine with Trend Micro House Call - an on line AV
scanner, just on GP. :)



Also, the (free) Process Explorer, which will allow you to look at processes
running and also the processes the running processes are running, to help
you make a determination as to what is happening/running on the machine.
Active Ports (free) will help you determine if any connections to unknown
IP(s) are being made.



You may also want to harden the XP O/S to attack a little bit, if you have
not already done so.



http://www.uksecurityonline.com/index5.php



After you make your determination with a possible solution if anything is
really wrong or not, you may want to use the Host as a prevention measure.



http://www.mvps.org/winhelp2002/hosts.htm

http://www.snapfiles.com/get/hoststoggle.html



I think Active Ports and Process Explorer are at SnapFile.



HTH



Duane :)
 
Sometime on, or about Thu, 29 Apr 2004 03:44:04 GMT, Duane Arnold
scribbled:
Mcshield.exe is listed in the link.

http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

I am not saying your machine has been compromised. And it may not be by the
particular exploit above, but something is not right here. :) By reading
the message you posted above, it appears to me that the McShield scanning
service may possibly not even be running. It doesn't appear to be running as
it barks on the TCB privileges it must have that not even your Admin account
can provide.

You may want to hit the machine with Trend Micro House Call - an on line AV
scanner, just on GP. :)

Also, the (free) Process Explorer, which will allow you to look at processes
running and also the processes the running processes are running, to help
you make a determination as to what is happening/running on the machine.
Active Ports (free) will help you determine if any connections to unknown
IP(s) are being made.

You may also want to harden the XP O/S to attack a little bit, if you have
not already done so.

http://www.uksecurityonline.com/index5.php

After you make your determination with a possible solution if anything is
really wrong or not, you may want to use the Host as a prevention measure.

http://www.mvps.org/winhelp2002/hosts.htm

http://www.snapfiles.com/get/hoststoggle.html

I think Active Ports and Process Explorer are at SnapFile.

HTH

Duane :)

Hmmm! The service "says" that it's running. I also checked the Task Manager
and I did see that something called McShield.exe running. I'll try an
online virus checker just to be safe though.

I thought I was reasonably secure... I'm behind a router with NAT and run a
software Firewall (ZoneAlarm Pro) as well. Every GRC test shows me as
completely stealthed. I keep my system up-to-date with the most current
patches and have been running an Anti-Virus program.

Sam
 
Sometime on, or about Thu, 29 Apr 2004 03:44:04 GMT, Duane Arnold
scribbled:


Hmmm! The service "says" that it's running. I also checked the Task
Manager and I did see that something called McShield.exe running. I'll
try an online virus checker just to be safe though.

I thought I was reasonably secure... I'm behind a router with NAT and
run a software Firewall (ZoneAlarm Pro) as well. Every GRC test shows
me as completely stealthed. I keep my system up-to-date with the most
current patches and have been running an Anti-Virus program.

It's good that you have all of that. And I also have a NAT router,
BlackIce, IPsec to better secure the LAN with the machines, along with
*hardening* the XP and Win 2K machines and running Ad-aware and an AV. I
also know that it means nothing once malware has hit the machine as it
can defeat and circumvent all of it.

IPsec can get to the TCP/IP first at boot, which has a chance to stop
something outbound at boot because it's integrated with the O/S. I don't
think ZA has a chance at boot to get to the TCP/IP first before malware
can get there on outbound, since it's not integrated with the O/S.

Also, the XP's SP2 FW will be able to get to the TCP/IP connection first
at boot, since it is also integrated with the O/S.

http://www.petri.co.il/block_ping_traffic_with_ipsec.htm
http://www.analogx.com/contents/articles/ipsec.htm

You best be looking around from time to time for yourself with some
tools, instead of that *I am stealth nonsense* and what ZA may be telling
you, although you're kind of truly stealthed behind that NAT router.

It starts with the O/S and if it's not secure, then how can anything on
the machine be secure.

Duane :)
 
Sometime on, or about Thu, 29 Apr 2004 05:06:57 GMT, Duane Arnold
scribbled:
It's good that you have all of that. And I also have a NAT router,
BlackIce, IPsec to better secure the LAN with the machines, along with
*hardening* the XP and Win 2K machines and running Ad-aware and an AV. I
also know that it means nothing once malware has hit the machine as it
can defeat and circumvent all of it.

IPsec can get to the TCP/IP first at boot, which has a chance to stop
something outbound at boot because it's integrated with the O/S. I don't
think ZA has a chance at boot to get to the TCP/IP first before malware
can get there on outbound, since it's not integrated with the O/S.

Also, the XP's SP2 FW will be able to get to the TCP/IP connection first
at boot, since it is also integrated with the O/S.

http://www.petri.co.il/block_ping_traffic_with_ipsec.htm
http://www.analogx.com/contents/articles/ipsec.htm

You best be looking around from time to time for yourself with some
tools, instead of that *I am stealth nonsense* and what ZA may be telling
you, although you're kind of truly stealthed behind that NAT router.

It starts with the O/S and if it's not secure, then how can anything on
the machine be secure.

Duane :)

Online AV scan turned up nothing. I've run AdAware, SpyBot and
PestPatrol... nothing. I totally uninstalled McAfee and deleted any
reference to them in the registry. I reinstalled and I still get the "the
specified device instance handle does not correspond to a
present device" error when I access Properties of the Service. I'm now
wondering if this is done by design for some strange reason?

Sam
 
Online AV scan turned up nothing. I've run AdAware, SpyBot and
PestPatrol... nothing. I totally uninstalled McAfee and deleted any
reference to them in the registry. I reinstalled and I still get the "the
specified device instance handle does not correspond to a
present device" error when I access Properties of the Service. I'm now
wondering if this is done by design for some strange reason?

I'll put it to you this way from a programmer's point of view. If a security
program I was depending upon to protect the machine started dumping error
messages into the Event log indicating it is having a permission issue, then
I would NOT be guessing that I think everything's OK and I am going to let it
go. You never know about that part of the program logic that may or may not be
able to protect due to the permission issue with the O/S.

Therefore, I would be in touch with the product's Tech Support about the
issue looking for a solution to the problem. It's as simple as that. But
that's just me. :)

Duane :)
 
Sometime on, or about Thu, 29 Apr 2004 23:49:33 GMT, Duane Arnold
scribbled:
I'll put it to you this way from a programmer's point of view. If a security
program I was depending upon to protect the machine started dumping error
messages into the Event log indicating it is having a permission issue, then
I would NOT be guessing that I think everything's OK and I am going to let it
go. You never know about that part of the program logic that may or may not be
able to protect due to the permission issue with the O/S.

Therefore, I would be in touch with the product's Tech Support about the
issue looking for a solution to the problem. It's as simple as that. But
that's just me. :)

Duane :)

See the message above... apparently at
http://forums.mcafeehelp.com/viewtopic.php?t=16274 there's a discussion of
this exact same issue. Apparently lots of people have seen it and it looks
like a bug from McAfee.

Sam
 