Category published:  DLP | Data Loss Prevention Hotfixes, Updates Mcafee/Trellix   Click on the Category button to get more articles regarding that product.

McAfee DLP, Microsoft September 2015 update disables McAfee DLP

Posted by admin on 27.09.2015

Five Microsoft patches take out the McAfee DLP copy handler function. Device Control (USB) block is not affected.

Environment

McAfee Data Loss Prevention Endpoint (DLP Endpoint) software earlier than 9.3.425 (DLP Endpoint 9.3 Patch 4 HF25)

Microsoft Windows 7 64-bit (32-bit is not affected.)

Problem

Several applications fail to start after you install Microsoft Patch MS15-038, MS15-090, MS15-085, or MS KB3083992 on systems with DLP Endpoint earlier than 9.3 Patch 4 HF25 (9.3.425.x).

Affected applications include, but are not limited to:

  • CMD.EXE
  • Explorer.EXE
  • MMC-based applications
  • Microsoft Office applications
  • PowerShell

Example startup errors include:

  • csc.exe - Application Error — The application was unable to start correctly (0xc0000142)
  • iexplore.exe - Application Error — The application was unable to start correctly (0xc0000018)
  • mmc.exe - Application Error — The application was unable to start correctly (0xc0000018)
  • cmd.exe - Application Error — The application was unable to start correctly (0xc0000018)

Cause

The issue is caused by a third-party component in DLP Endpoint.

NOTE: This issue does not affect the Device Control only operation mode. The other two operation modes may have the issue.

Solution

Intel Security has released DLP Endpoint 9.3 Patch 4 Hotfix 25 and DLP Endpoint 9.3 Patch 5 and later to resolve this issue.

McAfee product software, upgrades, maintenance releases, and documentation are available from the Product Downloads site at: http://www.mcafee.com/us/downloads/downloads.aspx.

NOTE: You will need a valid Grant Number for access. KB56057 provides additional information about the Product Downloads site, as well as alternate locations for some products.


Workaround

Either remove the Microsoft patch (MS15-038, MS15-090, MS15-085, or MS KB3083992) or disable the affected components in DLP Endpoint.

The affected components in DLP Endpoint include:

  • File Copy Handler
  • Clipboard Service
  • Portable Devices Handler (MTP)
  • Screen Capture Service
  • Internet Explorer Add-on
  • Firefox Handler
  • Cloud Protection Handlers (all)

To disable the affected components:

  1. Open the DLP Management Console.
  2. Open the Agent Configuration menu.
  3. Click Edit Global Agent Configuration.
  4. Select the Miscellaneous tab.
  5. Deselect the components you would like to disable.
  6. Click OK.
  7. On the Agent Configuration menu, click Apply Global Agent Configuration.

NOTE: This will not update custom Agent Configurations. Those must be updated from the ePolicy Orchestrator policy catalog.

To remove the Microsoft KBs via the command line:

1. Open a command prompt as administrator.
2. Run the following commands. Each command that removes an installed update restarts the machine immediately (/forcerestart), so run them one at a time:

  • wusa /uninstall /kb:3045685 /quiet /forcerestart
  • wusa /uninstall /kb:3045999 /quiet /forcerestart
  • wusa /uninstall /kb:3060716 /quiet /forcerestart
  • wusa /uninstall /kb:3071756 /quiet /forcerestart
  • wusa /uninstall /kb:3083992 /quiet /forcerestart
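
Before removing patches or disabling handlers, it helps to know which machines actually match the affected combination (Windows 7 64-bit, DLP Endpoint earlier than 9.3.425, and one of the five KBs installed). The script below is an added example, not part of the McAfee article: the host names and DLP versions in $Inventory are constructed placeholders, and the DLP Endpoint version is assumed to come from your own ePO reporting or asset inventory. Because PowerShell is among the applications that fail to start, run it from an unaffected admin workstation.

```powershell
# Added example (not from the McAfee article). Windows PowerShell; needs WMI/RPC
# access to the target hosts.
# Constructed sample inventory: host names and DLP versions are placeholders.
$Inventory = @(
    [pscustomobject]@{ Computer = 'WS-EXAMPLE-01'; DlpVersion = '9.3.400.12' }
    [pscustomobject]@{ Computer = 'WS-EXAMPLE-02'; DlpVersion = '9.3.425.3'  }
)

# KB numbers from the wusa commands on this page; fixed build from "Environment".
$TriggerKBs = 'KB3045685', 'KB3045999', 'KB3060716', 'KB3071756', 'KB3083992'
$FixedBuild = [version]'9.3.425'   # DLP Endpoint 9.3 Patch 4 HF25

function Test-DlpPatchConflict {
    param([string]$Computer, [version]$DlpVersion)
    try {
        $os  = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Computer -ErrorAction Stop
        $kbs = @(Get-HotFix -ComputerName $Computer -ErrorAction Stop |
                 Where-Object { $TriggerKBs -contains $_.HotFixID } |
                 ForEach-Object { $_.HotFixID })
    } catch {
        # Unreachable hosts are reported, not silently treated as unaffected.
        return [pscustomobject]@{ Computer = $Computer; Status = 'Unknown'; Detail = $_.Exception.Message }
    }

    # Windows 7 is NT 6.1 with ProductType 1 (workstation); 32-bit is not affected.
    # OSArchitecture is a localized string; '64*' assumes it starts with the digits.
    $isWin7x64 = ($os.Version -like '6.1.*') -and ($os.ProductType -eq 1) -and
                 ($os.OSArchitecture -like '64*')
    $oldDlp    = $DlpVersion -lt $FixedBuild

    if ($isWin7x64 -and $oldDlp -and $kbs.Count -gt 0) { $status = 'Affected' }
    elseif ($isWin7x64 -and $oldDlp)                  { $status = 'AtRiskIfPatched' }
    else                                              { $status = 'NotAffected' }

    [pscustomobject]@{ Computer = $Computer; Status = $status; Detail = ($kbs -join ',') }
}

$Inventory |
    ForEach-Object { Test-DlpPatchConflict -Computer $_.Computer -DlpVersion $_.DlpVersion } |
    Format-Table -AutoSize
```

Hosts reported as AtRiskIfPatched have the older DLP Endpoint build but none of the listed KBs yet; upgrading DLP Endpoint on those first avoids the startup failures.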


Potential impact of disabling handlers:

  • File Copy Handler – Introduced in DLP Endpoint 9.3.0 as the removable
    storage protection enhancement that added the Windows Explorer sandbox.
    In McAfee DLP Endpoint version 9.2, the client software processed files
    copied by Windows Explorer to removable storage devices before they
    were actually copied to the destination. The new protection rule
    algorithm hooks the Windows MoveFile and CopyFile APIs when files are
    being copied to removable storage, and suspends the transfer until the
    McAfee DLP Endpoint client software completes the scan and applies the
    policy. The feature can be deactivated on the Agent Configuration |
    Miscellaneous page.

  • Portable Device Handler (MTP) – Introduced in 9.3.100 (Patch 1) as a
    removable storage protection rules enhancement. Media Transfer Protocol
    (MTP) support has been added to removable storage protection rules. MTP
    is a protocol for transferring media files and associated metadata
    between portable devices or between portable devices and computers. MTP
    devices are not traditional removable devices because the device
    implements the file system, not the computer the device is connected
    to.

    The feature supports all removable storage protection rule actions
    except Encrypt. Protection rules with the Encrypt action fall back to
    Block, and files are placed in the quarantine folder. Only USB
    connections are currently supported.

    Note: Microsoft Windows Server 2003 does not identify removable devices
    in Windows Explorer. Therefore, removable storage protection rules with
    MTP support cannot be applied on this platform.

Disabling the remaining services affects the following:

  • Clipboard Service – Copying from application to application or outside specified applications.
  • Screen Capture Service – Snagit, Snipping Tool, etc.
  • Internet Explorer Add-on – Web post protection
  • Firefox Handler – Web post protection
  • Cloud Protection Handlers (all) – Protection from cloud services (Dropbox, Google Drive, Box, etc.)

Related Information

See Microsoft article 3045999 for details on patch MS15-038: https://support.microsoft.com/en-us/kb/3045999
See Microsoft article for details on MS15-090: https://technet.microsoft.com/en-us/library/security/ms15-090.aspx
See Microsoft article for details on MS15-085: https://technet.microsoft.com/en-us/library/security/ms15-085.aspx
See Microsoft article for details on MS15-038: https://technet.microsoft.com/en-us/library/security/ms15-038.aspx
See Microsoft article 3083992 for details: https://technet.microsoft.com/library/security/3083992

