Compatibility issues can occur when third-party applications inject our processes

Technical Articles ID: KB83123
Last Modified: 2023-02-27 16:35:25 Etc/GMT

Environment

Trellix Agent 5.x
Trellix Endpoint Security 10.x

NOTE: McAfee Agent was rebranded to Trellix Agent in version 5.7.7.

All supported products that use SysCore now include a later build of SysCore than the minimum version of 15.3, in which self-protection was introduced.

Third-party hooking applications include:

Avecto Privilege Guard
BeyondTrust

Summary

Our products include self-protection mechanisms to prevent tampering with our files, folders, processes, registry entries, and executables. Self-protection mechanisms are needed to provide and maintain a high level of security and trust in the software, especially to secure against malware attacks.

Some third-party software applications might inject or "hook" our processes, or attempt to, by loading their own code (a DLL) into the our process. Third-party applications might use hooking techniques as a means to provide more functionality to the user or administrator. But there is no legitimate reason for hooking our protected system-level services.

While this behavior is similar to a malware attack, from the viewpoint of the third-party vendor, the third-party application is just behaving as expected. It is providing functionality that supports the purpose of the third-party application. Third-party vendors recognize that they do not need to hook all processes, and many provide a compatibility setting that allows excluding specific processes from being injected with their code.

Adverse effects can occur when untrusted third-party code injects or hooks our protected services. Known issues include system deadlocks requiring manual remediation.

Problem

You might see the following issues when untrusted third-party applications inject or hook our protected services:

The system is unresponsive on boot.
The Windows desktop fails to load.
A deadlock occurs after installing Trellix Agent 5.x or Endpoint Security 10.x.
A reputation change that occurs when using Threat Intelligence Exchange, might result in a failed cleaning of a running PE (Portable Executable) that has been deemed malicious after execution.
There is poor performance, such as a slow user experience.

Solution 1

We allow you to trust the digital certificate of a third-party product. For information and risks associated with this action, see Solution 1, step 2 "Resolve the third-party application (hook) problem" in: KB74176 - Third-party application DLL not signed (Event ID 514/516/519).

Solution 2

Prevent the hooking of our processes by consulting the third-party vendor for available configuration options.

The following processes must not be injected. This list is not all-inclusive. Use Task Manager to confirm which of our processes are in use in your environment.

Process	Fully Qualified Path
dxlservice.exe	C:\Program Files\McAfee\Data_Exchange_Layer\bin\dxlservice.exe
dxlservicemonitor.exe	C:\Program Files\McAfee\Data_Exchange_Layer\bin\dxlservicemonitor.exe
fcag.exe	C:\Program Files\McAfee\DLP\Agent\fcag.exe
fcags.exe	C:\Program Files\McAfee\DLP\Agent\fcags.exe
fcagte.exe	C:\Program Files\McAfee\DLP\Agent\fcagte.exe
fcagswd.exe	C:\Program Files\McAfee\DLP\Agent\fcagswd.exe
fcagd.exe	C:\Program Files\McAfee\DLP\Agent\fcagd.exe
fcpst.exe	C:\Program Files\McAfee\DLP\Agent\fcpst.exe
fcagd.exe	C:\Program Files\McAfee\DLP\Agent\x86\fcagd.exe
fcpst.exe	C:\Program Files\McAfee\DLP\Agent\x86\fcpst.exe
macmnsvc.exe	C:\Program Files\McAfee\Agent\macmnsvc.exe
macompatsvc	C:\Program Files\McAfee\Agent\x86\macompatsvc.exe
masvc.exe	C:\Program Files\McAfee\Agent\masvc.exe
mcshield.exe	C:\Program Files\Common Files\McAfee\AVSolution\mcshield.exe
mctray.exe	C:\Program Files\McAfee\Agent\x86\mctray.exe
mfeatp.exe	C:\Program Files\McAfee\Endpoint Security\Adaptive Threat Protection\mfeatp.exe
mfeesp.exe	C:\Program Files\McAfee\Endpoint Security\Endpoint Security Platform\mfeesp.exe
mfefire.exe	C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
mfefw.exe	C:\Program Files\McAfee\Endpoint Security\Firewall\mfefw.exe
mfemactl.exe	C:\Program Files\McAfee\Agent\x86\mfemactl.exe
mfemms.exe	C:\Program Files\Common Files\McAfee\SystemCore\mfemms.exe
mfetp.exe	C:\Program Files\McAfee\Endpoint Security\Threat Prevention\mfetp.exe
mfevtps.exe	C:\Windows\System32\mfevtps.exe
mfewc.exe	C:\Program Files\McAfee\Endpoint Security\Web Control\mfewc.exe
TIEService.exe	C:\Program Files\McAfee\TIEM\TIEService.exe

Solution 3

Third-party product: Avecto Privilege Guard
There are three options for this third-party product:

Option 1: Add our binaries to the Avecto Privilege Guard injection exclusion list. Achieved by modifying the registry on the endpoint
Option 2: Add our binaries to the Avecto Privilege Guard injection exclusion list by modifying the registry using a Group Policy Object (GPO) policy
Option 3: Add our binaries to the Avecto Privilege Guard injection exclusion list in the ePO extension provided by Avecto

NOTE: Option 2 and 3 conflict with each other if you use both of them, and if the policies are different.

Option 1: Add our binaries to the Avecto Privilege Guard injection exclusion list. Achieved by modifying the registry on the endpoint

CAUTION: This article contains information about opening or modifying the registry.

The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.
Before proceeding, Technical Support strongly recommends that you back up your registry and understand the restore process. For more information, see the Microsoft Windows registry information for advanced users article.
Do not run a REG file that is not confirmed to be a genuine registry import file.

Press Windows+R, type regedit, and click OK.
Go to the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Avecto\Privilege Guard Client\
Click Edit, New, Multi-String Value and name the new registry entry DriverHookExclusions.
Right-click DriverHookExclusions and select Modify.
In the Value data field, add the full file paths, from Solution 2.

NOTE: Separate the full file paths with a carriage return; do not use commas. The full paths and processes are case sensitive.
Click OK.
Repeat steps 2–6 for the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Avecto\Privilege Guard Client\
Reboot the system.

Option 2: Add our binaries to the Avecto Privilege Guard injection exclusion list by modifying the registry using a Group Policy Object (GPO) policy

CAUTION: This article contains information about opening or modifying the registry.

The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.
Before proceeding, Technical Support strongly recommends that you back up your registry and understand the restore process. For more information, see the Microsoft Windows registry information for advanced users article.
Do not run a REG file that is not confirmed to be a genuine registry import file.

In the Avecto Privilege Guard Management Console, navigate to Computer Configuration, Policies.
Right-click Privilege Guard Settings and select Advanced Agent Settings.
Select 64-bit Agent Values from the Edit drop-down list on the lower left of the window.
Click Add Value and name the new registry entry HookExclusions.
Select Multi-String in the Type column.
Double-click in the Value Data column.
In the Value Data field, add the process names from Solution 2.

NOTE: Separate the process names with a carriage return; do not use commas. The process names are case sensitive.
Click OK.

This group policy is applied like any other group policy. First, the change is replicated to all domain controllers. Then, clients look for policy updates about every 90 minutes. Or, policies are updated after a reboot or logon. To manually look for policy updates, run gpupdate from a command prompt. To force a policy update regardless of whether the policies have changed, run gpupdate /force from a command prompt.

Affected Products

Languages:

This article is available in the following languages:

Knowledge Center

Compatibility issues can occur when third-party applications inject our processes

Environment

Summary

Problem

Solution 1

Solution 2

Solution 3

Affected Products

Languages:

Title

Title

Knowledge Center

Compatibility issues can occur when third-party applications inject our processes

Environment

Summary

Problem

Solution 1

Solution 2

Solution 3

Affected Products

Languages:

Choose your region

Title

Title