Reboot loop with Endpoint Security 10.6.1 July 2019 Update

Technical Articles ID: KB91642
Last Modified: 2022-03-16 04:42:10 Etc/GMT

Environment

Endpoint Security (ENS) Threat Prevention 10.6.1 July 2019 Update

Problem

A reboot loop can occur after you install or upgrade to ENS 10.6.1 July 2019 Update. The issue occurs only if other Subject Interface Package (SIP) providers are present, and Exploit Prevention is enabled.
For more information about SIP providers, see the "Related Information" section below.

System Change

You installed or upgraded ENS to the 10.6.1 July 2019 Update.

Cause

During the ENS installation or upgrade, the Exploit Prevention component loaded within lsass.exe runs out of stack memory because of the presence of other SIP providers. As a result lsass.exe crashes, causing Windows to reboot. To end the reboot loop, you must have physical access to the system.

Solution

This issue is resolved in ENS 10.6.1 July 2019 Update Repost.

Our product software, upgrades, maintenance releases, and documentation are available on the Product Downloads site.

NOTE: You need a valid Grant Number for access. See KB56057 - How to download product updates and documentation for more information about the Product Downloads site, and alternate locations for some products.

To recover a system in a reboot loop:
If you've already run into this problem, to recover:

CAUTION: This article contains information about opening or modifying the registry.

The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.
Before proceeding, Technical Support strongly recommends that you back up your registry and understand the restore process. For more information, see the Microsoft Windows registry information for advanced users article.
Do not run a REG file that is not confirmed to be a genuine registry import file.

Make sure that the Exploit Prevention policy is set to Disabled.
Boot the system in Safe Mode. See the following information if you have disk encryption software.
- If you have Drive Encryption, see KB73714 - How to access Windows Safe Mode when Drive Encryption is installed.
- If you have third-party disk encryption software and need instructions to boot the system in Safe Mode, contact the vendor for the disk encryption product.
Go to the Registry and search for the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\Endpoint\Common\BusinessObjectRegistry\BO
Set Enable to 0.
Reboot the system.

Related Information

SIP providers:
You can find additional information about SIP providers here:
MITRE article on SIP hijacking
Microsoft article on SIP

SIP discovery:
The link to the first article includes information about how you can discover the presence of SIP providers in your environment. The article states to inspect the following registry keys and confirm whether the DLL pointers point to Microsoft DLLs. Pointers that point to a non-Microsoft DLL confirm that a third-party application is present.

HKLM\SOFTWARE\Microsoft\Cryptography\OID
HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID
HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust
HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust

IMPORTANT: If you identify a third-party SIP provider, don't continue with the current ENS 10.6.1 July 2019 Update.

Affected Products

Languages:

This article is available in the following languages:

Knowledge Center

Reboot loop with Endpoint Security 10.6.1 July 2019 Update

Environment

Problem

System Change

Cause

Solution

Related Information

Affected Products

Languages:

Title

Title

Knowledge Center

Reboot loop with Endpoint Security 10.6.1 July 2019 Update

Environment

Problem

System Change

Cause

Solution

Related Information

Affected Products

Languages:

Choose your region

Title

Title