DLP Endpoint process crashes on HSP-enabled endpoints when integrated with Titus or AIP

Technical Articles ID: KB96826
Last Modified: 2023-10-18 03:57:37 Etc/GMT

Environment

Data Loss Prevention (DLP) Endpoint 11.10.x
Windows 10 and 11
Titus SDK
Microsoft Information Protection SDK

For supported environments, see KB68147 - Supported platforms for Data Loss Prevention Endpoint.

Problem

The DLP Endpoint for Windows process crashes on Hardware-enforced Stack Protection (HSP)-enabled endpoints when integrated with Titus or AIP.

On Control-flow Enforcement Technology (CET) / HSP, the supported hardware Fcag.exe and Fcagte.exe crash with the following error code:

c0000409 (Security check failure or Stack buffer overrun)

Cause

The crash isn't due to the DLP Endpoint for Windows quality issues. Trellix DLP binaries have been complied with CET to support HSP. The Titus SDK (3.1.14.13) and AIP are compiled with .NET 4.7.2, which doesn't support CET. Hence, they fail the CET security checks, resulting in the error.

The shadow stack protections terminate the DLP process. This is due to third-party DLLs being loaded into the Trellix DLP Endpoint process (Fcag.exe and Fcagte.exe), and the intended return addresses in the Titus & MIP DLLs aren't present in the shadow stack.

Solution

Titus SDK and MIP SDK are required to support CET/HSP for proper integration.

Workaround

The HSP must be disabled in the following processes.

C:\Program Files\McAfee\DLP\Agent\fcag.exe
C:\Program Files\McAfee\DLP\Agent\fcagte.exe

To disable HSP, first, you must disable DLP access protection by performing the following steps:

NOTE: Disabling DLP access protection isn't recommended. Enable the setting immediately after disabling Exploit protection for DLP process.

Login to ePolicy Orchestrator (ePO) and navigate to Policy Catalog.
Click Data Loss Prevention 11.10.
Click Windows Client Configuration.
Select Advanced Configuration under the Access Protection settings.
Select Disabled from the drop-down next to DLP access protection, as shown below:

HSP can be disabled using three methods:

Manual Windows Security
PowerShell command
Group Policy Object (GPO)

For details about these methods, see Import, export, and deploy exploit protection configurations.

Following are the steps to disable the DLP process Fcag.exe and Fcagte.exe:

Manual Windows Security:

This mitigation can be controlled like other exploit protections, including toggling the enforcement using the Windows Defender UI.

Go to Windows Security | App & browser control | Exploit protection settings | Program settings | Add program to customize.
Select the exact file path.
Select C:\Program Files\McAfee\DLP\Agent\fcag.exe.
Enable Override system settings.
Disable all others, as shown in the image below:

NOTE: Follow the same steps mentioned above for C:\Program Files\McAfee\DLP\Agent\fcagte.exe.

PowerShell command

Run the following command through PowerShell:

Set-ProcessMitigation -Name "C:\Program Files\McAfee\DLP\Agent\fcag.exe" -Disable UserShadowStack

Set-ProcessMitigation -Name "C:\Program Files\McAfee\DLP\Agent\fcagte.exe" -Disable UserShadowStack

GPO:

An XML file can be exported from "Export Settings" in the Exploit protection page and imported into the GPO.

The XML file contains the following entries:

<AppConfig Executable="C:\Program Files\McAfee\DLP\Agent\fcag.exe">

<UserShadowStack UserShadowStack="false" UserShadowStackStrictMode="false" />

</AppConfig>

<AppConfig Executable="C:\Program Files\McAfee\DLP\Agent\fcagte.exe">

<UserShadowStack UserShadowStack="false" UserShadowStackStrictMode="false" />

</AppConfig>

Use Group Policy to distribute the configuration:

On your Group Policy management device, open the Group Policy Management Console.
Right-click the Group Policy Object that you want to configure and edit.
Go to Computer configuration under the Group Policy Management Editor.
Select Administrative templates.
Expand the tree to Windows components | Microsoft Defender Exploit Guard | Exploit protection.

Double-click Use a common set of Exploit protection settings and set the option to Enabled.
In the Options: section, enter the location and file name of the Exploit protection configuration file that you want to use.
For example:
C:\MitigationSettings\Config.XML\\Server\Share\Config.xml
https://localhost:8080/Config.xml
C:\ExploitConfigfile.xml
Select OK.
Deploy the updated GPO as you normally do.

Following are the steps to enable the DLP Access Protection:

Login to ePO and navigate to Policy Catalog.
Click Data Loss Prevention 11.10.
Click Windows Client Configuration.
Select Advanced Configuration, under the Access Protection settings.
Select Enabled from the drop-down next to DLP access protection, as shown below:

Related Information

For more information on HSP, see the following documentation:

Knowledge Center

DLP Endpoint process crashes on HSP-enabled endpoints when integrated with Titus or AIP

Environment

Problem

Cause

Solution

Workaround

Related Information

Affected Products

Title

Title

Knowledge Center

DLP Endpoint process crashes on HSP-enabled endpoints when integrated with Titus or AIP

Environment

Problem

Cause

Solution

Workaround

Related Information

Affected Products

Choose your region

Title

Title