During a product installation of ENS Threat Prevention, or an Exploit Prevention content update, Windows Defender might incorrectly detect and delete the Exploit Prevention content file HIPHandlers.dll or HIPHandlers64.dll as a malicious file. The detection name is HackTool:Win32/Mimikatz!. In the context of an ENS Threat Prevention installation, this detection can result in an installation failure.
If the issue occurs during an Exploit Prevention content update, the Windows Event Log contains a Windows Defender event similar to the example below:
Windows Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=HackTool:Win32/Mimikatz.PTT&threatid=2147735582&enterprise=1
Name: HackTool:Win32/Mimikatz.PTT
ID: 2147735582
Severity: High
Category: Tool
Path: file:_C:\ProgramData\McAfee\Agent\Current\ENDPCNT_1000\DAT\0000\EXP_20190705_09419_ENDP_AM_1000\agent-windows\HIPHandlers.dll
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
User:
Process Name: C:\Program Files\McAfee\Endpoint Security\Threat Prevention\mfetp.exe
Action: Not Applicable
Action Status: No additional actions required
Error Code: 0x00000000
Security intelligence Version: AV: 1.293.2643.0, AS: 1.293.2643.0, NIS: 1.293.2643.0
Engine Version: AM: 1.1.16000.6, NIS: 1.1.16000.6
If the issue occurs during an ENS Threat Prevention installation, the file McAfee_ThreatPrevention_Install.log contains entries similar to the excerpt below:
11:32:12:589 - Copy file succeededed for HIPHandlers64.dat
11:32:22:672 - Copy failed for HIPHandlers64.dll: 225
11:32:22:672 - Copy source path : C:\Users\ADMINI~1\AppData\Local\Temp\\HIPHandlers64.dll
11:32:22:672 - Copy destination path : C:\Program Files\McAfee\Endpoint Security\Threat Prevention\IPS\HIPHandlers64.dll
11:32:22:834 - Copy file succeededed for Signatures_8.xml
11:32:22:848 - Copy file succeededed for ips_hooking_whitelist_8.xml
11:32:22:855 - Copy file succeededed for ENS_AP_Rules.dat
11:32:22:855 - Copy file succeededed for Hiphandlers.dat
11:32:22:895 - Copy file succeededed for HIPHandlers.dll
11:32:22:895 - McAfee CustomAction : End CopyBOPBinaries
CustomAction CopyBOPBinaries.B0543E55_ECD7_4CB6_89C0_A49DF5349B0E returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
MSI (s) (00:9C) [11:32:22:926]: Note: 1: 2265 2: 3: -2147287035
MSI (s) (00:9C) [11:32:22:926]: User policy value 'DisableRollback' is 0
MSI (s) (00:9C) [11:32:22:926]: Machine policy value 'DisableRollback' is 0
Action ended 11:32:22: InstallFinalize. Return value 3.
NOTE: Error 225 indicates a failure reason of ERROR_VIRUS_INFECTED, the Win32 error code returned when a file operation is refused because the file was detected as malicious.
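As an added triage example (not part of this article and not a McAfee or Microsoft tool), the script below parses the two log formats shown above: it pulls every "Copy failed" line out of McAfee_ThreatPrevention_Install.log, maps the error code to its Win32 name so that 225 (ERROR_VIRUS_INFECTED) is distinguished from ordinary copy errors, and extracts the detection name, path and process from the Windows Defender event text. The sample inputs are constructed to match the excerpts on this page.

```python
import re

# Win32 error codes as they appear in the installer's "Copy failed" lines.
# 225 is ERROR_VIRUS_INFECTED (see the note above); the other two are common
# copy-failure causes included so the AV case can be told apart from them.
WIN32_ERRORS = {
    225: "ERROR_VIRUS_INFECTED",
    5: "ERROR_ACCESS_DENIED",
    32: "ERROR_SHARING_VIOLATION",
}

# Matches "HH:MM:SS:mmm - Copy failed for <file>: <code>"
COPY_FAILED = re.compile(
    r"^\d{2}:\d{2}:\d{2}:\d{3} - Copy failed for (?P<file>\S+): (?P<code>\d+)$")
# Matches the "Key: value" lines of interest in the Defender event text
EVENT_FIELD = re.compile(r"^(?P<key>Name|ID|Path|Process Name): (?P<val>.*)$")

# Constructed sample input modelled on the excerpts on the page.
SAMPLE_INSTALL_LOG = """\
11:32:12:589 - Copy file succeededed for HIPHandlers64.dat
11:32:22:672 - Copy failed for HIPHandlers64.dll: 225
11:32:22:895 - Copy file succeededed for HIPHandlers.dll
"""
SAMPLE_DEFENDER_EVENT = """\
Name: HackTool:Win32/Mimikatz.PTT
ID: 2147735582
Severity: High
Path: file:_C:\\ProgramData\\McAfee\\Agent\\Current\\agent-windows\\HIPHandlers.dll
Process Name: C:\\Program Files\\McAfee\\Endpoint Security\\Threat Prevention\\mfetp.exe
"""

def parse_install_log(text):
    """Return [(file, code, reason)] for every 'Copy failed' line in the install log."""
    hits = []
    for line in text.splitlines():
        m = COPY_FAILED.match(line.strip())
        if m:
            code = int(m.group("code"))
            hits.append((m.group("file"), code, WIN32_ERRORS.get(code, "UNKNOWN")))
    return hits

def av_blocked_files(text):
    """Files whose copy failed with 225, i.e. the copy was refused by an AV scan."""
    return [f for f, code, _ in parse_install_log(text) if code == 225]

def parse_defender_event(text):
    """Extract Name/ID/Path/Process Name from the event text; strips Defender's 'file:_' prefix."""
    fields = {}
    for line in text.splitlines():
        m = EVENT_FIELD.match(line.strip())
        if m:
            fields[m.group("key")] = m.group("val")
    if fields.get("Path", "").startswith("file:_"):
        fields["Path"] = fields["Path"][len("file:_"):]
    return fields
```

Point parse_install_log at the real McAfee_ThreatPrevention_Install.log and parse_defender_event at the event message text to confirm that a 1603 rollback was caused by a Defender detection of HIPHandlers.dll or HIPHandlers64.dll rather than by a permissions or file-lock problem.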