Release Notes
McAfee® VirusScan® Enterprise Version 8.8.0 Patch 2

Thank you for using McAfee software. This document contains important information about this release. McAfee strongly recommends that you read the entire document.

About this release

This release contains a variety of improvements and fixes. Although this release has been thoroughly tested, McAfee strongly recommends that you verify this update in test and pilot groups prior to mass deployment. Please review the Improvements, Known issues, and Resolved issues sections below for additional information.

This document supplements the product Release Notes in the current release package.

For a list of supported environments and latest information for VirusScan Enterprise 8.8.0 on Microsoft Windows, see (McAfee) KnowledgeBase article KB51111.

Patch version

Patch 2

Product

This release was developed for use with:

  • VirusScan Enterprise 8.8.0
  • VirusScan Enterprise 8.8.0 Patch 1

Supported minimum versions:

  • Scan Engine: 5.4.00
  • Detection Definitions (DAT): 6700+
  • McAfee Agent: 4.5.0.1810 or 4.6.0.2292

    NOTE: McAfee Agent 4.0.0 reached End of Life on December 31, 2011. The latest available McAfee Agent versions are 4.5.0 and 4.6.0.

This document might refer to the following products as "VirusScan Modules":

  • McAfee® VirusScan® Enterprise for Offline Virtual Images 1.0
  • McAfee® VirusScan® Enterprise for Offline Virtual Images 2.0
  • McAfee® VirusScan® Enterprise for use with SAP NetWeaver® platform 1.0
  • McAfee® VirusScan® Enterprise for Storage 1.0
  • McAfee® Optimized Virtual Environments for Servers
  • McAfee® Optimized Virtual Environments - Antivirus for Virtual Desktop Infrastructure

Package date

August 14, 2012

Rating

McAfee recommends this release for all environments. This release is considered a High Priority rating. See (McAfee) KnowledgeBase article KB51560 for information on ratings.

Improvements

For the most recent list of VirusScan Enterprise 8.8.0 improvements, refer to (McAfee) KnowledgeBase article KB51111.

This release includes the following improvements:

  1. This version of VirusScan Enterprise supports:

    • Lotus Notes 7.0.x
    • Lotus Notes 8.0.x - 8.5.x
    See the VirusScan Enterprise 8.8.0 Installation Guide for information about supported applications.
  2. Processes that write data to disk frequently and/or write a lot of data in a short amount of time can experience poor performance from scanning.

    VirusScan now supports a 'Delayed Write Scan' mode of operation that delays all scanning of modified files to lower priority background threads. This setting is disabled by default and is enabled with HotFix 719680. To maintain security when enabling this mode, ensure the "Scan on Read" setting is enabled. Additionally, removable media and network file share write operations will still be scanned immediately on "close".

    Refer to (McAfee) KnowledgeBase article KB75374 for HotFix 719680 documentation and downloading instructions.
  3. The McAfee splash screen has been updated with this release.

Known issues

For the most recent list of VirusScan Enterprise 8.8.0 known issues, refer to (McAfee) KnowledgeBase article KB51111.

The following known issues were found during testing:

  1. Issue: If McAfee Host Intrusion Prevention System (Host IPS) patch 1, which contains a 14.4.0 version of the core drivers, is installed to the system when installing this patch, a system crash might occur due to a problem in the 14.4.0 core. This patch upgrades the core drivers to version 15.0.0, but the issue might still occur because the 14.4.0 drivers are still in memory and might cause the system to crash during shutdown.
    Workaround: This issue is fixed in the 15.0.0 core. Once the system reboots, the system should not experience this issue because the 15.0.0 drivers are loaded properly.
  2. Issue: McAfee SiteAdvisor Enterprise 3.5.0 displays an "orange" browser balloon (GTI server unavailable) for all sites after installing VirusScan Enterprise 8.8.0 Patch 2.
    Workaround: An update for McAfee SiteAdvisor Enterprise 3.5.0 is available; refer to (McAfee) KnowledgeBase article KB75858 for additional details. McAfee SiteAdvisor Enterprise 3.5.0 Patch 1 and later releases are not affected.
  3. Issue: After installing Patch 2, you must restart the MOVE-AV service or restart the system.

Resolved issues

This release includes the following resolved issues:

  1. Issue: Third-party products that inject DLLs into processes could cause the VirusScan Enterprise service (VsTskMgr.exe) to periodically poll data and frequently log event 516 entries. (Reference: 625756)
    Resolution: The VirusScan Enterprise Task Manager service no longer causes prolific generation of the event 516.
  2. Issue: When a VirusScan Enterprise patch update is applied, the update would "succeed" and appear to be at the correct patch level even if a file was missing or corrupted in the repository. (Reference: 629564)
    Resolution: A missing or corrupt patch file in the repository now causes VirusScan Enterprise updates to fail.

    Note: You must still manually fix the issue with the repository before the update can be successful.
  3. Issue: A flaw in the Windows registry filtering model caused the McAfee Access Protection driver to incorrectly block remote registry accesses. (Reference: 668312)
    Resolution: Microsoft identified a workaround and McAfee implemented the fix.
  4. Issue: The Reports Extension might fail to check into the repository if the default group for the queries already exists. (Reference: 670759)
    Resolution: All queries now include a group reference so they do not try to recreate the default group.
  5. Issue: A STOP error (Bugcheck 7f) could occur with the McAfee filter driver due to lost content header information when transmitting through a raw socket on Windows 7. This issue was seen with some third-party VPN clients. (Reference: 682177)
    Resolution: The McAfee filter driver now ensures header information is preserved and forwarded through a raw socket.
  6. Issue: McShield might fail to start due to an API not properly calling processor group affinity for Non-Uniform Memory Access systems. (Reference: 685950)
    Resolution: The API to set processor group affinity is now called correctly.
  7. Issue: When a McAfee driver queried for the engine version, the return value was a non-empty string if a version was not found in the registry. (Reference: 689986)
    Resolution: The return value has been updated to send an empty string if no engine version is found.
  8. Issue: During an On-Demand Scan, the user was able to stop or cancel the scan, regardless of configured settings, by clicking the scan task in the console and selecting Show Progress. (Reference: 694042)
    Resolution: Managed ePolicy Orchestrator On-Demand Scan tasks now properly enforce the password protection settings for the user if managed tasks are displayed in the user console.
  9. Issue: Access Protection rules that begin with the special wildcard character "?", even with no rules set to block, would cause the CPU to spike to 100% usage. (Reference: 696654)
    Resolution: The Access Protection driver now properly addresses the issue when evaluating rules beginning with "?".
  10. Issue: A STOP error (Bugcheck 8E) could occur with VirusScan Enterprise if a locked file was being scanned under some circumstances. (Reference: 702469)
    Resolution: VirusScan Enterprise now prevents the STOP error when scanning locked files.
  11. Issue: When adding or removing a storage media device, the CPU usage could spike due to repeated attempts to acquire a resource that might be in an unguarded dead-lock state. (Reference: 703065)
    Resolution: VirusScan Enterprise now recompiles rules from a separate thread to resolve the underlying dead-lock condition.
  12. Issue: The Lotus Notes scan driver did not support the new multi-threaded Lotus Notes Client version 8.0 and later. (Reference: 708485)
    Resolution: The Lotus Notes scan driver code now allows processing in multi-threaded Lotus Notes Clients version 8.0 and later.
  13. Issue: The Lotus Notes scan driver sometimes encountered an out-of-bounds situation that caused an access violation, resulting in a crash on exit. (Reference: 712419)
    Resolution: The Lotus Notes scan driver now handles the access violation, preventing a crash on exit.
  14. Issue: If event ID 560 (security failure audit messages) was enabled, the event was logged during every policy enforcement. (Reference: 716044)
    Resolution: Policy enforcement no longer causes Event ID 560 to occur on the client.
  15. Issue: A STOP error (Bugcheck D5 or C2) could occur due to a race condition caused by a pool corruption with VirusScan Enterprise and Host Data Protection. (Reference: 726019)
    Resolution: VirusScan Enterprise was modified to eliminate the pool corruption that could cause the race condition.
  16. Issue: When an On-Demand Scan started, the wrong API call returned the machine name and user name individually and then concatenated them. (Reference: 726909)
    Resolution: VirusScan Enterprise now calls the correct API to return the name of the user or other security principal associated with the calling thread.
  17. Issue: When using Microsoft Outlook 2010 mail client, an On-Demand Email Scan would stop scanning mail items that returned a NULL session object. The VirusScan Enterprise Outlook Email Scanner was unable to scan NULL session objects. (Reference: 727314)
    Resolution: The VirusScan Enterprise Outlook Email Scanner now skips scanning any NULL session objects.
  18. Issue: Under low memory conditions, a STOP error (Bugcheck 8E) could occur due to failure with allocated memory from the system pool. (Reference: 727788)
    Resolution: VirusScan Enterprise no longer causes a STOP error due to a memory allocation failure.
  19. Issue: Some core files could fail to upgrade with VirusScan Enterprise 8.8.0, causing the installer to remove the core files from the system instead of reverting back to the previous state. (Reference: 730735)
    Resolution: The installer now ensures the core files will not be removed from the system after a failed upgrade.
  20. Issue: Some event XML data included empty strings, which are not honored by the event parser. (Reference: 732299)
    Resolution: Empty strings are now accepted for the following fields in the XML events:

    • FileName and VirusType for Detection events
    • ProcessName for PortBlock events
  21. Issue: ScriptScan URL exclusions did not allow several special characters, including '/', in the ePolicy Orchestrator VirusScan Enterprise policy settings. (Reference: 733717)
    Resolution: ScriptScan URL exclusions now disallow only '*' and '?', as originally intended.
  22. Issue: A STOP error (Bugcheck 7E) occurs due to a race condition between internal interface registration and deregistration. (Reference: 735108)
    Resolution: Simplified internal synchronization to avoid a registration race condition.
  23. Issue: A STOP error (Bugcheck D5 or C2) would occur from a race condition caused by corruption in the kernel pool when attempting to free a buffer that had already been freed. (Reference: 735511)
    Resolution: VirusScan Enterprise was modified to eliminate the race condition that could corrupt the kernel pool.
  24. Issue: When installing to a machine with Host Intrusion Prevention (Host IPS), Host IPS blocks a McAfee process (mfehidin.exe) from setting Access Control List (ACL) on a McAfee driver (mfevtps). (Reference: 735512)
    Resolution: The Host IPS Entercept Agent service is now stopped before upgrading the syscore drivers and vscore files.
  25. Issue: Lotus Notes Scanner does not support the new multi-threaded environment of Lotus Notes Clients version 8.0 and later. (Reference: 740019)
    Resolution: Lotus Notes Scanner is now thread-safe in multithreaded environments of Lotus Notes Clients version 8.0 and later.
  26. Issue: Access Protection would cause incompatibilities with some Microsoft Windows component installers. (Reference: 740244)
    Resolution: Access Protection was modified to remove the incompatibility.
  27. Issue: Attempting a remote connection to the SAP server using the WebIRichClient with On-Access Scanner enabled prevented the system from connecting and caused the WebIRichClient software to become non-responsive. (Reference: 741714)
    Resolution: The file filter was revised to temporarily delay a scan if a file had been modified under conditions that could block concurrent access through the file system.
  28. Issue: The McAfee McShield service could encounter a dead-lock situation in an internal utility routine when processing scans of modified files. In this case, the McShield internal dead-lock watchdog timer fires and the McShield service stops. (Reference: 754042)
    Resolution: Scans of modified files are now conducted with corrected context information passed to internal utility routines, avoiding the dead-lock situation.
  29. Issue: When running an On-Demand scan on disk volumes where Update Sequence Number (USN) journals are not enabled, the last access time of the corresponding files might be updated. (Reference: 756797)
    Resolution: VirusScan Enterprise On-Demand scanner no longer modifies the file time stamp while performing scans.
  30. Issue: If a file was cached as clean and then later added to the User Defined Detections (UDD) in the Registry, the file is not detected by the On-Access Scanner until the service restarts. (Reference: 762155)
    Resolution: On-Access Scanner now resets the cache, so a file is detected when it is added to UDD.
  31. Issue: A STOP error (Bugcheck 50) could occur as part of handling changes to the Windows PendingRename registry value by referencing an invalid memory location. (Reference: 773909)
    Resolution: VirusScan Enterprise no longer accesses invalid memory locations when processing the PendingRename registry value.

Previously resolved issues

Resolved issues in Patch 1.

  1. Issue: Installation fails with ERROR 1920, citing 'The McShield Service failed to start'. This can occur when Microsoft Windows is installed to a sub-folder rather than the root. (Reference: 638858)
    Resolution: The system core installer has been revised to recognize all system paths.
  2. Issue: A Bugcheck 5 error could occur if memory allocations are not checked for failure, resulting in an invalid memory reference. (Reference: 643013, 651019, 673463, 676448)
    Resolution: The memory allocation is now checked for success prior to referencing it.
  3. Issue: Malicious software might change NTFS folder permissions on McAfee folders in order to disable the software. (Reference: 643440)
    Resolution: Self protection now protects McAfee folders, files and registry data from permission changes.
  4. Issue: Process exclusion for Buffer Overflow was broken after introducing more granularities in Buffer Overflow exclusions using Module Name and API Name. (Reference: 651569, 686711, 687670)
    Resolution: Process exclusions for Buffer Overflow work as expected on standalone machines, ePolicy Orchestrator managed systems and during ePolicy Orchestrator Policy Migration.
  5. Issue: When multiple signatures are included in an EXTRA.DAT, the buffer used to store the description information for the "About" window might not be large enough. (Reference: 651670)
    Resolution: Buffer size for storing Extra.DAT signature information has been increased to 4 times its original size.
  6. Issue: When the option "Show add-in user interface error" is enabled in Outlook, the following pop-up error appears every time Outlook is started and the first e-mail is opened or created: "Custom UI Runtime Error in McAfee E-mail Scan Add-in". (Reference: 651887, 656365, 656366, 656644, 656674, 656678, 657131, 657398, 657409, 657411, 657413, 657414, 657433, 661628, 675246)
    Resolution: McAfee E-mail Scan Add-in has been fixed to return correct "success" error code to Outlook. The pop-up error no longer appears.
  7. Issue: Files on network locations might trigger an unhandled exception leading to a system crash if the network experiences a failure or the object is unreadable. One report of this occurred when opening Outlook 2010 with PST files configured to reside on remote storage. (Reference: 660014, 663389, 665822, 667934)
    Resolution: The exception is handled to avoid a system crash.
  8. Issue: Access Protection rules involving the block of System:Remote fail to enforce. This also applies to preventing remote access to shares. (Reference: 661424)
    Resolution: VirusScan Enterprise identifies remote share access and enforces Access Protection rules that prevent remote access to shares.
  9. Issue: The XML file generated for Event 1202 contained incorrect values for GMTTime and UTCTime fields. (Reference: 661702, 676893)
    Resolution: GMTTime and UTCTime fields for Event 1202 now have the correct time information.
  10. Issue: A Bugcheck C2, "Bad_Pool_Caller" error, could occur under varied conditions. One instance was triggered when using Virtual Machine Converter. (Reference: 662350, 666697, 673448, 678179, 690657, 691258)
    Resolution: A memory corruption issue has been resolved.
  11. Issue: A variety of symptoms, including an application crash, might occur with the ScriptScan feature disabled. (Reference: 662684, 665748, 668796, 668807, 669035, 669605, 669773, 669875, 671666, 671668, 671671, 671672, 672710, 675259, 675261, 676492, 685467, 685551, 685566, 685650, 686667, 686828, 687336, 693321, 696789, 696834)
    Resolution: ScriptScan DLLs are no longer accessed if the feature is disabled.
  12. Issue: An attempt to add an exclusion to the Access Protection rule "Protect Internet Explorer favorites and settings" failed when the edit box reached its maximum limit. (Reference: 663135)
    Resolution: Buffer size for storing processes to exclude has been increased, enabling customers to add exclusions.
  13. Issue: When filtering network Input/Output, a timing issue could occur, leading to a kernel thread stack exhaustion. This issue could result in a system crash. (Reference: 664539, 665345)
    Resolution: VirusScan Enterprise now uses a Deferred Procedure Call to ensure a fresh thread stack.
  14. Issue: A bugcheck 50 error could occur when a McAfee driver encountered unexpected data while examining loaded resources of a third-party application. (Reference: 667172)
    Resolution: The McAfee driver has been updated to handle this situation.
  15. Issue: A memory leak could occur with the process validation service and the Microsoft .NET runtime support library, mscoree.dll. (Reference: 673462)
    Resolution: Changes made to the process validation service have removed the dependency of the Microsoft .NET runtime support library, mscoree.dll.
  16. Issue: When Hotfix 660014, which introduces folder permission restrictions, is installed, McAfee Agent installations might be blocked by an Access Protection rule. (Reference: 684965, 686259, 686272)
    Resolution: The McAfee Agent is no longer blocked when trying to set folder permissions.
  17. Issue: A defect in the matching engine prevents the deletion of folder names that are a substring of "Program Files", such as "c:\pro" or "c:\prog". (Reference: 685273)
    Resolution: The matching engine now only matches complete folder names, so deleting "Program Files" is prevented, but deleting "C:\pro", "c:\prog", or other substrings is allowed.
  18. Issue: An issue in the clean-file scan cache logic was identified on systems supporting the Server Message Block 2 (SMB2) protocol that could allow files to be written to a share and not be scanned. (Reference: 686645, 686650, 690277)
    Resolution: When On-Access Scanner tries to scan a share file and the scan does not succeed, the scanner now returns an OPLOCK error to McShield. McShield returns NOTSCANNED status to the driver and the file is not added to the cache, causing the file to be scanned when accessed.
  19. Issue: When Hotfix 660014, which introduces Access Protection rule: Prevent modification of McAfee files and settings, is installed, VirusScan Enterprise prevents installation and adding features to Windows systems. (Reference: 691269, 691651)
    Resolution: VSCAN.BOF content file has been modified to properly restrict access to McAfee files and settings.
  20. Issue: The On-Demand Scanner cleanup events (1034, 1035, 1202, and 1203) have timestamps that are identical to the On-Demand Scanner start time. (Reference: 691660)
    Resolution: VirusScan Enterprise now obtains the current time before generating On-Demand Scan cleanup events.

Installation instructions

To use this release, you must have VirusScan Enterprise 8.8.0 software installed on the computer you intend to update with this release.

Standalone instructions

To install this release directly to a system, you must have installation rights.

  1. Extract the Patch files to a temporary folder on your hard drive.
  2. Double-click the Setup.exe file inside the temporary folder created in Step 1.
  3. Follow the instructions of the installation wizard.

ePolicy Orchestrator instructions

To deploy this release to managed systems:

  1. Open the ePolicy Orchestrator console and add the zip package to your repository. Refer to Checking in Packages Manually in the ePolicy Orchestrator online help for instructions on adding a package to the repository. The package type for this installation is "Products or Updates (.ZIP)".

    NOTE: If the VirusScan Enterprise reports or extension files are updated with this release, extract them from the package .zip file to a temporary folder and check them into the ePolicy Orchestrator Extension repository separately.
  2. Deploy to the appropriate client systems with an agent update task.

Verifying installation

Always reboot the client system prior to validating that the release is successfully installed.

To verify that the product is installed successfully, check any of the following items:

  • After the ePolicy Orchestrator agent collects property information, the client system details display the HotFix/Patch version.
  • On the client system, check for a registry key entry Patch_2 in the HKey_Local_Machine\Software\McAfee\DesktopProtection tree.

    NOTE: On a 64-bit OS, this entry might be located under the HKey_Local_Machine\Software\Wow6432Node\McAfee\DesktopProtection tree.
  • Confirm that the expected files are installed by checking the version number of individual files. File versions should match the list of files in the File inventory section.

    NOTE: Releases are not displayed or do not report installed if an error occurred during installation, or if a file did not install correctly.
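
The registry check described above, as an added PowerShell example that is not part of McAfee's release notes. It assumes Patch_2 may be stored either as a key or as a value anywhere under the two DesktopProtection trees, since the notes do not say which; the function name Find-PatchEntry is hypothetical.

```powershell
# Added example: search both registry trees named in the release notes for Patch_2.
# Assumption: the entry may be a subkey or a value name, at any depth in the tree.
$entry = 'Patch_2'
$roots = @(
    'HKLM:\SOFTWARE\McAfee\DesktopProtection',
    'HKLM:\SOFTWARE\Wow6432Node\McAfee\DesktopProtection'   # 64-bit OS location
)

function Find-PatchEntry {
    param(
        [string[]]$Roots,
        [string]$Name
    )
    foreach ($root in $Roots) {
        # Skip a tree that does not exist (for example Wow6432Node on a 32-bit OS).
        if (-not (Test-Path -LiteralPath $root)) { continue }

        # The root key itself plus every key below it.
        $keys = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)

        foreach ($key in $keys) {
            # Case 1: a key whose own name is Patch_2.
            if ($key.PSChildName -eq $Name) {
                [pscustomobject]@{ Path = $key.Name; Kind = 'Key'; Data = $null }
            }
            # Case 2: a value named Patch_2 stored under this key.
            if ($key.GetValueNames() -contains $Name) {
                [pscustomobject]@{ Path = $key.Name; Kind = 'Value'; Data = $key.GetValue($Name) }
            }
        }
    }
}

$found = @(Find-PatchEntry -Roots $roots -Name $entry)
if ($found.Count -gt 0) {
    $found | Format-Table -AutoSize
} else {
    Write-Warning "$entry was not found under either DesktopProtection tree."
}
```

Run it from an elevated prompt after the reboot; an empty result is consistent with the NOTE above that a release does not report as installed when a file did not install correctly.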

Removing installation files

Windows Installer 3.x and later now supports rolling back Patches.

To remove the installation files, perform an uninstall using one of the following options:

  • For Windows XP, Windows 2003, Windows Vista, Windows 2008, and Windows 7 operating systems, remove the Patch manually using Add/Remove Programs. (You must have appropriate rights to the local system.)
  • For all operating systems that support Windows Installer 3.x, remove the Patch silently using a command-line option.

    Example: C:\WINDOWS\system32\Msiexec.exe /I {CE15D1B6-19B6-4D4D-8F43-CF5D2C3356FF} MSIPATCHREMOVE={0B3104AC-07A2-4A6B-866E-CCA504A571B2} /q

    Note the following:
    • The GUID information in the command depends on the Patch being removed. Always use the information in the Release Notes for the Patch that you are removing.
    • Because the Patch is removed using MSIEXEC, the functions inside setup.exe, which normally prevent reboots from occurring during silent processes, are not executed. To prevent a possible automatic reboot from occurring after a Patch removal, add the REBOOT=R parameter to the command line above.
    • Patch removal is an MSI reinstall function. When a Patch is removed, all features affected by the Patch are reset to installation defaults. Any features not modified by the Patch are left with their current settings.
    • Update VirusScan Enterprise after removing the Patch to ensure that the latest versions of the engine and DAT files are run.

File inventory

The following files are updated with this Patch:

Product documentation

McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the (McAfee) KnowledgeBase.

  1. Go to the McAfee Technical Support ServicePortal.
  2. Under Self Service, access the type of information you need:

      To access...             Do this...
      User documentation       1. Click Product Documentation.
                               2. Select a product, and then select a version.
                               3. Select a product document.
      (McAfee) KnowledgeBase   • Click Search the KnowledgeBase for answers to your product questions.
                               • Click Browse the KnowledgeBase for articles listed by product and version.

Legal notices

COPYRIGHT

Copyright© 2012 McAfee, Inc. All Rights Reserved.

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

Trademark attributions

AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

License agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.