Cupfighter.net

I could not install McAfee 8.7 on all server in several high secure environments. I got the infamous McAfee 8.7 Error 1920, service McShield failed to start. Also got the 5004 error from McLogEvent when I did a custom install and did not start McShield during install. I already tried all options from McAfee Support (especially changing imagepath for mfeapfk.sys mfeavfk.sys, mfebopk.sys in the registry looked promising since I already had the latest version of the patch) after it didn’t work out, I’ve logged an incident at McAfee. I went up to 3rd level support, in the end it turned out that if I disabled all policies it worked. That made support think the issue was solved. That’s not true of course. Therefore I did some further investigation to find out which setting it was. (I cannot afford to switch off all securtiy settings of course). It turned out I had to change the following setting:
Client computers can trust the following certificate stores
change from:
Enterprise Root Certification Authorities
to:
Third-Party Root Certification Authorities and Enterprise Root Certification Authorities

With the first option, only a very small list of certificates is available in the “trusted root certification authorities” list of certificates. After I’ve changed the policy there are plenty certificates in the list.

McAfee has added new drivers (Device manager, show hidden Devices, Non-Plug and Play Drivers to show them). One of these, the McAfee Validation Trust Protection Service (mfevtps), needs one of the root certificates in the extended list as shown above.