Cupfighter.net » McAfee http://www.cupfighter.net A blog by Schuberg Philis colleagues Thu, 09 Feb 2012 14:27:59 +0000 en hourly 1 http://wordpress.org/?v= Get rid of Event ID 5156: The Windows Filtering Platform has allowed a connection http://www.cupfighter.net/index.php/2009/10/get-rid-of-event-id-5156-the-windows-filtering-platform-has-allowed-a-connection/ http://www.cupfighter.net/index.php/2009/10/get-rid-of-event-id-5156-the-windows-filtering-platform-has-allowed-a-connection/#comments Mon, 05 Oct 2009 12:47:49 +0000 Cupfighter http://www.cupfighter.net/?p=568 When you install McAfee on Windows Server 2008, and probably Windows Vista also, you can get a lot of messages in your security log. Like this one:

ID 5156

Event ID 5156 means that WFP has allowed a connection. When most connections are allowed your security log will fill up very fast.

You can disable Object Access auditing but then you’ll miss other events which might be of interest. So, instead, let’s just disable Success Auditing for Filtering Platform Connections. It’s not possible to disable auditing subcategories with a policy or other GUI tool, but I found out that you can enable and disable specific subcategories with a special command-line tool: Auditpol.exe, which is included with Windows Vista and Windows Server 2008. I used the following command:

auditpol /set /subcategory:”Filtering Platform Connection” /success:disable /failure:enable

As you can see this disables Success auditing for the Filtering Platform Connection subcategory.

For more info check out this article:

http://msdn.microsoft.com/en-us/library/bb309058(VS.85).aspx

]]> http://www.cupfighter.net/index.php/2009/10/get-rid-of-event-id-5156-the-windows-filtering-platform-has-allowed-a-connection/feed/ 3 Infamous McAfee 8.7 Error 1920, service McShield failed to start http://www.cupfighter.net/index.php/2009/09/infamous-mcafee-8-7-error-1920-service-mcshield-failed-to-start/ http://www.cupfighter.net/index.php/2009/09/infamous-mcafee-8-7-error-1920-service-mcshield-failed-to-start/#comments Fri, 25 Sep 2009 15:41:30 +0000 Jan Jacob Bos http://www.cupfighter.net/?p=548 I could not install McAfee 8.7 on all server in several high secure environments. I got the infamous McAfee 8.7 Error 1920, service McShield failed to start. Also got the 5004 error from McLogEvent when I did a custom install and did not start McShield during install. I already tried all options from McAfee Support (especially changing imagepath for mfeapfk.sys mfeavfk.sys, mfebopk.sys in the registry looked promising since I already had the latest version of the patch) after it didn’t work out, I’ve logged an incident at McAfee. I went up to 3rd level support, in the end it turned out that if I disabled all policies it worked. That made support think the issue was solved. That’s not true of course. Therefore I did some further investigation to find out which setting it was. (I cannot afford to switch off all securtiy settings of course). It turned out I had to change the following setting:
Client computers can trust the following certificate stores
change from:
Enterprise Root Certification Authorities
to:
Third-Party Root Certification Authorities and Enterprise Root Certification Authorities

With the first option, only a very small list of certificates is available in the “trusted root certification authorities” list of certificates. After I’ve changed the policy there are plenty certificates in the list.

McAfee has added new drivers (Device manager, show hidden Devices, Non-Plug and Play Drivers to show them). One of these, the McAfee Validation Trust Protection Service (mfevtps), needs one of the root certificates in the extended list as shown above.

]]> http://www.cupfighter.net/index.php/2009/09/infamous-mcafee-8-7-error-1920-service-mcshield-failed-to-start/feed/ 1