KB# | 1629 |
Title | McAfee's VSE Access Protection prevents successful SD installation |
URL Name | McAfee-s-VSE-Access-Protection-prevents-successful-SD-installation |
Summary | The presence of McAfee VSE Access protection can collide with SecureDoc, preventing successful SecureDoc installation, leaving the device in a perpetual Temporary Autoboot status in the SES Console. Excessively aggressive VSE AP rules make it impossible for the SecureDoc Installer to make certain required changes. This article clarifies how this happens and what must be done to correct it and permit SecureDoc to install successfully. |
Scenario:
McAfee’s VSE Access Protection prevents successful SecureDoc installation.
Symptom:
During SD installation, the device did not move to a deployed stage and displays “Temp Autoboot” status within the SES console. The Secure Moment could not be achieved (the point at which any temporary means of authenticating to the device have been eliminated and only permitted users may log on).
There is no other issue observed post installation of SecureDoc agent except device never moves to deployed state.
Probable Causes:
The screenshot below demonstrates the VSE AP rules that block WinMagic files from writing to the registry locations:
McAfee customers may have setup up the VSE AP rules too restrictive, for read, write and block access on registry, folders and other locations. These rules will prevent virus(s) from propagating and affecting device(s) in questioned. In SecureDoc case, McAfee does not detect the installation files as virus(s) but rather restricts them based on the aggressive rules that customers have implemented.
McAfee whitepaper on access protection rules: “Anti-Virus Standard Protection: Prevent user rights policies from being altered”
https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/20000/PD20870/en_US/5345wp_tops_vse_ap_0109s.pdf
Product version affected:
SD 7.1 HF2
Environment (OS/hardware/software):
McAfee VSE version 8.7, 8.8 and later versions
Multiple devices
Windows 7, 8.1, and 10
Informational Gathering and Troubleshooting:
Obtain the following logs:
1. VSE AP Rules (an example one above)
2. Applications and System Event Viewer Logs
3. Registry settings
4. UserData Folder
Resolution:
Solution 1:
It is a recommended “Best Practice” to disable/uninstall McAfee Anti-Virus prior to installing SecureDoc client software. This will allow for a successful SD installation and conversion.
Given the unpredictable behavior(s) of any particular AV product during the installation of SecureDoc Client (which includes driver-level components) can be impossible to determine - particularly from one AV product to another AV product, or version to version.
NOTE: If there are still reoccurring issues following the re-enabling of McAfee Anti-Virus, please proceed to solution 2.
Solution 2:
Add the following list of SD executable files to McAfee’s File Exception List (White List).
Symptoms | Antivirus Software | Whitelisting Files |
SD-17571 | McAfee VSE Access Protection | 1. SDPin.exe |