
An update for the McAfee Endpoint Security (ENS) security software was released today that caused major headaches for system administrators all over the world, as it prevented users from logging in to their computers.
We were first notified of this issue when a reader pointed us to a Reddit post stating that employees at UK Power Networks were told that they were not "allowed to log into their computers due to 'mcafee system update'. IT saying people will lose their data if they log in?".

At first it was assumed that this was a security incident such as ransomware, but from comments we quickly learned that this was a bad McAfee ENS Exploit Prevention content update that was causing issues with older versions of ENS.
It is also reported that this update caused issues with Experian that led to an outage of their services.

Conflict with older version of McAfee ENS
According to a McAfee support bulletin, a Windows PC that is running McAfee ENS 10.2, has Exploit Prevention enabled, and installed today's Exploit Prevention definition update 9418 would no longer allow users to log into Windows. To fix this issue, McAfee quickly released definition update 9419, which prevented new workstations from experiencing this issue.
Unfortunately, for the workstations that were already affected, even if you disabled Exploit Prevention, users would still be unable to log in until a manual Windows Registry fix was made.
This fix would have to be done via Safe Mode, which as you can imagine, would be a royal pain for an organization with thousands, if not hundreds of thousands, of workstations.
The fix offered by McAfee is to:
- Ensure that the Exploit Prevention policy is set to Disabled.
- Boot the system in Safe Mode. See the following information if you have disk encryption software.
  - If you have McAfee Drive Encryption, see KB73714 for information about how to boot the system in Safe Mode.
  - If you have third-party disk encryption software, you might need to obtain instructions to boot the system in Safe Mode. Contact the vendor for the disk encryption product for instructions.
- Go to the Registry and search for the following key:
  HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\Endpoint\Common\BusinessObjectRegistry\BO
- Set Enable to 0.
- Reboot the system.
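For administrators repeating the registry step on many machines, the following added example (not McAfee's tooling and not part of the original article) scripts it in PowerShell for an elevated prompt in Safe Mode. It assumes the Enable value sits directly under the key as printed above; the function name and backup file location are hypothetical.

```powershell
# Added example: scripted form of the registry step, run elevated in Safe Mode.
# Assumption: "Enable" is a value directly under the key printed in the article.
$RegKey     = 'HKLM\SOFTWARE\McAfee\Endpoint\Common\BusinessObjectRegistry\BO'
$KeyPath    = "Registry::$($RegKey -replace '^HKLM', 'HKEY_LOCAL_MACHINE')"
$ValueName  = 'Enable'
$BackupFile = Join-Path $env:SystemRoot 'Temp\ens-bo-backup.reg'  # hypothetical location

function Set-EnsBoEnableOff {
    # SAFEBOOT_OPTION is only defined when Windows was booted in Safe Mode.
    if (-not $env:SAFEBOOT_OPTION) {
        throw 'Not booted in Safe Mode; the fix has to be made from Safe Mode.'
    }
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        throw "Key not found: $KeyPath"
    }

    $key = Get-Item -LiteralPath $KeyPath
    if ($key.GetValueNames() -notcontains $ValueName) {
        throw "Value '$ValueName' is not present under the key; nothing changed."
    }

    $before = $key.GetValue($ValueName)
    $kind   = $key.GetValueKind($ValueName)   # keep the existing value type
    if ("$before" -eq '0') {
        return "Already 0 on $env:COMPUTERNAME; nothing changed."
    }

    # Export the key first so the previous state can be restored if needed.
    & reg.exe export $RegKey $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Backup of $RegKey failed; value left at $before."
    }

    Set-ItemProperty -LiteralPath $KeyPath -Name $ValueName -Value 0 -Type $kind

    # Read the value back rather than trusting the write.
    $after = (Get-Item -LiteralPath $KeyPath).GetValue($ValueName)
    if ("$after" -ne '0') {
        throw "Write did not stick: $ValueName is still $after."
    }
    return "$ValueName changed from $before to 0 on $env:COMPUTERNAME; backup at $BackupFile."
}

Set-EnsBoEnableOff
```

The script does not reboot the machine, so the final step of the procedure is still performed separately.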
BleepingComputer has reached out to UKPN, Experian, and McAfee and will update the article when we hear back.
H/T ceilt.com
Comments
sdel85 - 3 years ago
Any organization running this old of a version of Endpoint Security (ENS) should really be asking themselves, “what is our security team doing and why have we not been staying updated?”. This version is almost 2 years old and there have been numerous version updates and patches to address vulnerabilities not to mention to address new malware variants and techniques.
mitchellbuehler - 3 years ago
This version of ENS has been End of Life since DECEMBER of 2018, and the notice that this was going to happen went out in JUNE of 2018! Any organization still using an end of life product with that much advance notice in production when newer versions are readily available and easily upgradable is ASKING for problems. It is not McAfee's responsibility to perform every single QA check against every update for EOL products.