App Control: Console logins timing out and disconnected agents due to McAfee interop issue

Environment

  • App Control Server: All Supported Versions
  • App Control Agent: All Supported Versions
  • McAfee Endpoint Security Agent

Symptoms

  • Both McAfee Endpoint Security and the App Control agents are installed on the server system
  • Console logins are timing out with error message "Something Went Wrong"
  • App Control Server Tamper Protection Rapid Config has been enabled
  • AD logins and/or AD Policy mappings are enabled
  • All or multiple agents show disconnected in the console
  • PHP_Errors:
    PHP Fatal error:  Maximum execution time of 240 seconds exceeded in C:\Program Files (x86)\Bit9\Parity Console\WebUI\include\SOAPUtil.php on line 71
    User "admin" requested URL "/login.php" and encountered error "Maximum execution time of 240 seconds exceeded" in C:\Program Files (x86)\Bit9\Parity Console\WebUI\include\SOAPUtil.php on line 71
    

Cause

The McAfee endpoint agent injects into the Parityserver.exe process. This triggers the App Control agent's Tamper Protection rules, which in turn cause the server service to hang or crash.

Resolution

The following solutions exist:
  1. Use local user login (e.g. admin) when connecting to the console
  2. Add exclusions in McAfee for the App Control Server per this KB
    • Verify that no injection happens using Procmon: start the capture > collect some data > double-click "Parityserver.exe" > Process tab > verify that no McAfee DLLs are listed
    • If McAfee still injects into the "Parityserver.exe" process, create a support case with McAfee support to have it resolved
  3. Disable or uninstall McAfee
  4. Disable the App Control Agent's Tamper Protection permanently:
    • Log in to the console with a local user > Go to Assets > Computers > open the Computer Details for the agent installed on the server > Disable Tamper Protection on the right
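
The module check from step 2 can also be scripted for repeat verification after the exclusions are changed. The following PowerShell is an added example, not part of the original article or either vendor's tooling. It assumes an elevated shell of the same bitness as the server process, and it treats the string "McAfee" in a module's company name or path as a heuristic match.

```powershell
# Added example: flag McAfee modules loaded into the App Control server process.
# Assumptions: elevated PowerShell with the same bitness as the target process
# (a mismatched shell can return an incomplete module list); the vendor match on
# company name or file path is a heuristic, not a vendor-supplied check.
$ProcessName   = 'Parityserver'   # process named in the article
$VendorPattern = 'McAfee'         # regex matched against CompanyName and path

$procs = @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)
if ($procs.Count -eq 0) {
    Write-Warning "Process '$ProcessName' is not running; nothing to check."
    return
}

$hits = foreach ($p in $procs) {
    try {
        $modules = $p.Modules      # throws on access denied or bitness mismatch
    } catch {
        Write-Warning "Cannot read modules of PID $($p.Id): $($_.Exception.Message)"
        continue
    }
    foreach ($m in $modules) {
        # Version metadata can be missing or unreadable for some modules
        $company = $null
        try { $company = $m.FileVersionInfo.CompanyName } catch { }

        if ($company -match $VendorPattern -or $m.FileName -match $VendorPattern) {
            [pscustomobject]@{
                PID     = $p.Id
                Module  = $m.ModuleName
                Company = $company
                Path    = $m.FileName
            }
        }
    }
}

if (@($hits).Count -eq 0) {
    "No modules matching '$VendorPattern' are loaded in $ProcessName."
} else {
    # Any row here means injection is still occurring despite the exclusions
    $hits | Sort-Object PID, Module | Format-Table -AutoSize
}
```

An empty result corresponds to the "no McAfee DLLs are listed" outcome of the Procmon check; any listed module means the exclusions are not yet effective.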

Article Information
Creation Date: 11-16-2021