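After McAfee VirusScan Enterprise 8.7i Patch 3 was released on the 10th of this month, a fairly serious bug surfaced: with the Prevent Windows Process spoofing option enabled, the desktop fails to appear at system startup or when switching user accounts. I mentioned a temporary workaround at the time, and McAfee also identified the bug promptly and advised users to disable the feature temporarily.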
After installing VirusScan Enterprise (VSE) 8.7i Patch 3 and restarting your computer, the Windows desktop is not displayed with the Access Protection rule Standard Protection: Prevent Windows Process spoofing enabled.
Windows Task Manager shows that Explorer.exe is not running.
Installed Patch 3 for VSE 8.7i and restarted computer.
The Access Protection rule Standard Protection: Prevent Windows Process spoofing is enabled and configured to Block. The issue is caused by changes to vscan.bof, a content file for Access Protection rules and buffer overflow protection.
This issue has been reported for the Explorer.exe process. Other Windows processes are not affected.
This issue is resolved by an updated vscan.bof content file on the McAfee Common Updater site. This updated file will be automatically downloaded and applied to all VSE systems (regardless of patch level) in the same way as daily DAT files.
This means Patch 3 can be applied and systems will never encounter the issue.
The updated package is also attached to this article.
NOTE: This content file is also used by VirusScan Enterprise 8.5i. After the update, both VSE 8.7i and 8.5i will report version 480 for the Buffer Overflow and Access Protection DAT Version.
Disable the Access Protection rule.
NOTE: Because Explorer.exe is not running, there is no Start button or VirusScan Enterprise (VSE) icon in the system tray.
To open the VirusScan Console:
- Press CTRL+ALT+DEL.
- Click Task Manager, File, New Task (Run...).
- Navigate to C:\Program Files\McAfee\VirusScan Enterprise\mcconsol.exe.
- Click OK.
Right-click Access Protection and select Properties.
Select Anti-virus Standard Protection.
Select Prevent Windows Process spoofing and deselect the Block option.
NOTE: Optionally, you can deselect Report to completely disable the rule.
If you log into your system quickly, you might not encounter this issue, even when the rule to block spoofing of Windows processes is enabled. This is because Explorer.exe is running before the Access Protection Rule takes effect.