McAfee VirusScan Enterprise 8.7i Patch 3本月10日发布后，有一个比较严重的BUG，在启用了禁止伪装Windows进程选项时，会造成系统启动、切换用户帐户时无法显示桌面，我当时也提到过临时解决方案，McAfee官方也及时发现了该BUG，并建议用户临时禁用该功能。

一个好消息时，今日McAfee已经提供了修复该问题的热修复补丁，并进行了自动升级推送，之前有进行过自定义排除的朋友，可以取消排除项目，重新启用该功能了。首次安装Patch 3的朋友，记得安装完成后，暂不要重启系统，直接启动在线更新，以便能够正常使用系统。

更新日志

Problem

After installing VirusScan Enterprise (VSE) 8.7i Patch 3 and restarting your computer, the Windows desktop is not displayed with the Access Protection rule Standard Protection: Prevent Windows Process spoofing enabled.
Windows Task Manager shows that Explorer.exe is not running.

System Change

Installed Patch 3 for VSE 8.7i and restarted computer.

Cause

The Access Protection rule Standard Protection: Prevent Windows Process spoofing is enabled and configured to Block. The issue is caused by changes to vscan.bof, a content file for Access Protection rules and buffer overflow protection.
This issue has been reported for the Explorer.exe process. Other Windows processes are not affected.

Solution

This issue is resolved by an updated vscan.bof content file on the McAfee Common Updater site. This updated file will be automatically downloaded and applied to all VSE systems (regardless of patch level) in the same was as daily DAT files.
This means Patch 3 can be applied and systems will never encounter the issue.
The updated package is also attached to this article.
NOTE: This content file is also used by VirusScan Enterprise 8.5i. After the update, both VSE 8.7i and 8.5i will report version 480 for the Buffer Overflow and Access Protection DAT Version.

Workaround

Disable the Access Protection rule.
NOTE: Because Explorer.exe is not running, there is no Start button or VirusScan Enterprise (VSE) icon in the system tray.
To open the VirusScan Console

1. Press CTRL+ALT+DEL.
2. Click Task Manager, File, New Task (Run...).
3. Navigate to C:\Program Files\McAfee\VirusScan Enterprise\mcconsol.exe.
4. Click OK.

5. Right-click Access Protection and select Properties.

6. Select Anti-virus Standard Protection.

7. Select Prevent Windows Process spoofing and deselect the Block option.
   NOTE: Optionally, you can deselect Report to completely disable the rule.

8. Click OK.

Related Information

If you log into your system quickly, you might not encounter this issue, even when the rule to block spoofing of Windows processes is enabled. This is because Explorer.exe is running before the Access Protection Rule takes effect.

Attachment 1

VSE87HF557464.zip
77K • < 1 minute @ 56k, < 1 minute @ broadband

提供下Patch 3的下载，不包含主程序

点击此处进入下载页