Well, thanks to Matthew, and a hunch on my side before I posted, I found
the problem and workarounds.
Dell pre-installs Wave System's Embassy Trust Suite on their D620's to
manage the built in TPM. McAfee's Buffer Overflow protection has a
known incompatability with the DocManager portion of the Embassy Suite.
Below is the workaround Wave advises:
http://www.wavesys.com/support/CSC/CustomerService/Documents/DM-009.htm
This was also an issue with Managed VirusScan as referenced in the above
link, and McAfee knows how to fix it, as they corrected it on the
Managed VirusScan product. Hopefully it's fixed in VirusScan Enterprise
8.0i quickly. It sounds like it will definitely require a newly
released patch level.
Turning off buffer overflow protection in McAfee, or removing the
DocManager portion of the Embassy Suite are th only two work arounds
advised.
For kicks, I will do testing with the Dell image and 8.0i Patch 10.
Since Patch 11 has known issues on 2003 DC's related to the network
driving and overloading LSASS.EXE (one of the exe that crashes from this
incompatability), I'm curious to see if the old network driver doesn't
cause the crash. If it does, then anyone using Patch 11a might not see
this problem as patch 11a is identical to patch 11, but it uses patch
10's network driver.
I'll report back tomorrow on my findings. It could be other parts of
Patch 11 that cause the problem.
FYI - The reason my custom image didn't crash is because I didn't
install the DocManager portion of the Embassy Suite. It was the only
thing different in my image and Dell image interms of installed
software, so I had a hunch that may have been the culprit. This now
confirms it.
-----Original Message-----
From: Evan Mann
Sent: Tuesday, May 02, 2006 5:23 PM
To: 'Pour, Matthew'
Subject: RE: McAfee 8.0 crashing Dell D620's
I installed the Wave software in my custom image, but I removed 1
portion of it, the local document encryption piece, and don't have the
problem. Interesting.
The Wave Embassy suite is needed to run the fingerprint reader, which we
purchase, so I guess I need to do more testing to see if the custom
install w/o the document encryption piece solves it, or Patch 10 doesn't
have the issue. Sounds like I'm going to need to get WAVE Systems and
McAfee on the phone with each other.
Thanks!
Evan
-----Original Message-----
From: Pour, Matthew
Sent: Tuesday, May 02, 2006 5:22 PM
To: Evan Mann
Subject: RE: McAfee 8.0 crashing Dell D620's
We found the problem to reside with this application that Dell placed on
their image:
Wave Embassy - fingerprint scanning software.
Good luck!
Matthew Pour
BMC Software
Information Security
-----Original Message-----
From: Evan Mann [mailto:emann@pinnaclefinancial.com]
Sent: Tuesday, May 02, 2006 4:04 PM
To: focus-virus@securityfocus.com
Subject: McAfee 8.0 crashing Dell D620's
Has anyone else noticed that installing McAfee Enterprise 8.0i with
Patch 11 will crash services.exe (and various other system processes) on
Dell Latitude D620's that maintain the Dell loaded image of XP
Professional?
I have not tested to see if the problem also exists with Patch 10 or
not.
If I reload a Dell D620 from scratch, and install all the same software
Dell pre-installs, McAfee 8.0i+Patch 11 does not crash the machine. So
it appears to be something in the way Dell loads the computer.
