Try our new Certificate Revocation List Check Tool
CRLcheck.exe is a tool developed to verify digital signatures of executable files. It collects files from known paths on your client, checks their signature, and checks Certificate Revocation Lists (CRL) and OCSP download. This helps avoid delays in launching files.
Category published:  DLP | Data Loss Prevention Hotfixes, Updates Mcafee/Trellix   Click on the Category button to get more articles regarding that product.

Mcafee DLP, Microsoft September 2015 update disables Mcafee-DLP

Posted by admin on 27.09.2015

5 Microsoft Patches take out Mcafee DLP copy handler function. Device control (USB) black is not affected.


McAfee Data Loss Prevention Endpoint (DLP Endpoint) software earlier than 9.3.425 (DLP Endpoint 9.3 Patch 4 HF25)

Microsoft Windows 7 64-bit (32-bit is not affected.)


Several applications fail to start after you install Microsoft Patch MS15-038 or MS15-090 or MS15-085 or MS KB3083992 on systems with DLP Endpoint earlier than 9.3 patch 4 hf 25(9.3.425.x).

Affected applications include, but are not limited to:

  • Explorer.EXE
  • MMC-based applications
  • Microsoft Office applications
  • PowerShell

Example startup errors include:

  • csc.exe- Application Error — The application was unable to start correctly (0xc0000142)
  • iexplore.exe- Application Error — The application was unable to start correctly (0xc0000018)
  • mmc.exe- Application Error — The application was unable to start correctly (0xc0000018)
  • cmd.exe- Application Error — The application was unable to start correctly (0xc0000018)


The issue is caused by a third-party component in DLP Endpoint.

NOTE: This issue does not affect the Device Control only operation mode. The other two operation modes may have the issue.


Intel Security has released DLP Endpoint 9.3 Patch 4 Hotfix 25 and  DLP Endpoint 9.3 Patch 5 and later to resolve this issue. 

McAfee product software, upgrades, maintenance releases, and documentation are available from the Product Downloads site at:

NOTE: You will need a valid Grant Number for access. KB56057 provides additional information about the Product Downloads site, as well as alternate locations for some products.

To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged in to subscribe.


Either remove the Microsoft patch (MS15-038MS15-090MS15-085, or MS KB3083992) or disable the affected components in DLP Endpoint.

The affected components in DLP Endpoint include:

  • File Copy Handler
  • Clipboard Service
  • Portable Devices Handler (MTP)
  • Screen Capture Service
  • Internet Explorer Add-on
  • Firefox Handler
  • Cloud Protection Handlers (all)

To disable the affected components:

  1. Open the DLP Management Console.
  2. Open the Agent Configuration menu.
  3. Click Edit Global Agent Configuration.
  4. Select the Miscellaneous tab.
  5. Deselect the components you would like to disable.
  6. Click OK.
  7. On the Agent Configuration menu, click Apply Global Agent Configuration.

NOTE: This will not update custom Agent Configurations. Those must be updated from the ePolicy Orchestrator policy catalog.

To remove Microsoft KB via Command line:

1. Run Command line as admin
2. Run the following commands:

  • “wusa /uninstall /kb:3045685 /quiet /forcerestart”
  • “wusa /uninstall /kb:3045999 /quiet /forcerestart”
  • “wusa /uninstall /kb:3060716 /quiet /forcerestart”
  • “wusa /uninstall /kb:3071756 /quiet /forcerestart”
  • “wusa /uninstall /kb:3083992 /quiet /forcerestart”

Potential impact of disabling handlers:

  • File Copy Handler – This was introduced in DLP Endpoint 9.3.0
    Removable storage protection enhancement adding Windows Explorer
    sandbox In McAfee DLP Endpoint version 9.2, the client software
    processed files copied by Windows Explorer to removable storage devices
    before they were actually copied to the destination. The new protection
    rule algorithm hooks the Windows MoveFile and CopyFile APIs when files
    are being copied to removable storage, and suspends the transfer until
    the McAfee DLP Endpoint client software completes the scan and applies
    the policy. The feature can be deactivated on the Agent Configuration |
    Miscellaneous page.

  • Portable Device Handler (MTP) (9.3.100) (Patch 1)
    Removable storage protection rules enhancement Media Transfer Protocol
    (MTP) support has been added to removable storage protection rules. MTP
    is a protocol for transferring media files and associated metadata
    between portable devices or between portable devices and computers. MTP
    devices are not traditional removable devices because the device
    implements the file system, not the computer the device is connected

    The feature supports all removable storage protection rule actions
    except Encrypt. Protection rules with the Encrypt action fall back to
    Block, and files are placed in the quarantine folder. Only USB
    connections are currently supported.

    Note Microsoft Windows Server 2003 does not identify removable devices
    in Windows Explorer. Therefore, removable storage protection rules with
    MTP support cannot be applied on this platform.

    The following services affect:

    • Clipboard Service – Copying from Application to application or outside specified applications.
    • Screen Capture Service – Snagit, Snipping tool. etc… 
    • Internet Explorer Add-on – Web post protection
    • Firefox Handler – Web post protection
    • Cloud Protection Handlers (all) – Protection from Cloud (dropbox, google drive, box…etc)

Related Information

See Microsoft article 3045999 for details on patch MS15-038:
See Microsoft Article for details on MS15-090:
See Microsoft Article for details on MS15-085:
See Microsoft Article for details on MS15-038:
See Microsoft Article 3083992 for details :

 Category published:  DLP | Data Loss Prevention Hotfixes, Updates Mcafee/Trellix   Click on the Category button to get more articles regarding that product.