How the Validation and Trust Protection service works

The VTP service (MFEVTPS.exe) inspects DLLs and running processes that interact with McAfee code to verify whether objects are trusted.

An object is a network, file, registry, or process. Trusted means the third-party process is allowed to access McAfee objects. For example, a trusted third-party process is allowed to be injected into McAfee processes or to read McAfee registry keys.

To function properly, the VTP service depends on:

  • Microsoft Cryptographic service (CryptSvc)
  • Trust-related APIs
  • Health of the certificate store or catalog files

Here's how the VTP service works:

  1. A validation check runs when McAfee code needs to verify that the acting process is trusted, the target object is trusted, or both.
  2. When McAfee processes are initialized, the VTP service validates that McAfee is loading trusted code. AAC makes sure that McAfee loads only trusted DLLs.

Only McAfee and Microsoft code are implicitly trusted.

Caching

The VTP service caches the results of a validation check to improve the performance of future validation checks. The VTP service always examines the cache first when performing a validation check.

  • If a validation check returns a result that the object is not trusted, that object is cached as untrusted.
  • If an object is cached incorrectly as untrusted, only a cache reset can correct it.

The cache resets when a system restarts in Safe Mode or by running this command:

  VTPInfo.exe /ResetVTPCache

You can also reset the cache from the DAT.

Trust failures

A trust failure is a VTP service validation check that results in "untrusted" when the expected result was "trusted." Trust failures occur because AAC denies access to untrusted code: as a form of self-protection, the untrusted process is not allowed to access McAfee processes.

Here are some examples of trust failures:

  • A McAfee process was injected by an untrusted third party, so the process fails a validation check.
  • A Microsoft catalog-signed file has invalid signing information, so it can't be verified and can't be loaded by a McAfee process.
  • A valid DLL file was cached incorrectly as "untrusted," and subsequent attempts to load it are denied.

All of these examples can cause the affected McAfee processes to fail.
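A triage script for the dependencies listed under "To function properly" and the trust-failure examples above, added here as an illustration; it is not McAfee tooling. It checks that CryptSvc is running, reads the Authenticode or catalog signature of a DLL through the Windows trust APIs, and prints the cache reset command when a file with a valid signature is still being denied. The DLL path and the location of VTPInfo.exe are assumed placeholders supplied by the operator.

```powershell
# Added example (not McAfee code): triage why a VTP validation check might return "untrusted".
param(
    [Parameter(Mandatory = $true)][string]$DllPath,          # assumed: the DLL being denied
    [string]$VtpInfoPath = '<path to VTPInfo.exe>'           # assumed: placeholder, set per install
)

# Dependency 1: the Microsoft Cryptographic service must be running,
# otherwise signature validation cannot complete at all.
$crypt = Get-Service -Name CryptSvc -ErrorAction SilentlyContinue
if ($null -eq $crypt) {
    Write-Warning 'CryptSvc is not installed on this host; trust validation cannot work.'
} elseif ($crypt.Status -ne 'Running') {
    Write-Warning "CryptSvc is '$($crypt.Status)'; trust validation will fail until it is running."
}

if (-not (Test-Path -LiteralPath $DllPath -PathType Leaf)) {
    Write-Error "File not found: $DllPath"
    return
}

# Dependency 2: the signing chain must verify through the certificate store
# (embedded Authenticode) or a Microsoft catalog file (SignatureType = Catalog).
$sig = Get-AuthenticodeSignature -FilePath $DllPath
[pscustomobject]@{
    File          = $DllPath
    SignatureType = $sig.SignatureType               # Authenticode, Catalog, or None
    Status        = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
    Signer        = $sig.SignerCertificate.Subject   # empty when unsigned
    IsOSBinary    = $sig.IsOSBinary                  # Microsoft-signed OS component
} | Format-List

switch ($sig.Status) {
    'Valid' {
        # Signing information verifies, so a denial is not a signing problem.
        # A DLL cached incorrectly as "untrusted" is only corrected by a cache reset.
        Write-Host 'Signature verifies. If VTP still denies this file, reset the VTP cache:'
        Write-Host "  & '$VtpInfoPath' /ResetVTPCache"
        Write-Host '(or restart the system in Safe Mode, which also resets the cache)'
    }
    'NotSigned' {
        Write-Host 'Unsigned file: only McAfee and Microsoft code are implicitly trusted, so a denial is expected.'
    }
    default {
        # HashMismatch, NotTrusted, UnknownError: the catalog or certificate data is invalid,
        # matching the "invalid signing information" trust failure described above.
        Write-Host "Signing information is invalid ($($sig.Status)); the file cannot be verified and will not load."
    }
}
```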