Recently I found an issue: my Roon Server can no longer see any network devices (including my Roon Ready Cambridge Audio Edge NQ, which I was using as the primary audio rendering device). Local audio devices (USB DAC) were still accessible. After a few days of tests I found the root cause: an update of McAfee software, McAfee Agent 5.7.3.245 to be precise. Earlier it had issues with McAfee throwing errors like:
User %WORKGROUP%\%Username% launched process C:\Users\%Username%\AppData\Local\Roon\Application\Roon.exe, which got access to C:\Users\%Username%\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1994326832-1066739575-5522801-117642\354e90e2b22565e3b3b73aa5606ba94d_052ec91d-1f62-4e97-be04-9a70e78435ac. This action violates rule “Malware Behavior: Windows EFS abuse”. Access is granted as there is no blocking configured in rule.
Analyzer/detector
  Analyzer version: 10.6.0.11787
  Product name: McAfee Endpoint Security
  Analyzer rule ID: 6148
  Name of analyzer rule: Malware Behavior: Windows EFS abuse
  Product version: 10.7.0.2298
  Function name: Preventing exploit actions
Threat
  Action taken: Block
  Threat Category: Class or “File” access
  Threat Event ID: 18060
  Threat Processed: Yes
  Threat name: Malware Behavior: Windows EFS abuse
  Threat Severity: Critical
  Threat Timestamp: 9/29/2021 8:41 AM
  Threat Type: Exploit Prevention
Source
  Time of access to the source: 29.9.2021 8:39 AM
  Source creation time: 9/15/2021 4:08 PM
  Source description: “C:\Users\%Username%\AppData\Local\Roon\Application\100800831\…\Roon.exe”
  Source file path: C:\Users\buiniche\AppData\Local\Roon\Application
  Source file size: 66704
  Source change time: 9/15/2021 4:08 PM
  Source process file hash: 87252206efc561bf2e4ef73156afe6ae
  Source process name: Roon.exe
  Source process signed: Yes
  Source process signer: C = US, S = NEW YORK, L = BEDFORD, O = ROON LABS LLC, CN = ROON LABS LLC
  Source username: CORPDOM\%Username%
Target
  Target hostname: %Hostname%
  Target resource name:
  Target resource path: C:\Users\%Username%\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1994326832-1066739575-5522801-117642\354e90e2b22565e3b3b73aa5606ba94d_052ec91d-be478-435
  Target resource signed: No
  Target username: SYSTEM
Other
  Access request completed: Delete
  Vector type: Local system
  Length of time before detection (days): 13
However, those issues didn’t affect Roon’s server functionality; after the update of the McAfee agent it looks like they added some blocking rule.
Currently Roon Server is installed on my corporate laptop (I started to use Roon a month ago and was still exploring deployment options); I decided to switch to a more robust setup and purchase a dedicated NUC for the Roon server.
Hopefully this info will help save some time if you are using Roon in an environment shared with McAfee software.