Roon Server on Win10 with McAfee can no longer access network audio interfaces

Recently I found an issue my Roon Server can no longer see any Network Devices (including my Roon Ready Cambridge Audio Edge NQ which as was using as primary audio rendering device). Local Audio devices (USB DAC) were still accessible. After few day’s of tests I found the root cause, - an update of McAfee software, McAfee Agent 5.7.3.245 to be precise. Earlier it had issues with McAfee throwing errors like:

User %WORKGROUP%%Username% launched process C:\Users%Username%\AppData\Local\Roon\Application\Roon.exe, which got access to C:\Users%Username%\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1994326832-1066739575-5522801-117642\354e90e2b22565e3b3b73aa5606ba94d_052ec91d-1f62-4e97-be04-9a70e78435ac. This action violates rule “Malware Behavior: Windows EFS abuse”. Access is granted as there is no blocking configured in rule.
Analyzer/detector
Analyzer version 10.6.0.11787
Product name McAfee Endpoint Security
Analyzer rule ID 6148
Name of analyzer rule Malware Behavior: Windows EFS abuse
Product version 10.7.0.2298
Function name Preventing exploit actions

Threat

Action taken Block Threat Category Class or “File” access Threat Event ID 18060 Threat Processed Yes Malware Behavior threat name: Windows EFS abuse Threat Severity Critical Threat Timestamp 9/29/2021 8:41 AM Threat Type Exploit Prevention

A source
Time of access to the source 29.9.2021 8:39 AM
Source creation time 9/15/2021 4:08 PM
Source description “C: \ Users \ %Username% \ AppData \ Local \ Roon \ Application \ 100800831 \ … \ Roon.exe”
Source file path C: \ Users \ buiniche \ AppData \ Local \ Roon \ Application
Source File Size 66704
Source change time 9/15/2021 4:08 PM
Source process file hash 87252206efc561bf2e4ef73156afe6ae
Source process name Roon.exe
Source process signed Yes
Source process signer C = US, S = NEW YORK, L = BEDFORD, O = ROON LABS LLC, CN = ROON LABS LLC
Source username CORPDOM \ %Username%

Target
%Hostname% target hostname
Target resource name
Target Resource Path C: \ Users \ %Username% \ AppData \ Roaming \ Microsoft \ Crypto \ RSA \ S-1-5-21-1994326832-1066739575-5522801-117642 \ 354e90e2b22565e3b3b73aa5606ba94d_052ec91d-be478-435
Target resource signed No
SYSTEM target username

Other
Access request completed Delete
Vector type Local system
Length of time before detection (days) 13

However those issues didn’t affect Roon’s server functionality, after update of McAfee agent it looks they added some blocking rule.

Currently Roon Server is installed on my corporate laptop (started to use Roon month ago, was still exploring deployment options), I decided to switch to more robust setup and purchase dedicated NUC for Roon server.

Hopefully this info would help to safe some time if you are using Roon sharing an environment with McAfee software.

I’ve read a lot about problems with Windows 10 and updates when using a third-party product rather than Microsoft’s own security program. This does not only concern Roon, but is Microsoft’s policy. If it can’t be banned, they don’t want to make it easier for the competition. Incidentally, Microsoft is not doing any worse today as far as this product line is concerned. It is even free of charge.

It is not precisely like you are writing.
A well-configured third party security system on my Windows 10 works seamlessly with Roon. Whereas, there are constantly problems with this on Mac.
I will not say how much time I lost investigating what Roon is doing that third party Security System on Mac becomes crazy …

I would say compatibility issues between 3rd party products running on different OS is something usual these days, now it comes on how lucky you are with your setup and how much efforts you are ready to invest to make work it properly if you are unlucky.

If the issue I faced would appear on my personal device, I would try to proceed with McAfee support to remove Roon software from potential security risks, however as laptop is corporate device and Roon isn’t a business application, I think for me the best option would be to stick with dedicated server for Roon. I was going to take a look into ROCK anyway as its quite fancy to have OS dedicated for music rendering

I thing that It is not a matter of luck, but of professionalism. There is no magic here. This is just a bad or well-written function, or a bad or well-made configuration.

I think that’s all a Windows 10 or 11 user needs, the rest is throwing money away and adding problems.

cd11060×784 67.9 KB

cd531×704 37.4 KB

Yep, but usage scenarios may be different, you may use Windows under group policies with limited access to configuration options or Roon may conflict with 3rd party you can’t remove from your setup, so for me its a matter of luck if your primary PC is suitable for Roon or not.