
Access Protection blocking

After a suggestion from one of my account reps, we tightened up Access Protection on our systems. A recent McAfee health check concurred with the changes that were made. We are now seeing numerous blocks in the logs for valid items. Some of them are HP DLL files, others are pieces of the Altiris agent. Still others look like legitimate items being blocked. Generally the policy is: Anti-virus Standard Protection:Prevent Windows Process spoofing Action blocked : Read. Does this mean it allowed read, blocked read??

Anyone have some definitive guidelines?  I have attached a sample log.  Running VSE 8.8, McAfee 4.6


Re: Access Protection blocking

It means the "read action" was blocked. You see, one such block in your logs is:


Now, where does the explorer.exe usually reside? Yeah, not there. So McAfee sees the explorer.exe in a place it shouldn't be and denies access to it because to the protection software this looks sort of malicious. Now obviously this directory has to do with software distribution and the file probably should be there.

So, the action of "reading" is blocked. The question is now who tries to read the files there, and if that is only one or two processes you can simply solve the issue by adding them in the "processes to exclude" section of the "Prevent Windows Process spoofing" rule inside the "Anti-virus Standard Protection" section. Otherwise you might need to disable this rule entirely.
