After a suggestion from one of my account reps, we tightened up Access Protection on our systems. A recent McAfee health check concurred with the changes that were made. We are now seeing numerous blocks in the logs for valid items. Some of them are HP DLL files, others are pieces of the Altiris agent. Still other look like legitimate items beings blocked. Generally the policy is: Anti-virus Standard Protectionrevent Windows Process spoofing Action blocked : Read Does this mean it allowed read, blocked read??
Anyone have some definitive guidelines? I have attached a sample log. Running VSE 8.8, McAfee 4.6
It means the "read action" was blocked. You see, one such block in your logs is:
Now, where does the explorer.exe usually reside? Yeah, not there. So McAfee sees the explorer.exe in a place it shouldn't be and denies access to it because to the protection software this looks sort of malicious. Now obviously this directory has to do with software distribution and the file probably should be there.
So, the action of "reading" is blocked. The question is now who tries to read the files there and if that is only one or two processes you can simply solve the issue by adding them in the "proccesses to exclude" section of the "Prevent Windows Process spoofing" rule inside the "Anti-virus Standard Protection" section. Otherwise you might need to disable this rule entirely.