cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Highlighted

OSX with 'Core Protection - Protect core McAfee files and folders' alert

We're seeing some (about 50 out of ~1000) of our OSX devices) are flagging an alert stating that Core protection is taking issue with the xClient process. I can find nothing relating to this online. Has anyone else had this problem? Is there a way of excluding this process from alerting? Agent GUID abbe1cb0-7c4e-11e8-1b47-c82a140b924c Event Generated Time Dec 5, 2018, 2:13:13 AM Event Category 'File' class or access Event ID 1092 Threat Severity Information Threat Type Self Protection Action Taken Blocked Threat Target Host Name DABG03A-01 Threat Source Process Name XClient Event Description Access Protection Rule Violation Detected And Blocked
4 Replies
Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 5

Re: OSX with 'Core Protection - Protect core McAfee files and folders' alert

Can't say that I see this process on either of my test MACs. Sorry!

What you could try is: Open Activity Monitor and select the item and click the information icon. You should get a path to the file or some further details on it i.e. where it's located and what files it's reading

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
Highlighted

Re: OSX with 'Core Protection - Protect core McAfee files and folders' alert

so xClient is an executable in /usr/local/bin. It isn't running when I've logged in. I suspecct its part of the login process.

 

Also, these alerts have died down - I wonder whether they trigger once when the new version of endpoint was deployed?? I'm very tempted to set an exclude for this alert, as I don't think its a bad thing happening.

 

Jim

Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 4 of 5

Re: OSX with 'Core Protection - Protect core McAfee files and folders' alert

Hi Jim

Thanks for looping back on this. Installations do tend to trigger some of our rules, it obviously depends on what actions those installations take. It would be interesting to know why that process is trying to access our core files and folders! That is something only the vendor of xClient would be able to answer though. If you find out anything else, please feel free to share it here for others to see 🙂 

If it isn't causing an issue on the local client, personally, I wouldn't add an exclusions purely because you don't know what it is doing and why it is trying to access our core files and folders. Avoid adding exclusions just because it is creating events. Minimal exclusions should be set otherwise the system is more vulnerable to attacks.

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
Highlighted

Re: OSX with 'Core Protection - Protect core McAfee files and folders' alert

This is still happening, xClient is part of the OSX operating system. I'm surprised there is no mention of it out on the web, so I'd guess its something to do with our unique setup here.

 

It only seems to happen maybe once (and then not every time), when endpoint protection is first installed, so I'm not going to lose sleep over it.

 

I'll readdress this if anything starts going wrong as a result of this, but I'm happy to leave this as one of lifes great mysteries for now.

 

Jim

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community