OSX with 'Core Protection - Protect core McAfee files and folders' alert

We're seeing that some (about 50 out of ~1000) of our OSX devices are flagging an alert stating that Core Protection is taking issue with the xClient process. I can find nothing relating to this online. Has anyone else had this problem? Is there a way of excluding this process from alerting?

Agent GUID: abbe1cb0-7c4e-11e8-1b47-c82a140b924c
Event Generated Time: Dec 5, 2018, 2:13:13 AM
Event Category: 'File' class or access
Event ID: 1092
Threat Severity: Information
Threat Type: Self Protection
Action Taken: Blocked
Threat Target Host Name: DABG03A-01
Threat Source Process Name: XClient
Event Description: Access Protection Rule Violation Detected And Blocked
3 Replies
McAfee Employee chealey
Message 2 of 4

Re: OSX with 'Core Protection - Protect core McAfee files and folders' alert

Can't say that I see this process on either of my test Macs. Sorry!

What you could try is: open Activity Monitor, select the item, and click the information icon. You should get a path to the file or some further details on it, i.e. where it's located and what files it's reading.

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?

Re: OSX with 'Core Protection - Protect core McAfee files and folders' alert

So xClient is an executable in /usr/local/bin. It isn't running when I've logged in. I suspect it's part of the login process.

Also, these alerts have died down - I wonder whether they trigger once when the new version of endpoint was deployed? I'm very tempted to set an exclude for this alert, as I don't think it's a bad thing happening.

Jim

McAfee Employee chealey
Message 4 of 4

Re: OSX with 'Core Protection - Protect core McAfee files and folders' alert

Hi Jim

Thanks for looping back on this. Installations do tend to trigger some of our rules; it obviously depends on what actions those installations take. It would be interesting to know why that process is trying to access our core files and folders! That is something only the vendor of xClient would be able to answer though. If you find out anything else, please feel free to share it here for others to see :-)

If it isn't causing an issue on the local client, personally, I wouldn't add an exclusion, purely because you don't know what it is doing and why it is trying to access our core files and folders. Avoid adding exclusions just because it is creating events. Minimal exclusions should be set; otherwise the system is more vulnerable to attacks.

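The question raised in the thread, whether these alerts fired once around deployment or keep recurring, can be checked against an export of the events before any exclusion is considered. The script below is an added example, not part of the original thread or of any McAfee tooling: it assumes a CSV export whose columns use the field names from the event quoted in the first post, and the sample rows, the EXAMPLE-HOST names, event ID 9999 and the 24-hour window are constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export; column names follow the event fields quoted in the thread.
# Only the first row's values come from the thread, everything else is made up.
SAMPLE_CSV = """Event Generated Time,Event ID,Threat Target Host Name,Threat Source Process Name
"Dec 5, 2018, 2:13:13 AM",1092,DABG03A-01,XClient
"Dec 5, 2018, 2:14:02 AM",1092,DABG03A-01,XClient
"Dec 5, 2018, 3:01:40 AM",1092,EXAMPLE-HOST-02,XClient
"Dec 9, 2018, 8:30:00 AM",1092,EXAMPLE-HOST-02,XClient
"Dec 12, 2018, 8:31:10 AM",1092,EXAMPLE-HOST-02,XClient
"Dec 6, 2018, 1:00:00 PM",9999,EXAMPLE-HOST-03,XClient
"""

# Matches timestamps written like "Dec 5, 2018, 2:13:13 AM".
TIME_FORMAT = "%b %d, %Y, %I:%M:%S %p"


def classify_hosts(csv_text, process="xclient", event_id="1092",
                   window=timedelta(hours=24)):
    """Return {host: "one-off" | "recurring"} for matching self-protection events.

    A host is "one-off" when all of its matching events fall inside `window`
    (an assumed threshold), and "recurring" when they are spread over a longer span.
    """
    seen = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Event ID"].strip() != event_id:
            continue  # a different rule or event type
        if row["Threat Source Process Name"].strip().lower() != process:
            continue  # a different source process
        when = datetime.strptime(row["Event Generated Time"].strip(), TIME_FORMAT)
        seen[row["Threat Target Host Name"].strip()].append(when)

    result = {}
    for host, times in seen.items():
        span = max(times) - min(times)
        result[host] = "one-off" if span <= window else "recurring"
    return result


if __name__ == "__main__":
    for host, verdict in sorted(classify_hosts(SAMPLE_CSV).items()):
        print(f"{host}: {verdict}")
```

Hosts reported as recurring are the ones where it is worth finding out what xClient is touching, rather than silencing the event.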