
OSX with 'Core Protection - Protect core McAfee files and folders' alert

We're seeing that some (about 50 out of ~1000) of our OSX devices are flagging an alert stating that Core protection is taking issue with the xClient process. I can find nothing relating to this online. Has anyone else had this problem? Is there a way of excluding this process from alerting?

Agent GUID: abbe1cb0-7c4e-11e8-1b47-c82a140b924c
Event Generated Time: Dec 5, 2018, 2:13:13 AM
Event Category: 'File' class or access
Event ID: 1092
Threat Severity: Information
Threat Type: Self Protection
Action Taken: Blocked
Threat Target Host Name: DABG03A-01
Threat Source Process Name: XClient
Event Description: Access Protection Rule Violation Detected And Blocked

4 Replies
McAfee Employee chealey
Message 2 of 5

Re: OSX with 'Core Protection - Protect core McAfee files and folders' alert

Can't say that I see this process on either of my test Macs. Sorry!

What you could try is: open Activity Monitor, select the item and click the information icon. You should get a path to the file or some further details on it, i.e. where it's located and what files it's reading.

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?

Re: OSX with 'Core Protection - Protect core McAfee files and folders' alert

So xClient is an executable in /usr/local/bin. It isn't running when I've logged in. I suspect it's part of the login process.

Also, these alerts have died down - I wonder whether they trigger once when the new version of endpoint was deployed? I'm very tempted to set an exclude for this alert, as I don't think it's a bad thing happening.

Jim

McAfee Employee chealey
Message 4 of 5

Re: OSX with 'Core Protection - Protect core McAfee files and folders' alert

Hi Jim

Thanks for looping back on this. Installations do tend to trigger some of our rules, it obviously depends on what actions those installations take. It would be interesting to know why that process is trying to access our core files and folders! That is something only the vendor of xClient would be able to answer though. If you find out anything else, please feel free to share it here for others to see 🙂 

If it isn't causing an issue on the local client, personally, I wouldn't add an exclusion purely because you don't know what it is doing and why it is trying to access our core files and folders. Avoid adding exclusions just because it is creating events. Minimal exclusions should be set, otherwise the system is more vulnerable to attacks.


Re: OSX with 'Core Protection - Protect core McAfee files and folders' alert

This is still happening. xClient is part of the OSX operating system. I'm surprised there is no mention of it out on the web, so I'd guess it's something to do with our unique setup here.

It only seems to happen maybe once (and then not every time), when endpoint protection is first installed, so I'm not going to lose sleep over it.

I'll readdress this if anything starts going wrong as a result of this, but I'm happy to leave this as one of life's great mysteries for now.

Jim
