pdc_irl
Level 7

HIPS V7 (patch2) on vista 64bit

Would be interested to know if anyone has a similar setup.

I have a 64-bit version of Vista and am noticing some weirdness with HIPS. I'm seeing loads of de-activated HIPS icons appearing in the system tray (all with the small red 'disabled' icon) and one 'active' icon. Having a look at the access protection log, it's showing loads of entries (as shown below).

The version of HIPS is 7.0.0.8333 (patch 2) and the McAfee agent is version 4. I've seen a reference to a HIPS patch 3 (KB Document ID: 616837) but can't see any sign of it on the download site.
VirusScan version is 8.5 P6, but I get the same after I upgrade to VSCAN 8.7.

I'm also getting requests in relation to svchost.exe and firesvc.exe consuming a lot of CPU time on machines. They should all be on HIPS7 P2, so I'm hoping that maybe patch 3 can sort this out?

Thanks in advance

== log example ===

20/10/2008 15:16:37 Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Windows\system32\msiexec.exe C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\McShield.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

20/10/2008 15:16:38 Blocked by Access Protection rule NT AUTHORITY\SYSTEM **\HIPSVC.EXE C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\McShield.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

20/10/2008 15:16:39 Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe C:\Program Files (x86)\McAfee\VirusScan Enterprise\shstat.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

20/10/2008 15:16:39 Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\McShield.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

20/10/2008 15:16:39 Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

20/10/2008 15:16:39 Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe C:\Program Files (x86)\McAfee\Common Framework\naPrdMgr.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

20/10/2008 15:16:40 Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe C:\Program Files (x86)\McAfee\Common Framework\McScript_InUse.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

20/10/2008 15:16:40 Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

20/10/2008 15:16:54 Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe C:\Program Files (x86)\McAfee\VirusScan Enterprise\shstat.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

20/10/2008 15:16:54 Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\McShield.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate
0 Kudos
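Added example, not part of any post in this thread: a small Python parser for Access Protection log lines of the shape quoted above, which tallies blocked events per rule and initiating process so the noisiest combination is easy to spot. It assumes the whitespace-separated field layout seen in the excerpt; the sample lines are constructed from that excerpt, and `parse_line` and `summarize` are names chosen for this example.

```python
import re
from collections import Counter, defaultdict
from ntpath import basename  # splits Windows paths on any platform

# Constructed sample lines, modelled on the log excerpt in the post above.
SAMPLE_LOG = r"""
20/10/2008 15:16:37 Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Windows\system32\msiexec.exe C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\McShield.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate
20/10/2008 15:16:38 Blocked by Access Protection rule NT AUTHORITY\SYSTEM **\HIPSVC.EXE C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\McShield.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate
20/10/2008 15:16:39 Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe C:\Program Files (x86)\McAfee\VirusScan Enterprise\shstat.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate
20/10/2008 15:16:39 Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\McShield.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate
20/10/2008 15:16:39 Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate
"""

# Assumed layout: date, time, fixed text, user, source process,
# target process, "category:rule", then the blocked action.
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"Blocked by Access Protection rule\s+"
    r"(?P<user>.+?)\s+"
    r"(?P<source>(?:[A-Za-z]:|\*\*)\\.+?\.exe)\s+"
    r"(?P<target>[A-Za-z]:\\.+?\.exe)\s+"
    r"(?P<category>[^:]+):(?P<rule>.+?)\s+"
    r"Action blocked : (?P<action>.+)$",
    re.IGNORECASE,
)

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(text):
    """Count blocked events per (rule, source process) and collect the targets hit."""
    counts, targets = Counter(), defaultdict(set)
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:  # blank or unrecognised line
            continue
        key = (ev["rule"], basename(ev["source"]).lower())
        counts[key] += 1
        targets[key].add(basename(ev["target"]).lower())
    return [(rule, src, n, sorted(targets[(rule, src)]))
            for (rule, src), n in counts.most_common()]

if __name__ == "__main__":
    for rule, src, n, tgts in summarize(SAMPLE_LOG):
        print(f"{n:3d}  {src:14s} {rule}  ->  {', '.join(tgts)}")
```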
5 Replies
Raja
Level 9

RE: HIPS V7 (patch2) on vista 64bit

Patch 3 isn't out yet and won't be posted for a while.

The entries are related to VSE 8.5 access protection and are not HIP related.
I would turn off access protection and see if it makes a difference.

-R-
0 Kudos
pdc_irl
Level 7

RE: HIPS V7 (patch2) on vista 64bit

Thanks Raja for the reply.

I've seen this on other end-users where loads of log file entries are generated for similar events.

I have the access protection policy enabled, primarily because my company is, in the majority, developers. If they discovered they could disable the AV or HIPS, they would turn it off. I had to implement the policy as they were turning the AV off to make their machines run faster. (Some people just ain't happy with a top spec Core2 Duo machine with 4Gb RAM.)

Is there a way for the access protection to stop clashing with McAfee products, yet stop staff from stopping the processes?
0 Kudos
Raja
Level 9

RE: HIPS V7 (patch2) on vista 64bit

HIP has its own self protect. With the IPS module on, the end user can't disable it.
You can remove all access to the local GUI.
0 Kudos
jac35
Level 9

RE: HIPS V7 (patch2) on vista 64bit

Same thing here, many many entries: svchost.exe Blocked by Access Protection Rule. Is this normal? Don't really want to shut off access protection rules. Which one would be causing this? Can it be tweaked?
0 Kudos
Raja
Level 9

RE: HIPS V7 (patch2) on vista 64bit

You should be asking that question in the VSE forum.
Access protection rules are a component of VSE.
0 Kudos