paia
Level 7
Message 1 of 9

Access Protection blocking registry modifications

Is there any way to stop Access Protection from blocking registry modifications that are made by the service "System"?

Example of blocked action:

23.1.2015	18:07:28	Blocked by Access Protection rule	NT AUTHORITY\SYSTEM	System	\Registry\Machine\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{D47690A8-33E0-41CB-8D1C-A6A3335891F9}	Common Maximum Protection:Prevent programs registering as a service	Action blocked : Create

I was trying to add System to the allowed processes, but it's not working as desired (still blocking).

8 Replies

Re: Access Protection blocking registry modifications

Looks like a NetBT-related process is trying to make it. Better to get the exact name of the process which is trying to make the registry change, then edit the McAfee AP rule and add that process to the Process to exclude tab.


paia
Level 7
Message 3 of 9

Re: Access Protection blocking registry modifications

The action is made by System; other examples:

24.1.2015	15:31:21	Blocked by Access Protection rule	NT AUTHORITY\SYSTEM	System	\Registry\Machine\System\CurrentControlSet\Services\BTHPORT\Parameters	Common Maximum Protection:Prevent programs registering as a service	Action blocked : Create
24.1.2015	15:31:31	Blocked by Access Protection rule	NT AUTHORITY\SYSTEM	System	\Registry\Machine\System\CurrentControlSet\Services\WwanUsbServ	Common Maximum Protection:Prevent programs registering as a service	Action blocked : Create
25.1.2015	18:09:17	Blocked by Access Protection rule	NT AUTHORITY\SYSTEM	System	\Registry\Machine\System\CurrentControlSet\Services\ACPI\Parameters	Common Maximum Protection:Prevent programs registering as a service	Action blocked : Create
26.1.2015	13:54:27	Blocked by Access Protection rule	NT AUTHORITY\SYSTEM	System	\Registry\Machine\System\CurrentControlSet\Services\mfenlfk\Parameters\NdisAdapters\{AA8FEC2D-12B6-4D89-8BFB-CABF187712CE}	Common Maximum Protection:Prevent programs registering as a service	Action blocked : Create
26.1.2015	13:59:47	Blocked by Access Protection rule	NT AUTHORITY\SYSTEM	System	\Registry\Machine\System\CurrentControlSet\Services\VSS\Diag\VolSnap	Common Maximum Protection:Prevent programs registering as a service	Action blocked : Create
paia
Level 7
Message 4 of 9

Re: Access Protection blocking registry modifications

Screenshot from ePO log:

accessprot.PNG

Re: Access Protection blocking registry modifications

Looks like these changes are made by the applications themselves to their own related registry keys, but McAfee is blocking them.

Quick question: do you not want these logs to be logged into the AP logs with block enabled?

paia
Level 7
Message 6 of 9

Re: Access Protection blocking registry modifications

I want the changes to be made, so AP should not be blocking... E.g. the Junos Pulse VPN client is registering a virtual adapter, this action is blocked, and the VPN is failing = big problem for our remote users.

Re: Access Protection blocking registry modifications

Change the AP policy from the ePO console by removing the block and report option for this rule.

ScreenShot_ 20.07 11-Feb-15.jpg

paia
Level 7
Message 8 of 9

Re: Access Protection blocking registry modifications

This will disable the whole protection (not acceptable under our policy). I just want to make an exclusion for these registry changes that are made by the "System" process (as shown above).

Re: Access Protection blocking registry modifications

In this case you have to find the exact application .exe which is registering the service during installation/upgrade or by any activity. If you add that exe to the process to exclude tab, then McAfee AP will not block it.

You can't add System under process to exclude as it will not work.
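
A triage helper for log lines like the ones quoted in this thread, added here as an example (not posted by any participant and not McAfee's code): it groups blocked service-key creations by the acting process, so events attributed to System can be told apart from those attributed to a named executable. It assumes a tab-separated export with the fields in the order seen in the thread; the `vpn_setup.exe` and `ExampleAdapter` entries are hypothetical.

```python
from collections import defaultdict

# Assumption: one event per line, tab-separated, fields in the order they
# appear in the lines quoted in the thread.
FIELDS = ("date", "time", "event", "user", "process", "target", "rule", "action")
SERVICES = "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\"
RULE = "Common Maximum Protection:Prevent programs registering as a service"

def _row(date, time, process, key_tail):
    return "\t".join([date, time, "Blocked by Access Protection rule",
                      "NT AUTHORITY\\SYSTEM", process, SERVICES + key_tail,
                      RULE, "Action blocked : Create"])

# Constructed sample: three events from the thread, one hypothetical event
# from a named executable, and one truncated line.
SAMPLE_LOG = "\n".join([
    _row("24.1.2015", "15:31:21", "System", "BTHPORT\\Parameters"),
    _row("24.1.2015", "15:31:31", "System", "WwanUsbServ"),
    _row("26.1.2015", "13:59:47", "System", "VSS\\Diag\\VolSnap"),
    _row("26.1.2015", "14:02:10", "C:\\Example\\vpn_setup.exe", "ExampleAdapter"),
    "26.1.2015\t14:05:00\tBlocked by Access Protection rule",
])

def parse_line(line):
    """Return the eight fields as a dict, or None for a malformed line."""
    parts = [p.strip() for p in line.rstrip("\r\n").split("\t")]
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def service_of(target):
    """Service key name under ...\\Services\\ touched by target, else None."""
    if not target.lower().startswith(SERVICES.lower()):
        return None
    return target[len(SERVICES):].split("\\", 1)[0] or None

def blocked_services_by_process(log_text, rule_part="registering as a service"):
    """Map each acting process to the service keys it was blocked from creating."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or rule_part not in event["rule"]:
            continue
        service = service_of(event["target"])
        if service:
            hits[event["process"]].add(service)
    return {process: sorted(names) for process, names in hits.items()}

if __name__ == "__main__":
    for process, names in blocked_services_by_process(SAMPLE_LOG).items():
        print(f"{process}: {', '.join(names)}")
```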