epository
Level 10
Message 1 of 13

Access Protection Exceptions - Seeing a lot from services.exe and svchost.exe


All,

I am seeing a ton of Access Protection alerts in VSE.

From Common Maximum Protection and Antivirus Standard Protection...etc.

To make an exclusion, I can only use the Threat Source Process name....which in almost all my cases is services.exe and svchost.exe.

How can I exclude these events without compromising security on my network?

12 Replies

Re: Access Protection Exceptions - Seeing a lot from services.exe and svchost.exe

Hi,

I will open a case with McAfee support as it is not possible to exclude without selecting the process and I think the AP shouldn't collect tons of events as it is doing.

In the meantime, as a workaround, remove the report option and it will not load your logs.

Regards,

José María

epository
Level 10
Message 3 of 13

Re: Access Protection Exceptions - Seeing a lot from services.exe and svchost.exe


So....I can basically never turn this feature on in VSE to actively block, as I can only make exceptions by Process Name, and it is not recommended to exclude the services.exe and svchost.exe processes?

Would really like some feedback from McAfee on this.

Re: Access Protection Exceptions - Seeing a lot from services.exe and svchost.exe

Hi,

I would suggest opening a case with McAfee support, and please let me know the answer, as I am quite sure it will be the same as mine for now if they do not release a patch/hotfix to change the current functionality.

Best regards,

José María

epository
Level 10
Message 5 of 13

Re: Access Protection Exceptions - Seeing a lot from services.exe and svchost.exe

Well,

How about this?

Since Access Protection is part of OAS...exclude the basic OAS policy from scanning the McAfee Folders?

I don't know...I mean, with the world at 90% Windows environments, you would think McAfee would have some pre-canned policies.

Re: Access Protection Exceptions - Seeing a lot from services.exe and svchost.exe

Hi,

When you say that Access Protection is part of OAS you are not right.

AP and OAS are two different components; that is why it is not possible to create an exclusion in OAS to resolve your issue, and you need to create the exclusion under AP.

Again, I would suggest opening a case with McAfee support to report the issue, and maybe they can release a fix in the future to avoid this big amount of lines in the Access Protection logs.

Best regards

José María

epository
Level 10
Message 7 of 13

Re: Access Protection Exceptions - Seeing a lot from services.exe and svchost.exe

But when I look at an AP event in ePO, it says Detection Method OAS?

Great, so we have all these block features which could never be turned on unless you exempt svchost.exe, services.exe ...etc as processes, which would pretty much negate any security....????

Re: Access Protection Exceptions - Seeing a lot from services.exe and svchost.exe


That is why I said not to exclude the process as you will open a security hole.

It needs to be checked by McAfee, and maybe they need to change something in the VSE behaviour....

Regards,

José María

exbrit
Level 21
Message 9 of 13

Re: Access Protection Exceptions - Seeing a lot from services.exe and svchost.exe

Moved to VSE as a better spot.

Peter

Volunteer Moderator

Re: Access Protection Exceptions - Seeing a lot from services.exe and svchost.exe

Sorry for the sucky output, but this is what wmiprvse.exe is hitting...all the mfe*.sys files. ...but no way to make an exclusion for these files.

| Threat Source Process Name | Threat Target Process Name | Threat Target File Path | Number of Threat Events | Number of Detecting Product Host Name | Number of Threat Target File Path |
|---|---|---|---|---|---|
| Total | | | 70600 | 12,857 | 12 |
| C:\Windows\system32\wbem\wmiprvse.exe | | | 39279 | 7,148 | 7 |
| | (blank) | | 39279 | 7,148 | 7 |
| | | C:\Windows\System32\drivers\mfeapfk.sys | 7830 | 1,427 | 1 |
| | | C:\Windows\System32\drivers\mfewfpk.sys | 7829 | 1,427 | 1 |
| | | C:\Windows\System32\drivers\mfesmfk.sys | 7759 | 1,409 | 1 |
| | | C:\Windows\System32\drivers\mfenlfk.sys | 7514 | 1,366 | 1 |
| | | C:\Windows\System32\drivers\mfefirek.sys | 6849 | 1,245 | 1 |
| | | C:\Windows\System32\drivers\mfebopk.sys | 1355 | 251 | 1 |
| | | C:\Windows\System32\drivers\mfetdik.sys | 143 | 23 | 1 |
| C:\windows\system32\wbem\wmiprvse.exe | | | 31320 | 5,708 | 4 |
| | (blank) | | 31320 | 5,708 | 4 |
| | | C:\Windows\System32\drivers\mfeavfk.sys | 7830 | 1,427 | 1 |
| | | C:\Windows\System32\drivers\mfeclnk.sys | 7830 | 1,427 | 1 |
| | | C:\Windows\System32\drivers\mfehidk.sys | 7830 | 1,427 | 1 |
| | | C:\Windows\System32\drivers\mferkdet.sys | 7830 | 1,427 | 1 |
| C:\WINDOWS\system32\wbem\wmiprvse.exe | | | 1 | 1 | 1 |
| | (blank) | | 1 | 1 | 1 |
| | | C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_b0333b22a99da332\explorer.exe | 1 | 1 | 1 |
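
The report in the last post lists wmiprvse.exe as three separate sources because the path differs only in letter case. The following is an added example, not part of the original thread: it merges those groups case-insensitively and separates events against mfe*.sys files from everything else. The rows are transcribed from the post; the function name `summarize` and the `pattern` parameter are assumptions made for illustration.

```python
import fnmatch
import ntpath
from collections import defaultdict

WMI = "\\system32\\wbem\\wmiprvse.exe"
DRV = "C:\\Windows\\System32\\drivers\\"
# (source process, target file path, event count), transcribed from the post
ROWS = [(r"C:\Windows" + WMI, DRV + name, n) for name, n in [
    ("mfeapfk.sys", 7830), ("mfewfpk.sys", 7829), ("mfesmfk.sys", 7759),
    ("mfenlfk.sys", 7514), ("mfefirek.sys", 6849), ("mfebopk.sys", 1355),
    ("mfetdik.sys", 143)]]
ROWS += [(r"C:\windows" + WMI, DRV + name, 7830) for name in
         ("mfeavfk.sys", "mfeclnk.sys", "mfehidk.sys", "mferkdet.sys")]
ROWS.append((r"C:\WINDOWS" + WMI,
             r"C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35"
             r"_6.1.7601.21669_none_b0333b22a99da332\explorer.exe", 1))


def summarize(rows, pattern="mfe*.sys"):
    """Group events per source process, ignoring letter case in paths.

    'matching' counts events whose target file name fits `pattern`;
    'other' counts the rest, which deserve a separate look.
    """
    out = defaultdict(lambda: {"events": 0, "targets": set(),
                               "matching": 0, "other": 0})
    for source, target, events in rows:
        src = ntpath.normcase(source)   # Windows paths are case-insensitive
        tgt = ntpath.normcase(target)
        entry = out[src]
        entry["events"] += events
        entry["targets"].add(tgt)
        if fnmatch.fnmatchcase(ntpath.basename(tgt), pattern):
            entry["matching"] += events
        else:
            entry["other"] += events
    return dict(out)


if __name__ == "__main__":
    for src, e in summarize(ROWS).items():
        print(src, e["events"], len(e["targets"]), e["matching"], e["other"])
        for tgt in sorted(e["targets"]):
            if not fnmatch.fnmatchcase(ntpath.basename(tgt), "mfe*.sys"):
                print("  non-mfe target:", tgt)
```

The merged totals agree with the report's own Total row (70600 events, 12 target file paths), and the single event that does not target an mfe*.sys file is the one against explorer.exe.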