RyanG
Level 7
Message 1 of 10

Access Protection Rules Run at Installation though Disabled

I'm hoping someone here can help me out, because I'm at a loss for what is going on.

I've got a custom unmanaged installation of McAfee 8.7i Patch 5 (w/McAfee Agent 4.8.0.641) with Buffer Overflow not installed and Access Protection is set as disabled. Nonetheless, a number of Access Protection rules run at installation on Windows 7 x64. Even in the off chance that it was running, the Common Maximum Protection:Prevent programs registering as a service rule is set to Report only and Common Standard Protection:Protect Mozilla & FireFox files and settings is set for neither Block nor Report as no one uses it.

Any help would be greatly appreciated!

6/3/2013    11:38:58 AM    Blocked by Access Protection rule     NT AUTHORITY\SYSTEM    C:\Windows\system32\services.exe    \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\mfeavfk\Security    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

6/3/2013    11:38:58 AM    Blocked by Access Protection rule     NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe    \REGISTRY\MACHINE\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

6/3/2013    11:38:58 AM    Blocked by Access Protection rule     NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe    \REGISTRY\MACHINE\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

6/3/2013    11:38:58 AM    Blocked by Access Protection rule     NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe    \REGISTRY\MACHINE\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

6/3/2013    11:38:58 AM    Blocked by Access Protection rule     NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe    \REGISTRY\MACHINE\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

6/3/2013    11:38:58 AM    Blocked by Access Protection rule     NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe    \REGISTRY\MACHINE\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

6/3/2013    11:38:58 AM    Blocked by Access Protection rule     NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe    \REGISTRY\MACHINE\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

6/3/2013    11:38:58 AM    Blocked by Access Protection rule     NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe    \REGISTRY\MACHINE\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

6/3/2013    11:38:58 AM    Blocked by Access Protection rule     NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe    \REGISTRY\MACHINE\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

6/3/2013    11:38:58 AM    Blocked by Access Protection rule     NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe    \REGISTRY\MACHINE\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

6/3/2013    11:38:58 AM    Blocked by Access Protection rule     NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe    \REGISTRY\MACHINE\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

6/3/2013    11:38:58 AM    Blocked by Access Protection rule     NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe    \REGISTRY\MACHINE\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

6/3/2013    11:38:58 AM    Blocked by Access Protection rule     NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe    \REGISTRY\MACHINE\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

6/3/2013    11:38:59 AM    Blocked by Access Protection rule     NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe    \REGISTRY\MACHINE\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

6/3/2013    11:38:59 AM    Blocked by Access Protection rule     NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe    \REGISTRY\MACHINE\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

6/3/2013    11:38:59 AM    Blocked by Access Protection rule     NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe    \REGISTRY\MACHINE\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

6/3/2013    11:38:59 AM    Blocked by Access Protection rule     NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe    \REGISTRY\MACHINE\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

6/3/2013    11:38:59 AM    Blocked by Access Protection rule     NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe    \REGISTRY\MACHINE\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

6/3/2013    11:38:59 AM    Blocked by Access Protection rule     NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe    \REGISTRY\MACHINE\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

6/3/2013    11:38:59 AM    Blocked by Access Protection rule     NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe    \REGISTRY\MACHINE\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

6/3/2013    11:38:59 AM    Blocked by Access Protection rule     NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe    \REGISTRY\MACHINE\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

6/3/2013    11:38:59 AM    Blocked by Access Protection rule     NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe    \REGISTRY\MACHINE\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

6/3/2013    11:39:02 AM    Blocked by Access Protection rule     NT AUTHORITY\SYSTEM    C:\Windows\syswow64\MsiExec.exe    C:\Program Files\Mozilla Firefox\components\Scriptff.dll    Common Standard Protection:Protect Mozilla & FireFox files and settings    Action blocked : Create

6/3/2013    11:39:02 AM    Blocked by Access Protection rule     NT AUTHORITY\SYSTEM    C:\Windows\system32\services.exe    \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\McTaskManager\Security    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create
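A triage helper for this kind of log, added here as an example and not code from the thread or from McAfee: it parses the tab-separated AccessProtectionLog layout shown above (date, time, event, user, process, target, rule name, action), splits the burst of events that fires in the first minutes after the install starts from anything logged later, and lists which rules and processes were involved and which events were the product registering its own services. The sample lines are constructed in the same layout as the post's entries (one extra entry a day later is invented to show the "outside the window" path), and the heuristic that service names beginning with "mfe" or "mc" belong to the product is an assumption for this example, not something the thread states.

```python
"""Triage of VirusScan Enterprise Access Protection log lines (added example).

Separates the install-time burst of AP events from later ones, so the two
can be reviewed differently: the burst is what the thread describes (rules
enforced until the policy is applied post-install), anything later is not.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in the same tab-separated layout as the post's log.
SAMPLE_LOG = "\n".join([
    "6/3/2013\t11:38:58 AM\tBlocked by Access Protection rule\tNT AUTHORITY\\SYSTEM\tC:\\Windows\\system32\\services.exe\t\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\services\\mfeavfk\\Security\tCommon Maximum Protection:Prevent programs registering as a service\tAction blocked : Create",
    "6/3/2013\t11:38:58 AM\tBlocked by Access Protection rule\tNT AUTHORITY\\LOCAL SERVICE\tC:\\Windows\\system32\\svchost.exe\t\\REGISTRY\\MACHINE\\System\\CurrentControlSet\\Services\\BFE\\Parameters\\Policy\\Persistent\tCommon Maximum Protection:Prevent programs registering as a service\tAction blocked : Create",
    "6/3/2013\t11:39:02 AM\tBlocked by Access Protection rule\tNT AUTHORITY\\SYSTEM\tC:\\Windows\\syswow64\\MsiExec.exe\tC:\\Program Files\\Mozilla Firefox\\components\\Scriptff.dll\tCommon Standard Protection:Protect Mozilla & FireFox files and settings\tAction blocked : Create",
    "6/3/2013\t11:39:02 AM\tBlocked by Access Protection rule\tNT AUTHORITY\\SYSTEM\tC:\\Windows\\system32\\services.exe\t\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\services\\McTaskManager\\Security\tCommon Maximum Protection:Prevent programs registering as a service\tAction blocked : Create",
    # Constructed: an event a day later, i.e. outside the install window.
    "6/4/2013\t09:12:30 AM\tBlocked by Access Protection rule\tCORP\\jdoe\tC:\\Users\\jdoe\\Downloads\\setup.exe\t\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\updsvc\\Security\tCommon Maximum Protection:Prevent programs registering as a service\tAction blocked : Create",
])

FIELDS = ("date", "time", "event", "user", "process", "target", "rule", "action")
SERVICE_KEY_RE = re.compile(r"\\services\\([^\\]+)", re.IGNORECASE)
# Assumption for this example: the product's own service names start with these.
OWN_SERVICE_PREFIXES = ("mfe", "mc")


def parse_line(line):
    """Return a dict for one log line, or None for malformed/header lines."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["when"] = datetime.strptime(f"{rec['date']} {rec['time']}",
                                    "%m/%d/%Y %I:%M:%S %p")
    return rec


def service_name(target):
    """Service name from a ...\\Services\\<name>\\... registry target, else None."""
    m = SERVICE_KEY_RE.search(target)
    return m.group(1) if m else None


def is_own_service_registration(rec):
    name = service_name(rec["target"])
    return bool(name) and name.lower().startswith(OWN_SERVICE_PREFIXES)


def triage(log_text, install_start=None, window_seconds=300):
    """Summarise AP events inside the install window and list those outside it.

    install_start defaults to the earliest event; window_seconds bounds the
    install burst (5 minutes is an assumed default, tune to your deployment).
    """
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    if not records:
        return {"total": 0, "install_window": 0, "outside_window": [],
                "rules": Counter(), "processes": Counter(), "own_service_keys": []}
    start = install_start or min(r["when"] for r in records)
    in_window, outside = [], []
    for r in records:
        delta = (r["when"] - start).total_seconds()
        (in_window if 0 <= delta <= window_seconds else outside).append(r)
    return {
        "total": len(records),
        "install_window": len(in_window),
        "outside_window": outside,
        "rules": Counter(r["rule"] for r in in_window),
        "processes": Counter(r["process"].lower() for r in in_window),
        "own_service_keys": sorted({service_name(r["target"]) for r in in_window
                                    if is_own_service_registration(r)}),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(f"{summary['install_window']} of {summary['total']} events in the install window")
    for rule, n in summary["rules"].items():
        print(f"  {n:3d}  {rule}")
    print("own services registered:", ", ".join(summary["own_service_keys"]))
    for r in summary["outside_window"]:
        print("REVIEW:", r["when"], r["user"], r["process"], "->", r["target"])
```

On the post's own log the whole burst lands within four seconds, every registry target is either a McAfee service key or the Windows BFE policy key, and nothing falls outside the window; an entry that does fall outside it is the one worth looking at separately rather than filing under "installation noise".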

9 Replies
wwarren
McAfee Employee
Message 2 of 10

Re: Access Protection Rules Run at Installation though Disabled

> Access Protection is set as disabled

AP won't be disabled until the policy has been applied. That won't happen until post-installation. Until then, you'll get AP violations.

William W. Warren | S.I.R.R. | Customer Success Group | McAfee
RyanG
Level 7
Message 3 of 10

Re: Access Protection Rules Run at Installation though Disabled

Despite the fact that AP is set as disabled upon install, it isn't really disabled until after post-installation. That's kind of dumb. Are those AP violations actually being enforced or not?

apoling
Level 14
Message 4 of 10

Re: Access Protection Rules Run at Installation though Disabled

Hi,

Best would be to actually check these AP rules' status on the very client, whether the policy went down/applied or not.

By "AP is disabled" you mean Access Protection as a module is disabled, or the rule you mentioned is "disabled" (i.e. by not checking the Block option)?

Attila

RyanG
Level 7
Message 5 of 10

Re: Access Protection Rules Run at Installation though Disabled

Hi Attila,

I used MID to configure the installation and unchecked "Enable Access Protection". I don't want it to run at all until I manually enable it later on. I do this when configuring new workstation deployments.

Unfortunately, it does appear to run immediately after installation (during definition updates), as evidenced by the log entries above, but then disables itself later on.

As for the rules above, none of them are set to Block and only the Common Maximum Protection:Prevent programs registering as a service rule is set to Report.

RyanG
Level 7
Message 6 of 10

Re: Access Protection Rules Run at Installation though Disabled

Can I safely ignore those entries?

RyanG
Level 7
Message 7 of 10

Re: Access Protection Rules Run at Installation though Disabled

Does anyone have any additional thoughts? This is holding up my workstation deployment.

alexn
Level 14
Message 8 of 10

Re: Access Protection Rules Run at Installation though Disabled

It is an unmanaged machine, right? And this machine was not managed with ePO even in the past, right? It was standalone and it is standalone.

on 6/6/13 3:35:10 PM CDT
RyanG
Level 7
Message 9 of 10

Re: Access Protection Rules Run at Installation though Disabled

Correct. These are freshly imaged OOBE Windows 7 builds.

apoling
Level 14
Message 10 of 10

Re: Access Protection Rules Run at Installation though Disabled

I might have.

In a second run please redo the MID package so that these processes are in the exclusion list of respective rules (except for svchost.exe - or not, but do make sure that once these workstations are managed, the policy does NOT contain svchost.exe as exception, in any AP rule).

This is just a weak workaround but might be of some use.
