RyanG
Level 7
Message 1 of 10

Access Protection Rules Run at Installation though Disabled

I'm hoping someone here can help me out, because I'm at a loss for what is going on.

I've got a custom unmanaged installation of McAfee 8.7i Patch 5 (w/McAfee Agent 4.8.0.641) with Buffer Overflow not installed and Access Protection set as disabled. Nonetheless, a number of Access Protection rules run at installation on Windows 7 x64. Even in the off chance that it was running, the Common Maximum Protection:Prevent programs registering as a service rule is set to Report only and Common Standard Protection:Protect Mozilla & FireFox files and settings is set for neither Block nor Report, as no one uses it.

Any help would be greatly appreciated!

6/3/2013    11:38:58 AM    Blocked by Access Protection rule     NT AUTHORITY\SYSTEM    C:\Windows\system32\services.exe    \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\mfeavfk\Security    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

6/3/2013    11:38:58 AM    Blocked by Access Protection rule     NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe    \REGISTRY\MACHINE\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

6/3/2013    11:38:58 AM    Blocked by Access Protection rule     NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe    \REGISTRY\MACHINE\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

6/3/2013    11:38:58 AM    Blocked by Access Protection rule     NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe    \REGISTRY\MACHINE\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

6/3/2013    11:38:58 AM    Blocked by Access Protection rule     NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe    \REGISTRY\MACHINE\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

6/3/2013    11:38:58 AM    Blocked by Access Protection rule     NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe    \REGISTRY\MACHINE\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

6/3/2013    11:38:58 AM    Blocked by Access Protection rule     NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe    \REGISTRY\MACHINE\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

6/3/2013    11:38:58 AM    Blocked by Access Protection rule     NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe    \REGISTRY\MACHINE\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

6/3/2013    11:38:58 AM    Blocked by Access Protection rule     NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe    \REGISTRY\MACHINE\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

6/3/2013    11:38:58 AM    Blocked by Access Protection rule     NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe    \REGISTRY\MACHINE\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

6/3/2013    11:38:58 AM    Blocked by Access Protection rule     NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe    \REGISTRY\MACHINE\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

6/3/2013    11:38:58 AM    Blocked by Access Protection rule     NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe    \REGISTRY\MACHINE\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

6/3/2013    11:38:58 AM    Blocked by Access Protection rule     NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe    \REGISTRY\MACHINE\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

6/3/2013    11:38:59 AM    Blocked by Access Protection rule     NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe    \REGISTRY\MACHINE\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

6/3/2013    11:38:59 AM    Blocked by Access Protection rule     NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe    \REGISTRY\MACHINE\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

6/3/2013    11:38:59 AM    Blocked by Access Protection rule     NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe    \REGISTRY\MACHINE\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

6/3/2013    11:38:59 AM    Blocked by Access Protection rule     NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe    \REGISTRY\MACHINE\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

6/3/2013    11:38:59 AM    Blocked by Access Protection rule     NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe    \REGISTRY\MACHINE\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

6/3/2013    11:38:59 AM    Blocked by Access Protection rule     NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe    \REGISTRY\MACHINE\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

6/3/2013    11:38:59 AM    Blocked by Access Protection rule     NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe    \REGISTRY\MACHINE\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

6/3/2013    11:38:59 AM    Blocked by Access Protection rule     NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe    \REGISTRY\MACHINE\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

6/3/2013    11:38:59 AM    Blocked by Access Protection rule     NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe    \REGISTRY\MACHINE\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

6/3/2013    11:39:02 AM    Blocked by Access Protection rule     NT AUTHORITY\SYSTEM    C:\Windows\syswow64\MsiExec.exe    C:\Program Files\Mozilla Firefox\components\Scriptff.dll    Common Standard Protection:Protect Mozilla & FireFox files and settings    Action blocked : Create

6/3/2013    11:39:02 AM    Blocked by Access Protection rule     NT AUTHORITY\SYSTEM    C:\Windows\system32\services.exe    \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\McTaskManager\Security    Common Maximum Protection:Prevent programs registering as a service    Action blocked : Create

9 Replies
wwarren
McAfee Employee
Message 2 of 10

Re: Access Protection Rules Run at Installation though Disabled

>Access Protection is set as disabled

AP won't be disabled until the policy has been applied. That won't happen until post-installation. Until then, you'll get AP violations.

William W. Warren | S.I.R.R. | Customer Success Group | McAfee
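As an added triage script (not from the thread or from McAfee), this parses AccessProtectionLog-style lines like those quoted above and separates the ones that fall inside the installation window, when per wwarren's explanation the disabling policy has not yet been applied, from anything later, which is what actually needs review. Assumptions: a 5-minute window, tab-separated fields in the quoted order, and a constructed fourth line outside the window.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the layout of the AccessProtectionLog.txt lines quoted above
# (tab-separated: date, time, event, user, process, target, rule, action).
# The last line is an assumed later event, not from the thread.
SAMPLE_LOG = (
    "6/3/2013\t11:38:58 AM\tBlocked by Access Protection rule\tNT AUTHORITY\\SYSTEM\t"
    "C:\\Windows\\system32\\services.exe\t\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\services\\mfeavfk\\Security\t"
    "Common Maximum Protection:Prevent programs registering as a service\tAction blocked : Create\n"
    "6/3/2013\t11:38:58 AM\tBlocked by Access Protection rule\tNT AUTHORITY\\LOCAL SERVICE\t"
    "C:\\Windows\\system32\\svchost.exe\t\\REGISTRY\\MACHINE\\System\\CurrentControlSet\\Services\\BFE\\Parameters\\Policy\\Persistent\t"
    "Common Maximum Protection:Prevent programs registering as a service\tAction blocked : Create\n"
    "6/3/2013\t11:39:02 AM\tBlocked by Access Protection rule\tNT AUTHORITY\\SYSTEM\t"
    "C:\\Windows\\syswow64\\MsiExec.exe\tC:\\Program Files\\Mozilla Firefox\\components\\Scriptff.dll\t"
    "Common Standard Protection:Protect Mozilla & FireFox files and settings\tAction blocked : Create\n"
    "6/3/2013\t2:15:07 PM\tBlocked by Access Protection rule\tNT AUTHORITY\\SYSTEM\t"
    "C:\\Temp\\vendor-setup.exe\t\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\services\\VendorSvc\\Security\t"
    "Common Maximum Protection:Prevent programs registering as a service\tAction blocked : Create\n"
)

def parse_ap_log(text):
    """Parse tab-separated AP log lines into dicts carrying a datetime timestamp."""
    events = []
    for line in filter(str.strip, text.splitlines()):
        fields = line.split("\t")
        if len(fields) != 8:
            raise ValueError(f"unexpected field count {len(fields)}: {line!r}")
        date, clock, event, user, process, target, rule, action = fields
        events.append({
            "ts": datetime.strptime(f"{date} {clock}", "%m/%d/%Y %I:%M:%S %p"),
            "event": event, "user": user, "process": process,
            "target": target, "rule": rule, "action": action,
        })
    return events

def split_by_install_window(events, install_start, window=timedelta(minutes=5)):
    """Events inside [install_start, install_start + window] are the expected
    pre-policy noise; anything after that still needs review."""
    in_window, later = [], []
    for e in events:
        bucket = in_window if install_start <= e["ts"] <= install_start + window else later
        bucket.append(e)
    return in_window, later

def summarize(events):
    """Count events per (rule, process basename); split on backslash so it works off-Windows."""
    return Counter((e["rule"], e["process"].rsplit("\\", 1)[-1]) for e in events)
```

Point `parse_ap_log` at the real AccessProtectionLog.txt contents and pass the installer's start time to see which entries the install window explains and which do not.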
RyanG
Level 7
Message 3 of 10

Re: Access Protection Rules Run at Installation though Disabled

Despite the fact that AP is set as disabled upon install, it isn't really disabled until after post-installation. That's kind of dumb. Are those AP violations actually being enforced or not?

apoling
Level 14
Message 4 of 10

Re: Access Protection Rules Run at Installation though Disabled

Hi,

Best would be to actually check these AP rules' status on the very client, if the policy went down/applied or not.

By "AP is disabled" you mean Access Protection as a module is disabled, or the rule you mentioned is "disabled" (i.e. by not checking the Block option)?

Attila

RyanG
Level 7
Message 5 of 10

Re: Access Protection Rules Run at Installation though Disabled

Hi Attila,

I used MID to configure the installation and unchecked "Enable Access Protection". I don't want it to run at all until I manually enable it later on. I do this when configuring new workstation deployments.

Unfortunately, it does appear to run immediately after installation (during definition updates), as evidenced by the log entries above, but then disables itself later on.

As for the rules above, none of them are set to Block and only the Common Maximum Protection:Prevent programs registering as a service rule is set to Report.

RyanG
Level 7
Message 6 of 10

Re: Access Protection Rules Run at Installation though Disabled

Can I safely ignore those entries?

RyanG
Level 7
Message 7 of 10

Re: Access Protection Rules Run at Installation though Disabled

Does anyone have any additional thoughts? This is holding up my workstation deployment.

alexn
Level 14
Message 8 of 10

Re: Access Protection Rules Run at Installation though Disabled

Is it an unmanaged machine, right? And this machine was not managed with ePO even in the past, right? It was standalone and it is standalone.

on 6/6/13 3:35:10 PM CDT
RyanG
Level 7
Message 9 of 10

Re: Access Protection Rules Run at Installation though Disabled

Correct. These are freshly imaged OOBE Windows 7 builds.

apoling
Level 14
Message 10 of 10

Re: Access Protection Rules Run at Installation though Disabled

I might have.

In a second run please redo the MID package so that these processes are in the exclusion list of respective rules (except for svchost.exe - or not, but do make sure that once these workstations are managed, the policy does NOT contain svchost.exe as exception, in any AP rule).

This is just a weak workaround but might be of some use.
