In trying to resolve a security scan finding I am trying to modify the registry but my changes don't seem to stick. Here is one example:
Manual Fix Procedures
Change the registry key HKLM\Software\Network Associates\TVD\Shared Components\On Access Scanner\mcshield\Configuration so that the value of Alert_UsersCanRemove is 0.
;Change the registry key HKLM\Software\McAfee\VSCore\On Access Scanner\mcshield\Configuration so that the value of Alert_UsersCanRemove
There are other settings also. I make the change but it does not stay; it reverts back to the "finding" value. I at first changed only the setting under VSCore. But then I noticed the same thing under TVD. So the question is why doesn't the value stay and why are there 2 spots to make a change?
ePO is running on the network. VirusScan is v8.5. I did try changing the registry setting at home but it still changed back (not connected to the network, ePO or Group Policy). Anyone have an answer?
Under your access protection rules, if the Prevent modification of McAfee files and settings is checked, you won't be able to make changes to that. That is a policy managed by EPO so it comes down as policy to block those changes. You may want to check your logs to see if it is that policy that is blocking those changes.
Thanks. Actually, I do not have access protection loaded. This is a development LAN not connected to the Internet and Access Protection would be too restrictive. Just have Buffer Overflow Prot, On-Delivery email scanner, Unwanted Programs Policy, On-Access scanner, Quarantine Manager, Full Scan.
But as I believe I mentioned, why are there 2 spots in the registry, VSCORE and TVD? And do BOTH spots need to be changed to satisfy the scan? I actually did change the one setting in both spots (had to create keys in TVD) and it still reverted back. Maybe McAfee framework is doing this?
AT A LOSS.
Sounds like you have a policy set in EPO which is being enforced and overwriting your change on the desktop.
I don't use 8.5 any more (using 8.7), but you should find the GUI equivalent of the Registry key under "On Access Scan Properties"/ "General Settings" / "Messages" / "Actions available to user" - "Remove Messages from the list". When that setting is ticked, it will be 1 in the registry, unticked is 0.
There should be a corresponding setting in EPO for the VirusScan policy. It needs to be changed there to make it enforced correctly.
For anyone who comes across this, I experienced the same thing. I found this resolved my problem:
The rules I unblocked to allow the modifications to the registry were:
Afterwards, make sure you enable Block again when you are finished with your modifications. I leave Report checked for auditing purposes.
This is based on 8.7i
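
Added example (not posted by anyone in this thread): a read-only PowerShell check that watches Alert_UsersCanRemove under both keys quoted in the scan finding and prints a timestamped line whenever its state changes, so a reversion can be matched against policy enforcement or the product logs. The key paths and value name come from the thread; the polling interval, sample count and function name are assumptions.

```powershell
# Added example: read-only audit of the value from the scan finding.
# Key paths and value name are taken from the thread; nothing is written.
$ValueName = 'Alert_UsersCanRemove'
$Expected  = 0    # value the scan finding asks for
$Keys = @(
    'HKLM:\Software\Network Associates\TVD\Shared Components\On Access Scanner\mcshield\Configuration',
    'HKLM:\Software\McAfee\VSCore\On Access Scanner\mcshield\Configuration'
)

# Hypothetical helper: returns one record per key with its current state.
function Get-FindingState {
    foreach ($key in $Keys) {
        $state  = 'KeyMissing'
        $actual = $null
        if (Test-Path -Path $key) {
            $prop = Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
            if ($null -eq $prop) {
                $state = 'ValueMissing'
            } else {
                $actual = $prop.$ValueName
                $state  = if ($actual -eq $Expected) { 'Compliant' } else { 'Finding' }
            }
        }
        New-Object PSObject -Property @{
            Time = Get-Date -Format s; Key = $key; Value = $actual; State = $state
        }
    }
}

# Assumed polling settings: one sample a minute for 30 minutes.
$IntervalSeconds = 60
$Samples         = 30
$last = @{}    # last state seen per key

for ($i = 0; $i -lt $Samples; $i++) {
    foreach ($r in Get-FindingState) {
        if ($last[$r.Key] -ne $r.State) {    # report only when the state changes
            '{0}  {1,-12} value={2}  {3}' -f $r.Time, $r.State, $r.Value, $r.Key
            $last[$r.Key] = $r.State
        }
    }
    Start-Sleep -Seconds $IntervalSeconds
}
```

A line that flips from Compliant back to Finding gives the time of the overwrite, which can then be compared with the VirusScan and agent logs mentioned in the replies.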