joel
Level 7
Message 1 of 9

McAfee 8.8 and Windows System Resource Manager

We have recently deployed McAfee 8.8 in our production terminal server 2003 and our 2008R2 environment.  Since then we have noticed that our Access Protection Log is filling with the following messages on both 2003 and 2008R2:

2/27/2011 5:09:07 PM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\wsrm.exe C:\Program Files (x86)\McAfee\VirusScan Enterprise\MCUPDATE.EXE Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

2/27/2011 5:09:07 PM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\wsrm.exe C:\Program Files (x86)\McAfee\Common Framework\McScript_InUse.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

2/27/2011 6:32:08 PM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\wsrm.exe C:\Program Files (x86)\McAfee\Common Framework\McScript_InUse.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

2/27/2011 10:00:09 PM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\wsrm.exe C:\Program Files (x86)\McAfee\Common Framework\McScript_InUse.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

2/28/2011 2:19:09 AM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\wsrm.exe C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\scan64.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

2/28/2011 9:10:09 AM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\wsrm.exe C:\Program Files (x86)\McAfee\VirusScan Enterprise\shstat.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

2/28/2011 9:23:09 AM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\wsrm.exe C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

2/28/2011 9:23:09 AM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\wsrm.exe C:\Program Files (x86)\McAfee\Common Framework\McTray.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

2/28/2011 10:00:25 AM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\wsrm.exe C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

2/28/2011 10:00:25 AM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\wsrm.exe C:\Program Files (x86)\McAfee\Common Framework\McTray.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

2/28/2011 10:03:25 AM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\wsrm.exe C:\Program Files (x86)\McAfee\VirusScan Enterprise\shstat.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

2/28/2011 11:32:25 AM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\wsrm.exe C:\Program Files (x86)\McAfee\VirusScan Enterprise\shstat.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

We have not changed the configuration of WSRM since deployment of 8.8 and we did not have this issue before.  We currently have WSRM set to use the default “Equal Per Session” policy, so it should not kill any process, just deprioritize them if they eat up too much of the CPU.  Has anyone else seen this issue or can offer any insight?  If it helps any, we are using EPO 4.5.

8 Replies
McAfee Employee wwarren
McAfee Employee
Message 2 of 9

McAfee 8.8 and Windows System Resource Manager

Do you trust this WSRM.exe process?

If so, exclude it from the AP rule.

William W. Warren | S.I.R.R. | Customer Success Group | McAfee

Re: McAfee 8.8 and Windows System Resource Manager

I am seeing a very similar problem, but it is with SCCM (formerly SMS).  Every time the SMS Agent HOST service starts we see a string of Access Protection messages about it being blocked from shutting down various McAfee processes.

1)  This did not happen in VSE 8.5 and VSE 8.7

2)  There is no evidence that I can find that shows this service is actually trying to shut down anything.

3)  No, I do NOT want to trust any part of SMS to shut down McAfee services.  And I certainly do not want to allow it the ability to shut things down just to avoid a FALSE positive message.

I understand that Access Protection was completely rewritten for VSE 8.8.   That they now have a hair trigger for anything coming anywhere near their services.

Thanks

Message was edited by: HerbSmith on 6/27/12 1:59:53 PM CDT
zn
Level 7
Message 4 of 9

Re: McAfee 8.8 and Windows System Resource Manager

Any fix for this?  I've excluded the McAfee processes from WSRM and WSRM from the McAfee Access Protection Rules but it still triggers in the log.

joel
Level 7
Message 5 of 9

Re: McAfee 8.8 and Windows System Resource Manager

This is no longer an issue for us since we switched to Symantec a few months ago and it works much better for us.

Re: McAfee 8.8 and Windows System Resource Manager

McAfee posted this KB in relation to these types of issues. I was seeing it with the SCCM process (CcmExec.exe) and read this KB. I also checked with our Microsoft TAM and this is what he said: "...Ccmexec.exe should never terminate anything.  Software metering is simply reading the file information."

https://kc.mcafee.com/corporate/index?page=content&id=KB71970&actp=LIST_RECENT

Message was edited by: alobato on 6/27/12 12:38:48 PM CDT

Re: McAfee 8.8 and Windows System Resource Manager

You are correct on your comments.  But they are not complete.

CCMEXEC also is the process that launches the install packages that SCCM delivers to the local machines.   In our Access Protection rules that block install.exe, setup.exe and similar I have to have exceptions for CCMEXEC.EXE.   This is where my concerns start.   The install packages can have anything the SCCM staff wants to put in them.  This would include shutting down McAfee products because "it makes the install go quicker".   I also hate to rely on CCMEXEC not being exploitable by the bad guys.  I do not like leaving the door open for this even a little bit.  But because of the way CCMExec plays with the self protection rules I have little choice.   The alternative is to have hundreds of thousands of alerts for CCMEXEC.exe attempting to terminate McAfee processes.

Bottom line for me is that this "improvement" in the self protection methodology has actually resulted in less protection rather than more.   I am sure McAfee could revise their code to deal with situations like this.

Thanks

Herb Smith

Re: McAfee 8.8 and Windows System Resource Manager

I whole-heartedly agree and that is why I decided to filter these events from the EPO Alert and Event logs/reports instead of applying the exclusions in the Access Protection policies.

Thanks Herb.

Anthony
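
Added example, not part of the thread: the reporting-side filtering described above, sketched as a Python triage over Access Protection log lines in the layout quoted in the first post. Terminate blocks are suppressed only when the source is the full wsrm.exe path seen in that log, so a same-named binary elsewhere still surfaces; `KNOWN_NOISY`, the function names and the fourth sample line are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Field layout assumed from the log lines quoted in the first post.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"Blocked by Access Protection rule\s+(?P<user>.+?)\s+"
    r"(?P<src>[A-Za-z]:\\.+?\.exe)\s+(?P<dst>[A-Za-z]:\\.+?\.exe)\s+"
    r"(?P<rule>.+?)\s+Action blocked : (?P<action>\w+)\s*$",
    re.IGNORECASE,
)

# Assumed filter list: full lowercase paths, never bare file names, so a
# same-named binary in another directory is not suppressed.
KNOWN_NOISY = {r"c:\windows\system32\wsrm.exe"}

def parse(line):
    """Split one log line into named fields, or return None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines, known_noisy=KNOWN_NOISY):
    """Return (suppressed, review): per-target counts of filtered
    terminate blocks, and every other event kept for a human."""
    suppressed, review = Counter(), []
    for line in filter(str.strip, lines):
        ev = parse(line)
        if ev is None:
            review.append({"raw": line})  # never drop what we cannot parse
        elif ev["action"].lower() == "terminate" and ev["src"].lower() in known_noisy:
            suppressed[ev["dst"].rsplit("\\", 1)[-1].lower()] += 1
        else:
            review.append(ev)
    return suppressed, review

RULE = "Common Standard Protection:Prevent termination of McAfee processes"
VSE = r"C:\Program Files (x86)\McAfee"
WSRM = r"C:\Windows\system32\wsrm.exe"

def _line(ts, src, dst):
    return (f"{ts} Blocked by Access Protection rule  NT AUTHORITY\\SYSTEM "
            f"{src} {dst} {RULE} Action blocked : Terminate")

SAMPLE = [  # first three mirror the thread's log; the fourth is constructed
    _line("2/27/2011 5:09:07 PM", WSRM, VSE + r"\VirusScan Enterprise\MCUPDATE.EXE"),
    _line("2/27/2011 5:09:07 PM", WSRM, VSE + r"\Common Framework\McScript_InUse.exe"),
    _line("2/27/2011 6:32:08 PM", WSRM, VSE + r"\Common Framework\McScript_InUse.exe"),
    _line("3/1/2011 8:00:00 AM", r"C:\Temp\wsrm.exe", VSE + r"\VirusScan Enterprise\shstat.exe"),
]
```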

Re: McAfee 8.8 and Windows System Resource Manager

We experienced a similar issue after updating from 8.7 to 8.8, and it was actually preventing us from deploying a policy from ePolicy Orchestrator to change another issue.  (McAfee was interpreting reports being e-mailed from our reporting server as a spamming worm.) 

Apparently, McAfee was using wsrm.exe in some fashion when deploying a policy, and when wsrm.exe attempted to close McAfee to deploy the policy, the rule in Common Standard Protection to prevent the termination of McAfee processes was preventing it; a real catch-22.  We ended up logging in to the affected server as administrator, disabling the Access Protection from the console, using the 5-minute interval before McAfee turned it back on to deploy a policy allowing McAfee processes to be turned off, and also installing the policy we needed.  At that point, we could re-deploy the policy not to terminate McAfee, closing the door we had opened long enough to deploy the policy we needed.

I still expect that we will see the messages in the Access Protection log after turning the policy back on.
