McAfee VSE 8.8 Access Protection log? Was this Malware?

I am trying to analyze this Access Protection log which was detected by McAfee VSE below.

Has any one of you guys here experienced this on a local machine?

8/6/2016 22:44:57 Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\WINDOWS\SYSTEM32\SVCHOST.EXE C:\ProgramData\McAfee\Common Framework\DB:Win32App_1 Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings Action blocked : Create

Thanks

2 Replies

Re: McAfee VSE 8.8 Access Protection log? Was this Malware?

I cannot believe nobody here knows this.

This is unacceptable.

Now I know nobody ever uses McAfee because even their support forums are a disgrace.

wwarren
McAfee Employee

Re: McAfee VSE 8.8 Access Protection log? Was this Malware?

What is it you do not understand about the log entry?

To interpret the log, you can extract these details from it -

1. The process that violated a rule was named SVCHOST.EXE; and based on the path, you can confirm it was the Windows SVCHost.exe, which is a process that can be compromised by malware. But there is no way to know from this log entry whether it was malware or not, because this is an Access Protection violation entry. AP rules do not know about malware; they only know about behaviors.

2. The target of SVCHost's action was a protected file object; protected by an AP rule (the rule which is described in the event entry).

3. The action SVCHost tried to undertake was a "Create". In other words, it tried to create that object or tried to get access to it, and was blocked.

Access Protection rules are "primitive"

There is no intelligence to them beyond "Process xyz tried to perform Action abc and was blocked". It is impossible to know if it's malware or not.

In saying that, if you look at Endpoint Security 10.2, we add intelligence to Access Protection and more to create a feature called Dynamic Application Containment. This feature will essentially answer your question for you, on whether it is malware or not, by means of a collection of rules: as a process violates rules it becomes more and more suspicious, to the point where its behavior alone will convict it as malware.

William W. Warren | S.I.R.R. | Customer Success Group | McAfee
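The reply above reads the log entry by hand (which process acted, on what target, under which rule, and what operation was blocked). The script below does the same extraction over Access Protection log lines and adds the one check the reply itself relies on, whether the image path really is the Windows system directory. It is an added example, not McAfee's code and not part of the original thread. It assumes that AccessProtectionLog.txt lines are tab-delimited in the order date, time, event, user, process, target, rule, action, and that the AP rule category names in RULE_CATEGORIES are the ones VSE 8.8 uses (an assumed list, needed only to recover a line whose tabs were collapsed to spaces, as in the pasted entry). The sample lines are constructed from the thread's entry plus one invented entry for a same-named image outside System32.

```python
"""Parse McAfee VSE 8.8 Access Protection log entries and pull out the facts
the reply lists: process, target, rule and blocked operation.

Added example, not McAfee's code.  Assumptions:
  * AccessProtectionLog.txt lines are tab-delimited in the order
    date, time, event, user, process, target, rule, action.
  * A line whose tabs were collapsed to spaces (e.g. pasted into a forum)
    is recovered with a regex anchored on the assumed RULE_CATEGORIES list.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

FIELDS = ("date", "time", "event", "user", "process", "target", "rule", "action")

# Assumed VSE 8.8 AP rule categories; only used to find the target/rule
# boundary when the tab delimiters are gone.
RULE_CATEGORIES = (
    "Common Standard Protection",
    "Common Maximum Protection",
    "Anti-virus Standard Protection",
    "Anti-virus Maximum Protection",
    "Anti-virus Outbreak Control",
    "Anti-spyware Standard Protection",
    "Anti-spyware Maximum Protection",
    "User-defined Rules",
)

_COLLAPSED = re.compile(
    r"^(?P<date>\S+)\s+"
    r"(?P<time>\d{1,2}:\d{2}:\d{2}(?: [AP]M)?)\s+"
    r"(?P<event>Blocked by Access Protection rule)\s+"
    r"(?P<user>[^\\]+\\\S+)\s+"                       # DOMAIN\user or NT AUTHORITY\SYSTEM
    r"(?P<process>[A-Za-z]:\\.+?\.[A-Za-z]{2,4})\s+"  # image path, ends at its extension
    r"(?P<target>.+?)\s+"
    r"(?P<rule>(?:" + "|".join(re.escape(c) for c in RULE_CATEGORIES) + r"):.+?)\s+"
    r"(?P<action>Action blocked\s*:\s*\w+)$",
    re.IGNORECASE,
)

# Where the genuine Windows service host image lives (assumed default install).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class ApEvent:
    date: str
    time: str
    event: str
    user: str
    process: str
    target: str
    rule: str
    action: str

    @property
    def rule_category(self) -> str:
        return self.rule.split(":", 1)[0].strip()

    @property
    def rule_name(self) -> str:
        return self.rule.split(":", 1)[1].strip() if ":" in self.rule else self.rule

    @property
    def operation(self) -> str:
        """'Action blocked : Create' -> 'Create'."""
        return self.action.split(":", 1)[1].strip()

    @property
    def image(self) -> str:
        return self.process.rsplit("\\", 1)[-1].lower()

    def process_in_system_dir(self) -> bool:
        """The path check the reply uses to confirm 'it was the Windows SVCHost.exe'."""
        return self.process.lower().startswith(SYSTEM_DIRS)


def parse_ap_line(line: str) -> Optional[ApEvent]:
    line = line.rstrip("\r\n")
    parts = line.split("\t")
    if len(parts) == len(FIELDS):            # intact tab-delimited log line
        return ApEvent(*(p.strip() for p in parts))
    m = _COLLAPSED.match(line.strip())       # tabs collapsed to spaces
    return ApEvent(**{f: m.group(f).strip() for f in FIELDS}) if m else None


def summarise(ev: ApEvent) -> List[str]:
    """The facts the reply lists plus the path check.  Deliberately no
    malware/not-malware verdict: an AP event records a behaviour, nothing more."""
    facts = [
        f"process {ev.image} (as {ev.user}) violated rule '{ev.rule_name}'",
        f"target: {ev.target}",
        f"blocked operation: {ev.operation}",
    ]
    if ev.process_in_system_dir():
        facts.append("image path is the Windows system directory; the path alone "
                     "cannot tell whether that process was compromised")
    else:
        facts.append(f"image {ev.image} is NOT under System32/SysWOW64: examine the file "
                     f"at {ev.process} before trusting the name")
    return facts


# Constructed samples: the thread's entry as it would sit tab-delimited in the
# log, the same entry with tabs collapsed as pasted, and an invented entry for
# a same-named image outside the system directory.
SAMPLE_TAB = "\t".join([
    "8/6/2016", "22:44:57", "Blocked by Access Protection rule",
    "NT AUTHORITY\\SYSTEM", "C:\\WINDOWS\\SYSTEM32\\SVCHOST.EXE",
    "C:\\ProgramData\\McAfee\\Common Framework\\DB:Win32App_1",
    "Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings",
    "Action blocked : Create",
])
SAMPLE_PASTED = SAMPLE_TAB.replace("\t", " ")
SAMPLE_ODD = SAMPLE_PASTED.replace("C:\\WINDOWS\\SYSTEM32\\SVCHOST.EXE", "C:\\Users\\Public\\svchost.exe")

if __name__ == "__main__":
    for line in (SAMPLE_TAB, SAMPLE_PASTED, SAMPLE_ODD):
        ev = parse_ap_line(line)
        print("\n".join(summarise(ev)) if ev else "unparsed: " + line, end="\n\n")
```

Run it against a copy of AccessProtectionLog.txt by feeding each line to parse_ap_line; entries that do not parse are simply reported, not guessed at. The path check answers only the narrow question the reply answers (is this image where the Windows service host lives); the rest of the verdict still needs the process itself examined, exactly as the reply says.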