I have a problem with GroupShield v6.0.2 (6.0.1148.100) and VirusScan Enterprise 8.5i.
Every minute there is an entry in the event log:
Source: McLogEvent
Event ID : 257
Type: Information
User: NT-AUTORITÄT\SYSTEM
Blocked by access protection rule. Access to object \REGISTRY\MACHINE\SOFTWARE\McAfee\VSCore\On Access Scanner\McShield\Configuration\Default\ExcludedItem_0 was blocked by rule Common Standard Protection:Prevent modification of McAfee files and settings.
And in AccessProtectionLog.txt there is the following entry:
08.10.2007 11:52:04 Blocked by Access Protection rule NT-AUTORITÄT\SYSTEM C:\Programme\Network Associates\McAfee GroupShield\bin\SAFeService.exe \REGISTRY\MACHINE\SOFTWARE\McAfee\VSCore\On Access Scanner\McShield\Configuration\Default\ExcludedItem_0 Common Standard Protection:Prevent modification of McAfee files and settings Action blocked : Create
I've encountered this as well on a group of my servers. It applies to 8 servers.
1. They are all application servers.
2. They are in a container on our ePO server that contains unaffected computers.
3. They are able to poll externally to the McAfee HTTP source.
4. The servers function normally otherwise.
5. The only GPOs applied to that box are our Default Domain Policy, our Windows Update Policy, and our Default Server Policy. These GPOs are applied to all servers in our domain and not causing problems anywhere.
6. Communication will occur if we force the update from the ePO console on the ePO server, but not if we attempt the update from the affected server.
We are in the process of determining if these boxes are somehow sitting inside our DMZ, but we're unsure at the moment (large environment, takes a bit).
I have this happening on 3 of my Exchange servers.
Event Type: Information
Event Source: McLogEvent
Event Category: None
Event ID: 257
Date: 3/2/2009
Time: 4:18:17 PM
User: NT AUTHORITY\SYSTEM
Computer: Server name
Description: Blocked by access protection rule. Access to object \REGISTRY\MACHINE\SOFTWARE\McAfee\DesktopProtection\DefaultTask\ExcludedItem_0 was blocked by rule Common Standard Protection:Prevent modification of McAfee files and settings.
Looks like something is trying to modify McAfee items and it's blocking whatever it is from doing it. Would be nice if they could somehow include the object that's trying to do the modifications.
Server running:
Win2k3 sp2
Exchange 2003
Group Shield 6.02 (yeah it needs updated)
VSE/MAS 8.5 P7
McAfee Agent 22.214.171.1245
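
Added example, not part of any post in the thread: the AccessProtectionLog.txt entry quoted in the first post names the blocked process (SAFeService.exe), which the event log text does not, so parsing that file shows which process keeps triggering the rule. The Python below assumes every entry has the field order of that quoted line, that the process path ends in .exe, and that the last component of the target path contains no spaces; the second process path and the extra timestamps are constructed.

```python
import re
from collections import Counter

# Field order assumed from the single entry quoted in the thread:
# date time "Blocked by Access Protection rule" user process target rule "Action blocked : X"
LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+Blocked by Access Protection rule\s+"
    r"(?P<user>.+?)\s+(?P<process>[A-Za-z]:\\.+?\.exe)\s+"
    r"(?P<target>\\.*\\\S+)\s+(?P<rule>[^\\]+?)\s+"
    r"Action blocked\s*:\s*(?P<action>\w+)\s*$",
    re.IGNORECASE,
)

def parse_line(line):
    """Return the fields of one blocked-access entry, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines):
    """Count blocked actions per (process, action, target, rule)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            key = (rec["process"], rec["action"], rec["target"], rec["rule"])
            counts[key] += 1
    return counts

RULE = "Common Standard Protection:Prevent modification of McAfee files and settings"
ENTRY = (r"{ts} Blocked by Access Protection rule NT-AUTORITÄT\SYSTEM "
         r"{proc} {target} " + RULE + " Action blocked : Create")
GS = r"C:\Programme\Network Associates\McAfee GroupShield\bin\SAFeService.exe"
KEY = (r"\REGISTRY\MACHINE\SOFTWARE\McAfee\VSCore\On Access Scanner"
       r"\McShield\Configuration\Default\ExcludedItem_0")

# SAMPLE[0] is the entry quoted in the thread; the other lines are constructed.
SAMPLE = [
    ENTRY.format(ts="08.10.2007 11:52:04", proc=GS, target=KEY),
    ENTRY.format(ts="08.10.2007 11:53:04", proc=GS, target=KEY),
    ENTRY.format(ts="08.10.2007 11:53:30", proc=r"C:\Tools\example.exe", target=KEY),
    "a line that is not an access protection entry",
]

if __name__ == "__main__":
    for (process, action, target, rule), n in summarize(SAMPLE).most_common():
        print(f"{n:4d}  {action:<7} {process}\n      -> {target}\n      rule: {rule}")
```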