Since yesterday's (March 16) update, Enterprise 8.5 on my computer started logging this:
3/16/2010 3:07:52 PM Blocked by Access Protection rule TFGNY\Andy D:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\EngineVersionMajor Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create
3/16/2010 3:07:52 PM Blocked by Access Protection rule TFGNY\Andy D:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\EngineVersionMinor Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create
3/16/2010 3:07:52 PM Blocked by Access Protection rule TFGNY\Andy D:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\AVDatVersion Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create
3/16/2010 3:07:52 PM Blocked by Access Protection rule TFGNY\Andy D:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\AVDatDate Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create
3/16/2010 3:07:52 PM Blocked by Access Protection rule TFGNY\Andy D:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\TrjDatVersion Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete
3/16/2010 3:07:52 PM Blocked by Access Protection rule TFGNY\Andy D:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\TrjDatDate Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete
3/16/2010 3:07:52 PM Blocked by Access Protection rule TFGNY\Andy D:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\PUPDatVersion Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete
3/16/2010 3:07:52 PM Blocked by Access Protection rule TFGNY\Andy D:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\PUPDatDate Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete
The above was when the update occurred. It also relogs whenever Outlook starts up. I'm hoping it's just a glitch in this update?
I'm also seeing the same behavior - it looks like I was still writing my question while you posted yours. I can't see what's changed apart from the routine DAT update - we're now running 5922.
I'm seeing this on multiple computers. Maybe it has something to do with that other update involving Buffer Overflow protection in another thread?
It may be related. It wasn't checked into our Current branch last night as it's set to only download DATs, but it was checked into Evaluation. The clients that are exhibiting the Access Protection errors are picking up their DATs from the Current branch, so haven't picked up the Buffer Overflow DAT.
I've pushed the Buffer Overflow DAT to the Current branch, but at the moment it doesn't appear to have changed the issue.
I updated to today's DAT (5923), and no change. I do notice that in the About box, there is this:
Buffer Overflow and Access Protection DAT Version: 480
I don't remember if that was ever listed before. I wonder if they changed some rules that are causing the errors?
We got this too after the 5922 update; the update to 5923 hasn't cured the error. Have logged a call with McAfee support and will post their reply when I get an answer. Interestingly, though, this hasn't affected a few test PCs with VirusScan 8.7 installed, or could just have been lucky that the PC wasn't switched on and missed the 5922 update.
Will post the fix, if I get one from support.
I've had reports of the same thing on 8.5 (p8) but not 8.7 (p3)
I too think it's got something to do with the BO DAT upgrade.
17/03/2010 17:24:05 NT AUTHORITY\SYSTEM Product(s) running the latest DATs.
17/03/2010 17:24:05 NT AUTHORITY\SYSTEM Verifying BocDet_VSE.McS.
17/03/2010 17:24:05 NT AUTHORITY\SYSTEM Downloading BocDet_VSE.McS.
17/03/2010 17:24:05 NT AUTHORITY\SYSTEM Searching available updates for BOC DAT.
17/03/2010 17:24:05 NT AUTHORITY\SYSTEM Downloading PkgCatalog.z.
17/03/2010 17:24:05 NT AUTHORITY\SYSTEM Verifying PkgCatalog.z.
17/03/2010 17:24:05 NT AUTHORITY\SYSTEM Extracting PkgCatalog.z.
17/03/2010 17:24:05 NT AUTHORITY\SYSTEM Loading update configuration from: PkgCatalog.xml
17/03/2010 17:24:06 NT AUTHORITY\SYSTEM Starting BOC DAT update.
17/03/2010 17:24:06 NT AUTHORITY\SYSTEM Downloading vscan.bof.
17/03/2010 17:24:06 NT AUTHORITY\SYSTEM Update succeeded to version 480.
I don't know if it's relevant, but I've only found these alerts from machines where the users are local administrators. I'll assume that for non-administrators, Windows security steps in to prevent access to the keys rather than VirusScan's Access Protection.
At the moment, it's more of a nuisance. I wonder if it's safe to add Outlook to the exceptions?
It's not just those with local admin privs. I'm also seeing it on a Citrix server, where the login is just a regular user.
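A triage helper for the Access Protection log lines quoted in this thread, added here as an example and not part of any poster's message or of McAfee's tooling: it parses each block event and groups events by process and rule, so the affected users, actions and registry values can be reviewed before deciding on an exclusion. The field order is inferred from the quoted lines, and targets are assumed to contain no spaces.

```python
import re
from collections import defaultdict

# Field order inferred from the log lines quoted in the thread (assumption).
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2}(?: [AP]M)?)\s+"
    r"Blocked by Access Protection rule\s+"
    r"(?P<user>\S+)\s+"
    r"(?P<process>.+?\.exe)\s+"      # process path may contain spaces
    r"(?P<target>\\\S+)\s+"          # registry target, assumed space-free
    r"(?P<rule>.+?)\s+"
    r"Action blocked : (?P<action>\w+)\s*$",
    re.IGNORECASE,
)

# Sample input: three of the lines quoted in the thread, rebuilt from parts,
# plus one update-log line that must be skipped.
PREFIX = (r"3/16/2010 3:07:52 PM Blocked by Access Protection rule TFGNY\Andy "
          r"D:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE "
          r"\REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine")
RULE = ("Common Standard Protection:Prevent modification of "
        "McAfee Scan Engine files and settings")
SAMPLE = [f"{PREFIX}\\{name} {RULE} Action blocked : {act}"
          for name, act in [("EngineVersionMajor", "Create"),
                            ("AVDatVersion", "Create"),
                            ("TrjDatDate", "Delete")]]
SAMPLE.append(r"17/03/2010 17:24:06 NT AUTHORITY\SYSTEM Starting BOC DAT update.")

def parse_line(line):
    """Return the event fields as a dict, or None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines):
    """Group block events by (process image name, rule name)."""
    out = defaultdict(lambda: {"count": 0, "users": set(),
                               "actions": set(), "values": set()})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        image = ev["process"].rsplit("\\", 1)[-1].upper()
        rule_name = ev["rule"].partition(":")[2] or ev["rule"]
        entry = out[(image, rule_name)]
        entry["count"] += 1
        entry["users"].add(ev["user"])
        entry["actions"].add(ev["action"])
        entry["values"].add(ev["target"].rsplit("\\", 1)[-1])
    return dict(out)

if __name__ == "__main__":
    for key, info in summarize(SAMPLE).items():
        print(key, info)
```
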